GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
Threat intelligence
The Microsoft Threat Intelligence community is made up of world-class experts, security researchers, analysts, and threat hunters who analyze 100 trillion signals daily to discover threats and deliver timely and timely, relevant insight to protect customers. See our latest findings, insights, and guidance.
Refine results
Topic
Products and services
Publish date
Retain Microsoft Security Experts
Microsoft Security Experts are now available to strengthen your team with managed security services. Learn how to defend against threats with security experts.
-
-
XLM + AMSI: New runtime defense against Excel 4.0 macro malware
We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4. -
HAFNIUM targeting Exchange Servers with 0-day exploits
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. -
Microsoft open sources CodeQL queries used to hunt for Solorigate activity
We are sharing the CodeQL queries that we used to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate so that other organizations may perform a similar analysis. Modernize your Security Operations Center with Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM solution powered by AI and automation that delivers intelligent security analytics across your entire enterprise.
-
Web shell attacks continue to rise
A year ago, we reported the steady increase in the use of web shells in attacks worldwide. -
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Sweeping research into massive attacker infrastructures, as well as our real-time monitoring of malware campaigns and attacker activity, directly inform Microsoft security solutions, allowing us to build or improve protections that block malware campaigns and other email threats, both current and future, as well as provide enterprises with the tools for investigating and responding to email campaigns in real-time. -
ZINC attacks against security researchers
In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. -
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Our continued investigation into the Solorigate attack has uncovered new details about the handover from the Solorigate DLL backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others). Tailored AI insights from Microsoft Security Copilot
Empower your defenders to detect hidden patterns, harden defenses, and respond to incidents faster with generative AI.
-
New Surface PCs enable virtualization-based security (VBS) by default to empower customers to do more, securely
The new Surface Pro 7+ for Business will ship with virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI, also commonly referred to as memory integrity) enabled out of the box to give customers even stronger security that is built-in and turned on by default. -
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. -
Collaborative innovation on display in Microsoft’s insider risk management strategy
Partnering with organizations like Carnegie Mellon University allows us to bring their rich research and insights to our products and services, so customers can fully benefit from our breadth of signals. -
Ensuring customers are protected from Solorigate
UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations.
