Threat intelligence

The Microsoft Threat Intelligence community is made up of world-class experts, security researchers, analysts, and threat hunters who analyze 100 trillion signals daily to discover threats and deliver timely and timely, relevant insight to protect customers. See our latest findings, insights, and guidance.

Refine Results

Filtered by

Clear All

Refine results

Sort By

Content Type

Topic

Products and services

Publish date

Start Date

End Date

December 15, 2025

16 min read

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and related frameworks.
October 9, 2025

12 min read

Investigating targeted “payroll pirate” attacks affecting US universities

Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed “payroll pirate”.
September 25, 2025

13 min read

XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory

Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications.
July 22, 2025

20 min read

Disrupting active exploitation of on-premises SharePoint vulnerabilities

Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.
Retain Microsoft Security Experts

Microsoft Security Experts are now available to strengthen your team with managed security services. Learn how to defend against threats with security experts.

Get started
June 30, 2025

18 min read

Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations

Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government.
April 9, 2025

13 min read

Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks.
April 3, 2025

13 min read

Threat actors leverage tax season to deploy tax-themed phishing campaigns

As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics.
March 17, 2025

13 min read

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
Modernize your Security Operations Center with Microsoft Sentinel

Microsoft Sentinel is a cloud-native SIEM solution powered by AI and automation that delivers intelligent security analytics across your entire enterprise.

Learn more
March 13, 2025

10 min read

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.
February 13, 2025

10 min read

Storm-2372 conducts device code phishing campaign

Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372.
February 12, 2025

23 min read

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation

Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”.
February 6, 2025

11 min read

Code injection attacks using publicly disclosed ASP.NET machine keys

Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.

Threat intelligence

Filtered by

Refine results

Retain Microsoft Security Experts

Modernize your Security Operations Center with Microsoft Sentinel

Get started with Microsoft Security