Skip to main content
Skip to main content
Security
Sign in

Microsoft security intelligence

Security research, threat intelligence, and Microsoft 365 Defender news.

Subscribe
Featured image for Breaking down NOBELIUM’s latest early-stage toolset

Breaking down NOBELIUM’s latest early-stage toolset

In this blog, we highlight four tools representing a unique infection chain utilized by NOBELIUM: EnvyScout, BoomBox, NativeZone, and VaporRage. These tools have been observed being used in the wild as early as February 2021 attempting to gain a foothold on a variety of sensitive diplomatic and government entities.
Read more Breaking down NOBELIUM’s latest early-stage toolset
Featured image for New sophisticated email-based attack from NOBELIUM

New sophisticated email-based attack from NOBELIUM

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation.
Read more New sophisticated email-based attack from NOBELIUM
Featured image for Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment

Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment

Phorpiex, an enduring botnet known for extortion campaigns and for using old-fashioned worms, began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads. Today, the Phorphiex botnet continues to maintain a large network of bots and generates wide-ranging malicious activities. These activities have expanded to include cryptocurrency mining. Read our in-depth research into this botnet.
Read more Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment
Featured image for Business email compromise campaign targets wide range of orgs with gift card scam

Business email compromise campaign targets wide range of orgs with gift card scam

Read our investigation of a BEC campaign that used attacker-created email infrastructure to facilitate gift card theft targeting the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors.
Read more Business email compromise campaign targets wide range of orgs with gift card scam
Featured image for Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix

Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix

Microsoft is happy to have contributed and worked closely with the Center for Threat-Informed Defense and other partners to develop the MITRE ATT&CK® for Containers matrix.
Read more Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix
Featured image for Investigating a unique “form” of email delivery for IcedID malware

Investigating a unique “form” of email delivery for IcedID malware

Microsoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware.
Read more Investigating a unique “form” of email delivery for IcedID malware
Featured image for Gamifying machine learning for stronger security and AI models

Gamifying machine learning for stronger security and AI models

We are open sourcing the Python source code of a research toolkit we call CyberBattleSim, an experimental research project that investigates how autonomous agents operate in a simulated enterprise environment using high-level abstraction of computer networks and cybersecurity concepts.
Read more Gamifying machine learning for stronger security and AI models
Featured image for Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting

Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting

A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages.
Read more Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting
Featured image for New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats

New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats

The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.
Read more New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats
Featured image for Analyzing attacks taking advantage of the Exchange Server vulnerabilities

Analyzing attacks taking advantage of the Exchange Server vulnerabilities

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments.
Read more Analyzing attacks taking advantage of the Exchange Server vulnerabilities
Featured image for Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. We have taken this additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update.
Read more Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus
Featured image for GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence

GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence

Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
Read more GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence