Microsoft embraced this vision early on, more than two decades ago, because we understood what it could mean for our employees and for the communities where we live and work.

This progress did not come easily or through the actions of any one organization. It required sustained public‑private partnership — a model that made today’s milestone possible.

Progress is not a solitary endeavor

Brad Smith, Vice Chair and President, Microsoft

Let’s go on the journey.

Skip timeline

2002

The founding gift

Microsoft donates 10 acres of land worth $8.7 million for a light rail station at Overlake, destined to become Redmond Technology Station. 

This prime location next to Microsoft’s campus enables planning for the East Link station in Redmond at much lower cost.

2003 2004 2005 2006

2007

Sending a message

Microsoft steps up to support the ‘Roads & Transit’ campaign, Seattle Prop.1, the ballot initiative to expand light rail across Puget Sound.

The measure narrowly fails, but the big message is clear: the Eastside’s largest employer believes in light rail and
will help turn a vision into reality.

2008

Winning the vote

Microsoft doubles-down, providing funds and vocal public support for Sound Transit 2’s revised ballot measure campaign.

These major campaign contributions helped voters hear the plan for a more connected region: voters passed Sound Transit 2 with 58% approval.

It’s the turning point that sets the East Link project in motion. For the first time, a light rail line connecting Seattle, Bellevue, and Redmond has voter-approval for massive regional and federal funding.

$1.7

billion

transit expansion

36

new miles

of light rail

2009 2010

2011

Holding the line

Progress on the East Link was nearly stopped due to Initiative 1125, which would have blocked light rail on I-90 and other transit projects across the region.

Microsoft jumps in as the biggest supporter of the “No” campaign to help raise awareness of the impacts on critical pieces of the project. Voters agreed and chose to reject I-1125, protecting critical funding and right-of-way for East Link.

2012

2013

Bridging the gaps

Microsoft shifts its focus to turning an idea into concrete, steel, and rail cars, funding major infrastructure that will vastly improve station access.

Microsoft funds the original design to build a pedestrian/cycle bridge over State Route 520 to the Redmond Technology Station.

Spanning a busy freeway, an iconic white canopy-peaked bridge becomes part of the vision, infrastructure that will eventually connect the new Redmond Technology Station to Microsoft’s west campus, a regional bike trail, and King County Metro bus service.

Creating a connected hub

2014 2015

2016

Thinking even bigger

Microsoft steps up again to support the Sound Transit 3 (ST3) “Yes” campaign, to help spread awareness of the project. Microsoft is the biggest corporate donor to the campaign.

Voters pass ST3, affirming the region’s need for transit. This authorizes $54 billion for transit expansions, including extending East Link to Redmond’s Downtown and further regional lines.

2017 2018

2019

Staying on track

The project comes under threat again, this time from Initiative 976, which seeks to cut the vehicle excise taxes which are a key source of Sound Transit funding.  

Microsoft strongly opposes I-976.

2020

Building better connections

On the land donated by Microsoft nearly two decades earlier, Sound Transit opens a 300-space park-and-ride garage at Redmond Technology Station. This public facility helps residents access transit options more easily.

King County Metro Transit buses and Microsoft Connector Bus service and campus shuttles begin using the convenient new station, further knitting campus commute resources into the public transit hub. The connected system makes it easier for employees to reduce single occupancy trips to Microsoft’s campus.

2021 2022 2023

2024

All aboard

Light rail arrives on the Eastside. Tens of thousands of residents celebrate as the first light rail segment—the 2-Line—opens between South Bellevue and Redmond Technology Station.

Funded by Microsoft and delivered through a public‑private partnership, the 1,100‑foot white‑canopy pedestrian bridge connects the community to light rail with a safer, more accessible crossing. The bridge is owned by the City of Redmond, with Microsoft continuing to support its long‑term maintenance.

Through a unique partnership with Sound Transit, the City of Redmond, and Washington State, Microsoft has invested in enhancing connectivity around the rail line:

Bike trails

Cycle tracks

Sidewalks

Road upgrades

New underpass

By car, foot, or bike, these connections make it easier for people to access the rail line, increasing light rail ridership and making the project even more effective upon opening.

2025

2026

History is made

The East Link Extension achieves an engineering first, something never before attempted in transit history: the world’s first light rail passenger service across a floating bridge.

The first ever Crosslake Connection train departs, fully connecting Seattle and points north and south to Eastside stations across Lake Washington.

The pontoon structure stretches

5,700

ft

Trains can travel safely at speeds up to

55

mph

The bridge is built to move with water and wind while keeping the rail steady

---

On track for real community benefits

15 minutes

travel from Bellevue to Seattle

25 minutes

travel from Redmond Technology to Seattle

3,000-4,000

daily riders expected at new stations

15,000

new housing units projected in Bellevue

30,000

new jobs projected in Bellevue

---

A transportation victory for the community

After 24 years from the gifting of land to voter approvals and completion, light rail to the Eastside will transform how an entire region moves, connects, and grows together.

The project succeeded because Microsoft, Sound Transit, local governments, community advocates, engineering firms, other business leaders, and thousands of workers joined forces to achieve something never done before.

Microsoft has demonstrated its commitment to community development by contributing over $400 million towards regional infrastructure and growth initiatives. This significant investment showcases how partnerships with corporations can drive lasting, positive change within communities.

Microsoft has invested in many ways…

Unwavering advocacy

Boosting public perception 

Filling funding gaps

Accelerating project development

The result is a transit system that serves everyone: employees, small business owners, students, families, and communities.

This is a true community win that will make the region more connected, sustainable, and economically vibrant for generations to come.

End of timeline

The post Light rail across Lake Washington: A public‑private partnership that connected the region appeared first on Microsoft Corporate Responsibility.

The discipline now known as “cyber diplomacy” may be relatively new, but the issues at stake are well known. “It’s all part of a bigger diplomatic discussion that has been going on since World War II; it’s just happening now in an online environment,” says Kaja Ciglic, Senior Director of Digital Diplomacy at Microsoft who heads the company’s Cybersecurity Policy and Diplomacy (CPD) team.

For more than a decade, Microsoft has been working with governments, international organizations, industry partners, and civil society groups to help shape governance in cyberspace. Here, Ciglic and fellow Senior Director of Digital Diplomacy Nemanja “Neno” Malisevic, two of CPD’s longtime leaders, explain what cyber diplomacy is, why it matters, and how it’s evolving. 

People might be surprised to learn that Microsoft has “digital diplomats.” What does your work involve?

Kaja Ciglic: On a basic level, our work is about trying to keep the online environment as stable as possible, and to allow as many people as possible to use it securely. 

Neno Malisevic: We work with governments, particularly foreign ministries and diplomats, to shape what responsible behavior in cyberspace looks like for governments, what it looks like for industry, and what kind of guardrails should exist for each.  

This means we engage with countries bilaterally—in a one-on-one setting—as well as multilaterally, with groups of countries. Over the last 10-plus years, however, we’ve been working to move cybersecurity policy discussions to multistakeholder diplomacy, which includes industry and civil society as well as government. Importantly, this has never been about taking decision-making power away from states. The idea is simply that before states make a decision, they should have a chance to hear from people outside of government who have years of experience in this space. As Brad Smith, Vice Chair and President of Microsoft, has framed it, multistakeholder diplomacy gives industry and civil society a voice, not a vote. 

What are the big issues in cyber diplomacy today?

Neno Malisevic: A lot of our work is pushing back against authoritarian visions for cyberspace. For nearly 20 years, many of the big multilateral cybersecurity processes have been initiated by Russia and its allies—places where a lot of cyberthreats originate. You don’t need to be a cybersecurity expert to know that the real purpose behind these initiatives is not to combat cybercrime or enhance cybersecurity. Rather, it’s about control of their citizens, control of the internet. They don’t want treaties that protect people from states. They want treaties that protect states from people.  

Kaja Ciglic: The difference becomes clear when you look at the words they use: Russia doesn’t call it cybersecurity, they call it “information security,” and that’s actually really important. The West has defined cyberspace as the infrastructure that runs the internet. Russia defines it as “information space,” which includes data as well as infrastructure. Same for China. Because their definition of the online environment includes the information and content shared online, cyber regulation becomes a question of freedom of speech. That’s most often where the challenges lie. 

Why is Microsoft invested in cyber diplomacy?

Neno Malisevic: Given how many users Microsoft has worldwide, including many government customers, earning public trust really matters.  

More broadly, if people trust cyberspace, they will engage with it and use it. That helps Microsoft do business in this space. It helps us innovate. It also helps other businesses, including our competitors. And that’s okay. This is real diplomacy that Microsoft does for the benefit of the entire cyber ecosystem. 

Kaja Ciglic: Cyberspace has become a domain of conflict, which destabilizes the entire online environment. At Microsoft, we have a unique understanding of the cyber landscape because of how many people around the world use our technology. We have a responsibility to use our data and insights to help keep the online world safe, secure, and accessible. 

How do you push back against authoritarian efforts?

Neno Malisevic: In formal negotiations among states, Microsoft can’t actually propose a treaty or ask for textual changes to an agreement or report. Only states can do that. So, we need to work closely with governments to help them understand why the positions we advocate for are in our common interest and encourage them to advocate for those positions as well. That takes time. Cyber diplomacy—and all diplomacy, really—is a marathon, not a sprint, which makes it important for us to stay the course for the long run, as CPD has done. 

This is critical because a number of authoritarian states are very strategically patient. They’re very good at getting others engaged in minutiae—this particular rule, this particular paragraph—while in the bigger picture they’re maneuvering to shape the rules in their favor.  

Kaja Ciglic: Around the world, countries are at very different stages of development, both offline and online. For many, the internet can feel like a threatening space, and cybersecurity can seem overwhelming. Often, what they want most are practical tools that address immediate economic, development, or security challenges. As a result, they may agree to anything that looks like it could help them, even though ultimately it might carry negative consequences for freedom of speech or could be abused. Unfortunately, some states are adept at exploiting this dynamic. 

How has cyber diplomacy evolved over the decade that you’ve worked in the space?

Neno Malisevic: Much of the early work aimed to reach consensus on what responsible behavior in cyberspace should look like. In 2017, these discussions stalled among states at the UN. In response, Microsoft focused on bringing multistakeholder groups together to find common ground. We helped launch the Paris Call for Trust and Security in Cyberspace, which, for the first time, brought together governments, industry, and civil society to agree on a set of cybersecurity principles.  

Cyber diplomacy today is more focused on the practical applications of foundational principles. For example, more than a decade ago, a group of experts at the UN agreed that international law applies in cyberspace—which was a significant achievement. But there’s still a lot of discussion needed to determine how to use international law in a cyber context. This is one of the reasons Microsoft helped create the Oxford Process on International Law Protections in Cyberspace, which is trying to progress that discussion. 

Are there emerging cybersecurity issues that are changing your work?

Kaja Ciglic: We’re facing a serious global threat from cyber mercenaries, which are private companies that develop and sell what we call “offensive” cyber capabilities—irresponsible or illegal uses of technology that compromise human rights and safety. A common example today is companies that sell spyware for surveillance, which is often used to target journalists and political dissidents. However, the vulnerabilities that mercenaries exploit to access software systems and insert spyware can be used for other types of threats, including attacks on critical infrastructure like water and power utilities. This is not a future problem; it’s an issue today.

Multistakeholder diplomacy is critical in this case. Many tech companies have agreed on principles that we’ll uphold to keep our commercial technology from being used for offensive purposes. Microsoft is a founding member of the Cybersecurity Tech Accord, which has brought together more than 160 companies in a commitment to principles that include fighting mercenary activity. Governments also need to agree to regulations around the use of cyber mercenary capabilities, and we actively support the Pall Mall Process, which seeks to create the necessary guardrails. 

What is on the horizon for cyber diplomacy?

Neno Malisevic: It will continue to be important for stakeholders to come together to advocate against potentially dangerous visions for cyberspace. But merely pushing back is not enough. We need to find ways to collectively articulate positive alternatives. And to do that, you need to look at the big picture. You need to build capacity, which we have been championing via a new Advancing Regional Cybersecurity (ARC) initiative. You have to continue evolving what responsible behavior in cyberspace looks like, for example, by creating guardrails for cyber espionage, something we have been partnering on with the Center for Security, Innovation, and New Technology at American University (AU-CSINT). And, across the board, you need to continue building trust through constructive diplomatic engagements with states bilaterally and multilaterally.  

Kaja Ciglic: Hospitals and aid operations increasingly depend on data and networks, and we are partnering with the International Committee of the Red Cross on its Digital Emblem initiative to strengthen legal protections for humanitarian and medical services in the digital environment.  

And, of course, we need to continue making sense of AI in the context of cybersecurity and diplomacy. Microsoft helped launch the Roundtable for AI, Security, and Ethics (RAISE), led by United Nations Institute for Disarmament Research (UNIDIR), to translate high-level debates on AI and security into practical, multistakeholder guidance and safeguards that governments and industry can implement. That is where the future of diplomatic discussions is heading—as technology evolves, so should the responses. 

The post Cyberspace and the future of global diplomacy appeared first on Microsoft Corporate Responsibility.

As AI reshapes how people learn, work, and access services, demand on these systems will only grow. Meeting that demand requires more than expanding connectivity alone. It requires coordinated investments across the infrastructure that enables digital participation, linking connectivity with energy, devices, and water systems that communities depend on every day.

Across regions and sectors, at Microsoft, we’re working with local partners, nonprofits, connectivity providers, and energy access providers to support this integrated approach. By deploying these systems together and aligning them with local needs, these partnerships are helping communities build the durable infrastructure needed to unlock new opportunities in education, agriculture, entrepreneurship, and public services.

Strengthening agricultural livelihoods through digital access in Kenya

The opportunity: In rural Kenya, gaps in internet infrastructure have constrained economic opportunity and public participation. As digital systems become central to daily life, reliable connectivity is essential not only for education and public services, but for strengthening agricultural livelihoods and local enterprise through access to new buyers, real-time market information, and other data and digital tools.

The impact: Through partnerships with local providers like Mawingu, we are expanding last-mile connectivity across underserved communities, bringing reliable internet to those beyond the reach of traditional broadband networks. Using Starlink for connectivity, Mawingu will lead deployments across 450 community hubs nationwide, including schools, farmer cooperatives, aggregation centers, and digital resource facilities.

These hubs serve as digitally enabled access points that strengthen agricultural value chains, support entrepreneurship, and unlock access to AI-powered tools and services. By combining satellite-enabled connectivity with locally operated broadband infrastructure, we ensure that access translates into sustainable, community-level impact.

What begins as connectivity becomes something more enduring: the ability for rural communities to participate fully in education, enterprise, and the digital economy.

Growing digital opportunity in Mount Pleasant, Wisconsin

The opportunity: In Mount Pleasant, Wisconsin, Microsoft is building the world’s most powerful AI datacenter as part of a multi-billion-dollar investment reshaping the region’s economic landscape. With next-generation AI infrastructure taking root in Racine County, the focus is on ensuring that the growth reaches beyond the datacenter campus by strengthening broadband access, expanding workforce pathways, and supporting long-term economic development across the community. 

The impact: In collaboration with local internet provider E‑vergent, we are expanding reliable and affordable high-speed internet access across surrounding communities. Through this partnership, our Fairwater AI datacenter investment is helping extend broadband access to rural residents while delivering next-generation internet service to more than 1,200 homes and businesses in Sturtevant, Wisconsin. These investments help ensure that residents, students, and small businesses can access the digital tools, education opportunities, and economic participation that high-speed connectivity enables. 

Together, these efforts reflect Microsoft’s Datacenter Community Pledge. By pairing AI infrastructure with local connectivity and workforce investments, we work to ensure that next generation datacenter development strengthens the long-term economic vitality of the communities where it is built.

Scaling meaningful connectivity across 12 states in India

The opportunity: In rural India, many underserved communities remain beyond the reach of reliable broadband networks due to remote terrain and dispersed populations, limiting consistent access to education, digital services, and economic opportunity. Expanding high-speed internet across multiple states requires strengthening existing wireless infrastructure and extending fiber networks into newly served regions.

The impact: Microsoft and AirJaldi Networks have worked together for nearly a decade to expand broadband infrastructure across rural and underserved regions in 12 Indian states. The partnership focuses on strengthening local connectivity ecosystems by supporting the development of resilient broadband networks that can reach communities where traditional infrastructure has historically been limited.

Alongside expanding connectivity, the collaboration has also emphasized building the skills needed to ensure people can safely and productively participate in the digital economy. AirJaldi has developed community-based digital skilling programs that support women, youth, and students in developing practical digital literacy, responsible internet use, and foundational technology skills. These programs help communities build confidence using online tools for education, entrepreneurship, and access to services, ensuring that expanded connectivity translates into meaningful opportunity and long-term local impact.

Strengthening rural broadband across the central United States 

The opportunity: Across rural communities in the central United States, high-speed broadband access is unlocking new possibilities for agriculture, education, telehealth, and local economic growth—but access alone is only part of the equation. 

The impact: Microsoft is working with Nextlink Internet to expand connectivity and digital skills programs across rural communities in twelve states. At full buildout, the effort is expected to reach more than 1.9 million people in previously unserved areas using fixed wireless technology designed for rural deployment. By pairing infrastructure with community programs, the collaboration helps ensure new connectivity creates real opportunity for residents and local businesses.  

In Seward, Nebraska, this investment includes a Digital Empowerment Center developed by Nextlink and the Seward County Chamber of Commerce. The center offers free workshops on device navigation, internet safety, photo editing, and AI tools, along with tech support and workspace for remote workers and small businesses, with a strong focus on helping seniors build digital confidence.  

A second center launched in February 2026 in Falls County, Texas through partnerships with Chilton Independent School District, the City of Golinda, Connected Nation, and Human-I-T. High school students serve as paid Digital Navigators, leading workshops for seniors while earning scholarships, and refurbished devices help participants get online and stay connected. 

Expanding access to credit and smartphones across Africa

The opportunity: Across Africa, millions of small business owners and households have historically lacked access to traditional banking, credit, and digital tools needed to participate fully in the digital economy. Without affordable devices and trusted financial services, many entrepreneurs remain disconnected from online markets, education, and economic opportunity. 

The impact: Microsoft has partnered with M-KOPA for nearly a decade as it evolved into a leading Pan-African fintech platform, now serving over 7 million customers across Kenya, Uganda, Ghana, Nigeria, and South Africa. M-KOPA focuses on unlocking financial potential through smartphone devices by combining affordable smartphones with embedded financial services, including credit, insurance, and digital payments. For microentrepreneurs like Jane in Kenya, access to a smartphone gained access to health insurance, emergency financing, and the tools to grow her business, strengthening long-term financial resilience for her family and community.  

M-KOPA uses AI and machine learning to responsibly expand credit access by forecasting repayment patterns and managing risk at scale. The company is also investing in workforce development and local manufacturing, including a smartphone assembly facility in Kenya that supports job creation and strengthens regional supply chains.   

Together, these efforts demonstrate how expanding access to smart devices can unlock economic participation, financial inclusion, and digital opportunity across the continent. 

Transitioning to solar power in Inírida, Colombia

The opportunity: In Colombia’s Amazon region, the municipality of Inírida operates outside of the country’s main electricity grid and has historically relied on local diesel generation. This dependence on transported fuel has led to higher costs, greater emissions, and energy systems that are difficult to scale as population and demand grow, with diesel-generated electricity remaining highly carbon intensive, inherently unstable, and often available for only a few hours each day. Expanding access to reliable, renewable energy presents an opportunity to support a clean energy transition while strengthening long-term resilience in one of the country’s most remote regions.

The impact: Through a partnership with Anditel, Microsoft is supporting the Sol de Inírida solar projects. The first phase is now fully operational, delivering more than 7,500 solar panels with 2.49 megawatts of installed capacity and supplying 18 percent of the municipality’s energy consumption and benefiting over 3,000 families. The project avoids nearly 2,927 tons of CO₂ emissions annually and eliminates approximately 290,000 gallons of diesel use each year.

We are advancing a second phase that will expand total capacity to 9.2 megawatts and add a 20 MWh battery energy storage system, together covering roughly one-third of the municipality’s energy demand. Nano grids and micro grids further extend clean energy access to homes, schools, and health centers, pairing renewable power with telecommunications infrastructure to strengthen long-term resilience.

Strengthening climate-resilient water systems in Lagos, Nigeria

The opportunity: In Lagos, rapid urban growth and climate pressures have strained access to safe water and sanitation. National data shows that 45 percent of residents lack access to safely managed water, and 75 percent lack safely managed sanitation. 

The impact: Through the Lagos Peri-urban Water and Sanitation Improvement Project, we are working with WaterAid Nigeria to deliver access to sustainable, climate-resilient water, sanitation, and hygiene services for more than 21,000 people over three years. 

The initiative rehabilitates non-functional water systems, upgrades sanitation facilities to be gender-inclusive, and strengthens community preparedness for climate-related shocks. By pairing infrastructure improvements with hygiene education and local engagement, the project demonstrates how water resilience and public health move forward together. 

Reducing water loss and strengthening water security in Dublin, Ireland

The opportunity: Water utilities around the world face growing pressure to maintain aging infrastructure while conserving limited water resources. In the Greater Dublin area, a significant share of treated water can be lost through leaks before reaching homes and businesses, placing additional strain on the River Liffey, which supplies most of the region’s drinking water. Detecting leaks in large underground pipelines is difficult using traditional methods, making advanced monitoring technologies critical for improving water resilience and reducing unnecessary withdrawals. 

The impact: Through a collaboration between Aganova and Ireland’s national water utility, Uisce Éireann, we are deploying acoustic leak detection technology to identify hidden leaks in Dublin’s water infrastructure. Using Aganova’s Nautilus system, which travels inside large pipelines without interrupting service, the project is surveying about 40 kilometers of strategic pipelines in Dublin, Ireland. 

Leak data allows Uisce Éireann to prioritize repairs, improving network efficiency while reducing the energy required for water treatment and distribution. Together, these efforts strengthen long-term water security and show how advanced monitoring technologies can help cities modernize critical infrastructure while conserving vital resources. 

Reducing stormwater pollution in Cheyenne, Wyoming through urban filtration

The opportunity: Urban stormwater runoff is a growing source of water pollution in cities across the United States. In Cheyenne, Wyoming, runoff flowing into Crow Creek carries sediment, trash, nutrients, and other contaminants from streets and neighborhoods into the local watershed. Over time, these pollutants degrade water quality, harm aquatic ecosystems, and place additional strain on local water management systems. Addressing stormwater pollution at its source is an important step toward protecting waterways and strengthening watershed resilience. 

The impact: Through a collaboration between Frog Creek Partners and the City of Cheyenne, we are installing stormwater filtration systems at key storm drains throughout the city to intercept pollutants before they reach Crow Creek. The project will deploy 127 Gutter Bin filtration units designed to capture trash, sediment, microplastics, nutrients, and heavy metals carried in urban runoff. 

By preventing pollutants from entering the creek, these systems help improve water quality across the watershed while supporting healthier ecosystems and cleaner waterways for the surrounding community. Together, these efforts demonstrate how targeted infrastructure investments and local partnerships can help cities reduce stormwater pollution and strengthen long-term watershed health. 

From access to lasting foundations

Across connectivity, AI-enabled financial inclusion, renewable energy, and water stewardship, one lesson is clear. Lasting digital opportunity depends on strong foundational infrastructure built and deployed together. Connectivity, energy, devices, and water systems must work in concert to support the communities and economies that rely on them. 

As demand for connectivity and AI accelerates, these systems must scale responsibly. Aligning digital access with resilient energy and water infrastructure helps ensure that communities can expand connectivity while strengthening the foundations that support long-term economic growth and resilience. 

The post Building sustainable and connected communities worldwide appeared first on Microsoft Corporate Responsibility.

Most likely it was a phishing attack, an email scam that caught an employee off guard and tricked them into feeding their credentials into a malicious website designed to look legitimate, inadvertently handing a criminal the keys to their inbox. 

H2 wasn’t flooded with spam or crippled by malware. But from that day on, bad actors were in the network, biding their time and monitoring email exchanges—particularly those of Josh B., Vice President of Commercial Operations, who oversaw H2’s relationships with vendors. 

In April 2025, Josh B. reached out to Cheplapharm, a global pharmaceutical company headquartered in Germany that has been working with H2 for more than a decade. Josh B. was considering a change to H2’s payment processes, moving from wire transfers to ACH payments to save money on banking fees. He emailed a trusted contact at the company, a sales manager, to find out if the change was feasible. 

Josh B. didn’t know it, but that was when the cybercriminals saw their opportunity. 

The sales manager replied to Josh B.’s email, saying that Cheplapharm couldn’t accept ACH payments because it didn’t have a US bank account. But soon after, Josh B. got another email from his contact—same subject line, same email signature—saying that he’d checked with Cheplapharm’s finance and accounting teams and found that they could take ACH payments after all. The sales rep attached the details for a US-based account. 

It wasn’t unusual for Cheplapharm to change course like this, so the request didn’t seem like a red flag to Josh B. Still, he was cautious—he transferred $0.44 to the account to make sure payments were routed properly. The sales manager confirmed receipt of the transfer. Josh B., reassured, made another transfer, this time for several million dollars. A few weeks later, he made another seven-figure payment to the account. 

The problem was, Josh B. wasn’t communicating with a real sales manager at Cheplapharm. He was emailing the cybercriminals who’d been watching his communications, waiting for just this moment. 

On May 20, Josh B. got another email from his sales contact—this time inquiring why Cheplapharm hadn’t received payment from H2. Josh B. pointed to the ACH transfers, but the real sales manager knew nothing about those payments, and by that time the imposter was long gone. The bank account where Josh B. sent the payments had been shut down. H2 was out more than $7.3 million—money it needed to pay Cheplapharm in order to provide medications its customers depend on. 

The infrastructure that powers cybercrime

The type of attack that hit H2-Pharma is known as business email compromise (BEC), or payment diversion fraud, and it’s not an easy scam to pull off. It requires time, patience, and sophisticated social engineering. It also requires specialized technology. A BEC scam is a multi-stage attack, and each phase uses different tools and technical infrastructure.

The initial stage involves gaining access to an email account, often through phishing techniques. Other tactics may include scraping the web for vast lists of addresses to target, deploying mass-mailing tools to send out thousands of emails, and hosting legitimate-looking websites intended to harvest user credentials.

Fraudsters then use the stolen credentials to log into the victim’s account and search for supplier details, financial discussions, and pending invoices. They copy email signatures and monitor threads to find a moment when a bill needs to be paid, then slip into an ongoing conversation, impersonating the real vendor to convince the victim to route payment to a different account. Increasingly, they use AI voice cloning and face-swapping technology to manipulate victims.

After defrauding their target the attacker disappears, erasing their tracks before the victim realizes what has happened.

This type of fraud might be too technically demanding for the average cyber thief to manage on their own, but cybercrime today is a booming underground business with a wide range of “Cybercrime-as-a-Service” (CaaS) providers selling ready-made tools and services.

Until recently, criminals could subscribe to a service that provided the necessary tool to conduct attacks such as BEC for as little as $24 a month: a platform called RedVDS.

RedVDS provided cheap, disposable virtual computers (VDS stands for Virtual Dedicated Server) that were used as launchpads for a wide range of cyber-enabled financial fraud. RedVDS fueled a surge in worldwide fraud that has cost victims more than $66 million since 2019. These figures represent only confirmed cases—actual worldwide losses may be much higher.

Outsourcing cyberattacks to CaaS vendors like RedVDS not only makes it easier to launch sophisticated fraud schemes but also helps perpetrators evade detection. “Cybercriminals don’t want to use their own infrastructure,” says Donal Keating, Director of Innovation and Research at Microsoft. “Nobody uses their own car to rob a bank.”

RedVDS provided anonymity, taking payment in cryptocurrency and eliminating usage logs. Subscribers could log on remotely using a VPN to hide their real location while they gathered information over time. RedVDS was tailor-made for cybercrime, but it wasn’t malware; it was simply the infrastructure that facilitated cyberattacks. “This infrastructure layer is a critical enabler of modern cybercrime cases,” says Alexandra Gerst, Senior Corporate Counsel with Microsoft’s Digital Crimes Unit (DCU).

RedVDS also allowed criminals to wipe their server to remove evidence of wrongdoing. Deleted data can be recovered, but wiping a server overwrites the entire disk with a fresh operating system and a new IP address, leaving no trace of prior activity. RedVDS subscribers could wipe and reinstall their system in a matter of minutes. 

The thread that unraveled the RedVDS enterprise

Microsoft tracks more than 100 trillion security signals daily to detect malicious activity, and the company’s threat analysts began to see a pattern: Thousands of attacks on customers worldwide were coming from different Windows hosts using the same computer ID. That ID mapped to a single Windows 2022 Eval installation, a “try before you buy” license that had been pirated. When the DCU’s investigators began to follow the stolen ID, they learned that users received receipts from RedVDS. 

The operators behind RedVDS, a group Microsoft tracks as Storm-2470, were cloning the same Windows virtual machine over and over again without changing the system ID.  

“At the end of the day, cybercriminals are just like the rest of us—they get a little bit lazy,” says Sean Ensz, Principal Investigator with the DCU. RedVDS facilitated scams that preyed on human error, yet in the end, it was the criminals’ own human error that led to the takedown of the enterprise.  

How the DCU pulled the plug on RedVDS

Investigators with the DCU went undercover as subscribers to RedVDS, learning how the platform worked and tracing cryptocurrency payments. They discovered that RedVDS was using a fictitious business entity that claimed to operate in the Bahamas, but the address of the business turned out to belong to a building at the University of the Bahamas that had been demolished in 2024.

Once they had traced the criminal activity to a specific group, the DCU knew exactly how to cut off RedVDS from victims, but it wasn’t what TV and movies might lead you to expect. There was no feverish hacking to neutralize the technology; no dramatic raid on an underground criminal lair. The DCU simply wields the power of the law.  

The perpetrators were not only using Microsoft’s branding to defraud victims, they were violating the terms of service that governed the stolen Windows license. The misuse of Microsoft’s intellectual property provided legal grounds for the DCU to file a civil lawsuit, asking US courts for permission to seize the two domains RedVDS used to host its marketplace and customer portal. The case moved swiftly, and the DCU quickly took down redvds.com and redvds.pro, severing RedVDS from its cybercriminal customers. 

The DCU also filed a civil lawsuit in the UK that helped obtain information about RedVDS’s operators and customers. The civil cases are part of a larger joint operation with international law enforcement. Germany’s Public Prosecutor’s Office Frankfurt am Main—Central Office for Combating Internet Crime (ZIT), together with the German State Criminal Police Office Brandenburg, has seized a key server associated with RedVDS, disrupting its central marketplace. Concurrently, and in line with ongoing efforts, Microsoft is collaborating with international law enforcement entities such as Europol’s European Cybercrime Centre (EC3) to dismantle the wider network of servers and payment systems that facilitated services for RedVDS customers. 

Even after RedVDS was taken down, there were still virtual computers running the unauthorized Windows servers for cyberattacks. In response to such cases, the DCU has established the Statutory Automated Disruption (SAD) program, which enables the team to dismantle malicious infrastructure using both legal and technical measures. This program is powered by a semi-automated notification process that leverages local legal frameworks. Hosting providers are being alerted about illicit activity on their platforms and are asked to implement appropriate measures to stop any further harm.  

In the first week after the DCU filed the civil case against RedVDS, the team was able to take down 95% of RedVDS virtual computers leveraging the SAD program. “That continuous automated pressure, paired with human oversight to route notices to the right hands, is what makes the disruption stick,” says Lakshmi Mucharla, Senior Data Analyst at the DCU. “Automated systems are designed to keep working as long as criminals keep trying to spin up the infrastructure.”  

Don’t let it happen to you: How to identify—and avoid—business email compromise

However technologically sophisticated they might be, BEC attacks ultimately depend on social engineering. “The key component in this type of attack is the criminals’ ability to convince victims that they’re communicating with people they trust,” says Richard Boscovich, Assistant General Counsel in the DCU. This email, sent by a RedVDS user to Gatehouse Dock Condo Association (GDCA), which joined H2-Pharma as a co-plaintiff in the DCU’s US civil case, shows what to look out for. 

Urgency: Fraudsters demand payment quickly, threatening victims and using guilt to manipulate them into acting without full diligence. Slow down, read carefully, and check for telltale signs of fraud. 

Homoglyph domains: A critical component of BEC attacks is registration of lookalike domains that are nearly indistinguishable from legitimate web addresses. The criminals who defrauded GDCA emailed from bellinqham-marine.com instead of bellingham-marine.com—nearly impossible to detect without close scrutiny. In the course of their investigation, the DCU uncovered over 7,300 IP addresses linked to RedVDS infrastructure that collectively hosted more than 3,700 homoglyph domains within a 30-day period. 

Hiding behind pixels: Like most of us, victims at GDCA and H2-Pharma relied on digital communication—yet a simple in-person conversation would have exposed the attempted fraud. “If you’re dealing with payments, you need to be extra diligent in making sure that you’re interacting with the person you think you are,” says Jacklynne Sienicki, director of data analytics at the DCU. Pick up the phone and talk to a trusted contact, or better yet, meet them in person. Hundreds of RedVDS subscribers used deepfakes and AI voice cloning to fool victims, so don’t rely on a voicemail message or video call to confirm the authenticity of a request. 

Exploiting security gaps: Always, always turn on multifactor authentication—it blocks 99% of phishing attempts. And stay on top of software updates. All legitimate technology providers embed security features into their products, but you won’t have up-to-date protection if you don’t install the latest updates. 

The post RedVDS and the Invisible Infrastructure of Modern Cybercrime appeared first on Microsoft Corporate Responsibility.