
Inside Microsoft Threat Intelligence: From Insight to Disruption

Threat intelligence lives at the heart of cybersecurity strategy

Threat intelligence often gets reduced to raw data: indicators of compromise, profiles of known actors, or sheer signal volume. But at Microsoft, threat intelligence is more than just awareness; it is an engine of protection, action, and disruption. At its core, a piece of threat intelligence may be designed to answer a single question and drive a specific action; however, the real value comes from other security teams using derivatives of that finished intelligence to detect, defend, and defang threats faster.

This miniseries offers a behind-the-scenes look at how Microsoft Threat Intelligence works in the real world. Through four distinct stories, we’ll show how threat intelligence powers our end-to-end security strategy, from proactively stopping zero-days to helping customers through major incidents and taking legal action against cybercriminals.

We begin with Sherrod DeGrippo, Director of Threat Intelligence Strategy, and the story of Storm-1152, a group responsible for creating and selling hundreds of millions of fraudulent Microsoft accounts. This is more than a tale of one actor. It’s about how Microsoft disrupts the ecosystem that fuels ransomware, fraud, and abuse, and why that disruption matters.

More than signal: Turning insight into action

When Microsoft Threat Intelligence uncovered an unusual spike in account creation, it didn’t look like headline news. But what emerged was Storm-1152, a cybercriminal group that had created and sold over 750 million fake Microsoft accounts. These weren’t just throwaways for spam. They were fuel for phishing, ransomware, identity theft, and extortion.

The deeper our teams dug, the clearer it became: Storm-1152 wasn’t just a lone actor. It was an enabler. A key supplier in a much larger ecosystem of financially motivated threats.

Disrupting the supply chain of cybercrime

Storm-1152 didn’t operate alone; it empowered others. Groups like Octo Tempest relied on these fake accounts for initial access, impersonation, and social engineering. In the crimeware economy, one actor’s infrastructure becomes another’s weapon.

Rather than observe from the sidelines, our threat intelligence teams acted. Partnering with the Digital Crimes Unit (DCU) and Arkose Labs, Microsoft investigators mapped the threat infrastructure and pursued coordinated legal takedowns. The result: domains were seized, services dismantled, and a 60% drop in related activity followed.

Real-world disruption: Microsoft’s Digital Crimes Unit

What makes Microsoft different isn’t just our visibility into threats; it’s our ability to disrupt them. The Digital Crimes Unit (DCU) works alongside threat intelligence teams and global law enforcement to bring real-world consequences to online criminal operations.

In the case of Storm-1152, DCU coordinated legal action to seize domains and disrupt the group’s infrastructure, cutting off access to services used by ransomware crews, fraud rings, and other threat actors. But this is just one example of DCU’s global impact.

Since its inception, Microsoft’s DCU has disrupted 32 malware families and nation-state actors through civil actions, rescuing over 500 million victim devices. Its collaboration with law enforcement has contributed to over 780 arrests since 2014. In 2024 alone, DCU seized 453 domains used by cybercriminals and nation-state actors and helped enable 85 arrests around the world.

This ability to act—at legal, technical, and operational levels—is core to Microsoft’s approach. We don’t just defend against cybercrime. We dismantle it.

Human judgment at machine scale

Microsoft Threat Intelligence has unmatched visibility, ingesting 84 trillion signals each day. But DeGrippo makes it clear: it’s not just about the volume of data; it’s about what we do with it. Storm-1152 was detected through anomaly spotting, which means our automated systems picked up the initial signal. But turning that anomaly into meaningful action required human expertise.
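The "unusual spike in account creation" mentioned above, and the "anomaly spotting" described here, are the kind of signal a simple baseline detector can surface. The following is an added illustration and not Microsoft's detection pipeline: it assumes an hourly count of new-account sign-ups (the sample series is constructed), flags hours that sit far above a trailing baseline, and keeps flagged hours out of that baseline so a sustained surge does not quietly become the new normal.

```python
"""Added example: flag an unusual spike in account-creation volume.

Illustrative code, not Microsoft's detection system. It assumes a
per-hour count of new-account sign-ups and flags hours whose count sits
far above a trailing baseline of hours judged normal. The sample series
below is constructed for this example.
"""
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed sample: hourly counts of new accounts for one day.
# Hours 0-19 look ordinary; hours 20-23 show a sudden surge.
HOURLY_SIGNUPS: List[int] = [
    120, 115, 98, 105, 110, 130, 140, 160, 170, 165,
    150, 155, 145, 160, 150, 140, 135, 130, 125, 120,
    900, 1250, 1400, 1100,
]


def spike_hours(series: List[int], window: int = 12,
                z_threshold: float = 4.0,
                min_baseline: int = 6) -> List[Tuple[int, float]]:
    """Return (index, z_score) for points far above their trailing baseline.

    The baseline for each point is the mean and standard deviation of the
    most recent `window` points that were themselves judged normal. A point
    is flagged when it exceeds the baseline mean by more than `z_threshold`
    standard deviations. Flagged points are not fed back into the baseline,
    so a multi-hour surge keeps being flagged instead of inflating the
    variance and hiding itself. The standard deviation is floored at 1.0 so
    a perfectly flat baseline cannot cause a division by zero.
    No scoring happens until `min_baseline` normal points have been seen.
    """
    flagged: List[Tuple[int, float]] = []
    clean: List[int] = []  # recent points judged normal
    for i, value in enumerate(series):
        if len(clean) >= min_baseline:
            baseline = clean[-window:]
            mu = mean(baseline)
            sigma = max(pstdev(baseline), 1.0)
            z = (value - mu) / sigma
            if z > z_threshold:
                flagged.append((i, round(z, 2)))
                continue  # keep the spike out of the baseline
        clean.append(value)
    return flagged


if __name__ == "__main__":
    for hour, z in spike_hours(HOURLY_SIGNUPS):
        print(f"hour {hour:2d}: {HOURLY_SIGNUPS[hour]:5d} sign-ups, z = {z}")
```

On the constructed series, hours 20 through 23 are flagged and nothing earlier is, because the baseline stays anchored to the ordinary hours 8 through 19. A detector like this only produces the initial signal; as the article stresses, deciding whether a flagged surge is abuse, a marketing campaign, or a logging change is the analyst's job.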

As Sherrod DeGrippo puts it, “AI is our partner, but it’s the analyst who decides what’s real and what has to be stopped.” Microsoft’s security teams combined machine learning, detection engineering, and global analyst collaboration to hunt, confirm, and block the activity before it spread further.

That combination allows Microsoft to act before a patch is available, and sometimes even before a threat is publicly known. What followed was months of work: tracking, modeling, reverse engineering, and collaboration between internal teams and external partners.

From takedown to ripple effect

Disrupting Storm-1152 wasn’t just about removing one actor; it was about shaking an entire network. By removing access to services that fueled multiple threat groups, Microsoft’s action had cascading effects across the cybercrime ecosystem. Meanwhile, our teams continue to stop attacks, seize infrastructure, and feed that intelligence back into Defender, Sentinel, and Microsoft Security Copilot.

This is the unique power of Microsoft Threat Intelligence: unmatched visibility, rapid action, and the ability to disrupt not just the threat, but the infrastructure behind it.

“We’re not just tracking threat actors,” DeGrippo says. “We’re taking them out of the game.”
