In this month-long webinar series, IT pros and security practitioners can hone their security skillsets with a deeper understanding of AI-centric challenges, opportunities, and best practices using Microsoft Security solutions.

Each session will follow a hosted demo format and cover a Microsoft Learn module (topics listed below). You can ask the SMEs questions via the chat as they show you how to use Microsoft Purview and Microsoft Defender for Cloud to protect your organization in the age of AI.

Learn Live dates/topics include:

April 15 at 12pm PST – Manage AI Data Security Challenges with Microsoft Purview: Microsoft Purview helps you strengthen data security in AI environments, providing tools to handle challenges from AI technology. Learn to safeguard your data and adapt to evolving security challenges in AI technology. This session will help you:
Understand sensitivity labels in Microsoft 365 Copilot
Secure against generative AI data exposure with endpoint Data Loss Prevention
Detect generative AI usage with Insider Risk Management
Dynamically protect sensitive data with Adaptive Protection
April 22 at 12pm PST – Manage Compliance with Microsoft Purview with Microsoft 365 Copilot: Use Microsoft Purview for compliance management with Microsoft 365 Copilot. You’ll learn how to handle compliance aspects of Copilot’s AI functionalities through Purview. This session will teach you how to:
Audit Copilot interactions within Microsoft 365 using Microsoft Purview
Investigate Copilot interactions using Microsoft Purview eDiscovery
Manage Copilot data retention with Microsoft Purview Data Lifecycle Management
Monitor and mitigate risks in Copilot interactions using Microsoft Purview Communication Compliance
April 29 at 12pm PST – Identify and Mitigate AI Data Security Risks: Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorized data exposure. Learn how to configure DSPM for AI, track AI interactions, run data assessments, and apply security controls to reduce risks associated with AI usage. You will learn how to:
Explain the purpose and benefits of Microsoft Purview DSPM for AI
Set up and configure DSPM for AI to monitor AI interactions
Identify and analyze AI security risks using reports and insights
Run and review AI data assessments to detect oversharing risks
Apply security policies, such as DLP and sensitivity labels, to protect AI-referenced data
May 13 at 10am PST – Enable Advanced Protection for AI Workloads with Microsoft Defender for Cloud: As organizations use and develop AI applications, they need to address new and amplified security risks. Prepare your environment for secure AI adoption to safeguard your data and identify threats to your AI. This session will help you:
Understand how Defender for Cloud can protect AI workloads
Enable threat protection workloads for AI
Gain application and end user context for AI alerts
Register today for these new sessions. We look forward to seeing you!

If you’re unable to attend a session, don’t worry—the recordings will be made available on-demand via YouTube.

The post Explore how to secure AI by attending our Learn Live Series appeared first on Microsoft Security Blog.

So you just finished watching Microsoft Secure. That means by now, you’ve heard about our new protections for AI and Microsoft Security Copilot agents. These innovations will be the focus of Microsoft Security’s sessions and activities at RSACTM 2025 Conference (RSAC 2025).

The can’t-miss conference is just around the corner. Microsoft Security is bringing an exciting lineup of sessions, expert panels, and exclusive networking opportunities to empower security professionals in the era of AI. Our entire presence at RSAC 2025 is designed to help you boost your AI skills so you can stay ahead of threats and manage security more effectively. is designed to help you boost your AI skills so you can stay ahead of threats and manage security more effectively.

Whether you’re interested in protecting all your AI investments, AI-driven security, threat intelligence, or securing cloud environments, we’ve got something for you. To help you plan your time from Sunday, April 27 to Thursday, May 1, 2025, in San Francisco, here’s a quick and easy guide to all the key Microsoft Security moments at RSAC 2025.

📅 Microsoft Security Event Schedule at RSAC 2025

🔹 Sunday, April 27
📍 Microsoft Pre-Day | 4:00 PM – 6:00 PM | Palace Hotel

For the fourth year in a row, Microsoft Pre-Day kicks off the full lineup of Microsoft events and activities throughout RSAC 2025. We will host these at the Microsoft Security Hub at Palace Hotel, just a short walk from Moscone Center.

Hear directly from Microsoft Security leaders as they share reporting on emerging cyberthreat trends and the product innovations designed to protect against them —including. See the lineup below:

Vasu Jakkal, Corporate Vice President (CVP), Microsoft Security Business

; Charlie Bell, Executive Vice President, Microsoft Security

; Sherrod DeGrippo, Director of Threat Intelligence Strategy

Dorothy Li, Corporate Vice President (CVP), Microsoft Security Copilot

Ann Johnson, Corporate Vice President (CVP) and Deputy CISO

; Aand other Microsoft Security leaders more as they share reporting on emerging cyberthreat trends and the product innovations designed to protect against them. Register today

Register for Pre-Day today.

📍 Networking Reception | 6:00 PM – 8:30 PM | Microsoft Security Hub, Palace Hotel, Second Floor

Stick around after Microsoft Pre-Day to attend the Networking Reception—a lively evening designed to connect with the security community, engage with Microsoft leaders, and exchange ideas in a relaxed atmosphere. It’s the perfect way to kick off an inspiring week at RSAC 2025.

📍 CISO Dinner | 6:00 PM – 8:00 PM

If you’re a CISO or Security executive and you register for Microsoft Pre-Day, you’ll automatically be invited to our Security Executive Dinner hosted by our very own, Vasu Jakkal, CVP, Microsoft Security Business.

🔹 Monday, April 28 – Zeroing in on Innovation

On Monday we ease into things by focusing on what’s new all around. We’ll share lots of goodness about agents and our new innovations announced in March.

🕹️Security Gaming Demo Experience at the Microsoft Security Booth #5744 | All day, every day | Moscone Center North Expo Hall

Monday is the first day to explore the show floor. Stop by the Microsoft Security Booth #5744 in Moscone Center North Expo Hall to explore live demos, meet Microsoft Security experts, and get hands-on with the latest tools.

Challenge your cybersecurity skills! At RSAC, bBecome a defender against cyber threats in a fast-paced, interactive game. Guided by Security AI and AI Agents, yYou’ll be a part of a mission, navigatinge realistic incident response scenarios using Microsoft Security solutions, including our new AI Agents. Engage in quick skill challenges and wrap up with expert insights. Are you ready to beat the bad actors?

🎤 Keynote: Security in the Age of Agentic AI | 4:40 PM | Moscone Center (West Stage)

Agentic workflows will dramatically reshape what is possible in security. By enabling more complex problem-solving, agent collaboration, and iterative learning, agentic AI will empower a new paradigm for security that was once the domain of science fiction. Vasu Jakkal will take an imaginative look at the future of security AI agents, and the very human-driven way they will change the game.

🔑 Microsoft Sessions at RSAC 2025 | All day | Moscone Center

Our top Microsoft Security experts were chosen by RSAC to share their insights and best practices to help you level up your own security strategy. These sessions are designed for learning, not selling. So, you’ll hear more about what’s happening in the security space and less about products.

Practical Strategies for Security Architecture in a Changing World​ @ 8:30 AM – 9:20 AM

This session will delve into the core pillars of security architecture and share practical strategies that uphold foundational principles. Will discuss holistic system thinking and provide a practical playbook for navigating the complexities of security architecture while maintaining a focus on the fundamentals and essential considerations for a secure digital environment.

Speaker: Abhilasha Bhargav-Spantzel, Partner Security Architect, Microsoft

RSAC™ Innovation Sandbox @ 9:30 AM – 12:40 PM ​

Ten of cybersecurity’s boldest new innovators compete in Innovation Sandbox for the title of “Most Innovative Startup.” ISB celebrates 20 years & spotlights startups with potentially game-changing ideas. The Finalists have 3 minutes to share groundbreaking products & solutions with a panel of judges. Interact first-hand with these companies as the judges deliberate before the winner is crowned.

Speakers: Christopher Young, Executive Vice President, Business Development, Strategy and Ventures, Microsoft; David Chan, Managing Director, Morgan Stanley; Dorit Dor, Chief Technology Officer, Check Point Software Technologies; Niloofar Razi Howe, Operating Partner, Capitol Meridian Partners; Hugh Thompson, Executive Chairman & RSAC™ Conference Program Committee Chair, RSAC; Paul Kocher, Researcher, Independent Researcher; and Nasrin Rezai, SVP & CISO, Verizon

AI Era Authentication: Securing the Future with Inclusive Identity @ 1:10 PM – 2:00 PM

This session explores the security and usability risks of authentication techniques for users with diverse needs. Emergence of AI agents, a new user identity acting on our behalf, also necessitates a rethink of authentication methods. Discover AI-era authentication using sensors like location and behavior and learn about the shift from active to passive authentication with prototypes in action.

Speakers: Abhilasha Bhargav-Spantzel, Partner Security Architect, Microsoft and Aditi Shah, Senior Data & Applied Scientist, Microsoft

DPRK Remote IT Workers – Have You Hired One and Are You at Risk? @ 2:20 PM – 3:10 PM

The DPRK actively deploys remote IT workers to generate revenue for the regime while circumventing sanctions. DPRK IT workers pose risks to companies, including insider access, potential intellectual property theft, and exposure to other malicious cyber activity. This panel will discuss best practices for identifying and preventing the hiring of DPRK IT workers.

Speakers: Greg Schloemer, Senior Threat Intelligence Analyst, Microsoft; Elizabeth Pelker, Special Agent, FBI; Chris Horne, Director, Trust & Safety Intelligence & Investigations, Upwork; Adam Meyers, SVP Intelligence, CrowdStrike; and Bryan Vorndran, Assistant Director, FBI

💡 Featured Sessions | All day | Microsoft Security Hub at the Palace Hotel (Second Floor)

Here’s where we talk products. Don’t miss our deep-dive, small setting sessions happening at the Microsoft Security Hub. Build your AI cybersecurity skills as Microsoft Security experts will share what they’ve learned and provide insights you can apply in your own organization.

Harnessing Diversity – Strengthening the Cybersecurity Workforce in the Age of AI ​@ 10:30AM – 11:30AM​

Speakers: Amanda Minnich, Principal Research Manager, Microsoft; Nicole Ford VP, Customer Security Officer, Microsoft; Kyla Guru, Founder/CEO, Bits N’ Bytes Cybersecurity Education; Tanell Ford, Assistant General Counsel, Microsoft; and

Sherrod Degrippo, Directory of Threat Intelligence Strategy, Microsoft

Reshaping SecOps for the Cloud AI Era @ 10:30AM – 11:30AM​

Speaker: Scott Woodbridge, General Manager, Product Marketing, Microsoft and Corina Feuerstein, Principal Product Manager for Copilot in Defender and Sentinel

Practical use of CoPilot AutoFix to address Security Backlog @ 12:00PM – 1:30PM​

Speakers: Alexis Wales, CISO, GitHub and Marcelo Oliveira, VP, Product Management, GitHub

Executive Lunch: Scaling Compliance for Global Regulations @ ​12:00PM – 1:30PM​

Speakers: Bret Arsenault, CVP, Chief Cybersecurity Advisor, Microsoft

💻Theatre Sessions | Location: Microsoft Security Booth #5744

Theatre sessions are where the magic happens. Here’s where we talk products. These 15-20 minute informal, come-and-go sessions run all day at the Microsoft Security booth. They’re demo-heavy product showcases to help you learn how to better use the tools you’ve got now.

Identity Security in the Era of AI with Security Copilot @ 5:35PM – 5:55 PM

Security Copilot Agents: Autonomous, adaptive, with you in control @ 6:05PM – 6:25 PM

From Risk to Resilience: The Next Evolution in Multicloud Security @ 6:35 PM– 6:55PM

🏆MISA Awards| Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

It’s time to suit up in heroic attire for an epic celebration at the 6th annual Microsoft Security Excellence Awards! Just like the Avengers, assembling to save the world, we’re coming together to honor the extraordinary achievements of our MISA members who work so diligently to protect customers from external threats! Congratulations to the incredible finalists for the sixth annual Microsoft Security Excellence Awards presented by MISA!

🤝 Customer Meetings | Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

Take advantage of the opportunity to connect with Microsoft Security experts and enhance your cybersecurity knowledge. From April 28 to April 30, 2025, you customers and CISOs can schedule one-on-one meetings at the Palace Hotel to discuss your most pressing security product and threat intelligence questions. Secure your spot by visiting the Microsoft Security Experiences at RSAC 2025 Home Page.

🔹 Tuesday, April 29 – Choose Your Own Product Adventure

Tuesday is the busiest day of the conference, with lots of choices in front of you, so plan ahead.

🎤 Keynote: AI Safety: Where Do We Go From Here? | 8:30 AM | Moscone Center (West Stage)

During this keynote session, Google, Microsoft, NVIDIA, and the UK AI Safety Institute leaders come together for this blockbuster panel to explain the evolving landscape of AI safety. Attendees will gain insights into key developments in AI safety that should matter to organizations, its intersection with existing security initiatives, and time-tested approaches to translate AI safety to practice.

Speakers: Ram Shankar Siva Kumar, Data Cowboy, Microsoft; Jade Leung, Data Cowboy, Microsoft; and Daniel Rohrer, VP Software Product Security, Architecture & Research, NVIDIA

🔑 Microsoft Sessions at RSAC 2025 | All day | Moscone Center

RSAC has chosen top Microsoft Security experts to share insights and best practices, letting you learn about the latest in security without the sales pitch.

Incident Response Dilemmas: Sharing Intel Across Sectors in Critical Times​ @ 9:40 – 10:30 AM ​

An incident may be a singular event affecting one entity. What happens when it affects our critical infrastructure and has the possibility of sector-wide impact and cascading effects? How do companies share information and meet regulatory expectations? The session will dive into the work that financial services companies, the government, and cloud service providers are taking to mature IR.

Speakers: Ann Johnson, CVP & Deputy CISO, Customer Security Managment Office, Microsoft; Ted Conklin, Chief AI Officer & Deputy Assistant Secretary, US Treasury; Heather Hogsett, Senior Vice President, Deputy Head of BITS, Bank Policy Institute; and Erez Liebermann, Partner, Debevoise & Plimpton LLP

XPIA Attacks – Rethinking Defense in Depth for an AI-Powered World @1:15 – 2:05 PM​

As adversaries rapidly develop sophisticated AI attacks, the solutions also need to evolve rapidly. This panel will explore Cross/Indirect Prompt Injection Attacks (XPIA) and the need to rethink traditional defense in depth strategies. Gain insights into XPIA trends, risk analysis, and innovative solutions to protect critical infrastructure. Join for practical strategies and expert insights.

Speakers: Abhilasha Bhargav-Spantzel, Partner Security Architect, Microsoft; Aanchal Gupta, CVP, Microsoft; John Leo, Jr, Managing Director – Threat and Vulnerability Management Leader, EY; and Stefano Zanero, Professor, Politecnico di Milano

A Year(ish) of Countering Malicious Actors’ Use of AI: What Have We Learned? @ 2:25 –3:15 PM​

Artificial Intelligence has changed the game when it comes to how cyber adversaries operate, and how defenders respond. This panel will explore lessons learned from the past year of countering malicious cyber actors’ use of AI, challenges and limitations of legal actions involving AI, and what roadblocks might appear going forward as AI, and the actors who use it, continues to evolve.

Speakers: Sherrod DeGrippo, Director, Threat Intelligence Strategy, Microsoft; Morgan Adamski, Executive Director, US Cyber Command; Cynthia Kaiser, Deputy Assistant Director, FBI; and Sean Newell, Chief, National Security Cyber Section, National Security Division, Department of Justice

💡 Featured Sessions | Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

Pick your favorite Microsoft Security solution and meet the experts in a smaller group learning setting.

Defending Against Modern Threats: Enhancing Endpoint Security and IT Resilience @ 8:00AM – 9:30AM

Speaker: Archana Devi Sunder Rajan, Partner Group Product Manager, Microsoft and Peter M. Thompson, Principal PM Manager, Microsoft

Secure and Govern AI to safeguard your data, reduce risks, and support compliance @ ​10:30AM – 11:30AM​

Speakers: Herain Oberoi, GM, Data & AI Security, Microsoft; Rudra Mitra, Corporate Vice President, Microsoft Purview; and Neta Haiby, Director of AI Security, Microsoft

Microsoft Security Copilot @ 12:00PM – 1:30PM

Speaker: Dorothy Li, CVP, Microsoft Security Copilot & Marketplace

Secure Future Initiative Executive Lunch​ @12:00PM-1:30PM​

Speakers: Vasu Jakkal, CVP Microsoft Security

Secure your data in the era of AI with Microsoft Purview @ 2:30PM – 3:30PM

Speakers: Talhah Mir, Principal Group Product Manager, Microsoft Purview and Maithili Dandige, Partner Group Product Manager, Microsoft Purview

​AI and Automation Panel: The Startup Innovation for Enterprise Resilience – moderated by FC @ 2:30PM – 3:30PM

**Attendees will have the opportunity to receive a copy of FC’s book, How I Rob Banks, and the chance to have it signed by the author at the end of the session. Speakers: Kevin Magee, Director Cybersecurity Startups, Microsoft for Startups; FC, Co-founder & CEO, Cygenta; Shane Coleman, Chief Data Security Evangelist; Christ “Tito” Sestito, CEO, HiddenLayer; Ravid Circus, Co-founder & CPO, Seemplicity; and Jeremy Vaughan, CEO, Start Left Security

💻Theatre Sessions | Location: Microsoft Security Booth #5744

Stop by the Microsoft Security booth to catch a short demo of your favorite product.

See Beyond Silos and Protect Better with Microsoft Security Exposure Management @11:00 AM –11:20 AM

Accelerate your Zero Trust journey with the Microsoft Entra Suite @11:30 AM – 11:50 AM

Automating Vulnerability Management: The Power of “Endpoint Vulnerability Remediation Agent” in Microsoft Intune @12:00 PM – 12:20 PM

From Risk to Resilience: The Next Evolution in Multicloud Security @12:30 PM – 12:50 PM

Accelerating post-breach deep content analysis and mitigation with Microsoft Purview @ 1:00 PM – 1:20 PM

Microsoft Sentinel Uncovered: Advanced Capabilities to Transform the SOC @ 1:30 PM – 1:50 PM

Protect AI Workloads from Code to Runtime with Microsoft Defender for Cloud @ 2:00 PM – 2:20 PM

Security Copilot Agents: Autonomous, adaptive, with you in control @ 2:30 PM – 2:50 PM

Unified SecOps: Defending Critical Infrastructure with Microsoft Defender @ 3:00 PM – 3:20 PM

Be Fast as Lighting: Automate Microsoft Defender XDR and Microsoft Sentinel Service Delivery @ 3:30 PM – 3:50 PM

Mastering Cloud Threats: Detect, Investigate, and Respond in real-time with Microsoft Defender for Cloud and Defender XDR integration @ 4:00 PM – 4:20 PM

Practical Strategies for Securing AI-Driven Data: Enhancing Cyber Resilience and Insider Risk Management @ 4:30 PM – 4:50PM

Secure and govern access to GenAI apps with the Microsoft Entra Suite @5:00 PM – 5:20 PM

Bolster your SOC with Microsoft’s Managed Extended Detection and Response (MXDR) @ 5:30 PM – 5:50PM

🥳 Networking and Fun | Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

Now for the fun stuff.

Secure & Sip: DevOps Edition @ 4:30PM – 6:30PM

Speaker: Alexis Wales, CISO, GitHub

Gather with GitHub’s security leaders and experts for meaningful conversations, thoughtfully crafted cocktails, and a custom ramen bar to round out your first day at RSA.

Karaoke Party​ @ 8:00PM – 11:00PM​ | Security Hub at the Palace Hotel

Join us for an unforgettable Microsoft Security Karaoke Party hosted by Vasu Jakkal at RSAC! Known for her enthusiasm and leadership, Vasu will grace the karaoke stage along with Microsoft Security leaders, product experts, and customers. This is a fantastic opportunity for networking and celebrating the dynamic security community. Register now to secure your spot and get ready for a night of music, laughter, and great company!

🤝 Customer Meetings | Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

Day 2 of meetings with Microsoft Security experts continues. Customers and CISOs Ssecure your spot by visiting the Microsoft Security Experiences at RSAC 2025 Home Page. [Insert link – https://MicrosoftSecurityEvents.eventbuilder.com/MicrosoftRSAC2025events?source=blog_techcomm]

🔹 Wednesday, April 30

Wednesday is your last chance to get hands-on with Microsoft Security solutions and ask questions at the Hub and booth and in 1:1 meetings.

🔑 Microsoft Sessions at RSAC 2025 | Location: Moscone Center

IMO, we saved the best for last.

Guardians of the Cyber Galaxy: Allies Against AI-Powered Cybercrime​ @ 8:30 – 9:20 AM

​AI is revolutionizing cybercrime, putting traditional defenses to the test. Expert panelists unite to detail innovative public-private strategies and real-world case studies from their experience in INTERPOL, the FBI, Microsoft, and the Privacy & Cybersecurity Group of an international law firm. Gain actionable insights to protect the global community and fortify cybersecurity defenses.

Speakers: Sean Farrell, Lead Counsel, AI Strategy, Digital Crimes Unit, Microsoft Corporation; Garylene Javier, Privacy & Cybersecurity Counsel, Crowell & Moring LLP; Craig Jones, Immediate Past Director Cybercrime, INTERPOL; and Andrew Sczygielski, Supervisory Special Agent, Federal Bureau of Investigation

Green and Sustainable AI for Cybersecurity​ @1:15 – 2:05 PM​

The session will consider the carbon cost of AI and analytics. It will focus on the estimated energy and carbon costs of many cybersecurity use cases and approaches that can be taken to build more sustainable solutions. This will be illustrated through the use of a threat hunting and detection analytical solution and how that could be designed to be most power efficient.

Speakers: Lesley Kipling, Chief Security Advisor, Microsoft and Sian John, CTO, NCC Group

Scaling AppSec With an SDLC for Citizen Development​ @ 1:15 – 2:05 PM​

AppSec programs are difficult. Filled to the brim with vulnerabilities. Overloaded staff and inadequate budget. The common “solution” is to narrow scope and focus on crown jewels and their devs. Increasing the scope to 100x devs and 1000x apps surprisingly worked, resulting in program remediation of >50K vulnerabilities in 3 months. 18K of them in a single night. This session will show how.

Speakers: Ryan McDonald, Principal Program Manager, Microsoft and Michael Bargury, Co-Founder & CTO, Zenity

💡 Featured Sessions | Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

Don’t miss the final few Microsoft Security focused sessions at our Hub.

Threat intelligence trends and insights panel: Exclusive briefing from Microsoft Threat Intelligence @10:30AM – 11:30AM​

Speakers: Sherrod De Grippo, Director of Threat Intelligence Strategy, Microsoft; Jeremy Dallman, Senior Director of Security Research in Microsoft Threat Intelligence; and Steven Masada, Assistant General Counsel, DCU

Secure access for your employees with Entra Suite @ ​10:30AM – 11:30AM​

Speakers: Irina Nechaeva, General Manager, Identity and Network Access

Securing the AI Powered Enterprise Executive Panel Lunch @​12:00PM – 1:30PM​

Speakers: Bret Arsenault, Chief Cybersecurity Advisor, Microsoft; Brandon Dixon, Partner Product Manager, Security AI Strategy, Microsoft; Manny Sahota, Director, Global Cloud Privacy, Microsoft; Herain Oberoi, General Manager, Data Security, Governance, Compliance, Privacy Business and Marketing, Microsoft; and Sarah Bird, Chief Product Officer of Responsible AI, Microsoft

💻Theatre Sessions | Location: Microsoft Security Booth #5744

Don’t miss your chance to see demos and ask questions casually at the booth.

Make Windows endpoints more secure and prevent downtime @11:00 AM – 11:20 AM

Unlocking Opportunities: A Guide to Partnering with Microsoft @11:30 AM – 11:50 AM

EY Security Copilot Empowered Solutions @12:00 PM – 12:20 PM

Microsoft Security Copilot: Protect at the speed and scale of AI @12:30 PM – 12:50 PM

Phishing-Resistant Authentication, Trusted Onboarding & Recovery @ 1:00 PM – 1:20 PM

Building a multi-layered approach to data security SOC @ 1:30 PM – 1:50 PM

Secure your email and collaboration tools against sophisticated cyber attacks @ 2:00 PM – 2:20 PM

The latest intelligence on North Korean remote IT workers @ 2:30 PM – 2:50 PM

Secure and govern M365 Copilot with Microsoft Purview @ 3:00 PM – 3:20 PM

Proactively Mitigate Risks with Microsoft Security Exposure Management @ 3:30 PM – 3:50 PM

Windows 365: The security of Windows, the scale of the cloud@ 4:00 PM – 4:20 PM

Shift your SOC from manual incident response to automatic attack disruption @ 4:30 PM –4:50PM

A Look Inside Microsoft’s Secure Future Initiative: Progress, Innovations, and Best Practices @ 5:00 PM – 5:20 PM

Simplifying Data Security for the Modern Network with Microsoft Purview and Netskope One @ 5:30 PM – 5:50 PM

🤝 Customer Meetings | Location: Microsoft Security Hub at the Palace Hotel (Second Floor)

It’s your customers and CISOs final chance to ask your questions and give your suggestions directly to Microsoft Security experts. Book your meeting here: Microsoft Security Experiences at RSAC 2025 Home Page.

🔹 Thursday, May 1

We’re wrapping up the conference with a Post-Day event designed for security leaders.

🔑 Microsoft Sessions at RSAC | Location: Moscone Center

Last but certainly not least.

Shaping Cybersecurity: How Regulation Shapes Operational Cyber Defense​ @ 10:50 – 11:40AM​

In 2024, elections and growing cyberthreats pushed cybersecurity to the forefront of government priorities. The panel will explore governments’ efforts to strengthen cybersecurity and resilience through regulation, the impact on operational cyber defense, and discuss where greater alignment is possible. Attendees will gain an understanding of the quickly evolving global regulatory landscape.

Speakers: Ted Maurer, Senior Director, Global Cybersecurity Policy, Microsoft; Christiane Kirketerp de Viron, Director for Digital Society, Trust & Cybersecurity, DG Connect, European Commission; Ari Schwartz, Managing Director, Cybersecurity Services, Venable LLP; Josephine Wolff, Associate Professor of Cybersecurity Policy, Tufts University, The Fletcher School; and Florian Schütz, Director, NCSC – National Cybersecurity Centre

Taking the Fight Upstream: Pursuing Systemic Defense Against Phishing​ @12:20 – 11:10 PM​

Three decades into the public internet, cybercrime is booming and phishing remains a key vector. With AI-enhanced attacks rising, common users are increasingly ill-equipped to defend themselves. What can be done upstream to protect society? This session explores systemic defense strategies across the ICT ecosystem that hold the potential for significant ecosystem-wide impact. Speakers: Kelly Bissell, CVP Security & Fraud, Microsoft; Tal Goldstein, Head of Strategy, World Economic Forum Centre for Cybersecurity; Steven Kelly, Chief Trust Officer, Institute for Security and Technology; and Kemba Walden, President, Paladin Global Institute, Paladin Capital Group

Fraud, Risk, Hollywood & Government—A Strategy for AI Across Industry @12:20 – 11:10 PM

​Dive into the high-stakes world of AI as the experts in this session unravel AI’s game-changing roles in Hollywood, government, and finance. Experience firsthand revolutionary strategies, ethical showdowns, and futuristic trends set to redefine industry landscapes. Get ready for a session that’s as dynamic and ambitious as a Hollywood blockbuster!

Speakers: Vishal Amin, GM, National Security Group, Security; Gurpreet Bhatia, Acting Deputy CIO for Cybersecurity, Acting CISO, DOD; David Mahdi, CIO, Transmit Security; and Scott Mann, Film Director & Co-Founder/Co-CEO, Flawless

Generative AI Meets Identity Governance: Automating the Overlooked​ @ 1:30 – 2:20 PM​

Identity governance is often the last thing to be implemented and rarely gets the attention it deserves due to its complexity. This session will explore how Generative AI agents can help overcome this by automating critical but often deprioritized tasks like role mining and identity lifecycle management, particularly addressing the challenges of managing ‘movers’ within organizations.

Speakers: Angelica Faber, Sr Security Architect, Microsoft and Wesley Kuzma, Architect Manager, Microsoft

💻Theatre Sessions | Location: Microsoft Security Booth #5744

Catch the last day of theater sessions.

How Enterprises will Continue to Learn from Open Source @11:00 AM – 11:20 AM

Creating Bespoke Identity Governance Solutions with Microsoft Entra Suite @11:30 AM – 11:50 AM

Identity-first security: Using an event-based approach for threat remediation @ 12:00 PM – 12:20 PM

Securing and governing Agents built-in Microsoft Copilot Studio @ 12:30 PM – 12:50 PM

Azure Platform Security in an Evolving Threat Landscape @ 1:00 PM – 1:20 PM

🔚 Post-Day Forum | Location: Microsoft Silicon Valley Experience Center

After the main conference oOn Thursday, May 1, 2025, join us at the Microsoft Security Post-Day Forum at the Microsoft Experience Center in Silicon Valley. Hosted by Microsoft Security business leader Janice Le, this exclusive event will explore key topics like securing AI, the Secure Future Initiative, and insights on Security Copilot. It’s a unique opportunity to engage with industry leaders, dive deeper into discussions inspired by the week’s events, and help shape the future of AI-driven security. Complimentary transportation will be available between San Francisco and the venue, with pick-up starting at 7:30 AM PT from the Palace Hotel and drop-off concluding at Moscone Center by 2:00 PM PT. Register now.

🎯 How to Make the Most of Microsoft Security at RSAC 2025

✅ Plan Ahead: Bookmark this blog to easily find the things that interest you the most.

✅ Visit the Booth: Engage with our security experts, experience live demos, and grab some swag.

✅ Follow Along Online: Stay updated by following Microsoft Security on LinkedIn and X.

✅ Book a Meeting: Want to connect 1:1 with a Microsoft Security expert? Customers and CISOs can Ssecure your spot by visiting the Microsoft Security Experiences at RSAC 2025 Home Page.

See you at RSAC 2025!

The post The ultimate guide to Microsoft Security at RSAC 2025  appeared first on Microsoft Security Blog.

Threat actors have consistently relied on outdated or misconfigured assets, exploiting vulnerabilities that enable them to gain a persistent foothold inside the target. For instance, in the case of Exchange Server, ProxyShell and ProxyNotShell vulnerabilities were widely exploited in attacks long after they were fixed by security updates in 2021 and 2022, respectively. In these attacks, threat actors abused a combination of server-side request forgery (SSRF) and privilege escalation flaws, allowing remote code execution. Successful compromise enabled threat actors to drop web shells, conduct lateral movement, and exfiltrate sensitive data, often evading detection for extended periods. More recently, attackers have shifted to NTLM relay and credential leakage techniques. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Attackers exploit NTLM authentication by relaying credentials to a vulnerable server, potentially resulting in target account compromise. Microsoft has released mitigation guidance against NTLM relay attacks.

SharePoint Server has also been a consistent target for attackers exploiting critical vulnerabilities to gain persistent and privileged access inside the target. In recent attacks, stealthy persistence tactics, such as replacing or appending web shell code into existing files like signout.aspx, installing remote monitoring and management (RMM) tools for broader access, and other malicious activities were observed.

While cloud-based software offers some inherent security advantages in software updates and high availability, some organizations’ requirements mean they need to run on-premises Exchange and SharePoint implementations. As cyber threats continue to grow in sophistication, it has never been more important to ensure that the on-premises infrastructure remains secure. This AMSI integration on SharePoint Server and Exchange Server becomes especially important when attackers attempt to exploit security vulnerabilities, particularly zero-days. With AMSI integrated, these malicious attempts are detected and blocked in real-time, offering a critical defense mechanism while organizations work on installing official patches and updates. AMSI detections are surfaced on the Microsoft Defender portal, enabling SecOps teams to investigate, correlate with other malicious activity in the environment, and remediate.

In this blog post, we discuss different types of attacks targeting Exchange and SharePoint, and demonstrate how AMSI is helping organizations protect against these attacks. We also share mitigation and protection guidance, as well as detection details and hunting queries.

AMSI integration

In both SharePoint Server and Exchange Server, AMSI is integrated as a security filter module within the IIS pipeline to inspect incoming HTTP requests before they are processed by the application. The filter is triggered at the onBeginRequest stage through the SPRequesterFilteringModule for SharePoint Server and HttpRequestFilteringModule for Exchange Server, allowing it to analyze incoming requests before they reach authentication and authorization phases. This integration ensures that potential threats are identified before they interact with internal processing, mitigating the risk of exploitation. On detecting a malicious request, the application returns a HTTP 400 Bad Request response.

Extending AMSI with request body scan

When AMSI was first integrated, it provided an important layer of defense by scanning incoming request headers. This was crucial for identifying malicious activity, particularly SSRF attempts. However, many modern attacks are now embedded within request bodies, rather than just in the headers. This meant that header-only scans were no longer enough to catch the full range of sophisticated threats.

To address this emerging risk, we added newer improvements in both products. The Exchange Server November release extended capabilities to include scanning of request bodies, ensuring broader protection. A similar improvement is added to SharePoint Server currently in public preview. These enhanced security controls are not enabled by default, making it crucial for organizations to assess for stronger protection.

Microsoft recommends evaluating and enabling these extended options for better protection and visibility. These enhancements are especially important for detecting and mitigating remote code execution vulnerabilities and particularly post-authentication vulnerabilities where SSRF may not be needed. The introduction of request body scanning is a critical step in our commitment to protect these crown jewels against more sophisticated, evasive threats. With the ability to inspect the full content of incoming requests, AMSI now detects a wider range of malicious activities.

Attacks targeting Exchange and SharePoint servers

SSRF exploitation

Server-side request forgery (SSRF) can allow attackers to make unauthorized requests on behalf of the server, potentially accessing internal services, metadata endpoints, or even escalating privileges. Attackers can exploit SSRF to bypass authentication mechanisms by leveraging internal API calls. Additionally, by chaining SSRF with additional flaws, attackers could gain unauthorized access to the backend and perform arbitrary remote code execution within the environment.

One example is CVE-2023-29357, a critical authentication bypass vulnerability in SharePoint Server. This flaw allowed attackers to bypass authentication and gain elevated privileges by exploiting improper validation of security tokens. In attacks, this was combined with another vulnerability, CVE-2023-24955, to achieve unauthenticated remote code execution on vulnerable SharePoint servers.

Another example is CVE-2022-41040, an AutoDiscover SSRF vulnerability in Exchange Server. By targeting AutoDiscover, attackers exploited the trust relationships within Exchange to impersonate users and trigger backend functionality that normally requires authentication, laying the groundwork for remote code execution.

AMSI acted as first layer of defense against these incidents, protecting customers against thousands of SSRF attempts observed on a daily basis, thereby breaking the exploitation chain.

Suspicious access indicative of web shell interaction

In many intrusions, attackers drop web shells into public-facing directories. In one such Exchange server compromise, AMSI logged a suspicious .aspx file interaction. This was highlighted by Microsoft Defender for Endpoint simply because there is no .aspx file by that name in the said folder path:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\.

Attackers often rename web shells to legitimate filenames seen in different folder to avoid suspicion. In this case, the filename getidtoken is a default shipped file but with .htm extension.

Similar stealthy activities have also been observed for SharePoint. In one case, the attackers modified the legitimate signout.aspx file by appending web shell code. This allowed attackers to create a stealthy backdoor and maintain persistence without raising suspicion.

AMSI acts as a real-time inspection and defense layer similar to a web application firewall (WAF) and plays a critical role in detecting and responding to active compromises. AMSI inspects incoming requests, captures malicious web shell interactions, and logs them for analysis. This level of visibility enables Microsoft Defender for Endpoint to pinpoint the exact location of malicious files on disk, such as within Exchange’s Outlook Web Application (OWA), where attackers commonly stage web shells. By correlating AMSI network logs with suspicious activity, Microsoft Defender for Endpoint can locate and remove previously undetected files, effectively cleaning the infected server and mitigating further damage. Importantly, this capability provides durable protection, allowing defenders to monitor and react to threats even in post-compromise scenarios.

Suspicious mailbox access through Exchange Web Services (EWS) abuse

Exchange Web Services (EWS) is a core component of Microsoft Exchange that allows programmatic access to mailboxes through SOAP-based APIs. While this is critical for legitimate operations such as Outlook integration, mobile sync, and third-party app, the service is also widely abused by threat actors. Notably, in incidents like CVE-2023-23397, EWS was used post-compromise to search mailboxes for sensitive content and exfiltrate emails over HTTPS, blending in with legitimate traffic.

Attackers leverage EWS’s deep access to perform mailbox searches, download entire inboxes, and set up hidden forwarding rules, often using stolen credentials or after gaining a foothold via another Exchange vulnerability. Attackers commonly abuse EWS APIs — GetFolder, FindItem, and GetItem — to stealthily search and exfiltrate sensitive emails from compromised mailboxes. GetFolder API maps the mailbox structure, which can be used to identify key folders like Inbox and Sent Items. FindItem API allows searching for emails containing specific keywords or supplied datetime filter to retrieve relevant results. Finally, GetItem API is used to view full email contents and attachments.

This API-driven abuse technique blends in with legitimate EWS traffic, making detection challenging without deep content inspection. AMSI addresses this with request body scanning, which enables real-time detection of suspicious search patterns, abnormal access, and targeted email theft. Below is a sequence of suspicious SOAP calls logged by AMSI when attackers attempt to exfiltrate emails.

Insecure deserialization leading to RCE

The PowerShell application pool is a privileged component that handles remote PowerShell sessions in Exchange, typically invoked by Exchange Control Panel (ECP) or Exchange Management Shell (EMS). It runs under SYSTEM or high-privileged service accounts, making it a prime target for misuse. After gaining access to backend PowerShell endpoints, attackers can pass crafted cmdlets and arguments that trigger operations such as arbitrary file writes and command execution. This method has been observed in major incidents like ProxyShell and ProxyNotShell, where attackers execute system-level commands via crafted PowerShell requests.

A common pattern seen in these attacks is the use of legitimate management cmdlets like Get-Mailbox, New-MailboxExportRequest, or Set- commands, but with crafted arguments or malicious serialization payloads that trigger code execution in the backend. AMSI now has complete visibility into all the backend PowerShell commands along with the passed arguments to inspect the request buffer for any suspicious API calls such as Process.Start, various file write APIs and Assembly.load.

Web control abuse

Exploitation of vulnerabilities like CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023 exemplify attacks that abuse Site owner privileges to execute arbitrary code on the SharePoint server. The exploitation leverages the Business Data Connectivity (BDC) feature and malicious use of the BDCMetadata.bdcm file. This XML-based file defines connections to external data sources but could be abused to reference dangerous .NET classes and methods. Once the malicious .bdcm file is uploaded and registered in SharePoint’s BDC service (using site owner permissions), the attacker can trigger execution by creating an External List or web part that interacts with the BDC model. SharePoint processes this model and reflectively loads and executes the specified method, leading to RCE as the SharePoint service account, which typically has high privileges. With body scan enabled, the complete payload is available for inspection and surfaces LobSystem type as DotNetAssembly hinting at code execution. AMSI’s deep integration enables visibility into the malicious Base64 buffer, which Microsoft Defender for Endpoint leverages to detect and block code execution attempts.

Mitigation and protection guidance

As these attacks show, SharePoint and Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive techniques. Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take:

• Activate AMSI on Exchange Server and SharePoint Server. AMSI is a versatile standard that allows applications and services to integrate with any AMSI-capable anti-malware product present on a device. Starting with SharePoint Server Subscription Edition Version 25H1, AMSI extends its scanning capabilities to include the bodies of HTTP requests. The Exchange AMSI body scanning feature was introduced with the Exchange Server November 2024 Security Update (SU). Microsoft recommends updating Exchange Server and SharePoint Server to these versions or later to take advantage of the new improved body scanning feature. This request body scan feature is critical for detecting and mitigating threats that may be embedded in request payloads, providing a more comprehensive security solution. Check prerequisites and learn how to configure AMSI in the following resources:
  • AMSI integration with Exchange Server
  • Configure AMSI integration with SharePoint Server
• Apply the latest security updates. Identify and remediate vulnerabilities or misconfigurations in Exchange and SharePoint Server. Deploy the latest security updates as soon as they become available. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.
• Keep antivirus and other protections enabled. It’s critical to protect SharePoint and Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services. If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.
• Review sensitive roles and groups. Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange/SharePoint -specific anomalies, review the list of users in sensitive roles.
• Restrict access. Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and Enable MFA. Use tools like LAPS.
• Prioritize alerts. The distinctive patterns of SharePoint and Exchange server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Public facing application pools are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and powershell.exe originating from these pools or w3wp.exe in general.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats on SharePoint Server as the following malware:

• Exploit:Script/SPLobSystemRCE.A
• Exploit:Script/SPLobSystemRCE.B
• Exploit:Script/SPAuthBypass.A

Microsoft Defender Antivirus detects threats on Exchange Server as the following malware:

• Exploit:Script/SuspMailboxSearchEWS.A
• Exploit:Script/SuspExchgSession.D
• Exploit:Script/ExchgProxyRequest

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might indicate activity related to this threats discussed in this blog. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Possible web shell installation
• Possible IIS web shell
• Suspicious processes indicative of a web shell
• Possible IIS compromise
• Suspicious Exchange Process Execution 
• Possible exploitation of Exchange Server vulnerabilities

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used by the threats discussed in this blog:

CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2022-41040, CVE-2022-41082, CVE-2019-0604, CVE-2024-21413, CVE-2023-23397, CVE-2023-36563, CVE-2023-29357, CVE-2023-24955, CVE-2024-38094, CVE-2024-38024, CVE-2024-38023

Microsoft Security Exposure Management

Microsoft Security Exposure Management (MSEM) provides enhanced visibility for important assets by offering customers predefined classification logics for high-value assets. This includes both managed (Microsoft Defender for Endpoint-onboarded) and unmanaged Exchange servers.

Customers can review the device inventory and the critical classification library to identify Exchange servers and consider applying the new security settings on them.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Processes run by the IIS worker process

Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance.

DeviceProcessEvents
| where InitiatingProcessFileName == 'w3wp.exe'
| where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "SharePoint"
| where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe")
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Chopper web shell command line

Chopper is one of the most widespread web shells targeting SharePoint and Exchange servers. Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe" and FileName == "cmd.exe"
| where ProcessCommandLine has "&cd&echo"

Suspicious files in SharePoint or Exchange directories

DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "\\FrontEnd\\HttpProxy\\" or FolderPath has "\\TEMPLATE\\LAYOUTS\\ " or FolderPath has "\\aspnet_client\\"
| where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "Sharepoint"
| project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

• Exchange OAB virtual directory attribute containing potential web shell 
• Web shell activity 
• Malicious web application requests linked with Microsoft Defender for Endpoint alerts 
• Exchange IIS worker dropping web shell 
• Web shell detection
• Detect MailSniper Activity 

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI appeared first on Microsoft Security Blog.

The evolution of ransomware attacks

Modern ransomware campaigns are meticulously planned. Cyberattackers understand that their chances of securing a ransom increase significantly if they can inflict widespread damage across a victim’s environment. The rationale is simple: paying the ransom becomes the most viable option when the alternative—restoring the environment and recovering data—is technically unfeasible, time-consuming, and costly.

This level of damage happens in minutes and even seconds, where bad actors embed themselves within an organization’s environment, laying the groundwork for a coordinated cyberattack that can encrypt dozens, hundreds, or even thousands of devices within minutes. To execute such a campaign, threat actors must overcome several challenges such as evading protection, mapping the network, maintaining their code execution ability, and preserving persistency in the environment, building their way to securing two major prerequisites necessary to execute ransomware on multiple devices simultaneously:

• High-privilege accounts: Whether cyberattackers choose to drop files and encrypt the devices locally or perform remote operations over the network, they must obtain the ability to authenticate to a device. In an on-premises environment, cyberattackers usually target domain admin accounts or other high-privilege accounts, as those can authenticate to the most critical resources in the environment.
• Access to central network assets: To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints. Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.

The role of domain controllers in ransomware campaigns

Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD). They play a pivotal role in enabling cyberattackers to achieve their goals by fulfilling two critical requirements:

1. Compromising highly privileged accounts

Domain controllers house the AD database, which contains sensitive information about all user accounts, including highly privileged accounts like domain admins. By compromising a domain controller, threat actors can:

• Extract password hashes: Dumping the NTDS.dit file allows cyberattackers to obtain password hashes for every user account.
• Create and elevate privileged accounts: Cyberattackers can generate new accounts or manipulate existing ones, assigning them elevated permissions, ensuring continued control over the environment.

With these capabilities, cyberattackers can authenticate as highly privileged users, facilitating lateral movement across the network. This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack.

2. Exploiting centralized network access

Domain controllers handle crucial tasks like authenticating users and devices, managing user accounts and policies, and keeping the AD database consistent across the network. Because of these important roles, many devices need to interact with domain controllers regularly to ensure security, efficient resource management, and operational continuity. That’s why domain controllers need to be central in the network and accessible to many endpoints, making them a prime target for cyberattackers looking to cause maximum damage with ransomware attacks.

Given these factors, it’s no surprise that domain controllers are frequently at the center of ransomware operations. Cyberattackers consistently target them to gain privileged access, move laterally, and rapidly deploy ransomware across an environment. We’ve seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader device—the system responsible for distributing ransomware at scale—is a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption.

Case study: Ransomware attack using a compromised domain controller

In one notable case, a small-medium manufacturer fell victim to a well-known, highly skilled threat actor, commonly identified as Storm-0300, attempting to execute a widespread ransomware attack:

Pre domain-compromise activity

After gaining initial access, presumably through leveraging the customer’s VPN infrastructure, and prior to obtaining domain admin privileges, the cyberattackers initiated a series of actions focused on mapping potential assets and escalating privileges. A wide, remote execution of secrets dump is detected on Microsoft Defender for Endpoint-onboarded devices and User 1 (domain user) is contained by attack disruption.

Post domain-compromise activity

Once securing domain admin (User 2) credentials, potentially through leveraging the victim’s non-onboarded estate, the attacker immediately attempts to connect to the victim’s domain controller (DC1) using Remote Desktop Protocol (RDP) from the cyberattacker’s controlled device. When gaining access to DC1, the cyberattacker leverages the device to perform the following set of actions:

• Reconnaissance—The cyberattacker leverages the domain controller’s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.
• Defense evasion—Leveraging the domain controller’s native group policy functionality, the cyberattacker attempts to tamper with the victim’s antivirus by modifying security-related group policy settings.
• Persistence—The cyberattacker leverages the direct access to Active Directory, creating new domain users (User 3 and User 4) and adding them to the domain admin group, thus establishing a set of highly privileged users that would later on be used to execute the ransomware attack.

Encryption over the network

Once the cyberattacker takes control over a set of highly privileged users, this provides them access to any domain-joined resource, including comprehensive network access and visibility. It will also allow them to set up tools for the encryption phase of the cyberattack.

Assuming they’re able to validate a domain controller’s effectiveness, they begin by running the payload locally on the domain controller. Attack disruption detects the threat actor’s attempt to run the payload and contains User 2, User 3, and the cyberattacker-controlled device used to RDP to the domain controller.

After successfully containing Users 2 and 3, the cyberattacker proceeded to log in to the domain controller using User 4, who had not yet been utilized. After logging into the device, the cyberattacker attempted to encrypt numerous devices over the network from the domain controller, leveraging the access provided by User 4.

Attack disruption detects the initiation of encryption over the network and automatically granularly contains device DC1 and User 4, blocking the attempted remote encryption on all Microsoft Defender for Endpoint-onboarded and targeted devices.

Protecting your domain controllers

Given the central role of domain controllers in ransomware attacks, protecting them is critical to preventing large-scale damage. However, securing domain controllers is particularly challenging due to their fundamental role in network operations. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment. This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality.

To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint’s capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device. The ability of the domain controller to distinguish between malicious and benign behavior helps keep essential authentication and directory services up and running. This approach provides rapid, automated cyberattack containment without sacrificing business continuity, allowing organizations to stay resilient against sophisticated human-operated cyberthreats.

Now your organization’s domain controllers can leverage automatic attack disruption as an extra line of defense against malicious actors trying to overtake high value assets and exert costly ransomware attacks.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities:

• Learn more about Microsoft Defender for Endpoint.
• Read about the new containment features.
• Learn how attack disruption safeguards your domain controllers in this video.
• Check out our latest infographic.
• Read about automatic attack disruption.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Average cost per data breach in the United States 2006-2024, Ani Petrosyan. October 10, 2024.

The post How cyberattackers exploit domain controllers using ransomware appeared first on Microsoft Security Blog.

In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware. Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment. Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.

This blog details Microsoft’s analysis of the observed CLFS exploit and related activity targeting our customers. This information is shared with our customers and industry partners to improve detection of these attacks and encourage rapid patching or other mitigations, as appropriate. A more comprehensive recommendations section, with indicators of compromise and detection details can be found at the end of the blog post.

CVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)

The exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel driver. Successful exploitation allows an attacker running as a standard user account to escalate privileges. The vulnerability is tracked as CVE-2025-29824 and was fixed on April 8, 2025.

Pre-exploitation activity

While Microsoft hasn’t determined the initial access vectors that led to the devices being compromised, there are some notable pre-exploitation behaviors by Storm-2460. In multiple cases, the threat actor used the certutil utility to download a file from a legitimate third-party website that was previously compromised to host the threat actor’s malware.

The downloaded file was a malicious MSBuild file, a technique described here, that carried an encrypted malware payload. Once the payload was decrypted and executed via the EnumCalendarInfoA API callback, the malware was found to be PipeMagic, which Kaspersky documented in October 2024. Researchers at ESET have also observed the use of PipeMagic in 2023 in connection with the deployment of a zero-day exploit for a Win32k vulnerability assigned CVE-2025-24983. A domain used by the PipeMagic sample was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled by Microsoft.

CLFS exploit activity

Following PipeMagic deployment, the attackers launched the CLFS exploit in memory from a dllhost.exe process.

The exploit targets a vulnerability in the CLFS kernel driver. It’s notable that the exploit first uses the NtQuerySystemInformation API to leak kernel addresses to user mode. However, beginning in Windows 11, version 24H2, access to certain System Information Classes within NtQuerySystemInformation became available only to users with SeDebugPrivilege, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows 11, version 24H2, even if the vulnerability was present.

The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.

As part of the exploitation, a CLFS BLF file with the following path is created by the exploit’s dllhost.exe process: C:\ProgramData\SkyPDF\PDUDrv.blf.

Post-exploitation activity leads to ransomware activity

Upon successful exploitation, a payload is injected into winlogon.exe. This payload then injected the Sysinternals procdump.exe tool into another dllhost.exe and ran it with the following command line:

C:\Windows\system32\dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\[random letters].

Having done this, the actor was able to dump the memory of LSASS and parse it to obtain user credentials.

Then, Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a ransom note with the name !_READ_ME_REXX2_!.txt was dropped. Microsoft is tracking activity associated with this ransomware as Storm-2460.

Although we weren’t able to obtain a sample of ransomware for analysis, we’re including some notable events surrounding the activity to better help defenders:

• Two .onion domains have been seen in the !_READ_ME_REXX2_!.txt ransom notes
  • jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion which has been tied to the RansomEXX ransomware family
  • uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion
• The ransomware is launched from dllhost.exe with the command line:

--do [path_to_ransom] (for example, C:\Windows\system32\dllhost.exe --do C:\foobar)

• The file extension on the encrypted files is random per device, but the same for every file
• Some typical ransomware commands that make recovery or analysis harder are executed, including:
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet
  • wevtutil cl Application
• In one observed case the actor spawned notepad.exe as SYSTEM

Mitigation and protection guidance

Microsoft released security updates to address CVE 2025-29824 on April 8, 2025. Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even if the vulnerability was present. Microsoft urges customers to apply these updates as soon as possible.

Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:

• Refer to our blog Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself for robust measures to defend against ransomware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. Ransomware attackers often identify unmanaged or legacy systems and use these blind spots to stage attacks.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
• Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
• Use advanced protection against ransomware

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats associated with this activity as the following malware:

• SilverBasket (Win64/Windows)
• MSBuildInlineTaskLoader.C (Script/Windows)
• SuspClfsAccess (Win32/Windows)

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• A process was injected with potentially malicious code
• Potential Windows DLL process injection
• Suspicious access to LSASS service
• Sensitive credential memory read
• Suspicious process injection observed
• File backups were deleted
• Ransomware behavior detected in the file system

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Search for devices having CVE-2025-29814 exposure

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-29814")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Detect CLFS BLF file creation after exploitation of CVE 2025-29824

DeviceFileEvents 
| where FolderPath has "C:\\ProgramData\\SkyPDF\\" and FileName endswith ".blf"

LSSASS process dumping activity

SecurityEvent 
  | where EventID == 4688
  | where CommandLine has("dllhost.exe -accepteula -r -ma lsass.exe") 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer

Ransomware process activity

let cmdlines = dynamic(["C:\\Windows\\system32\\dllhost.exe --do","bcdedit /set {default} recoveryenabled no","wbadmin delete catalog -quiet","wevtutil cl Application"]);
DeviceProcessEvents 
| where ProcessCommandLine has_any (cmdlines)
| project TimeGenerated, DeviceName, ProcessCommandLine, AccountDomain, AccountName

PipeMagic and RansomEXX fansomware domains

let domains = dynamic(["aaaaabbbbbbb.eastus.cloudapp.azure.com","jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion","uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion"]);
DeviceNetworkEvents
| where RemoteUrl has_any (domains)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Indicators of compromise

References

• https://blog.talosintelligence.com/building-bypass-with-msbuild/
• https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-pipemagic-backdoor-attacks-businesses-through-fake-chatgpt-application  
• https://x.com/ESETresearch/status/1899508656258875756

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Exploitation of CLFS zero-day leads to ransomware activity appeared first on Microsoft Security Blog.

In this series, we will introduce these leaders and share more about their background, their role, and their priorities. 

Q: Tell us about your current role and responsibilities.

Igor Sakhnov: “As Microsoft’s Corporate Vice President of Engineering for Identity, I lead data and platform engineering along with business-facing initiatives. Since April 2024, I’ve also served as Deputy Chief Information Security Officer (CISO) focusing on identity-related security risks.”

Mark Russinovich: “In my role, I work with a large team to identify and resolve the security risks that come up and evolve under the Microsoft Azure umbrella, the core operating system itself, and the groups that make up the core engineering systems that the entire company depends on. In all these cases, we want the risk mitigations to be durable so once they’re done, the system stays secure and doesn’t have to be revisited every year.”

Yonatan Zunger: “My job is to try and think about all the different ways in which things involving AI can go wrong, make sure that we have good, thoughtful plans for each of those things, and develop the right tools so we can design and run the right incident response for AI issues.”

Q: How did you get your start in cybersecurity?

Igor Sakhnov: “It didn’t really start in cybersecurity. My journey began with a deep interest in understanding how systems work and how they interact and perform at scale. Inevitably, the hard question of security surfaces and the interesting aspects of detection and prevention become top of mind.”

Mark Russinovich: “I’ve always been interested in the way computers and operating systems work. In junior high I started working with computers and figuring out the internals, then went to college and graduate school in it. There was a natural intersection with cybersecurity and operating systems design since both involve understanding complex systems, and I started doing more with cybersecurity.”

Yonatan Zunger: “I started my career as a theoretical physicist. I joined Google, spent years building search and infrastructure, and in 2011 I became the Chief Technology Officer of social. This was a few months before the launch of Google Plus, and I discovered that the hard parts of the job had nothing to do with technology. Instead, all the hard parts were security and privacy, and those were interesting problems to me. It quickly became clear that using these technologies in the right or wrong way can have a huge impact on people’s lives. That stuck with me, and it caused me to genuinely fall in love with the field.”

Q: What does your team do, and how do you work with others across the company?

Igor Sakhnov: “My team is responsible for the work and innovation in the Identity space, building a large-scale enterprise identity system. Over the past year, the point about larger systems being identity-driven has really come to fruition, with the new efforts that leverage identity in the network flows.”

Mark Russinovich: “My team focuses on technical strategy, architecture, and security risk management for the Azure platform, engineering systems, and core operating systems. We work closely with teams across Microsoft to implement durable security measures. I collaborate with emerging technology teams to understand customer requirements and guide Azure’s development while ensuring security remains a priority in all decisions and implementations.”

Yonatan Zunger: “We’re a very horizontal team and our work has six core pillars: AI research, infrastructure, empowerment, evaluation and review, incident response, and policy and engagement. Within those pillars are a lot of people working on a lot of things, from doing safety and teaching it to people, to thoroughly testing and vetting every piece of generative AI software that goes out the door at Microsoft, to bringing AI expertise into incident responses, to engaging with all sorts of stakeholders across the world, and talking and sharing with them but also listening and learning.”

Q: How do you balance the need for security with the need for innovation in your team?

Igor Sakhnov: “Balancing is important and hard. We strive to integrate security into the development process from the outset, shifting left and avoiding interruptions. No matter how innovative the product is, it will not get adapted if it is not secure or not reliable.”

Mark Russinovich: “I don’t think it’s an either or, but it is a balance. The second something may turn into a widget or service that people will depend on, you need security, but if you create such a hardened system that no one can use it, you’ve wasted time. We have a commitment to our customers that security is always in the driver’s seat, but innovation is holding the road map, and we’re delivering on that.”

Yonatan Zunger: “Engineering is the art of building systems to solve problems. If you’re building a system that isn’t safe and secure, you aren’t solving the customer’s problem, you’re building a system that will give them more problems.”

Q: What are some of the biggest cybersecurity misconceptions that you encounter?

Igor Sakhnov: “The desire to make the perfect solution. This is why ‘assume breach’ is the mindset I cultivated with my team. Yes, we must focus on the protection at all costs, and we should expect that any protection will be circumvented. How we detect, reduce the impact, and mitigate in the shortest time is top of mind.”

Mark Russinovich: “The assumption that unless you can prove to me something is not secure, it’s secure. You of course must invest in prevention, but Microsoft has said for close to a decade now that you have to assume any system can and will be breached, so you have to minimize the impact and increase how you detect and mitigate those breaches.”

Yonatan Zunger: “The idea that security, privacy, and safety are three distinct things. They’re not. If you’ve ever seen a security team, say, ‘That sounds like a privacy problem,’ and a privacy team say, ‘That sounds like a security problem,’ and nobody fixes it, you know where this story ends. Artificial boundaries like these are a factory of nasty incidents.”

Q: What’s one piece of advice you would give to your younger self?

Igor Sakhnov: “Shift focus from the local improvements and invest heavily into the influence to shift larger organization for all to move in the needed direction. Microsoft’s Secure Future Initiative is a notable example where a central push supersedes all the local innovation we have done over the years.”

Mark Russinovich: “I don’t look back and think about things that I’ve done wrong, but for those that are just starting out in a career or in life, I’d say this: When you find an area that you’re passionate about, learn that area and the areas around it, and learn one level deeper than you think necessary to be effective. My father gave me that advice and it’s what inspired me to pursue computers.”

Yonatan Zunger: “If you ever find yourself in a relationship where you can’t fully be yourself…leave.”

Microsoft Secure

To see these innovations in action, join us on April 9, 2025 for Microsoft Secure, a digital event focused on security in the age of AI. 

Register now

Leadership as the ultimate control layer

Across identity, cloud ecosystems, and privacy, these leaders have independently arrived at similar conclusions: security enables rather than restricts, perfect protection is impossible, but resilience is achievable, and everyone—from engineers to customers—plays a role in defense.

Microsoft’s security transformation isn’t just about technology. It’s about people like Igor Sakhnov, Mark Russinovich, and Yonatan Zunger who demonstrate the diverse leadership needed to strengthen Microsoft’s security posture for our customers and the industry.

Watch for more profiles in this series as we highlight additional deputy chief information security officers, including leaders overseeing cloud infrastructure, customer security, threat intelligence, and more.

RSAC 2025

Learn more about AI-first, end-to-end security at The Microsoft at RSAC Experience. From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI.

Register now

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity appeared first on Microsoft Security Blog.

That’s why we’re inviting you to attend Tech Accelerator: Azure Security and AI Adoption on April 22. Designed for developers and cloud architects, this one-day virtual event will equip you with the essential guidance and resources you need to securely plan, build, manage, and optimize your Azure deployments and AI projects. 

Why should you attend? 

During this event, you will learn how to leverage Microsoft security guidance, products, and tooling throughout your cloud journey – from the time you consider Azure to the point that you’re regularly managing and optimizing workloads. Discover how Microsoft protects its platform, how to identify security risks in your Azure environments, protect your infrastructure from security threats, design secure AI environments, and build and protect your AI applications. 

What can you expect? 

During this event, you’ll have the opportunity to: 

• Learn from the experts: Get in-depth technical guidance from Microsoft experts to secure your Azure deployments and AI applications. 
• Engage with the community: Connect with fellow developers, cloud architects, and IT professionals. 

Event details 

• Dates: April 22, 2025 
• Duration: 8:00-11:30 AM Pacific Time  
• Format: One keynote + six 25-minute sessions with technical guidance and demos 

April 22, 2025:  

All sessions will be streamed live on the Microsoft Tech Community platform with live Q&A during the event with the speakers and subject experts. Q&A will close at 12:00 PM PT on Friday, April 25, 2025. Sessions will be available on demand immediately, so you can watch at your convenience.  

Registration is not required. On each session page, you can find an Add to calendar link. Click the Attend button on the page to receive reminders. Please post questions early and often; we’re here to help! 

Please save the date and join us: https://aka.ms/AzureEssentialsEvent 

The post Tech Accelerator: Azure security and AI adoption appeared first on Microsoft Security Blog.

Every year, threat actors use various social engineering techniques during tax season to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training. 

In this blog, we share details on the different campaigns observed by Microsoft in the past several months leveraging the tax season for social engineering. This also includes additional recommendations to help users and organizations defend against tax-centric threats. Microsoft Defender for Office 365 blocks and identifies the malicious emails and attachments used in the observed campaigns. Microsoft Defender for Endpoint also detects and blocks a variety of threats and malicious activities related but not limited to the tax threat landscape. Additionally, the United States Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages or social media to request personal or financial information.

BruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails

On February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails used in the campaign:

Example email subjects:

• Notice: IRS Has Flagged Issues with Your Tax Filing
• Unusual Activity Detected in Your IRS Filing
• Important Action Required: IRS Audit

Example PDF attachment names:

• lrs_Verification_Form_1773.pdf
• lrs_Verification_Form_2182.pdf
• lrs_Verification_Form_222.pdf

The emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign. When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor:

• If access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.
• If access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to evade detection by security systems.

Latrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2) configurations, anti-analysis features such as minimum process count and network adapter check, C2 check-in behavior that splits POST data between the Cookie header and POST data. Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the command prompt.

BRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it has also been exploited by threat actors for post-exploitation activities and C2 operations.

Phishing email with QR code in a PDF links to RaccoonO365 infrastructure

Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United States in the engineering, IT, and consulting sectors. The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a hyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com. The URL included the recipient email as a query string parameter, so the PDF attachments were all unique. RaccoonO365 is a PhaaS platform that provides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used to collect the targeted user’s credentials.

The emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the emails appear as if they came from an official source. The following display names were observed in these campaigns:

• EMPLOYEE TAX REFUND REPORT
• Project Funding Request Budget Allocation
• Insurance Payment Schedule Invoice Processing
• Client Contract Negotiation Service Agreement
• Adjustment Review Employee Compensation
• Tax Strategy Update Campaign Goals
• Team Bonus Distribution Performance Review
• proposal request
• HR|Employee Handbooks

AHKBot delivered in IRS-themed phishing emails

On February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States. The email’s subject was IRS Refund Eligibility Notification and the sender was jessicalee@eboxsystems[.]com.

The email contained a hyperlink that directed users to download a malicious Excel file. The link (hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm) abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com, which was likely compromised to host the malicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros, a malicious MSI file was downloaded and run.

The MSI file contained two files. The first file, AutoNotify.exe, is a legitimate copy of the executable used to run AutoHotKey script files. The second file, AutoNotify.ahk, is an AHKBot Looper script which is a simple infinite loop that receives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter module, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59 to receive commands and upload screenshots.

GuLoader and Remcos delivered in tax-themed phishing emails

On March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United States, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of less than 100 emails, began with a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA. If the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click rates on the malicious payloads due to the established rapport between attacker and recipient.

The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox. The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file. The .bat file in turn downloaded the GuLoader executable, which then installed Remcos.

GuLoader is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques, such as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.

Remcos is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing, and process manipulation while employing stealth techniques to evade detection.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
• Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Pilot and deploy phishing-resistant authentication methods for users.
• Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.
• Educate users about using the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:

• Backdoor:Win64/BruteRatel
• Backdoor:Win32/BruteRatel
• Trojan:Win64/BruteRatel
• Trojan:Win32/BruteRatel
• Trojan:Win64/Latrodectus
• Trojan:Win32/Latrodectus
• TrojanDownloader:JS/Latrodectus
• Trojan:Win32/Remcos
• Backdoor:MSIL/Remcos
• Trojan:Win32/Guloader

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Possible Latrodectus activity
• Brute Ratel toolkit related behavior
• A file or network connection related to ransomware-linked actor Storm-0249 detected
• Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts, however, can be triggered by unrelated threat activity.

• A potentially malicious URL click was detected 
• Email messages containing malicious URL removed after delivery
• Email messages removed after delivery
• A user clicked through to a potentially malicious URL
• Suspicious email sending patterns detected
• Email reported by user as malware or phish

Defender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Latrodectus
• PhaaS RaccoonO365 campaign
• Remcos delivery through tax document lures
• Storm-0249 distributes Latrodectus in malvertising campaign
• Storm-0249
• Brute Ratel C4
• QR code phishing with adversary-in-the-middle capability

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Furthermore, listed below are some sample queries utilizing Sentinel ASIM Functions for threat hunting across both Microsoft first-party and third-party data sources.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 7d;
let ioc_ip_addr = dynamic(["181.49.105.59 "]); 
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) 
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes=dynamic(["fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422","bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a","9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc",
"3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960","165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5","a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7",
"a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727","0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a","4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec","9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e"]);  
imFileEvent
  | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "SHA256"

 Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 7d;
let ioc_domains = dynamic(["slgndocline.onlxtg.com ", "cronoze.com ", "muuxxu.com ", "proliforetka.com ", "porelinofigoventa.com ", "shareddocumentso365cloudauthstorage.com", "newsbloger1.duckdns.org"]);
  _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains)
 | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor  

In addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this blog.

•  Phishing link click observed in Network Traffic
•  Email Link Execution with Alert Correlation

Indicators of compromise

BruteRatel C4 and Lactrodectus infection chain

RaccoonO365

AHKBot

Remcos

References

• https://www.morado.io/blog-posts/understanding-raccoono365-phishing-as-a-service
• https://www.irs.gov/privacy-disclosure/report-phishing

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors leverage tax season to deploy tax-themed phishing campaigns appeared first on Microsoft Security Blog.

Microsoft’s Unified Security Operations for Public Sector

Discover how Microsoft helps public sectors modernize security operations to enhance cyber defense and streamline processes.

Read the datasheet

Microsoft’s unified security operations for public sector

Embracing modern security technology, processes, and continuous skill development is vital for protecting public sector organizations. By leveraging innovations powered by generative AI, unparalleled threat intelligence, and best practices, public sectors can transform their security operations to effectively defend against emerging cyberthreats.

AI-powered security operations: Microsoft delivers innovations to effectively protect against today’s complex threat landscape. The AI-powered unified security operations platform offers an enhanced and streamlined approach to security operations by integrating security information and event management (SIEM), security orchestration, automation, and response (SOAR), extended detection and response (XDR), posture and exposure management, cloud security, threat intelligence, and AI into a single, cohesive experience, eliminating silos and providing end-to-end security operations (SecOps). The unified platform boosts analyst efficiency, reduces context switching, and delivers quicker time to value with less integration work.

Microsoft is committed to helping public sector customers accelerate threat detection and response through improved security posture across organizations with richer insights, multi-tenant management, early warnings, and increased efficiency through automation and generative AI. Through automatic attack disruption, Microsoft Defender XDR utilizes robust threat intelligence, advanced AI and machine learning to detect and contain sophisticated cyberattacks in real time, significantly reducing their impact. This high-fidelity detection and protection capability disrupts more than 40,000 incidents each month, like identity threats and human-operated cyberattacks, while maintaining a false positive rate below 1%.

“Speed is an important factor against adversaries, and gaining situational awareness across a complex landscape of threats is therefore key.”

—Customer in the healthcare industry

People and process modernization: Public-private partnerships play a vital role in fostering the exchange of best practices and developing standardized processes that drive efficiency in incident response and threat intelligence sharing. For example, adapting the threat triage process to leverage generative AI agents can enable teams to scale significantly with agents autonomously analyzing and triaging vast volumes of alerts in real time, prioritize critical cyberthreats, and recommend specific remediation steps based on historical patterns. These collaborations also empower organizations to build teams equipped with cutting-edge skills and a comprehensive understanding of generative AI capabilities, helping them stay ahead of emerging cyberthreats.

Collective cyber defense and threat intelligence: Using Microsoft’s global threat intelligence insights, public sector organizations can collaborate with each other and across other sectors to share deeper cyberthreat insights efficiently. This partnership enables public sector organizations to exchange threat intelligence in a standardized manner within a region or country.

“Collective defense collaborations are driven by mutual interests with industry peers and cybersecurity alliances on improving security postures and responding more effectively to emerging threats.”

—Customer in the transport industry

The power of generative AI in cyber operations

Generative AI brings several transformative benefits to cybersecurity, making it a cornerstone for public sector security operations center (SOC) modernization.

Enhanced threat detection and response: Generative AI has the potential to sift through data from firewalls, endpoints, and cloud workloads, surfacing actionable cyberthreats that might go unnoticed in manual reviews. Unlike traditional rule-based detection methods, generative AI can identify attack patterns, adapt to emerging cyberthreats, and prioritize incidents based on risk severity, helping security teams focus on the most critical issues. Generative AI can go beyond simply surfacing cyberthreats; it can contextualize attack signals, predict potential breaches, and recommend guided responses for remediation strategies, reducing the burden on security analysts. Microsoft Security Copilot is already covering a range of use cases and is expanding rapidly to seize the full potential of generative AI. By providing guided incident investigation and response, Security Copilot helps security operations center (SOC) teams to detect and respond to cyberthreats more effectively. It can help teams to learn about malicious actors and campaigns, provide rapid summaries, and even contact the user to check for suspicious behavior. Adoption is associated with 30% reduction in security incident mean time to resolution (MTTR).²

Reduced operational overheads: By automating routine tasks, generative AI can free analysts from repetitive processes like alert triage or patch validation, enabling them to focus on advanced threat hunting. Security teams can already leverage Security Copilot to translate complex scripts into natural language, highlighting and explaining key parts to enhance team skills and reduce investigation time for advanced investigations as much as by 85%, helping security teams operate at scale.³

“Increased support from AI is critical given the significant capacity challenge in the public sector: a shortage of talent, an influx of threats, and an ever-increasing volume of data, assets, and organizations.”

—National SOC customer

Building a resilient digital future together

As nation-state threat actors and cybercriminals increasingly employ generative AI in their cyberattacks, public sector organizations can no longer rely on fragmented, manual defenses. The path forward lies in public-private collaboration, centered on co-designing and innovating solutions tailored to the public sector’s unique needs.

By adopting Microsoft Security solutions, public sector organizations can leverage combined resources, expertise, and cutting-edge technology to fortify critical infrastructure, safeguard citizen data, and strengthen public trust.

Now is the time to act: Modernize your cyber defense in the AI era to collectively forge a more secure and resilient digital future for government and public sector operations.

Learn more

Learn more about the AI-Powered Security Operations Platform for more details on the unified Security Operations platform.

Learn more about Microsoft Sentinel.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2024

²Generative AI and Security Operations Center Productivity: Evidence from Live Operations, Microsoft study. James Bono, Alec Xu, Justin Grana. November 24, 2024.

³Forrester Total Economic Impact™ of Microsoft Sentinel. The Total Economic Impact^(TM) Of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting, March 2024. Results are based on a composite organization representative of interviewed customers.

The post Transforming public sector security operations in the AI era appeared first on Microsoft Security Blog.

Using Security Copilot, we were able to identify potential security issues in bootloader functionalities, focusing on filesystems due to their high vulnerability potential. This approach saved our team approximately a week’s worth of time that would have otherwise been spent manually reviewing the content. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings. This efficient process allowed us to confirm several additional vulnerabilities and extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2. We’re sharing this research as an example of the increased efficiency, streamlined workflows, and improved capabilities that AI solutions like Security Copilot can deliver for defenders, security researchers, and SOC analysts. As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI’s advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors’ attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker. The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities. Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement.

We disclosed these vulnerabilities with the GRUB2, U-boot, and Barebox maintainers and worked with the GRUB2 maintainers to contribute fixes for the discovered vulnerabilities. To address the issues, the GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025. We thank the GRUB2, U-boot, and Barebox maintainers as well as the open-source community for their quick response and collaborative efforts in addressing these issues, and we advise users to ensure their instances are up to date. We would also like to thank the RedHat support team for their assistance in disclosing these issues to manufacturers. The respective vulnerabilities are summarized in the following table:

In this blog, we detail how Secure Boot and GRUB2 function, explain how the GRUB2 vulnerabilities could have been exploited, and provide information on the vulnerabilities found in other open-source bootloaders to highlight the risks associated with unknowingly sharing vulnerable code among different open-source projects. As the boot process involves multiple components spanning different manufacturers and vendors, updates and fixes to the Secure Boot process can be particularly complex and run the risk of rendering a device unusable. As such, we are also sharing these findings with the security community to emphasize the importance of responsible disclosure and collaboration in the effort to enhance protection technologies and security across different devices and platforms.

Secure Boot and GRUB2

Before 2006, Intel-based computers booted into startup firmware code commonly known as the BIOS (Basic Input/Output System), which was responsible for hardware initialization and setup of common services to later be used by a bootloader. Ultimately, the BIOS would transfer control to a bootloader coded in real mode, which would commonly load an operating system (OS).

With time, attackers realized there is no root-of-trust verification of bootloaders by the firmware, thus began the era of bootkits, which are bootloader-based rootkits. To standardize the boot process, a unified firmware schema to replace BIOS was introduced in 2006, which is currently known as the Unified Extensible Firmware Interface (UEFI).

UEFI also helped combat bootkits, as it offers services that validate bootloaders and its own extensible modules by means of digital signatures. That protocol is known as Secure Boot and is essential to establishing a root of trust for the boot process, in which the firmware verifies UEFI drivers and OS modules with a platform key or a Key Exchange Key, and bootloaders verify the loaded operating system.

Trust is then achieved with the help of equipment manufacturers, which can sign code trusted by Secure Boot, by means of Certificate Authorities (CA). Essentially, manufacturers sign code with their private key, and their public key is signed with a root CA, commonly Microsoft’s UEFI CA. This is also essential to supporting non-Windows bootloaders such as GRUB2 (which commonly boots Linux) and allowing third party operating systems to benefit from Secure Boot. Since GRUB2 is fully open-sourced, vendors install a small program called a shim, which is signed by Microsoft’s UEFI CA and is responsible for validating the integrity of GRUB2. The shim can further consult a mechanism called Secure Boot Advanced Targeting (SBAT) for further revocation and management options as SBAT is used by the shim to provide a way to track and revoke individual software components based on metadata rather than cryptographic signatures alone.

The dangers of a GRUB2

Since bootloaders run before operating systems run, they mostly have UEFI-provided services as APIs to rely on. Therefore, bootloaders do not benefit from modern operating system security features, such as:

• No-Execute (NX): Known in Windows as Data Execution Prevention (DEP), and enforces memory page execute protections. Before the introduction of NX, attackers could override return addresses (which are maintained in-memory) and jump to arbitrary code (commonly a shellcode) that could be placed using the provided input.
• Address Space Layout Randomization (ASLR): This feature randomizes the base address of modules, which makes return address overrides and function pointer overrides highly unreliable since attackers do not know where usable code might be found.
• Safe dynamic allocators: Dynamic allocations are a favorite target for attackers, and modern operating systems harden their heap allocators with various techniques, including Safe Unlinking, type-safety, Pointer Authentication, and others.
• Stack cookies / Canaries: These are randomly generated values pushed between the return address and local variables on the stack, with the intent of detecting changes in their values before using the return address (commonly in a RET instruction).

Additionally, GRUB2 offers complex logic to implement various features, including:

• Image file parsers (PNG, TGA, and JPEG)
• Font parsing and support (PF2 file format)
• Network support (HTTP, FTP, DNS, ICMP, etc.)
• Various filesystem supportability (FAT, NTFS, EXT, JFS, HFS, ReiserFS, etc.)
• Bash-like command-line utility
• Extensible dynamic module loading capabilities

Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation. Considering the implication of defeating Secure Boot and strategically assessing the project (such as with Google’s Rule of 2), it is evident why GRUB2 may be of interest to vulnerability researchers.

Several memory corruption vulnerabilities have been uncovered in the past and are evident of the risks that we have mentioned. Noteworthy examples include:

Findings

Through a combination of static code analysis tools (such as CodeQL), fuzzing the GRUB2 emulator (grub-emu) with AFL++, manual code analysis, and using Microsoft Security Copilot, we have uncovered several vulnerabilities.

Using Security Copilot, we initially explored which functionalities in a bootloader have the most potential for vulnerabilities, with Copilot identifying network, filesystems, and cryptographic signatures as key areas of interest. Given our ongoing analysis of network vulnerabilities and the fact that cryptography is largely handled by UEFI, we decided to focus on filesystems.

Using the JFFS2 filesystem code as an example, we prompted Copilot to find all potential security issues, including exploitability analysis. Copilot identified multiple security issues, which we refined further by requesting Copilot to identify and provide the five most pressing of these issues. In our manual review of the five identified issues, we found three were false positives, one was not exploitable, and the remaining issue, which warranted our attention and further investigation, was an integer overflow vulnerability.

We used Security Copilot to successfully identify similar patterns in other GRUB2 files. Assuming the possibility of false negatives, we performed thorough validation and review of GRUB2 to avoid overlooking any issues, allowing us to confirm several additional vulnerabilities were present relating to the integer overflow.

Through this research, we have disclosed the following vulnerabilities:

Most of those vulnerabilities are simple memory corruption vulnerabilities. As an example, let us examine the JFS symbolic link resolution function:

The vulnerability is an overflow of the size variable:

• The size variable is declared as grub_size_t, which is ultimately defined as a 64-bit unsigned integer (uint64_t).
• The function grub_le_to_cpu64 converts a Little-Endian 64-bit value to the CPU’s native Endianess. Since x86-64 is already Little-Endian, it does nothing (on Big-Endian systems it reverses the byte-order of the 64-bit input value).
• Note the input data and its inode are fully attacker-controlled, since they supply the filesystem image. Therefore, size can get an arbitrary value, including the very large value 0xFFFFFFFFFFFFFFFF (which is the maximum value an unsigned 64-bit integer can get).
• The linknest checks are irrelevant for the vulnerability, but they assure the number of nested symbolic links to not exceed a limit (defined as 8).
• The size+1 calculation is an integer overflow—if size is 0xFFFFFFFFFFFFFFFF then size+1 is now 0. Note grub_malloc happily allocates a 0-byte chunk and returns it to the variable symlink.
• At this point, symlink is being written to by the function grub_jfs_read_file. The contents are arbitrarily set by the attacker, and while this function will never be able to read 0xFFFFFFFFFFFFFFFF bytes, an attacker would still be able to override important data beyond the limit of the symlink variable with an arbitrary payload.

It seems GRUB2 maintainers were aware of other types of integer overflow issues in the past and therefore introduced functions such as grub_add and grub_mul to handle addition and multiplication overflows safely. However, it seems there are quite a few places where those functions have not been considered.

The other vulnerabilities we’ve reported had similar out-of-bounds or integer overflow issues. In addition, we have reported a cryptographic side-channel attack issue, in which the function grub_crypto_memcmp does not perform its memory comparison in constant-time. The vulnerability is quite similar to one we disclosed on Netgear routers in the past.

Variant analysis and extensions to other bootloaders

After the discovery of the GRUB2 filesystem vulnerabilities and validating their exploitability, we concluded it is very likely other bootloaders might be affected by similar vulnerabilities, potentially as a result of the practice of copy-pasting filesystem parsing code between different open-source projects.

To test this hypothesis, we asked Security Copilot to find similar code in GitHub based on GRUB2’s filesystem implementations. This approach initially found many GRUB2 forks, so we continued to refine the search and manually review the results. Within those results, the U-boot and Barebox bootloaders, which are both commonly used for embedded systems, were identified as having shared code with GRUB2. Further investigation led us to identify similar vulnerabilities in both bootloaders, as detailed in the table below.

To exploit those in an embedded system context, attackers would most likely require physical access to those devices.

Enhancing security beyond Microsoft with research and threat intelligence sharing

As our research demonstrates, the discovered vulnerabilities can impact a wide range of systems and devices with varying impact. The vulnerabilities in GRUB2 can be exploited to bypass Secure Boot and allow threat actors to gain arbitrary code execution in the context of GRUB2, install stealthy bootkits and persistent malware, and compromise additional devices on the network. Additionally, there are further consequences to bypassing Secure Boot as it undermines the security mechanism designed to protect the boot process. Secure Boot bypasses can lead to threat actors loading untrusted software and malicious code during the boot process, evading detection by security solutions, and gaining full control of the system for potential widespread impact across operating systems relying on UEFI Secure Boot. While the vulnerabilities impacting U-boot and Barebox may be more difficult to exploit for threat actors by requiring physical device access, the issues still underscore the dangers of sharing susceptible code across multiple open-source projects.

This research also demonstrates the necessity of responsible vulnerability disclosure, threat intelligence sharing, and partner collaboration in addressing these issues to safeguard users against current and future threats. Given the complexity of the boot process, which involves multiple components from different manufacturers, coupled with the fact that updates to Secure Boot can run the risk of rendering a device unusable, responsible disclosure of these vulnerabilities is necessary to prevent threat actor exploitation and give teams time to effectively coordinate and collaborate on mitigation measures.

To address the discovered issues, the GRUB2 maintainers updated the vulnerable versions in SBAT while working with manufacturers to update DBX database entries as well as their shims to improve Secure Boot revocation management, particularly for bootloaders like shim that act as an intermediary between firmware Secure Boot verification and Linux distributions boot processes. In addition to deploying patches to address the vulnerabilities, the GRUB2 maintainers disabled some of the OS modules when Secure Boot is enabled to help ensure only trusted and verified code executes during the boot process, further reducing the attack surface. We would like to again thank the GRUB2 team and open-source community for their efforts in addressing these issues, as well as the U-boot and Barebox maintainers for quickly releasing fixes.

Leveraging AI like Security Copilot was invaluable in our research, saving us approximately a week’s worth of time by efficiently identifying and refining security issues in bootloader functionalities, ultimately allowing us to uncover several vulnerabilities. Identifying, disclosing, and contributing fixes for vulnerabilities, such as those mentioned in this blog post, is part of our ongoing commitment to enhance security at Microsoft and beyond. Microsoft is dedicated to improving security through research-driven protections and collaboration with customers, partners, and industry experts. Microsoft security researchers discover vulnerabilities and threats, translating this knowledge into enhanced solutions that protect users daily, and by expanding our research, we also contribute to the security of devices worldwide across all platforms.

Jonathan Bar Or

Microsoft 365 Defender Research Team

References

• https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
• https://www.cve.org/CVERecord?id=CVE-2024-56737
• https://www.cve.org/CVERecord?id=CVE-2024-56738
• https://www.cve.org/CVERecord?id=CVE-2025-0677
• https://www.cve.org/CVERecord?id=CVE-2025-0678
• https://www.cve.org/CVERecord?id=CVE-2025-0684
• https://www.cve.org/CVERecord?id=CVE-2025-0685
• https://www.cve.org/CVERecord?id=CVE-2025-0686
• https://www.cve.org/CVERecord?id=CVE-2025-0689
• https://www.cve.org/CVERecord?id=CVE-2025-0690
• https://www.cve.org/CVERecord?id=CVE-2025-1118
• https://www.cve.org/CVERecord?id=CVE-2025-1125
• https://www.cve.org/CVERecord?id=CVE-2025-26726
• https://www.cve.org/CVERecord?id=CVE-2025-26727
• https://www.cve.org/CVERecord?id=CVE-2025-26728
• https://www.cve.org/CVERecord?id=CVE-2025-26729
• https://www.cve.org/CVERecord?id=CVE-2025-26721
• https://www.cve.org/CVERecord?id=CVE-2025-26722
• https://www.cve.org/CVERecord?id=CVE-2025-26723
• https://www.cve.org/CVERecord?id=CVE-2025-26724
• https://www.cve.org/CVERecord?id=CVE-2025-26725
• https://wiki.osdev.org/BIOS
• https://wiki.osdev.org/Bootloader
• https://d3fend.mitre.org/offensive-technique/attack/T1067/
• https://wiki.osdev.org/UEFI
• https://uefi.org/sites/default/files/resources/UEFI_Plugfest_2013_-_New_Orleans_-_Microsoft_UEFI_CA.PDF
• https://www.gnu.org/software/grub/manual/grub/html_node/UEFI-secure-boot-and-shim.html
• https://github.com/rhboot/shim/blob/main/SBAT.md
• https://theapplewiki.com/wiki/Heap_Hardening
• https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md
• https://nvd.nist.gov/vuln/detail/cve-2020-10713
• https://ubuntu.com/security/CVE-2021-3695
• https://ubuntu.com/security/CVE-2021-3696
• https://ubuntu.com/security/CVE-2021-3697
• https://ubuntu.com/security/CVE-2022-28733
• https://ubuntu.com/security/CVE-2022-28734
• https://ubuntu.com/security/CVE-2022-28735
• https://nvd.nist.gov/vuln/detail/cve-2023-4692
• https://codeql.github.com/
• https://github.com/AFLplusplus/AFLplusplus
• https://wiki.osdev.org/Endianness
• https://wiki.osdev.org/X86-64
• https://www.redhat.com/en/blog/inodes-linux-filesystem
• https://cwe.mitre.org/data/definitions/190.html
• https://cwe.mitre.org/data/definitions/208.html

Learn more

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing open-source bootloaders: Finding vulnerabilities faster with AI appeared first on Microsoft Security Blog.