-
-
Analysis of Storm-0558 techniques for unauthorized email access
Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. -
Storm-0978 attacks reveal financial and espionage motives
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents. -
The five-day job: A BlackByte ransomware intrusion case study
In a recent investigation by Microsoft Incident Response of a BlackByte 2.0 ransomware attack, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization. -
IoT devices and Linux-based systems targeted by OpenSSH trojan campaign
Microsoft has uncovered an attack leveraging custom and open-source tools to target internet-facing IoT devices and Linux-based systems. The attack involves deploying a patched version of OpenSSH on affected devices to allow root login and the hijack of SSH credentials. -
Cadet Blizzard emerges as a novel and distinct Russian threat actor
Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”. -
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks. -
Guidance for investigating attacks using CVE-2023-23397
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. -
KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks
KillNet, a group that the US Department of Health and Human Services (DHHS) has called pro-Russia hacktivists, has been launching waves of attacks targeting governments and companies with focus on the healthcare sector. In this blog post, we provide an overview of the DDoS attack landscape against healthcare applications hosted in Azure over three months. -
DEV-0139 launches targeted attacks against the cryptocurrency industry
Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network.


