Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms, enabling campaigns responsible for tens of millions of phishing messages reaching over 500,000 organizations each month worldwide. The phishing kit—developed, supported, and advertised by the threat actor tracked by Microsoft Threat Intelligence as Storm-1747—provided adversary-in-the-middle (AiTM) capabilities that allowed even less skilled threat actors to bypass multifactor authentication (MFA), significantly lowering the barrier to conducting account compromise at scale.

Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. It also allowed threat actors using its service to establish persistence and to access sensitive information even after passwords are reset, unless active sessions and tokens were explicitly revoked. This worked by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials. The MFA codes were subsequently relayed through Tycoon2FA’s proxy servers to the authenticating service.

To evade detection, Tycoon2FA used techniques like anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages. Targets are often lured through phishing emails containing attachments like .svg, .pdf, .html, or .docx files, often embedded with QR codes or JavaScript.

This blog provides a comprehensive up-to-date analysis of Tycoon2FA’s progression and scale. We share specific examples of the Tycoon2FA service panel, including a detailed analysis of Tycoon2FA infrastructure. Defending against Tycoon2FA and similar AiTM phishing threats requires a layered approach that blends technical controls with user awareness. This blog also provides Microsoft Defender detection and hunting guidance, as well as resources on how to set up mail flow rules, enforce spoof protections, and configure third-party connectors to prevent spoofed phishing messages from reaching user inboxes.

Operational overview of Tycoon2FA

Tycoon2FA customer panel

Tycoon2FA phishing services were advertised and sold to cybercriminals on applications like Telegram and Signal. Phish kits were observed to start at $120 USD for access to the panel for 10 days and $350 for access to the panel for a month, but these prices could vary.

Tycoon2FA is operated through a web‑based administration panel provided on a per user basis that centrally integrates all functionality provided by the Tycoon 2FA PhaaS platform. The panel serves as a single dashboard for configuring, tracking, and refining campaigns. While it does not include built‑in mailer capabilities, the panel provides the core components needed to support phishing campaigns. This includes pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. This design makes the platform accessible to less technically skilled actors while still offering sufficient flexibility for more experienced operators.

After signing in, Tycoon2FA customers are presented with a dashboard used to configure, monitor, and manage phishing campaigns. Campaign operators can configure a broad set of campaign parameters that control how phishing content is delivered and presented to targets. Key settings include lure template selection and branding customization, redirection routing, MFA interception behavior, CAPTCHA appearance and logic, attachment generation, and exfiltration configuration. Campaign operators can choose from highly configurable landing pages and sign-in themes that impersonate widely trusted services such as Microsoft 365, Outlook, SharePoint, OneDrive, and Google, increasing the perceived legitimacy of attacks.

Campaign operators can also configure how the malicious content is delivered through attachments. Options include generating EML files, PDFs, and QR codes, offering multiple ways to package and distribute phishing lures.

The panel also allows operators to manage redirect chains and routing logic, including the use of intermediate pages and decoy destinations. Support for automated subdomain rotation and intermediary Cloudflare Workers-based URLs enables campaigns to adapt quickly as infrastructure is identified or blocked. The following is a visual example of redirect and routing options, including intermediate pages and decoy destinations used within a phishing campaign.

Once configured, these settings control the appearance and behavior of the phishing pages delivered to targets. The following examples show how selected themes (Microsoft 365 and Outlook) are rendered as legitimate-looking sign-in pages presented to targets.

Beyond campaign configuration, the panel provides detailed visibility into victim interaction and authentication outcomes. Operators can track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted service, browser, location, and authentication status. Captured credentials and session cookies can be viewed or downloaded directly within the panel and/or forwarded to Telegram for near‑real‑time monitoring. The following image shows a summary view of victim account outcomes for threat actors to review and track.

Captured session information including account attributes, browsers and location metadata, and authentication artifacts are exfiltrated through Telegram bot.

In addition to configuration and campaign management features, the panel includes a section for announcements and updates related to the service. These updates reflect regular maintenance and ongoing changes, indicating that the service continues to evolve.

By combining centralized configuration, real-time visibility, and regular platform updates, the service enables scalable AiTM phishing operations that can adapt quickly to defensive measures. This balance of usability, adaptability, and sustained development has contributed to Tycoon2FA’s adoption across a wide range of campaigns.

Tycoon2FA infrastructure

Tycoon2FA’s infrastructure has shifted from static, high-entropy domains to a fast-moving ecosystem with diverse top-level domains (TLDs) and short-lived (often 24-72 hours) fully qualified domain names (FQDNs), with the majority hosted on Cloudflare. A key change is the move toward a broader mix of TLDs. Early tracking showed heavier use of regional TLDs like .es and .ru, but recent campaigns increasingly rotated across inexpensive generic TLDs that require little to no identity verification. Examples include .space, .email, .solutions, .live, .today, and .calendar, as well as second-level domains such as .sa[.]com, .in[.]net, and .com[.]de.

Tycoon2FA generated large numbers of subdomains for individual phishing campaigns, used them briefly, then dropped them and spun up new ones. Parent root domains might remain registered for weeks or months, but nearly all campaign-specific FQDNs were temporary. The rapid turnover complicated detection efforts, such as building reliable blocklists or relying on reputation-based defenses.

Subdomain patterns have also shifted toward more readable formats. Instead of high entropy or algorithmically generated strings, like those used in July 2025, newly observed subdomains used recognizable words tied to common workflows or services, like those observed in December 2025.

July 2025 campaign URL structure examples:

• hxxps://qonnfp.wnrathttb[.]ru/Fe2yiyoKvg3YTfV!/$EMAIL_ADDRESS
• hxxps://piwf.ariitdc[.]es/kv2gVMHLZ@dNeXt/$EMAIL_ADDRESS
• hxxps://q9y3.efwzxgd[.]es/MEaap8nZG5A@c8T/*EMAIL_ADDRESS
• hxxps://kzagniw[.]es/LI6vGlx7@1wPztdy

December 2025 campaign URL structure examples:

• hxxps://immutable.nathacha[.]digital/T@uWhi6jqZQH7/#?EMAIL_ADDRESS
• hxxps://mock.zuyistoo[.]today/pry1r75TisN5S@8yDDQI/$EMAIL_ADDRESS
• hxxps://astro.thorousha[.]ru/vojd4e50fw4o!g/$ENCODED EMAIL_ADDRESS
• hxxps://branch.cricomai[.]sa[.]com/b@GrBOPttIrJA/*EMAIL_ADDRESS
• hxxps://mysql.vecedoo[.]online/JB5ow79@fKst02/#EMAIL_ADDRESS
• hxxps://backend.vmfuiojitnlb[.]es/CGyP9!CbhSU22YT2/

Some subdomains resembled everyday processes or tech terms like cloud, desktop, application, and survey, while others echoed developer or admin vocabulary like python, terminal, xml, and faq. Software as a service (SaaS) brand names have appeared in subdomains as well, such as docker, zendesk, azure, microsoft, sharepoint, onedrive, and nordvpn. This shift was likely used to reduce user suspicion and to evade detection models that rely on entropy or string irregularity.

Tycoon2FA’s success stemmed from closely mimicking legitimate authentication processes while covertly intercepting both user credentials and session tokens, granting attackers full access to targeted accounts. Tycoon2FA operators could bypass nearly all commonly deployed MFA methods, including SMS codes, one-time passcodes, and push notifications. The attack chain was typical yet highly effective and started with phishing the user through email, followed by a multilayer redirect chain, then a spoofed sign-in page with AiTM relay, and authentication relay culminating in token theft.

Tycoon2FA phishing emails

In observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments. Most of Tycoon2FA’s lures fell into four categories:

• PDF or DOC/DOCX attachments with QR codes
• SVG files containing embedded redirect logic
• HTML attachments with short messages
• Redirect links that appear to come from trusted services

Email lures were crafted from ready-made templates that impersonated trusted business applications like Microsoft 365, Azure, Okta, OneDrive, Docusign, and SharePoint. These templates spanned themes from generic notifications (like voicemail and shared document access) to targeted workflows (like human resources (HR) updates, corporate documents, and financial statements). In addition to spoofing trusted brands, phishing emails often leveraged compromised accounts with existing threads to increase legitimacy.

While Tycoon2FA supplied hosting infrastructures, along with various phishing and landing page related templates, email distribution was not provided by the service.

Defense evasion

From a defense standpoint, Tycoon2FA stood out for its continuously updated evasion and attack techniques. A defining feature was the use of constantly changing custom CAPTCHA pages that regenerated frequently and varied across campaigns. As a result, static signatures and narrowly scoped detection logic became less effective over time. Before credentials were entered, targets encounter the custom CAPTCHA challenge, which was designed to block automated scanners and ensure real users reach the phishing content. These challenges often used randomized HTML5 canvas elements, making them hard to bypass with automation. While Cloudflare Turnstile was once the primary CAPTCHA, Tycoon2FA shifted to using a rotating set of custom CAPTCHA challenges. The CAPTCHA acted as a gate in the flow, legitimizing the process and nudging the target to continue.

After the CAPTCHA challenge, the user was shown a dynamically generated sign-in portal that mirrored the targeted service’s branding and authentication flow, most often Microsoft or Gmail. The page might even include company branding to enhance legitimacy. When the user submitted credentials, Tycoon2FA immediately relayed them to the real service, triggering the genuine MFA challenge. The phishing page then displayed the same MFA prompt (for example, number matching or code entry). Once the user completed MFA, the attacker captured the session cookie and gained real-time access without needing further authentication, even if the password was changed later. These pages were created with heavily obfuscated and randomized JavaScript and HTML, designed to evade signature-based detection and other security tools.

The phishing kit also disrupted analysis through obfuscation and dynamic code generation, including nonfunctional dead code, to defeat consistent fingerprinting. When the campaign infrastructure encountered an unexpected or invalid server response (for example, a geolocation outside the allowed targeting zone), the kit replaced phishing content with a decoy page or a benign redirect to avoid exposing the live credential phishing site.

Tycoon2FA further complicated investigation by actively checking for analysis of environments or browser automation and adjusting page behavior if detected. These evasive measures included:

• Intercepting user input
  • Keystroke monitoring
  • Blocking copy/paste and right click functions
• Detecting or blocking automated inspection
  • Automation tools (for example, PhantomJS, Burp Suite)
  • Disabling common developer tool shortcuts
• Validating and filtering incoming traffic
  • Browser fingerprinting
  • Datacenter IP filtering
  • Geolocation restrictions
  • Suspicious user agent profiling
• Increased obfuscation
  • Encoded content (Base64, Base91)
  • Fragmented or concatenated strings
  • Invisible Unicode characters
  • Layered URL/URI encoding
  • Dead or nonfunctional script

If analysis was suspected at any point, the kit redirected to a legitimate decoy site or threw a 404 error.

Complementing these anti-analysis measures, Tycoon2FA used increasingly complex redirect logic. Instead of sending victims directly to the phishing page, it chained multiple intermediate hosts, such as Azure Blob Storage, Firebase, Wix, TikTok, or Google resources, to lend legitimacy to the redirect path. Recent changes combined these redirect chains with encoded Uniform Resource Identifier (URI) strings that obscured full URL paths and landing points, frustrating both static URL extraction and detonation attempts. Stacked together, these tactics made Tycoon2FA a resilient, fast-moving system that evaded both automated and manual detection efforts.

Credential theft and account access

Captured credentials and session tokens were exfiltrated over encrypted channels, often via Telegram bots. Attackers could then access sensitive data and establish persistence by modifying mailbox rules, registering new authenticator apps, or launching follow-on phishing campaigns from compromised accounts. The following diagram breaks down the AiTM process.

Tycoon2FA illustrated the evolution of phishing kits in response to rising enterprise defenses, adapting its lures, infrastructure, and evasion techniques to stay ahead of detection. As organizations increasingly adopt MFA, attackers are shifting to tools that target the authentication process itself instead of attempting to circumvent it. Coupled with affordability, scalability, and ease of use, Tycoon2FA posed a persistent and significant threat to both consumer and enterprise accounts, especially those that rely on MFA as a primary safeguard.

Mitigation and protection guidance

Mitigating threats from phishing actors begins with securing user identity by eliminating traditional credentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.

Microsoft Threat Intelligence recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise. Learn how to require phishing-resistant MFA for admin roles and plan a passwordless deployment.

Passwordless authentication improves security as well as enhances user experience and reduces IT overhead. Explore Microsoft’s overview of passwordless authentication and authentication strength guidance to understand how to align your organization’s policies with best practices. For broader strategies on defending against identity-based attacks, refer to Microsoft’s blog on evolving identity attack techniques.

If Microsoft Defender alerts indicate suspicious activity or confirmed compromised account or a system, it’s essential to act quickly and thoroughly. The following are recommended remediation steps for each affected identity:

1. Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used.
2. Re-register or remove MFA devices – Review users’ MFA devices, specifically those recently added or updated.
3. Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial configurations, such as direct deposit details, revert them to their original state and notify the appropriate internal teams.
4. Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward sensitive data. Review and delete any suspicious or unauthorized rules.
5. Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new setup uses secure, phishing-resistant methods.

To defend against the wide range of phishing threats, Microsoft Threat Intelligence recommends the following mitigation steps:

• Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
• Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.
• Enable network protection in Microsoft Defender for Endpoint.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants
• Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.
• Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
• Configure Microsoft Entra with increased security.
• Pilot and deploy phishing-resistant authentication methods for users.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.

Microsoft Defender detections

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Additionally, using Microsoft Defender for Cloud Apps connectors, Microsoft Defender XDR raises AiTM-related alerts in multiple scenarios. For Microsoft Entra ID customers using Microsoft Edge, attempts by attackers to replay session cookies to access cloud applications are detected by Microsoft Defender XDR through Defender for Cloud Apps connectors for Microsoft Office 365 and Azure. In such scenarios, Microsoft Defender XDR raises the following alerts:

• Stolen session cookie was used
• User compromised through session cookie hijack

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

• Possible AiTM phishing attempt
• Risky sign-in attempt after clicking a possible AiTM phishing URL

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

• Actor profile: Storm-1747
• Tool profile: Tycoon2FA
• Technique profile: Adversary-in-the-middle credential phishing

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Advanced hunting

Microsoft Defender customers can run the following advanced hunting queries to find activity associated with Tycoon2FA.

Suspicious sign-in attempts

Find identities potentially compromised by AiTM attacks:

AADSignInEventsBeta
| where Timestamp > ago(7d)
| where IsManaged != 1
| where IsCompliant != 1
//Filtering only for medium and high risk sign-in
| where RiskLevelDuringSignIn in (50, 100)
| where ClientAppUsed == "Browser"
| where isempty(DeviceTrustType)
| where isnotempty(State) or isnotempty(Country) or isnotempty(City)
| where isnotempty(IPAddress)
| where isnotempty(AccountObjectId)
| where isempty(DeviceName)
| where isempty(AadDeviceId)
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn, Browser

Suspicious URL clicks from emails

Look for any suspicious URL clicks from emails by a user before their risky sign-in:

UrlClickEvents
| where Timestamp between (start .. end) //Timestamp around time proximity of Risky signin by user
| where AccountUpn has "" and ActionType has "ClickAllowed"
| project Timestamp,Url,NetworkMessageId

References

• Tycoon 2FA Malware Analysis, Overview by ANY.RUN

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale appeared first on Microsoft Security Blog.

To fully realize the potential of AI, organizations must pair innovation with responsibility and robust data security. This year, the Data Security Index report builds upon the responses of more than 1,700 security leaders to highlight three critical priorities for protecting organizational data and securing AI adoption:

1. Moving from fragmented tools to unified data security.
2. Managing AI-powered productivity securely.
3. Strengthening data security with generative AI itself.

By consolidating solutions for better visibility and governance controls, implementing robust controls processes to protect data in AI-powered workflows, and using generative AI agents and automation to enhance security programs, organizations can build a resilient foundation for their next wave of generative AI-powered productivity and innovation. The result is a future where AI both drives efficiency and acts as a powerful ally in defending against data risk, unlocking growth without compromising protection.

In this article we will delve into some of the Data Security Index report’s key findings that relate to generative AI and how they are being operationalized at Microsoft. The report itself has a much broader focus and depth of insight.

1. From fragmented tools to unified data security

Many organizations still rely on disjointed tools and siloed controls, creating blind spots that hinder the efficacy of security teams. According to the 2026 Data Security Index, decision-makers cite poor integration, lack of a unified view across environments, and disparate dashboards as their top challenges in maintaining proper visibility and governance. These gaps make it harder to connect insights and respond quickly to risks—especially as data volumes and data environment complexity surge. Security leaders simply aren’t getting the oversight they need.

Why it matters
Consolidating tools into integrated platforms improves visibility, governance, and proactive risk management.

To address these challenges, organizations are consolidating tools, investing in unified platforms like Microsoft Purview that bring operations together while improving holistic visibility and control. These integrated solutions frequently outperform fragmented toolsets, enabling better detection and response, streamlined management, and stronger governance.

As organizations adopt new AI-powered technologies, many are also leaning into emerging disciplines like Microsoft Purview Data Security Posture Management (DSPM) to keep pace with evolving risks. Effective DSPM programs help teams identify and prioritize data‑exposure risks, detect access to sensitive information, and enforce consistent controls while reducing complexity through unified visibility. When DSPM provides proactive, continuous oversight, it becomes a critical safeguard—especially as AI‑powered data flows grow more dynamic across core operations.

We’re trying to use fewer vendors. If we need 15 tools, we’d rather not manage 15 vendor solutions. We’d prefer to get that down to five, with each vendor handling three tools.”

—Global information security director in the hospitality and travel industry

2. Managing AI-powered productivity securely

Generative AI is already influencing data security incident patterns: 32% of surveyed organizations’ data security incidents involve the use of generative AI tools. Understandably, surveyed security leaders have responded to this trend rapidly. Nearly half (47%) the security leaders surveyed in the 2026 Data Security Index are implementing generative AI-specific controls—an increase of 8% since the 2025 report. This helps enable innovation through the confident adoption of generative AI apps and agents while maintaining security.

Why it matters
Generative AI boosts productivity and innovation, but both unsanctioned and sanctioned AI tools must be managed. It’s essential to control tool use and monitor how data is accessed and shared with AI.

In the full report, we explore more deeply how AI-powered productivity is changing the risk profile of enterprises. We also explore several mechanisms, both technical and cultural, already helping maintain trust and reduce risk without sacrificing productivity gains or compliance.

3. Strengthening data security with generative AI

The 2026 Data Security Index indicates that 82% of organizations have developed plans to embed generative AI into their data security operations, up from 64% the previous year. From discovering sensitive data and detecting critical risks to investigating and triaging incidents, as well as refining policies, generative AI is being deployed for both proactive and reactive use cases at scale. The report explores how AI is changing the day-to-day operations across security teams, including the emergence of AI-assisted automation and agents.

Our generative AI systems are constantly observing, learning, and making recommendations for modifications with far more data than would be possible with any kind of manual or quasi-manual process.”

—Director of IT in the energy industry

Turning recommendations into action

As organizations confront the challenges of data security in the age of AI, the 2026 Data Security Index report offers three clear imperatives: unifying data security, increasing generative AI oversight, and using AI solutions to improve data security effectiveness.

1. Unified data security requires continuous oversight and coordinated enforcement across your data estate. Achieving this scenario demands mechanisms that can discover, classify, and protect sensitive information at scale while extending safeguards to endpoints and workloads. Microsoft Purview DSPM operationalizes this principle through continuous discovery, classification, and protection of sensitive data across cloud, software as a service (SaaS), and on-premises assets.
2. Responsible AI adoption depends on strict (but dynamic) controls and proactive data risk management. Organizations must enforce automated mechanisms that prevent unauthorized data exposure, monitor for anomalous usage, and guide employees toward sanctioned tools and responsible practices. Microsoft enforces these principles through governance policies supported by Microsoft Purview Data Loss Prevention and Microsoft Defender for Cloud Apps. These solutions detect, prevent, and respond to risky generative AI behaviors that increase the likelihood of data exposure, policy violations, or unsafe outputs, ensuring innovation aligns with security and compliance requirements.
3. Modern security operations benefit from automation that accelerate detection and response alongside strong oversight. AI-powered agents can streamline threat investigation, recommend policies, and reduce manual workload while maintaining human oversight for accountability. We deliver this capability through Microsoft Security Copilot, embedded across Microsoft Sentinel, Microsoft Entra, Microsoft Intune, Microsoft Purview, and Microsoft Defender. These agents automate threat detection, incident investigation, and policy recommendations, enabling faster response and continuous improvement of security posture.

Stay informed, stay productive, stay protected

The insights we’ve covered here only scratch the surface of what the Microsoft Data Security Index reveals.The full report dives deeper into global trends, detailed metrics, and real-world perspectives from security leaders across industries and the globe. It provides specificity and context to help you shape your generative AI strategy with confidence.

If you want to explore the data behind these findings, see how priorities vary by region, and uncover actionable recommendations for secure AI adoption, read the full 2026 Microsoft Data Security Index to access comprehensive research, expert commentary, and practical guidance for building a security-first foundation for innovation.

Learn more

Learn more about the Microsoft Purview unified data security solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post New Microsoft Data Security Index report explores secure AI adoption to protect sensitive data appeared first on Microsoft Security Blog.

This attack vector is not new but has seen increased visibility and use since May 2025. The phishing campaigns Microsoft has observed using this attack vector are opportunistic rather than targeted in nature, with messages sent to a wide variety of organizations across several industries and verticals. Notably, Microsoft has also observed a campaign leveraging this vector to conduct financial scams against organizations. While these attacks share many characteristics with other credential phishing email campaigns, the attack vector abusing complex routing and improperly configured spoof protections distinguishes these campaigns. The phishing attack vector covered in this blog post does not affect customers whose Microsoft Exchange mail exchanger (MX) records point to Office 365; these tenants are protected by native built-in spoofing detections.

Phishing messages sent through this vector may be more effective as they appear to be internally sent messages. Successful credential compromise through phishing attacks may lead to data theft or business email compromise (BEC) attacks against the affected organization or partners and may require extensive remediation efforts, and/or lead to loss of funds in the case of financial scams. While Microsoft detects the majority of these phishing attack attempts, organizations can further reduce risk by properly configuring spoof protections and any third-party connectors to prevent spoofed phish or scam messages sent through this attack vector from reaching inboxes.

In this blog, we explain how threat actors are exploiting these routing scenarios and provide observations from related attacks. We provide specific examples—including technical analysis of phishing messages, spoof protections, and email headers—to help identify this attack vector. This blog also provides additional resources with information on how to set up mail flow rules, enforce spoof protections, and configure third-party connectors to prevent spoofed phishing messages from reaching user inboxes.

Spoofed phishing attacks

In cases where a tenant has configured a complex routing scenario, where the MX records are not pointed to Office 365, and the tenant has not configured strictly enforced spoof protections, threat actors may be able to send spoofed phishing messages that appear to have come from the tenant’s own domain. Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains.

This vector is not, as has been publicly reported, a vulnerability of Direct Send, a mail flow method in Microsoft 365 Exchange Online that allows devices (like printers, scanners), applications, or third-party services to send email without authentication using the organization’s accepted domain, but rather takes advantage of complex routing scenarios and misconfigured spoof protections. Tenants with MX records pointed directly to Office 365 are not vulnerable to this attack vector of sending spoofed phishing messages.

As with most other phishing attacks observed by Microsoft Threat intelligence throughout 2025, the bulk of phishing campaigns observed using this attack vector employ the Tycoon2FA PhaaS platform, in addition to several other phishing services in use as well. In October 2025, Microsoft Defender for Office 365 blocked more than 13 million malicious emails linked to Tycoon2FA, including many attacks spoofing organizations’ domains. PhaaS platforms such as Tycoon2FA provide threat actors with a suite of capabilities, support, and ready-made lures and infrastructure to carry out phishing attacks and compromise credentials. These capabilities include adversary-in-the-middle (AiTM) phishing, which is intended to circumvent multifactor authentication (MFA) protections. Credential phishing attacks sent through this method employ a variety of themes such as voicemail notifications, password resets, HR communications, among others.

Microsoft Threat Intelligence has also observed emails intended to trick organizations into paying fake invoices, potentially leading to financial losses. Generally, in these spoofed phishing attacks, the recipient email address is used in both the “To” and “From” fields of the email, though some attacks will change the display name of the sender to make the attack more convincing and the “From” field could contain any valid internal email address.

Credential phishing with spoofed emails

The bulk of phishing messages sent through this attack vector uses the same lures as conventionally sent phishing messages, masquerading as services such as Docusign, or communications from HR regarding salary or benefits changes, password resets, and so on. They may employ clickable links in the email body or QR codes in attachments or other means of getting the recipient to navigate to a phish landing page. The appearance of having been sent from an internal email address is the most visible distinction to an end user, often with the same email address used in the “To” and “From” fields.

Email headers provide more information regarding the delivery of spoofed phishing emails, such as the appearance of an external IP address used by the threat actor to initiate the phishing attack. Depending on the configuration of the tenant, there will be SPF soft or hard fail, DMARC fail, and DKIM will equal none as both the sender and recipient appear to be in the same domain. At a basic level of protection, these should cause a message to land in a spam folder, but a user may retrieve and interact with phishing messages routed to spam. The X-MS-Exchange-Organization-InternalOrgSender will be set to True, but X-MS-Exchange-Organization-MessageDirectionality will be set to Incoming and X-MS-Exchange-Organization-ASDirectionalityType will have a value of “1”, indicating that the message was sent from outside of the organization. The combination of internal organization sender and incoming directionality is indicative of a message spoofed to appear as an internal communication, but not necessarily indicative of maliciousness. X-MS-Exchange-Organization-AuthAs will be set to Anonymous, indicating that the message came from an external source.

The Authentication-Results header example provided below illustrates the result of enforced authentication. 000 is an explicit DMARC failure. The resultant action is either reject or quarantine. The headers shown here are examples of properly configured environments, effectively blocking phishing emails sent through this attack vector:

spf=fail (sender IP is 51.89.59[.]188) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=contoso.com;compauth=fail reason=000

spf=fail (sender IP is 51.68.182[.]101) smtp.mailfrom= contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=contoso.com;

Any third-party connectors—such as a spam filtering service, security solution, or archiving service—must be configured properly or spoof detections cannot be calculated correctly, allowing phishing emails such as the examples below to be delivered. The first of these examples indicate the expected authentication failures in the header, but no action is taken due to reason 905, which indicates that the tenant has set up complex routing where the mail exchanger record (MX record) points to either an on-premises Exchange environment or a third-party service before reaching Microsoft 365:

spf=fail (sender IP is 176.111.219[.]85) smtp.mailfrom= contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from= contoso.com;compauth=none reason=905

The phishing message masquerades as a notification from Microsoft Office 365 informing the recipient that their password will soon expire, although the subject line appears to be intended for a voicemail themed lure. The link in the email is a nested Google Maps URL pointing to an actor-controlled domain at online.amphen0l-fci[.]com.

The second example also shows the expected authentication failures, but with an action of “oreject” with reason 451, indicating complex routing and that the message was delivered to the spam folder.

spf=softfail (sender IP is 162.19.129[.]232) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=contoso.com;compauth=none reason=451

This email masquerades as a SharePoint communication asking the recipient to review a shared document. The sender and recipient addresses are the same, though the threat actor has set the display name of the sender to “Pending Approval”. The InternalOrgSender header is set to True. On the surface, this appears to be an internally sent email, though the use of the recipient’s address in both the “To” and “From” fields may alert an end user that this message is not legitimate.

The nested Google URL in the email body points to actor-controlled domain scanuae[.]com. This domain acts as a redirector, loading a script that constructs a URL using the recipient’s Base64-encoded email before loading a custom CAPTCHA page on the Tycoon2FA domain valoufroo.in[.]net. A sample of the script loaded on scanuae[.]com is shown here:

The below example of the custom CAPTCHA page is loaded at the Tycoon2FA domain goorooyi.yoshemo.in[.]net. The CAPTCHA is one of many similar CAPTCHAs observed in relation to Tycoon2FA phishing sequences. Clicking through it leads to a Tycoon2FA phish landing page where the recipient is prompted to input their credentials. Alternatively, clicking through the CAPTCHA may lead to a benign page on a legitimate domain, a tactic intended to evade detection and analysis.

Spoofed email financial scams

Microsoft Threat Intelligence has also observed financial scams sent through spoofed emails. These messages are crafted to look like an email thread between a highly placed employee at the targeted organization, often the CEO of the organization, an individual requesting payment for services rendered, or the accounting department at the targeted organization. In this example, the message was initiated from 163.5.169[.]67 and authentication failures were not enforced, as DMARC is set to none and action is set to none, a permissive mode that does not protect against spoofed messages, allowing the message to reach the inbox on a tenant whose MX record is not pointed to Office 365.

Authentication-Results	spf=fail (sender IP is 163.5.169[.]67) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=contoso.com;compauth=fail reason=601

The scam message is crafted to appear as an email thread with a previous message between the CEO of the targeted organization, using the CEO’s real name, and an individual requesting payment of an invoice. The name of the individual requesting payment (here replaced with “John Doe”) appears to be a real person, likely a victim of identity theft. The “To” and “From” fields both use the address for the accounting department at the targeted organization, but with the CEO’s name used as the display name in the “From” field. As with our previous examples, this email superficially appears to be internal to the organization, with only the use of the same address as sender and recipient indicating that the message may not be legitimate. The body of the message also attempts to instill a sense of urgency, asking for prompt payment to retain a discount.

Most of the emails observed as part of this campaign include three attached files. The first is the fake invoice requesting several thousand dollars to be sent through ACH payment to a bank account at an online banking company. The name of the individual requesting payment is also listed along with a fake company name and address. The bank account was likely set up using the individual’s stolen personally identifiable information.

The second attachment (not pictured) is an IRS W-9 form that lists the name and social security number of the individual used to set up the bank account. The third attachment is a fake “bank letter” ostensibly provided by an employee at the online bank used to set up the fraudulent account. The letter provides the same banking information as the invoice and attempts to add another layer of believability to the scam.

Falling victim to this scam could result in significant financial losses that may not be recoverable as the funds will likely be moved quickly by the actor in control of the fraudulent bank account.  

Mitigation and protection guidance

Preventing spoofed email attacks

The following links provide information for customers whose MX records are not pointed to Office 365 on how to configure mail flow connectors and rules to prevent spoofed emails from reaching inboxes.

• These links provide information on how to properly configure mail flow with connectors:
  • Manage mail flow using a third-party cloud service with Exchange Online
  • Configure mail flow using connectors in Exchange Online
  • Mail flow rules (transport rules) in Exchange Online
  • Enhanced filtering for connectors in Exchange Online
• These links provide information on configuring SPF, DKIM, and DMARC:
  • Email authentication in cloud organizations
  • Set up SPF to identify valid email sources for your custom cloud domains
  • Set up DKIM to sign mail from your cloud domain
  • Set up DMARC to validate the From address domain for cloud senders
• The following links provide more in-depth information on Direct Send:
  • Introducing more control over Direct Send in Exchange Online
  • Direct Send vs sending directly to an Exchange Online tenant

Mitigating AiTM phishing attacks

Microsoft Threat Intelligence recommends the following mitigations, which are effective against a range of phishing threats.

• Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
• Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants
• Configure Microsoft Entra with increased security.
• Pilot and deploy phishing-resistant authentication methods for users.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.

Mitigating threats from phishing actors begins with securing user identity by eliminating traditional credentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.

Microsoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise. Learn how to require phishing-resistant MFA for admin roles and plan a passwordless deployment.

Passwordless authentication improves security as well as enhances user experience and reduces IT overhead. Explore Microsoft’s overview of passwordless authentication and authentication strength guidance to understand how to align your organization’s policies with best practices. For broader strategies on defending against identity-based attacks, refer to Microsoft’s blog on evolving identity attack techniques.

If Microsoft Defender alerts indicate suspicious activity or confirmed compromised account or a system, it’s essential to act quickly and thoroughly. Below are recommended remediation steps for each affected identity:

1. Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used.
2. Re-register or remove MFA devices – Review users MFA devices, specifically those recently added or updated.
3. Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial configurations, such as direct deposit details, revert them to their original state and notify the appropriate internal teams.
4. Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward sensitive data. Review and delete any suspicious or unauthorized rules.
5. Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new setup uses secure, phishing-resistant methods.

Microsoft Defender XDR detections

Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Actor profile: Storm-1747
• Technique profile: Adversary-in-the-middle credential phishing

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Finding potentially spoofed emails:

EmailEvents
| where Timestamp >= ago(30d)
| where EmailDirection == "Inbound"
| where Connectors == ""  // No connector used
| where SenderFromDomain in ("contoso.com")  // Replace with your domain(s)
| project Timestamp, NetworkMessageId, InternetMessageId, SenderMailFromAddress,
          SenderFromAddress, SenderDisplayName, SenderFromDomain, SenderIPv4,
          RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation

Finding more suspicious, potentially spoofed emails:

EmailEvents
| where EmailDirection == "Inbound"
| where Connectors == ""  // No connector used
| where SenderFromDomain in ("contoso.com", "fabrikam.com") // Replace with your accepted domains
| where AuthenticationDetails !contains "SPF=pass" // SPF failed or missing
| where AuthenticationDetails !contains "DKIM=pass" // DKIM failed or missing
| where AuthenticationDetails !contains "DMARC=pass" // DMARC failed or missing
| where SenderIPv4 !in ("") // Exclude known relay IPs
| where ThreatTypes has_any ("Phish", "Spam") or ConfidenceLevel == "High" // 
| project Timestamp, NetworkMessageId, InternetMessageId, SenderMailFromAddress,
          SenderFromAddress, SenderDisplayName, SenderFromDomain, SenderIPv4,
          RecipientEmailAddress, Subject, AuthenticationDetails, DeliveryAction

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

The below hunting queries can also be found in the Microsoft Defender portal for customers who have Microsoft Defender XDR installed from the Content Hub, or accessed directly from GitHub.

• Spoof and impersonation phish detections
• Spoof attempts with auth failure

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Detect network IP and domain indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["162.19.196.13", "163.5.221.110", "51.195.94.194", "51.89.59.188"]);
let ioc_domains = dynamic(["2fa.valoufroo.in.net", "valoufroo.in.net", "integralsm.cl", "absoluteprintgroup.com"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect web sessions IP and file hash indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["162.19.196.13", "163.5.221.110", "51.195.94.194", "51.89.59.188"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Detect domain and URL indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

// file hash list - imFileEvent
// Domain list - _Im_WebSession
let ioc_domains = dynamic(["2fa.valoufroo.in.net", "valoufroo.in.net", "integralsm.cl", "absoluteprintgroup.com"]);
_Im_WebSession (url_has_any = ioc_domains)

Spoofing attempts from specific domains

// Add the list of domains to search for.
let DomainList = dynamic(["2fa.valoufroo.in.net", "valoufroo.in.net", "integralsm.cl", "absoluteprintgroup.com"]); 
EmailEvents 
| where TimeGenerated > ago (1d) and DetectionMethods has "spoof" and SenderFromDomain in~ (DomainList)
| project TimeGenerated, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames  
| evaluate bag_unpack(AR)  
| where column_ifexists('SPF','') =~ "fail" or  column_ifexists('DMARC','') =~ "fail" or column_ifexists('DKIM','') =~ "fail" or column_ifexists('CompAuth','') =~ "fail"
| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = SenderIPv4

Indicators of compromise

References

• https://www.mimecast.com/threat-intelligence-hub/microsoft-direct-send-abuse/
• https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing
• https://www.varonis.com/blog/direct-send-exploit

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Phishing actors exploit complex routing and misconfigurations to spoof domains appeared first on Microsoft Security Blog.

In a campaign observed in the first half of 2025, we identified the actor specifically targeting Workday profiles. However, it’s important to note that any SaaS systems storing HR or payment and bank account information could be easily targeted with the same technique. These attacks don’t represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts. Workday has published guidance for their customers in their community, and we thank Workday for their partnership and support in helping to raise awareness on how to mitigate this threat.

Microsoft has identified and reached out to some of the affected customers to share tactics, techniques, and procedures (TTPs) and assist with mitigation efforts. In this blog, we present our analysis of Storm-2657’s recent campaign and the TTPs employed in attacks. We offer comprehensive guidance for investigation and remediation, including implementing phishing-resistant MFA to help block these attacks and protect user accounts. Additionally, we provide comprehensive detections and hunting queries to enable organizations to defend against this attack and disrupt threat actor activity.

Analysis of the campaign

In the observed campaign, the threat actor gained initial access through phishing emails crafted to steal MFA codes using adversary-in-the-middle (AITM) phishing links. After obtaining MFA codes, the threat actor was able to gain unauthorized access to the victims’ Exchange Online and later hijacked and modified their Workday profiles.

After gaining access to compromised employee accounts, the threat actor created inbox rules to delete incoming warning notification emails from Workday, hiding the actor’s changes to the HR profiles. Storm-2657 then stealthily moved on to modify the employee’s salary payment configuration in their HR profile, thereby redirecting future salary payments to accounts under the actor’s control, causing financial harm to their victims. While the following example illustrates the attack flow as observed in Workday environments, it’s important to note that similar techniques could be leveraged against any payroll provider or SaaS platform.

Initial access

The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials. Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.

Some phishing emails contained Google Docs links, making detection challenging, as these are common in academic environments. In multiple instances, compromised accounts did not have MFA enabled. In other cases, users were tricked into disclosing MFA codes via AiTM phishing links distributed through email. Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities.

The threat actor used several themes in their phishing emails. One common theme involved messages about illnesses or outbreaks on campus, suggesting that recipients might have been exposed. These emails included a link to a Google Docs page that then redirected to an attacker-controlled domain.

Some examples of the email subject lines are:

• COVID-Like Case Reported — Check Your Contact Status
• Confirmed Case of Communicable Illness
• Confirmed Illness

In one instance, a phishing email was sent to 500 individuals within a single organization, encouraging targets to check their illness exposure status. Approximately 10% of recipients reported the email as a suspected phishing attempt.

The second theme involved reports of misconduct or actions by individuals within the faculty, with the goal of tricking recipients into checking the link to determine if they are mentioned in the report.

Some examples of the subject lines are:

• Faculty Compliance Notice – Classroom Misconduct Report
• Review Acknowledgment Requested – Faculty Misconduct Mention

The most recently identified theme involved phishing emails impersonating a legitimate university or an entity associated with a university. To make their messages appear convincing, Storm-2657 tailored the content based on the recipient’s institution. Examples included messages that appear to be official communications from the university president, information about compensation and benefits, or documents shared by HR with recipients. Most of the time the subject line contained either the university name or the university’s president name, further enhancing the email’s legitimacy and appeal to the intended target.

Some examples of the subject lines are:

• Please find the document forwarded by the HR Department for your review
• [UNIVERSITY NAME] 2025 Compensation and Benefits Update
• A document authored by [UNIVERSITY PRESIDENT NAME] has been shared for your examination.

Defense evasion

Following account compromise, the threat actor created a generic inbox rule to hide or delete any incoming warning notification emails from the organization’s Workday email service. This rule ensured that the victim would not see the notification emails from Workday about the payroll changes made by the threat actor, thereby minimizing the likelihood of detection by the victim. In some cases, the threat actor might have attempted to stay under the radar and hide their traces from potential reviews by creating rule names solely using special characters or non-alphabetic symbols like “….” or “\’\’\’\’”.

Persistence

In observed cases, the threat actor established persistence by enrolling their own phone numbers as MFA devices for victim accounts, either through Workday profiles or Duo MFA settings. By doing so, they bypassed the need for further MFA approval from the legitimate user, enabling continued access without detection.

Impact

The threat actor subsequently accessed Workday through single sign-on (SSO) and changed the victim’s payroll/bank account information.

With the Workday connector enabled in Microsoft Defender for Cloud Apps, analysts can efficiently investigate and identify attack traces by examining Workday logs and Defender-recorded actions. There are multiple indicators available to help pinpoint these changes. For example, one indicator from the Workday logs generated by such threat actor changes is an event called “Change My Account” or “Manage Payment Elections”, depending on the type of modifications performed in the Workday application audit logs:

These payroll modifications are frequently accompanied by notification emails informing users that payroll or bank details have been changed or updated. As previously discussed, threat actors might attempt to eliminate these messages either through manual deletion or by establishing inbox rules. These deletions can be identified by monitoring Exchange Online events such as SoftDelete, HardDelete, and MoveToDeletedItems. The subjects of these emails typically contain the following terms:

• “Payment Elections”
• “Payment Election”
• “Direct Deposit”

Microsoft Defender for Cloud Apps correlates signals from both Microsoft Exchange Online (first-party SaaS application) and Workday (third-party SaaS application), enabling thorough detection of suspicious activities that span multiple systems, as seen in the image below. Only by correlating first party and third-party signals is it possible to detect this activity spawning across multiple systems.

Mitigation and protection guidance

Mitigating threats from actors like Storm-2657 begins with securing user identity by eliminating traditional credentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.

Microsoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise. Learn how to require phishing-resistant MFA for admin roles and plan a passwordless deployment.

Passwordless authentication improves security as well as enhances user experience and reduces IT overhead. Explore Microsoft’s overview of passwordless authentication and authentication strength guidance to understand how to align your organization’s policies with best practices. For broader strategies on defending against identity-based attacks, refer to Microsoft’s blog on evolving identity attack techniques.

If Microsoft Defender alerts indicate suspicious activity or confirmed compromised account or a system, it’s essential to act quickly and thoroughly. Below are recommended remediation steps for each affected identity:

1. Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used.
2. Re-register or remove MFA devices – Review users MFA devices, specifically those recently added or updated.
3. Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial configurations, such as direct deposit details, revert them to their original state and notify the appropriate internal teams.
4. Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward sensitive data. Review and delete any suspicious or unauthorized rules.
5. Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new setup uses secure, phishing-resistant methods.

Microsoft Defender XDR detections

Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Hunting queries

Microsoft Defender XDR

The Microsoft Defender for Cloud Apps connector for Workday includes write events such as Workday account updates, payroll configuration changes, etc. These are available in the Defender XDR CloudAppEvents hunting tables for further investigation. Important events related to this attack include but are not limited:

• Add iOS Device
• Add Android Device
• Change My Account
• Manage Payment Elections

Install the Microsoft Defender for Cloud Apps connector for Workday to take advantage of these logging, investigation, and detection capabilities.

Review inbox rules created to hide or delete incoming emails from Workday

Results of the following query may indicate an attacker is trying to delete evidence of Workday activity.

CloudAppEvents 
| where Timestamp >= ago(1d)
| where Application == "Microsoft Exchange Online" and ActionType in ("New-InboxRule", "Set-InboxRule")  
| extend Parameters = RawEventData.Parameters // extract inbox rule parameters
| where Parameters has "From" and Parameters has "@myworkday.com" // filter for inbox rule with From field and @MyWorkday.com in the parameters
| where Parameters has "DeleteMessage" or Parameters has ("MoveToFolder") // email deletion or move to folder (hiding)
| mv-apply Parameters on (where Parameters.Name == "From"
| extend RuleFrom = tostring(Parameters.Value))
| mv-apply Parameters on (where Parameters.Name == "Name" 
| extend RuleName = tostring(Parameters.Value))

Review updates to payment election or bank account information in Workday

The following query surfaces changes to payment accounts in Workday.

CloudAppEvents 
| where Timestamp >= ago(1d)
| where Application == "Workday"
| where ActionType == "Change My Account" or ActionType == "Manage Payment Elections"
| extend Descriptor = tostring(RawEventData.target.descriptor)

Review device additions in Workday

The following query looks for recent device additions in Workday. If the device is unknown, it may indicate an attacker joined their own device for persistence and MFA evasion.

CloudAppEvents 
| where Timestamp >= ago(1d)
| where Application == "Workday"
| where ActionType has "Add iOS Device" or ActionType has "Add Android Device"
| extend Descriptor = tostring(RawEventData.target.descriptor) // will contain information of the device

Hunt for bulk suspicious emails from .edu sender

The following query identifies email from .edu senders sent to a high number of users.

EmailEvents
| where Timestamp >= ago(7d)
| where SenderFromDomain has "edu" or SenderMailFromDomain has "edu"
| where EmailDirection == "Inbound"
| summarize dcount(RecipientEmailAddress), dcount(InternetMessageId), make_set(InternetMessageId), dcount(Subject), dcount(NetworkMessageId), take_any(NetworkMessageId) by bin(Timestamp,1d), SenderFromAddress
| where dcount_RecipientEmailAddress > 100 // number can be adjusted, usually the sender will send emails to around 100-600 recipients per day

Hunt for phishing URL from identified .edu phish sender

If a suspicious .edu sender has been identified, use the following query to surface email events from this sender address.

EmailEvents
| where Timestamp >= ago(1d)
| where SenderFromAddress == ""
| where EmailDirection == "Inbound"
| project NetworkMessageId, Subject, InternetMessageId
| join EmailUrlInfo on NetworkMessageId
| where Timestamp >= ago(1d)
| project Url, NetworkMessageId, Subject, InternetMessageId

Hunt for user clicks to suspicious URL from the identified .edu phish sender (previous query)

If a suspicious .edu sender has been identified, use the below query to surface user clicks that may indicate a malicious link was accessed.

EmailEvents
| where Timestamp >= ago(1d)
| where SenderFromAddress == ""
| where EmailDirection == "Inbound"
| project NetworkMessageId, Subject, InternetMessageId
| join UrlClickEvents on NetworkMessageId
| where Timestamp >= ago(1d)
| project AccountUpn, Subject, InternetMessageId, DetectionMethods, ThreatTypes, IsClickedThrough // these users very likely fall into the phishing attack

Microsoft Sentinel

Install the Workday connector for Microsoft Sentinel. Microsoft Sentinel has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog.

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Malicious inbox rule

The query includes filters specific to inbox rule creation, operations for messages with ‘DeleteMessage’, and suspicious keywords.

let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
OfficeActivity
| where OfficeWorkload =~ "Exchange" 
| where Operation =~ "New-InboxRule" and (ResultStatus =~ "True" or ResultStatus =~ "Succeeded")
| where Parameters has "Deleted Items" or Parameters has "Junk Email"  or Parameters has "DeleteMessage"
| extend Events=todynamic(Parameters)
| parse Events  with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events  with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events  with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| where SubjectContainsWords has_any (Keywords)
 or BodyContainsWords has_any (Keywords)
 or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by  Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend OriginatingServerName = tostring(split(OriginatingServer, " ")[0])

Risky sign-in with new MFA method

This query identifies scenarios of risky sign-ins tied to new MFA methods being added.

let mfaMethodAdded=CloudAppEvents
    | where ActionType =~ "Update user." 
    | where RawEventData has "StrongAuthenticationPhoneAppDetail"
    | where isnotempty(RawEventData.ObjectId) and isnotempty(RawEventData.Target[1].ID)
    | extend AccountUpn = tostring(RawEventData.ObjectId)
    | extend AccountObjectId = tostring(RawEventData.Target[1].ID)
    | project MfaAddedTimestamp=Timestamp,AccountUpn,AccountObjectId;
    let usersWithNewMFAMethod=mfaMethodAdded
    | distinct AccountObjectId;
    let hasusersWithNewMFAMethod = isnotempty(toscalar(usersWithNewMFAMethod));
    let riskySignins=AADSignInEventsBeta
    | where hasusersWithNewMFAMethod
    | where AccountObjectId in (usersWithNewMFAMethod)
    | where RiskLevelDuringSignIn in ("50","100") //Medium and High sign-in risk level.
    | where Application in ("Office 365 Exchange Online", "OfficeHome")
    | where isnotempty(SessionId)
    | project SignInTimestamp=Timestamp, Application, SessionId, AccountObjectId, IPAddress,RiskLevelDuringSignIn
    | summarize SignInTimestamp=argmin(SignInTimestamp,*) by Application,SessionId, AccountObjectId, IPAddress,RiskLevelDuringSignIn;
    mfaMethodAdded
    | join riskySignins on AccountObjectId
    | where MfaAddedTimestamp - SignInTimestamp < 6h //Time delta between risky sign-in and device registration less than 6h
    | project-away AccountObjectId1

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Acknowledgments

We would like to thank Workday for their collaboration and assistance in responding to this threat.

Workday customers can refer to the guidance published by Workday on their community: https://community.workday.com/alerts/customer/1229867.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Investigating targeted “payroll pirate” attacks affecting US universities appeared first on Microsoft Security Blog.

While under Microsoft’s Secure Future Initiative (SFI), default security has been strengthened by design, defenders still need to make the most out of customer-facing security capabilities. Therefore, this blog recommends countermeasures and controls across identity, endpoints, data apps, and network layers to help harden enterprise Teams environments. To frame these defenses, we first examine relevant stages of the attack chain. This guidance complements, but doesn’t repeat, the guidance built into the Microsoft Security Development Lifecycle (SDL) as outlined in the Teams Security Guide;  we will instead focus on guidance for disrupting adversarial objectives based on the relatively recently observed attempts to exploit Teams infrastructure and capabilities.

Attack chain

Reconnaissance

Every Teams user account is backed by a Microsoft Entra ID identity. Each team member is an Entra ID object, and a team is a collection of channel objects. Teams may be configured for the cloud or a hybrid environment and supports multi-tenant organizations (MTO) and cross-tenant communication and collaboration. There are anonymous participants, guests, and external access users. From an API perspective, Teams is an object type that can be queried and stored in a local database for reconnaissance by enumerating directory objects, and mapping relationships and privileges. For example, federation tenant configuration indicates whether the tenant allows external communication and can be inferred from the API response queries reflecting the effective tenant federation policy.

While not unique to Teams, there are open-source frameworks that can specifically be leveraged to enumerate less secure users, groups, and tenants in Teams (mostly by repurposing the Microsoft Graph API or gathering DNS), including ROADtools, TeamFiltration, TeamsEnum, and MSFT-Recon-RS. These tools facilitate enumerating teams, members of teams and channels, tenant IDs and enabled domains, as well as permissiveness for communicating with external organizations and other properties, like presence. Presence indicates a user’s current availability and status outside the organization if Privacy mode is not enabled, which could then be exploited if the admin has not disabled external meetings and chat with people and organizations outside the organization (or at least limited it to specified external domains).

Many open-source tools are modular Python packages including reusable libraries and classes that can be directly imported or extended to support custom classes, meaning they are also interoperable with other custom open-source reconnaissance and discovery frameworks designed to identify potential misconfigurations.

Resource development

Microsoft continuously enhances protections against fraudulent Microsoft Entra ID Workforce tenants and the abuse of free tenants and trial subscriptions. As these defenses grow stronger, threat actors are forced to invest significantly more resources in their attempts to impersonate trusted users, demonstrating the effectiveness of our layered security approach. . This includes threat actors trying to compromise weakly configured legitimate tenants, or even actually purchasing legitimate ones if they have confidence they could ultimately profit. It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains and branding, especially if it can lend credibility to impersonating internal help desk, admin, or IT support, which could then be used as a convincing pretext to compromise targets through chat messaging and phone calls. Sophisticated threat actors try to use the very same resources used by trustworthy organizations, such as acquiring multiple tenants for staging development or running separate operations across regions, and using everyday Teams features like scheduling private meetings through chat, and audio, video and screen-sharing capabilities for productivity.

Initial access

Tech support scams remain a generally popular pretext for delivery of malicious remote monitoring and management (RMM) tools and information-stealing malware, leading to credential theft, extortion, and ransomware. There are always new variants to bypass security awareness defenses, such as the rise in email bombing to create a sense of stress and urgency to restore normalcy. In 2024, for instance, Storm-1811 impersonated tech support, claiming to be addressing junk email issues that it had initiated. They used RMM tools to deliver the ReedBed malware loader of ransomware payloads and remote command execution. Meanwhile, Midnight Blizard has successfully impersonated security and technical support teams to get targets to verify their identities under the pretext of protecting their accounts by entering authentication codes that complete the authentication flow for breaking into the accounts.

Similarly in May, Sophos identified a 3AM ransomware (believed to be a rebranding of BlackSuit) affiliate adopting techniques from Storm-1811, including flooding employees with unwanted emails followed by voice and video calls on Teams impersonating help desk personnel, claiming they needed remote access to stop the flood of junk emails. The threat actor reportedly spoofed the IT organization’s phone number.

With threat actors leveraging deepfakes, perceived authority helps make this kind of social engineering even more effective. Threat actors seeking to spoof automated workflow notifications and interactions can naturally extend to spoofing legitimate bots and agents as they gain more traction, as threat actors are turning to language models to facilitate their objectives.

Prevalent threat actors associated with ransomware campaigns, including the access broker tracked as Storm-1674 have used sophisticated red teaming tools, like TeamsPhisher, to distribute DarkGate malware and other malicious payloads over Teams. In December 2024, for example, Trend Micro reported an incident in which a threat actor impersonated a client during a Teams call to persuade a target to install AnyDesk. Remote access was reportedly then used also to deploy DarkGate. Threat actors may also just use Teams to gain initial access through drive-by-compromise activity to direct users to malicious websites.

Widely available admin tools, including AADInternals, could be leveraged to deliver malicious links and payloads directly into Teams. Teams branding (like any communications brand asset) makes for effective bait, and has been used by adversary-in-the-middle (AiTM) actors like Storm-00485. Threat actors could place malicious advertisements in search results for a spoofed app like Teams to misdirect users to a download site hosting credential-stealing malware. In July 2025, for instance, Malwarebytes reported observing a malvertising campaign delivering credential-stealing malware through a fake Microsoft Teams for Mac installer.

Whether it is a core app that is part of Teams, an app created by Microsoft, a partner app validated by Microsoft, or a custom app created by your own organization—no matter how secure an app—they could still be spoofed to gain a foothold in a network. And similar to leveraging a trusted brand like Teams, threat actors will also continue to try and take advantage of trusted relationships as well to gain Teams access, whether leveraging an account with access or abusing delegated administrator relationships to reach a target environment.

Persistence

Threat actors employ a variety of persistence techniques to maintain access to target systems—even after defenders attempt to regain control. These methods include abusing shortcuts in the Startup folder to execute malicious tools, or exploiting accessibility features like Sticky Keys (as seen in this ransomware case study). Threat actors could try to create guest users in target tenants or add their own credentials to a Teams account to maintain access.

Part of the reason device code phishing has been used to access target accounts is that it could enable persistent access for as long as the tokens remain valid. In February, Microsoft reported that Storm-2372 had been capturing authentication tokens by exploiting device code authentication flows, partially by masquerading as Microsoft Teams meeting invitations and initiating Teams chats to build rapport, so that when the targets were prompted to authenticate, they would use Storm-2372-generated device codes, enabling Storm-2372 to steal the authenticated sessions from the valid access tokens.

Teams phishing lures themselves can sometimes be a disguised attempt to help threat actors maintain persistence. For example, in July 2025, the financially motivated Storm-0324 most likely relied on TeamsPhisher to send Teams phishing lures to deliver a custom malware JSSloader for the ransomware operator Sangria Tempest to use as an access vector to maintain a foothold.

Execution

Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try and trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email.

Privilege escalation

If threat actors successfully compromise accounts or register actor-controlled devices, they often times  try to change permission groups to escalate privileges. If a threat actor successfully compromises a Teams admin role, this could lead to abuse of the permissions to use the admin tools that belong to that role.

Credential access

With a valid refresh token, actors can impersonate users through Teams APIs. There is no shortage of administrator tools that can be maliciously repurposed, such as AADInternals, to intercept access to tokens with custom phishing flows. Tools like TeamFiltration could be leveraged just like for any other Microsoft 365 service for targeting Teams. If credentials are compromised through password spraying, threat actors use tools like this to request OAuth tokens for Teams and other services. Threat actors continue to try and bypass multifactor authentication (MFA) by repeatedly generating authentication prompts until someone accepts by mistake, and try to compromise MFA by adding alternate phone numbers or intercepting SMS-based codes.

For instance, the financially motivated threat actor Octo Tempest uses aggressive social engineering, including over Teams, to take control of MFA for privileged accounts. They consistently socially engineer help desk personnel, targeting federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains to forge tokens.

Discovery

To refine targeting, threat actors analyze Teams configuration data from API responses, enumerate Teams apps if they obtain unauthorized access, and search for valuable files and directories by leveraging toolkits for contextualizing potential attack paths. For instance, Void Blizzard has used AzureHound to enumerate a compromised organization’s Microsoft Entra ID configuration and gather details on users, roles, groups, applications, and devices. In a small number of compromises, the threat actor accessed Teams conversations and messages through the web client. AADInternals can also be used to discover Teams group structures and permissions.

The state-sponsored actor Peach Sandstorm has delivered malicious ZIP files through Teams, then used AD Explorer to take snapshots of on-premises Active Directory database and related files.

Lateral movement

A threat actor that manages to obtain Teams admin access (whether directly or indirectly by purchasing an admin account through a rogue online marketplace) could potentially leverage external communication settings and enable trust relationships between organizations to move laterally. In late 2024, in a campaign dubbed VEILdrive by Hunters’ Team AXON, the financially motivated cybercriminal threat actors Sangria Tempest and Storm-1674 used previously compromised accounts to impersonate IT personnel and convince a user in another organization through Teams to accept a chat request and grant access through a remote connection.

Collection

Threat actors often target Teams to try and collect information from it that could help them to accomplish their objectives, such as to discover collaboration channels or high-privileged accounts. They could try to mine Teams for any information perceived as useful in furtherance of their objectives, including pivoting from a compromised account to data accessible to that user from OneDrive or SharePoint. AADInternals can be used to collect sensitive chat data and user profiles. Post-compromise, GraphRunner can leverage the Microsoft Graph API to search all chats and channels and export Teams conversations.

Command and control

Threat actors attempt to deliver malware through file attachments in Teams chats or channels. A cracked version of Brute Ratel C4 (BRc4) includes features to establish C2 channels with platforms like Microsoft Teams by using their communications protocols to send and receive commands and data.

Post-compromise, threat actors can use red teaming tool ConvoC2 to send commands through Microsoft Teams messages using the Adaptive Card framework to embed data in hidden span tags and then exfiltrate using webhooks. But threat actors can also use legitimate remote access tools to try and establish interactive C2 through Teams.

Exfiltration

Threat actors may use Teams messages or shared links to direct data exfiltration to cloud storage under their control. Tools like TeamFiltration include an exfiltration module that rely on a valid access token to then extract recent contacts and download chats and files through OneDrive or SharePoint.

Impact

Threat actors try to use Teams messages to support financial theft through extortion, social engineering, or technical means.

Octo Tempest has used communication apps, including Teams to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics. After gaining control of MFA through social engineering password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.

Mitigation and protection guidance

Strengthen identity protection

• Enable sign-in and user risk policies in Microsoft Entra ID Protection. Enforce access controls based on sign-in risk. Users must be registered for Microsoft Entra multifactor authentication before sign-in risk policies can be triggered.
• Configure just-in-time access to privileged roles. Use Microsoft Entra Privileged Identity Management (PIM) (preview) to provide as-needed and just-in-time access to Microsoft 365 roles to reduce standing privileges and limit exposure.

Harden endpoint security

• Use configuration analyzer to strengthen security posture. Identify and remediate security policies that are less secure than the Standard or Strict protection profiles in preset security policies.
• Keep Teams clients, browsers, OS, and dependencies updated.
• Enable network protection and web protection capability in Defender for Endpoint.
• Enable cloud-delivered protection in Defender Antivirus. Cloud-delivered protection enables sharing detection status between Microsoft 365 and Defender for Endpoint. Real-time protection blocking, including on-access scanning, is not availablewhen Defender Antivirus is running only in passive mode. You can turn on endpoint detection and response (EDR) in block mode even if Defender Antivirus isn’t your primary antivirus solution. EDR in block mode detects and remediates malicious items on the device post-breach.
• Protect security settings from being disabled or changed with tamper protection.
• Require device compliance policies with Conditional Access. Enhance conditional access, to the extent available, with real-time enforcement through Continuous Access Evaluation (CAE), so that user session revocation is enforced in near-real time. Teams is supported as a cloud app in Microsoft Entra, so that conditional access policies apply when a user signs in. The Teams desktop application supports AppLocker, but we recommend using App Control, if feasible. Use Defender for Endpoint to enforce device compliance with Microsoft Intune.
• If your organization utilizes another remote support tool such as Remote Help, disable or remove Quick Assist as a best practice, if it isn’t used within your environment.
• Understand and use attack surface reduction capabilities in your environment to prevent common techniques used in combination with Teams threat activity as part of your first line of defense.
  • Block Win32 API calls from Office macros
  • Block Office applications from injecting code into other processes
  • Block Office applications from creating executable content
  • Block all Office applications from creating child processes
  • Block credential stealing from the Windows local security authority subsystem
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block execution of potentially obfuscated scripts
  • Block persistence through WMI event subscription
  • Block process creations originating from PSExec and WMI commands
  • Block use of copied or impersonated system tools
  • Block JavaScript or VBScript from launching downloaded executable content
  • Use advanced protection against ransomware

Secure Teams clients and apps

Implementing some of these recommendations will require Teams Administrator permissions.

• Follow the Microsoft Teams recommendations on Microsoft Secure Score.
• Manage Teams for iOS and Android with Microsoft Intune.
  • Apply app-based Conditional Access.
  • Create Intune app protection policies
• Configure Teams protection in Defender for Office 365.
  • Turn on Safe Attachments.
  • Set up Safe Links policies.
  • Use SharePoint Online PowerShell to prevent users from downloading malicious files.
  • Use the Defender portal (or PowerShell) to create an alert policy for detected files.
  • Configure Zero-hour auto purge (ZAP). ZAP can retroactively detect existing malicious chat messages in Teams. Set the quarantine policy that is used for detections.
• Secure external access to Teams with Microsoft Entra ID.
• Manage guest access in Teams.
• Manage call settings in Teams. Inbound calls originating from the Public Switched Telephone Network (PSTN) on a tenant global level can be blocked.
• Use meeting and event policies to control the features that are available to organizers and participants.
• Use the Teams admin center or PowerShell to require anonymous users and people from untrusted organizations to complete a verification check before joining the meeting. 
• Control access to meetings with lobby policies (who can bypass it and eligibility for admitting participants).
• Manage who can present and request control to generally prevent external users by default without business justification from being able to automatically request control over a shared window or screen.
• Manage Teams recording policies for meetings and events (as well as for town halls).
• Manage external meetings and chat.
  • Specify which types of external meetings and chat to allow and which users should have access to these features. You can change the default setting to limit external access to only allowed domains or block specific domains and subdomains. By blocking external communication with trial-only tenants, users that do not have any purchased seats are not able to search and contact your users via chat, Teams calls, and meetings.
  • You can prevent users that are not managed by an organization from starting conversations or prevent chat with them. If you choose to allow anonymous users in your environment, you can verify their identities by email code to join meetings (Premium).
• Monitor Teams activities using activity policies in Defender for Cloud Apps. If external users are enabled, you can monitor their presence. Defender for Cloud Apps integrates directly with Microsoft 365 audit logs. Office 365 Cloud Apps Security has access to the features of Defender for Cloud Apps to support the Office 365 app connector.
  • Specify which users and groups can use Microsoft Teams apps or a copilot agent and control it on a per-app basis. You can change the default setting letting users install apps by default. Evaluate the compliance, security, and data handling information of an app and also understand the permissions requested by the app before you allow an app to be used.

Protect sensitive data

• Use meeting templates, sensitivity labels, and admin policies together for sensitive meetings.
  • Teams data is encrypted in transit and at rest in Microsoft services, between services, and between clients and services. For heightened confidentiality, you can also use end-to-end encryption in advanced meeting protection that is available with the Teams Premium add-on license. This encrypts audio, video, and video-based screen sharing at its origin and decrypts it at its destination.
  • You can use end-to-end encryption for up to 200 meeting participants and turn off the ability to copy and paste from meeting chats. The Premium add-on license may be required to prevent users from sharing sensitive information when attending external meetings and restrict recording to organizers in meetings with sensitive information.
• Block chats and channel messages that contain sensitive information with Microsoft Purview Data Loss Prevention (DLP) for Teams.
• Manage sharing settings for SharePoint and OneDrive.

Raise awareness

• Get started using attack simulation training. The Teams attack simulation training is currently in private preview. Build organizational resilience by raising awareness of QR code phishing, deepfakes including voice, and about protecting your organization from tech support and ClickFix scams.
• Train developers to follow best practices when working with the Microsoft Graph API. Apply these practices when detecting, defending against, and responding to malicious techniques targeting Teams.
  • Using server-side code to make Graph API calls that require access tokens helps protect against token interception or leakage. We recommend using the most secure authentication flow available. For more information, see Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials.
• Learn more about some of the frequent initial access threats impacting SharePoint servers. SharePoint is a front end for Microsoft Teams and an attractive target.

Configure detection and response

• Verify the auditing status of your organization in Microsoft Purview to make sure you can investigate incidents. In Threat Explorer, Content malware includes files detected by Safe Attachments for Teams, and URL clicks include all user clicks in Teams.
• Customize how users report malicious messages, and then view and triage them.
  • Security Operations (SecOps) should be enabled to proactively manage false negatives and false positives, and to hunt for threats and detections. They should triage and investigate from the Defender XDR incidents queue in the Defender portal.
  • If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal. We encourage you to submit user reported Teams messages to Microsoft here.
• Search the audit log for events in Teams.
  • Refer to the table listing the Microsoft Teams activities logged in the Microsoft 365 audit log. With the Office 365 Management Activity API, you can retrieve information about user, admin, system, and policy actions and events including from Entra activity logs.
• Familiarize yourself with relevant advanced hunting schema and available tables.
  • Advanced hunting supports guided and advanced modes. You can use the advanced hunting queries in the advanced hunting section to hunt with these tables for Teams-related threats.
  • Several tables covering Teams-related threats are available in preview and populated by Defender for Office 365, including MessageEvents, MessagePostDeliveryEvents, MessageUrlInfo, and UrlClickEvents. These tables provide visibility into ZAP events and URLs in Teams messages, including allowed or blocked URL clicks in Teams clients. You can join these tables with others to gain more comprehensive insight into the progression of the attack chain and end-to-end threat activity.
• Connect Microsoft 365 to Microsoft Defender for Cloud Apps.
  • To hunt for Teams messages without URLs, use the CloudAppEvents table, populated by Defender for Cloud Apps. This table also includes chat monitoring events, meeting and Teams call tracking, and behavioral analytics. To make sure advanced hunting tables are populated by Defender for Cloud Apps data, go to the Defender portal and select Settings > Cloud apps > App connectors. Then, in the Select Microsoft 365 components page, select the Microsoft 365 activities checkbox. Control Microsoft 365 with built-in policies and policy templates to detect and notify you about potential threats.
• Create Defender for Cloud Apps threat detection policies.
  • Many of the detection types enabled by default apply to Teams and do not require custom policy creation, including sign-ins from geographically distant locations in a short time, access from a country not previously associated with a user, unexpected admin actions, mass downloads, activity from anonymous IP addresses, or from a device flagged as malware-infected by Defender for Endpoint, as well as Oauth app abuse (when app governance is turned on).
  • Defender for Cloud Apps enables you to identify high-risk use and cloud security issues, detect abnormal user behavior, and prevent threats in your sanctioned cloud apps. You can integrate Defender for Cloud Apps with Microsoft Sentinel (preview) or use the supported APIs.
• Detect and remediate illicit consent grants in Microsoft 365.
  • Refer to the compromised and malicious applications incident response playbook. This playbook includes relevant guidance for identifying and investigating malicious activity on third-party apps installed in Teams, custom apps using the Graph API for Teams, or OAuth abuse involving Teams permissions.
• Discover and enable the Microsoft Sentinel data lake in Defender XDR. Sentinel data lake brings together security logs from data sources like Microsoft Defender and Microsoft Sentinel, Microsoft 365, Microsoft Entra ID, Purview, Intune, Microsoft Resource Graph, firewall and network logs, identity and access logs, DNS, plus sources from hundreds of connectors and solutions, including Microsoft Defender Threat Intelligence. Advanced hunting KQL queries can be run directly on the data lake. You can analyze the data using Jupyter notebooks.

Microsoft Defender detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender XDR

The following alerts might indicate threat activity associated with this threat.

• Malicious sign in from a risky IP address
• Malicious sign in from an unusual user agent
• Account compromised following a password-spray attack
• Compromised user account identified in Password Spray activity
• Successful authentication after password spray attack
• Password Spray detected via suspicious Teams client (TeamFiltration)

Microsoft Entra ID Protection

Any type of sign-in and user risk detection might also indicate threat activity associated with this threat. An example is listed below. These alerts, however, can be triggered by unrelated threat activity.

• Impossible travel
• Anomalous Microsoft Teams login from web client

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat.

• Suspicious module loaded using Microsoft Teams

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Suspicious usage of remote management software

Microsoft Defender for Office 365

The following alerts might indicate threat activity associated with this threat.

• Malicious link shared in Teams chat
• User clicked a malicious link in Teams chat

When Microsoft Defender for Cloud Apps is enabled, the following alert might indicate threat activity associated with this threat.

• Potentially Malicious IT Support Teams impersonation post mail bombing

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• A potentially malicious URL click was detected
• Possible AiTM phishing attempt

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Account enumeration reconnaissance
• Suspicious additions to sensitive groups
• Account Enumeration reconnaissance (LDAP)

Microsoft Defender for Cloud Apps

The following alerts might indicate threat activity associated with this threat.

• Consent granted to application with Microsoft Teams permissions
• Risky user installed a suspicious application in Microsoft Teams
• Compromised account signed in to Microsoft Teams
• Microsoft Teams chat initiated by a suspicious external user
• Suspicious Teams access via Graph API

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Possible mail exfiltration by app

Microsoft Security Copilot

Microsoft Security Copilot customers can use the Copilot in Defender embedded experience to check the impact of this report and get insights based on their environment’s highest exposure level in Threat analytics, Intel profiles, Intel Explorer and Intel projects pages of the Defender portal.

You can also use Copilot in Defender to speed up analysis of suspicious scripts and command lines by inspecting them below the incident graph on an incident page and in the timeline on the Device entity page without using external tools.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Technique Profile: Threats targeting Microsoft Teams

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal, which include Microsoft Defender XDR and various Microsoft security services.

After onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration Kusto Query Language (KQL) queries in the Defender portal. For more information, see KQL queries in the Microsoft Sentinel data lake.

You can design and tweak custom detection rules using the advanced hunting queries and set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. You can also link the generated alert to this report so that it appears in the Related incidents tab in threat analytics. Custom detection rule can automatically take actions on devices, files, users, or emails that are returned by the query. To make sure you’re creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules.

Detect potential data exfiltration from Teams

let timeWindow = 1h; 
let messageThreshold = 20; 
let trustedDomains = dynamic(["trustedpartner.com", "anothertrusted.com"]); 
CloudAppEvents 
| where Timestamp > ago(1d) 
| where ActionType == "MessageSent" 
| where Application == "Microsoft Teams" 
| where isnotempty(AccountObjectId)
| where tostring(parse_json(RawEventData).ParticipantInfo.HasForeignTenantUsers) == "true" 
| where tostring(parse_json(RawEventData).CommunicationType) in ("OneOnOne", "GroupChat") 
| extend RecipientDomain = tostring(parse_json(RawEventData).ParticipantInfo.ParticipatingDomains[1])
| where RecipientDomain !in (trustedDomains) 
| extend SenderUPN = tostring(parse_json(RawEventData).UserId)
| summarize MessageCount = count() by bin(Timestamp, timeWindow), SenderUPN, RecipientDomain
| where MessageCount > messageThreshold 
| project Timestamp, MessageCount, SenderUPN, RecipientDomain
| sort by MessageCount desc  

Detect mail bombing that sometimes precedes technical support scams on Microsoft Teams

EmailEvents 
   | where Timestamp > ago(1d) 
   | where DetectionMethods contains "Mail bombing" 
   | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId

Detect malicious Teams content from MessageEvents

MessageEvents 
   | where Timestamp > ago(1d) 
   | where ThreatTypes has "Phish"                
       or ThreatTypes has "Malware"               
       or ThreatTypes has "Spam"                    
   | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId

Detect communication with external help desk/support representatives

MessageEvents  
| where Timestamp > ago(5d)  
 | where IsExternalThread == true  
 | where (RecipientDetails contains "help" and RecipientDetails contains "desk")  
	or (RecipientDetails contains "it" and RecipientDetails contains "support")  
	or (RecipientDetails contains "working" and RecipientDetails contains "home")  
	or (SenderDisplayName contains "help" and SenderDisplayName contains "desk")  
	or (SenderDisplayName contains "it" and SenderDisplayName contains "support")  
	or (SenderDisplayName contains "working" and SenderDisplayName contains "home")  
 | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType

Expand detection of communication with external help desk/support representatives by searching for linked process executions

let portableExecutable  = pack_array("binary.exe", "portable.exe"); 
let timeAgo = ago(30d);
MessageEvents
  | where Timestamp > timeAgo
  | where IsExternalThread == true
  | where (RecipientDetails contains "help" and RecipientDetails contains "desk")
      or (RecipientDetails contains "it" and RecipientDetails contains "support")
      or (RecipientDetails contains "working" and RecipientDetails contains "home")
  | summarize spamEvent = min(Timestamp) by SenderEmailAddress
  | join kind=inner ( 
      DeviceProcessEvents  
      | where Timestamp > timeAgo
      | where FileName in (portableExecutable)
      ) on $left.SenderEmailAddress == $right.InitiatingProcessAccountUpn 
  | where spamEvent < Timestamp

Surface Teams threat activity using Microsoft Security Copilot

Microsoft Security Copilot in Microsoft Defender comes with a query assistant capability in advanced hunting. You can also run the following prompt in Microsoft Security Copilot pane in the Advanced hunting page or by reopening Copilot from the top of the query editor:

Show me recent activity in the last 7 days that matches attack techniques described in the Microsoft Teams technique profile. Include relevant alerts, affected users and devices, and generate advanced hunting queries to investigate further.

Microsoft Sentinel

Possible Teams phishing activity

This query specifically monitors Microsoft Teams for one-on-one chats involving impersonated users (e.g., 'Help Desk', 'Microsoft Security').

let suspiciousUpns = DeviceProcessEvents
    | where DeviceId == "alertedMachine"
    | where isnotempty(InitiatingProcessAccountUpn)
    | project InitiatingProcessAccountUpn;
    CloudAppEvents
    | where Application == "Microsoft Teams"
    | where ActionType == "ChatCreated"
    | where isempty(AccountObjectId)
    | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
    | where RawEventData.CommunicationType == "OneonOne"
    | where RawEventData.ParticipantInfo.HasGuestUsers == false
    | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
    | where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
    | where AccountId has "@"
    | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
    | where TargetUPN in (suspiciousUpns)

Files uploaded to Teams and access summary

This query identifies files uploaded to Microsoft Teams chat files and their access history, specifically mentioning operations from SharePoint. It allows tracking of potential file collection activity through Teams-related storage.

OfficeActivity 
    | where RecordType =~ "SharePointFileOperation"
    | where Operation =~ "FileUploaded" 
    | where UserId != "app@sharepoint"
    | where SourceRelativeUrl has "Microsoft Teams Chat Files" 
    | join kind= leftouter ( 
       OfficeActivity 
        | where RecordType =~ "SharePointFileOperation"
        | where Operation =~ "FileDownloaded" or Operation =~ "FileAccessed" 
        | where UserId != "app@sharepoint"
        | where SourceRelativeUrl has "Microsoft Teams Chat Files" 
    ) on OfficeObjectId 
    | extend userBag = bag_pack(UserId1, ClientIP1) 
    | summarize make_set(UserId1, 10000), make_bag(userBag, 10000) by TimeGenerated, UserId, OfficeObjectId, SourceFileName 
    | extend NumberUsers = array_length(bag_keys(bag_userBag))
    | project timestamp=TimeGenerated, UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers
    | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
    | extend Account_0_Name = AccountName
    | extend Account_0_UPNSuffix = AccountUPNSuffix

References

• A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist (Sophos)
• convoC2 (Cxnuri0n)
• EvilSlackbot (Drew-Sec)
• Fake Microsoft Teams Emails Phish for Credentials (Dark Reading)
• Fake Microsoft Teams for Mac delivers Atomic Stealer (Malwarebytes)
• GraphRunner (Dafthack)
• Inside the Microsoft Teams attack matrix: unpacking the frontier in collaboration threats (Cyberdom)
• Microsoft 365 Attack Surfaces: Elevation of Privilege Vulnerabilities (CoreView)
• Microsoft 365 secure configuration baselines (CISA)
• MSFT-Recon-RS (Copyleftdev)
•  Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation (eSentire)
• Playing for the wrong team: dangerous functionalities in Microsoft Teams enable phishing and malware delivery by attackers (Proofpoint)
• Signed. Sideloaded. Compromised! (Ontinue)
• Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” (Sophos)
• TeamsEnum (Secure Systems Engineering)
• TeamsPhisher (Octoberfest7)
• Thinking Outside the Mailbox: Modernized Phishing Techniques (Praetorian)
• Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2 (Hunters)
• Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion (Trend Micro)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out ff

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Disrupting threats targeting Microsoft Teams appeared first on Microsoft Security Blog.

Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift. Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.

Storm-0501’s targeting is opportunistic. The threat actor initially deployed Sabbath ransomware in an attack against United States school districts in 2021. In November 2023, the actor targeted the healthcare sector. Over the years, the actor switched ransomware payloads multiple times, using Embargo ransomware in 2024 attacks.

In September 2024, we published a blog detailing how Storm-0501 extended its on-premises ransomware operations into hybrid cloud environments. The threat actor gained a foothold by compromising Active Directory environments and then pivoted to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges. The impact phase of these attacks took one of two forms: implanting backdoors in Entra ID tenant configurations using maliciously added federated domains to allow sign-in as nearly any user or deploying on-premises ransomware to encrypt endpoints and servers, eventually demanding ransom for the decryption keys.

Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows. They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals.

In this blog post, we describe the impact of a recent Storm-0501 attack on a compromised cloud environment. We trace how the threat actor achieved cloud-based ransomware impact through cloud privilege escalation, taking advantage of protection and visibility gaps across the compromised environment, and pivoting from on-premises to cloud pivots. Understanding how such attacks are conducted is critical in protecting cloud environments. Below we share protection and mitigation recommendations, including strengthening protections for cloud identities and cloud resources, and detection guidance across Microsoft security solutions to help organizations harden their networks against these attacks.

On-premises compromise and pivot to the cloud

In a recent campaign, Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain. These domains are interconnected through domain trust relationships, enabling cross-domain authentication and resource access.

The cloud environment mirrors this complexity. Different subsidiaries maintain separate Microsoft Azure tenants, with varying Microsoft Defender product coverage. Notably, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license. This fragmented deployment created visibility gaps across the environment.

Active Directory domains were synchronized to several Entra ID tenants using Entra Connect Sync servers. In some cases, a single domain was synced to more than one tenant, further complicating identity management and monitoring. For clarity, this blog focuses on the two tenants impacted by the attack: one where on-premises activity was observed, and another where cloud-based activity occurred.

On-premises activity

For the purposes of this blog, we focus our analysis on the post-compromise phase of the on-premises attack, meaning that the threat actor had already achieved domain administrator privileges in the targeted domain. Read our previous blog for a more comprehensive overview of Storm-0501 tactics in on-premises environments.

The limited deployment of Microsoft Defender for Endpoint across the environment significantly hindered detection. Of the multiple compromised domains, only one domain had significant Defender for Endpoint deployment, leaving portions of the network unmonitored. On the few onboarded devices where Storm-0501 activity was observed, we noted that the threat actor conducted reconnaissance before executing malicious actions. Specifically, the threat actor used the following commands:

sc query sense
sc query windefend

The threat actor checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems. This highlights the importance of comprehensive endpoint coverage.

Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that utilizes PowerShell over Windows Remote Management (WinRM) for remote code execution. The abovementioned commands were executed over sessions initiated with the tool, as well as discovery using other common native Windows tools and commands such as quser.exe and net.exe. Earlier in the attack, the threat actor had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint. We assess that this server served as a pivot point, with the threat actor establishing a tunnel to move laterally within the network.

The threat actor also performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts. This technique is often used to extract credentials without triggering traditional authentication-based alerts.

Pivot to the cloud

Following the on-premises compromise of the first tenant, the threat actor leveraged the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant. This reconnaissance was performed using AzureHound, a tool designed to map relationships and permissions in Azure environments and consequently find potential attack paths and escalations.

Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multifactor authentication (MFA) requirements. This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions.

Undeterred, Storm-0501 shifted tactics. Leveraging their foothold in the Active Directory environment, they traversed between Active Directory domains and eventually moved laterally to compromise a second Entra Connect server associated with different Entra ID tenant and Active Directory domain. The threat actor extracted the Directory Synchronization Account to repeat the reconnaissance process, this time targeting identities and resources in the second tenant.

Identity escalation

As a result of the discovery phase where the threat actor leveraged on-premises control to pivot across Active Directory domains and vastly enumerate cloud resources, they gained critical visibility of the organization’s security posture. They then identified a non-human synced identity that was assigned with the Global Administrator role in Microsoft Entra ID on that tenant. Additionally, this account lacked any registered MFA method. This enabled the threat actor to reset the user’s on-premises password, which shortly after was then legitimately synced to the cloud identity of that user using the Entra Connect Sync service. We identified that that password change was conducted by the Entra Connect’s Directory Synchronization Account (DSA), since the Entra Connect Sync service was configured on the most common mode Password-Hash Synchronization (PHS). Consequently, the threat actor was able to authenticate against Entra ID as that user using the new password.

Since no MFA was registered to that user, after successfully authenticating using the newly assigned password, the threat actor was redirected to simply register a new MFA method under their control. From then on, the compromised user had a registered MFA method that enabled the threat actor to meet MFA conditions and comply with the customer’s Conditional Access policies configuration per resource.

To access the Azure portal using the compromised Global Admin account, the threat actor had to bypass one more condition that was enforced by Conditional Access policies for that resource, which require authentication to occur from a Microsoft Entra hybrid joined device. Hybrid joined devices are devices that are joined to both the Active Directory domain and Entra ID. We observed failed authentication attempts coming from company devices that are either domain-joined or Entra-joined devices that did not meet the Conditional Access condition. The threat actor had to move laterally between different devices in the network, until we observed a successful sign-in to the Azure portal with the Global Admin account coming from a server that was hybrid joined.

From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud.

Cloud identity compromise: Entra ID

Cloud persistence

Following successful authentication as a Global Admin to the tenant, Storm-0501 immediately established a persistence mechanism. As was seen in the threat actor’s previous activity, Storm-0501 created a backdoor using a maliciously added federated domain, enabling them to sign in as almost any user, according to the ImmutableId user property. The threat actor leveraged the Global Administrator Entra role privileges and the AADInternals tool to register a threat actor-owned Entra ID tenant as a trusted federated domain by the targeted tenant. To establish trust between the two tenants, a threat actor-generated root certificate is provided to the victim tenant, which in turn is used to allow authentication requests coming from the threat actor-owned tenant. The backdoor enabled Storm-0501 to craft security assertion markup language (SAML) tokens applicable to the victim tenant, impersonating users in the victim tenant while assuming the impersonated user’s Microsoft Entra roles.

Cloud compromise: Azure

Azure initial access and privilege escalation

A tenant’s Entra ID and Azure environments are intertwined. And since Storm-0501 gained top-level Entra ID privileges, they could proceed to their final goal, which was to use cloud-based ransomware tactics for monetary gain. To achieve this goal, they had to find the organization’s valuable data stores, and these were residing in the cloud: in Azure.

Because they had compromised a user with the Microsoft Entra Global Administrator role, the only operation they had to do to infiltrate the Azure environment was to elevate their access to Azure resources. They elevated their access to Azure resources by invoking the Microsoft.Authorization/elevateAccess/action operation. By doing so, they gained the User Access Administrator Azure role over all the organization’s Azure subscriptions, including all the valuable data residing inside them.

To freely operate within the environment, the threat actor assigned themselves the Owner Azure role over all the Azure subscriptions available by invoking the Microsoft.Authorization/roleAssignments/write operation.

Discovery

After taking control over the organization’s Azure environment, we assess that the threat actor initiated a comprehensive discovery phase using various techniques, including the usage of the AzureHound tool, where they attempted to locate the organization’s critical assets, including data stores that contained sensitive information, and data store resources that are meant to back up on-premises and cloud endpoint devices. The threat actor managed to map out the Azure environment, including the understanding of existing environment protections, such as Azure policies, resource locks, Azure Storage immutability policies, and more.

Defense evasion

The threat actor then targeted the organization’s Azure Storage accounts. Using the public access features in Azure Storage, Storm-0501 exposed non-remotely accessible accounts to the internet and to their own infrastructure, paving the way for data exfiltration phase. They did this by utilizing the public access features in Azure Storage. To modify the Azure Storage account resources, the threat actor abused the Azure Microsoft.Storage/storageAccounts/write operation.

Credential access

For Azure Storage accounts that have key access enabled, the threat actor abused their Azure Owner role to access and steal the access keys for them by abusing the Azure Microsoft.Storage/storageAccounts/listkeys/action operation.

Exfiltration

After exposing the Azure Storage accounts, the threat actor exfiltrated the data in these accounts to their own infrastructure by abusing the AzCopy Command-line tool (CLI).

Impact

In on-premises ransomware, the threat actor typically deploys malware that encrypts crucial files on as many endpoints as possible, then negotiates with the victim for the decryption key. In cloud-based ransomware attacks, cloud features and capabilities give the threat actor the capability to quickly exfiltrate and transmit large amounts of data from the victim environment to their own infrastructure, destroy the data and backup cloud resources in the victim cloud environment, and then demand the ransom.

After completing the exfiltration phase, Storm-0501 initiated the mass-deletion of the Azure resources containing the victim organization data, preventing the victim from taking remediation and mitigation action by restoring the data. They do so by abusing the following Azure operations against multiple Azure resource providers:

• Microsoft.Compute/snapshots/delete – Deletes Azure Snapshot, a read-only, point-in-time copy of an Azure VM’s disk (VHD), capturing its state and data at a specific moment, that exists independently from the source disk and can be used as a backup or clone of that disk.
• Microsoft.Compute/restorePointCollections/delete  – Deletes the Azure VM Restore Point, which stores virtual machines (VM) configuration and point-in-time application-consistent snapshots of all the managed disks attached to the VM.
• Microsoft.Storage/storageAccounts/delete – Deletes the Azure storage account, which contains and organization’s Azure Storage data objects: blobs, files, queues, and tables. In all of Storm-0501 Azure campaigns we investigated, this is where they mainly focused, deleting as many Azure Storage account resources as possible in the environment.
• Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete – Deletes an Azure recovery services vault protection container. A protection container is a logical grouping of resources (like VMs or workloads) that can be backed up together, within the Recovery Services vault.

During the threat actor’s attempts to mass-delete the data-stores/housing resources, they faced errors and failed to delete some of the resources due to the existing protections in the environment. These protections include Azure resource locks and Azure Storage immutability policies. They then attempted to delete these protections using the following operations:

• Microsoft.Authorization/locks/delete – Deletes Azure resource locks, which are used to prevent accidental user deletion and modification of Azure subscriptions, resource groups, or resources. The lock overrides any user permission.
• Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete – Deletes Azure storage immutability policies, which protect blob data from being overwritten or deleted.

After successfully deleting multiple Azure resource locks and Azure Storage immutability policies, the threat actor continued the mass deletion of the Azure data stores, successfully erasing resources in various Azure subscriptions. For resources that remained protected by immutability policies, the actor resorted to cloud-based encryption.

To perform cloud-based encryption, Storm-0501 created a new Azure Key Vault and a new Customer-managed key inside the Key Vault, which is meant to be used to encrypt the left Azure Storage accounts using the Azure Encryption scopes feature:

• Microsoft.KeyVault/vaults/write – Creates or modifies an existing Azure Key Vault. The threat actor creates a new Azure key vault to host the encryption key.
• Microsoft.Storage/storageAccounts/encryptionScopes/write – Creates or modifies Azure storage encryption scopes, which manage encryption with a key that is scoped to a container or an individual blob. When you define an encryption scope, you can specify whether the scope is protected with a Microsoft-managed key or with a customer-managed key that is stored in Azure Key Vault.

The threat actor abused the Azure Storage encryption scopes feature and encrypted the Storage blobs in the Azure Storage accounts. This wasn’t sufficient, as the organization could still access the data with the appropriate Azure permissions. In attempt to make the data inaccessible, the actor deletes the key that is used for the encryption. However, it’s important to note that Azure Key vaults and keys that are used for encryption purposes are protected by the Azure Key Vault soft-delete feature, with a default period of 90 days, which allows the user to retrieve the deleted key/vault from deletion, preventing cloud-based encryption for ransomware purposes.

After successfully exfiltrating and destroying the data within the Azure environment, the threat actor initiated the extortion phase, where they contacted the victims using Microsoft Teams using one of the previously compromised users, demanding ransom.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks to escalate privileges. Additionally, a new version released in May 2025 introduces modern authentication, allowing customers to configure application-based authentication for enhanced security (currently in public preview). It is also important to enable Trusted Platform Module (TPM) on the Entra Connect Sync server to securely store sensitive credentials and cryptographic keys, mitigating Storm-0501’s credential extraction techniques.

The techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

Protecting on-premises

• Turn on tamper protection features to prevent threat actors from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
• Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
• Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Protecting cloud identities

• Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID and Azure environments to slow or stop threat actors.
• Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
  • Set a Conditional Access policy to limit the access of Microsoft Entra ID Directory Synchronization Accounts (DSA) from untrusted IP addresses to all cloud apps.  Please refer to the advanced hunting section and check the relevant query to get those IP addresses.
  • For Entra Connect Sync servers using application-based authentication, use Conditional Access for workload identities to restrict the application’s service principal from similar unauthorized access.
• Ensure multifactor authentication (MFA) requirement for all users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.
  • Ensure phishing-resistant multifactor authentication strength is required for Administrators.
  • Ensure Microsoft Azure overprovisioned identities should have only the necessary permissions.
• Ensure separate user accounts and mail forwarding for Global Administrator accounts. Global Administrator (and other privileged groups) accounts should be cloud-native accounts with no ties to on-premises Active Directory. See other best practices for using Privileged roles here.
• Ensure all existing privileged users have an already registered MFA method to protect against malicious MFA registrations
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Entra ID environment.
• Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID Directory Synchronization Account and all other users.
• Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID. This enhances protection against federated domains attacks.
• Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
• If only Microsoft Entra ID performs MFA for a federated domain, set federatedIdpMfaBehavior to rejectMfaByFederatedIdp to prevent bypassing MFA CAPs.
• Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based Conditional Access policies to remediate risky sign-ins.

Protecting cloud resources

• Use solutions like Microsoft Defender for Cloud to protect your cloud resources and assets from malicious activity, both in posture management, and threat detection capabilities.
• Enable Microsoft Defender for Resource Manager as part of Defender for Cloud to automatically monitor the resource management operations in your organization. Defender for Resource Manager runs advanced security analytics to detect threats and alerts you about suspicious activity.
  • Enabling Defender for Resource Manager allows users to investigate Azure management operations within the Defender XDR, using the advanced hunting experience.
• Utilize the Azure Monitor activity log to investigate and monitor Azure management events.
• Utilize Azure policies for Azure Storage to prevent network and security misconfigurations and maximize the protection of business data stored in your storage accounts.
• Implement Azure Blog Storage security recommendations for enhanced data protection.
• Utilize the options available for data protection in Azure Storage.
• Enable immutable storage for Azure Blob Storage to protect from accidental or malicious modification or deletion of blobs or storage accounts.
• Apply Azure Resource Manager locks to protect from accidental or malicious modifications or deletions of storage accounts.
• Enable Azure Monitor for Azure Blob Storage to collect, aggregate, and log data to enable recreation of activity trails for investigation purposes when a security incident occurs or network is compromised.
• Enabled Microsoft Defender for Storage using a built-in Azure policy.
• After enabling Microsoft Defender for Storage as part of Defender for Cloud, utilize the CloudStorageAggregatedEvents (preview) table in advanced hunting to proactively hunt for storage malicious activity.
• Enable Azure blob backup to protect from accidental or malicious deletions of blobs or storage accounts.
• Apply the principle of least privilege when authorizing access to blob data in Azure Storage using Microsoft Entra and RBAC and configure fine-grained Azure Blob Storage access for sensitive data access through Azure ABAC.
• Use private endpoints for Azure Storage account access to disable public network access for increased security.
• Avoid using anonymous read access for blob data.
• Enable purge protection in Azure Key Vaults to prevent immediate, irreversible deletion of vaults and secrets. Use the default retention interval of 90 days.
• Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes when a security incident occurs or network is compromised.
• Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines, and to create recovery points that are stored in geo-redundant recovery vaults.

General hygiene recommendations

• Utilize Microsoft Security Exposure Management, available in the Microsoft Defender portal, with capabilities such as critical asset protection and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Storm-0501 hybrid attack tactics. In this case, each of the critical assets involved – Entra Connect server, users with DCSync permissions, Global Administrators – can be identified by relevant alerts and recommendations.
• Investigate on-premises and hybrid Microsoft Security Exposure Management attack paths. Security teams can use attack path analysis to trace cross-domain threats that exploit the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard in Microsoft Security Exposure Management to highlight entities appearing in multiple paths.
• Utilize the Critical asset management capability in Microsoft Security Exposure Management by configuring your own custom queries to pinpoint your organization’s business-critical assets according to your needs, such as business-critical Azure Storage accounts.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Actor Profile: Storm-0501
• Activity Profile: Ransomware actor Storm-0501 expands to hybrid cloud environments

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Sign-in activity

Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related:

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

The activity of the sync account is typically repetitive, coming from the same IP address to the same application. Any deviation from the natural flow is worth investigating. Cloud applications that are usually accessed by the Microsoft Entra ID sync account are Microsoft Azure Active Directory Connect, Windows Azure Active Directory, and Microsoft Online Syndication Partner Portal.

Cloud activity

Explore the cloud activity (ActionType) of the sync account. Similar to sign-in activity, this account by nature performs a certain set of actions including update User., update Device., and so on. New and uncommon activity from this user might indicate an interactive use of the account, which could legitimate action from someone in the organization or malicious action by the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to action from different DeviceTypes or OSPlatforms, this account automated service is performed from one specific machine, so there shouldn’t be any variety in these fields.

Azure management events

Explore Azure management events by querying the new CloudAuditEvents table in advanced hunting in the Defender portal. The OperationName column indicates the type of control-plane event executed by the user.

let Storm0501Operations = dynamic([
//Microsoft.Authorization
"Microsoft.Authorization/elevateAccess/action",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/locks/delete",
//Microsoft.Storage
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete",
"Microsoft.Storage/storageAccounts/encryptionScopes/write",
//Microsoft.Compute
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/restorePointCollections/delete",
//Microsoft.RecoveryServices
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete",
//Microsoft.KeyVault
"Microsoft.KeyVault/vaults/write"
]);
CloudAuditEvents
| where Timestamp > ago(30d)
| where AuditSource == "Azure" and DataSource == "Azure Logs"
| where OperationName in~ (Storm0501Operations)
| extend EventName = RawEventData.eventName
| extend UserId = RawEventData.principalOid, ApplicationId = RawEventData.applicationId
| extend Status = RawEventData.status, SubStatus = RawEventData.subStatus
| extend Claims = parse_json(tostring(RawEventData.claims))
| extend UPN = Claims["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
| extend AuthMethods = Claims["http://schemas.microsoft.com/claims/authnmethodsreferences"]
| project-reorder ReportId, EventName, Timestamp, UPN, UserId, AuthMethods, IPAddress, OperationName, AzureResourceId, Status, SubStatus, ResourceId, Claims, ApplicationId

Exposure of resources and users

Explore Microsoft Security Exposure Management capabilities by querying the ExposureGraphNodes and ExposureGraphEdges tables in the advanced hunting in the Defender portal. By utilizing these tables, you can identify critical assets, including Azure Storage accounts that contain sensitive data or protected by an immutable storage policy. All predefined criticality rules can be found here: Predefined classifications

ExposureGraphNodes
| where NodeLabel =~ "microsoft.storage/storageaccounts"
// Criticality check
| extend CriticalityInfo = NodeProperties["rawData"]["criticalityLevel"]
| where isnotempty( CriticalityInfo)
| extend CriticalityLevel = CriticalityInfo["criticalityLevel"]
| extend CriticalityLevel = case(
            CriticalityLevel == 0, "Critical",
            CriticalityLevel == 1, "High",
            CriticalityLevel == 2, "Medium",
            CriticalityLevel == 3, "Low", "")
| extend CriticalityRules = CriticalityInfo["ruleNames"]
| extend StorageContainsSensitiveData = CriticalityRules has "Databases with Sensitive Data"
| extend ImmutableStorageLocked = CriticalityRules has "Immutable and Locked Azure Storage"
// Exposure check
| extend ExposureInfo = NodeProperties["rawData"]["exposedToInternet"]
| project-reorder NodeName, NodeId, CriticalityLevel, CriticalityRules, StorageContainsSensitiveData, ImmutableStorageLocked, ExposureInfo

The following query can identify critical users who are mainly assigned with privileged Microsoft Entra roles, including Global Administrator:

ExposureGraphNodes
| where NodeLabel =~ "user"
| extend UserId = NodeProperties["rawData"]["accountObjectId"]
| extend IsActive = NodeProperties["rawData"]["isActive"]
// Criticality check
| extend CriticalityInfo = NodeProperties["rawData"]["criticalityLevel"]
| where isnotempty(CriticalityInfo)
| extend CriticalityLevel = CriticalityInfo["criticalityLevel"]
| extend CriticalityLevel = case(
            CriticalityLevel == 0, "Critical",
            CriticalityLevel == 1, "High",
            CriticalityLevel == 2, "Medium",
            CriticalityLevel == 3, "Low", "")
| extend CriticalityRules = CriticalityInfo["ruleNames"]
| extend GlobalAdministrator = CriticalityRules has "Global Administrator"
| project-reorder NodeName, NodeId, UserId, IsActive, CriticalityLevel, CriticalityRules, GlobalAdministrator

Omri Refaeli, Karam Abu Hanna, and Alon Marom

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Storm-0501’s evolving techniques lead to cloud-based ransomware appeared first on Microsoft Security Blog.

North Korea has deployed thousands of remote IT workers to assume jobs in software and web development as part of a revenue generation scheme for the North Korean government. These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities.

Historically, North Korea’s fraudulent remote worker scheme has focused on targeting United States (US) companies in the technology, critical manufacturing, and transportation sectors. However, we’ve observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles. Since 2020, the US government and cybersecurity community have identified thousands of North Korean workers infiltrating companies across various industries.

Organizations can protect themselves from this threat by implementing stricter pre-employment vetting measures and creating policies to block unapproved IT management tools. For example, when evaluating potential employees, employers and recruiters should ensure that the candidates’ social media and professional accounts are unique and verify their contact information and digital footprint. Organizations should also be particularly cautious with staffing company employees, check for consistency in resumes, and use video calls to confirm a worker’s identity.

Microsoft Threat Intelligence tracks North Korean IT remote worker activity as Jasper Sleet (formerly known as Storm-0287). We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet. To disrupt this activity and protect our customers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North Korean IT workers. We have also implemented several detections to alert our customers of this activity through Microsoft Entra ID Protection and Microsoft Defender XDR as noted at the end of this blog. As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. As we continue to observe more attempts by threat actors to leverage AI, not only do we report on them, but we also have principles in place to take action against them.

This blog provides additional information on the North Korean remote IT worker operations we published previously, including Jasper Sleet’s usual TTPs to secure employment, such as using fraudulent identities and facilitators. We also provide recent observations regarding their use of AI tools. Finally, we share detailed guidance on how to investigate, monitor, and remediate possible North Korean remote IT worker activity, as well as detections and hunting capabilities to surface this threat.

From North Korea to the world: The remote IT workforce

Since at least early 2020, Microsoft has tracked a global operation conducted by North Korea in which skilled IT workers apply for remote job opportunities to generate revenue and support state interests. These workers present themselves as foreign (non-North Korean) or domestic-based teleworkers and use a variety of fraudulent means to bypass employment verification controls.

North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries. In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees. Historically, this operation has focused on applying for IT, software development, and administrator positions in the technology sector. Such positions provide North Korean threat actors access to highly sensitive information to conduct information theft and extortion, among other operations.

North Korean IT workers are a multifaceted threat because not only do they generate revenue for the North Korean regime, which violates international sanctions, they also use their access to steal sensitive intellectual property, source code, or trade secrets. In some cases, these North Korean workers even extort their employer into paying them in exchange for not publicly disclosing the company’s data.

Between 2020 and 2022, the US government found that over 300 US companies in multiple industries, including several Fortune 500 companies, had unknowingly employed these workers, indicating the magnitude of this threat. The workers also attempted to gain access to information at two government agencies. Since then, the cybersecurity community has continued to detect thousands of North Korean workers. On January 3, 2025, the Justice Department released an indictment identifying two North Korean nationals and three facilitators responsible for conducting fraudulent work between 2018 and 2024. The indicted individuals generated a revenue of at least US$866,255 from only ten of the at least 64 infiltrated US companies.

North Korean threat actors are evolving across the threat landscape to incorporate more sophisticated tactics and tools to conduct malicious employment-related activity, including the use of custom and AI-enabled software.

Tactics and techniques

The tactics and techniques employed by North Korean remote IT workers involve a sophisticated ecosystem of crafting fake personas, performing remote work, and securing payments. North Korean IT workers apply for remote roles, in various sectors, at organizations across the globe.

They create, rent, or procure stolen identities that match the geo-location of their target organizations (for example, they would establish a US-based identity to apply for roles at US-based companies), create email accounts and social media profiles, and establish legitimacy through fake portfolios and profiles on developer platforms like GitHub and LinkedIn. Additionally, they leverage AI tools to enhance their operations, including image creation and voice-changing software. Facilitators play a crucial role in validating fraudulent identities and managing logistics, such as forwarding company hardware and creating accounts on freelance job websites. To evade detection, these workers use VPNs, virtual private servers (VPSs), and proxy services as well as RMM tools to connect to a device housed at a facilitator’s laptop farm located in the country of the job.

Crafting fake personas and profiles

The North Korean remote IT worker fraud scheme begins with the procurement of identities for the workers. These identities, which can be stolen or “rented” from witting individuals, include names, national identification numbers, and dates of birth. The workers might also leverage services that generate fraudulent identities, complete with seemingly legitimate documentation, to fabricate their personas. They then create email accounts and social media pages they use to apply for jobs, often indirectly through staffing or contracting companies. They also apply for freelance opportunities through freelancer sites as an additional avenue for revenue generation. Notably, they often use the same names/profiles repeatedly rather than creating unique personas for each successful infiltration.

Additionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

The workers tailor their fake resumes and profiles to match the requirements for specific remote IT positions, thus increasing their chances of getting selected. Over time, we’ve observed these fake resumes and employee documents noticeably improving in quality, now appearing more polished and lacking grammatical errors facilitated by AI.

Establishing digital footprint

After creating their fake personas, the North Korean IT workers then attempt to establish legitimacy by creating digital footprints for these fake personas. They typically leverage communication, networking, and developer platforms, (for example, GitHub) to showcase their supposed portfolio of previous work samples:

Using AI to improve operations

Microsoft Threat intelligence has observed North Korean remote IT workers leveraging AI to improve the quantity and quality of their operations. For example, in October 2024, we found a public repository containing actual and AI-enhanced images of suspected North Korean IT workers:

The repository also contained the resumes and email accounts used by the said workers, along with the following tools and resources they can use to secure employment and to do their work:

• VPS and VPN accounts, along with specific VPS IP addresses
• Playbooks on conducting identity theft and creating and bidding jobs on freelancer websites
• Wallet information and suspected payments made to facilitators
• LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
• Tracking sheet of work performed, and payments received by the IT workers

Image creation

Based on our review of the repository mentioned previously, North Korean IT workers appear to conduct identity theft and then use AI tools like Faceswap to move their pictures over to the stolen employment and identity documents. The attackers also use these AI tools to take pictures of the workers and move them to more professional looking settings. The workers then use these AI-generated pictures on one or more resumes or profiles when applying for jobs.

Communications

Microsoft Threat Intelligence has observed that North Korean IT workers are also experimenting with other AI technologies such as voice-changing software. While we haven’t observed threat actors using combined AI voice and video products as a tactic first hand, we do recognize that combining these technologies could allow future threat actor campaigns to trick interviewers into thinking they aren’t communicating with a North Korean IT worker. If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them on interviews or selling them account access.

Facilitators for initial access

North Korean remote IT workers require assistance from a witting facilitator to help find jobs, pass the employment verification process, and once hired, successfully work remotely. We’ve observed Jasper Sleet advertising job opportunities for facilitator roles under the guise of partnering with a remote job candidate to help secure an IT role in a competitive market:

The IT workers may have the facilitators assist in creating accounts on remote and freelance job websites. They might also ask the facilitator to perform the following tasks as their relationship builds:

• Create a bank account for the North Korean IT worker, or lend their (the facilitator’s) own account to the worker
• Purchase mobile phone numbers or SIM cards

During the employment verification process, the witting accomplice helps the North Korean IT workers validate the latter’s fraudulent identities using online background check service providers. The documents submitted by the workers include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards. Workers train using interview scripts, which include a justification for why the employee must work remotely.

Once hired, the remote workers direct company laptops and hardware to be sent to the address of the accomplice. The accomplice then either runs a laptop farm that provides the laptops with an internet connection at the geo-location of the role or forwards the items internationally. For hardware that remain in the country of the role, the accomplice signs into the computers and installs software that enables the workers to connect remotely. Remote IT workers might also access devices remotely using IP-based KVM devices, like PiKVM or TinyPilot.

Defense evasion and persistence

To conceal their physical location as well as maintain persistence and blend into the target organization’s environment, the workers typically use VPNs (particularly Astrill VPN), VPSs, proxy services, and RMM tools. Microsoft Threat Intelligence has observed the persistent use of JumpConnect, TinyPilot, Rust Desk, TeamViewer, AnyViewer, and Anydesk. When an in-person presence or face-to-face meeting is required, for example to confirm banking information or attend a meeting, the workers have been known to pay accomplices to stand in for them. When possible, however, the workers eliminate all face-to-face contact, offering fraudulent excuses for why they are not on camera during video teleconferencing calls or speaking.

Attribution

Microsoft Threat Intelligence uses the name Jasper Sleet (formerly known as Storm-0287) to represent activity associated with North Korean’s remote IT worker program. These workers are primarily focused on revenue generation, use remote access tools, and likely fall under a particular leadership structure in North Korea. We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet.

How Microsoft disrupts North Korean remote IT worker operations with machine learning

Microsoft has successfully scaled analyst tradecraft to accelerate the identification and disruption of North Korean IT workers in customer environments by developing a custom machine learning solution. This has been achieved by leveraging Microsoft’s existing threat intelligence and weak signals generated by monitoring for many of the red flags listed in this blog, among others. For example, this solution uses impossible time travel risk detections, most commonly between a Western nation and China or Russia. The machine learning workflow uses these features to surface suspect accounts most likely to be North Korean IT workers for assessment by Microsoft Threat Intelligence analysts.

Once Microsoft Threat Intelligence reviews and confirms that an account is indeed associated with a North Korean IT worker, customers are then notified with a Microsoft Entra ID Protection risk detection warning of a risky sign-in based on Microsoft’s threat intelligence. Microsoft Defender XDR customers also receive the alert Sign-in activity by a suspected North Korean entity in the Microsoft Defender portal.

Defending against North Korean remote IT worker infiltration

Defending against the threats from North Korean remote IT workers involves a threefold strategy:

• Ensuring a proper vetting approach is in place for freelance workers and vendors
• Monitoring for anomalous user activity
• Responding to suspected Jasper Sleet signals in close coordination with your insider risk team

Investigate

How can you identify a North Korean remote IT worker in the hiring process?

To protect your organization against a potential North Korean insider threat, it is important for your organization to prioritize a process for verifying employees to identify potential risks. The following can be used to assess potential employees:

• Confirm the potential employee has a digital footprint and look for signs of authenticity. This includes a real phone number (not VoIP), a residential address, and social media accounts. Ensure the potential employee’s social media/professional accounts are not highly similar to the accounts of other individuals. In addition, check that the contact phone number listed on the potential employee’s account is unique and not also used by other accounts.
• Scrutinize resumes and background checks for consistency of names, addresses, and dates. Consider contacting references by phone or video-teleconference rather than email only.
• Exercise greater scrutiny for employees of staffing companies, since this is the easiest avenue for North Korean workers to infiltrate target companies.
• Search whether a potential employee is employed at multiple companies using the same persona.
• Ensure the potential employee is seen on camera during multiple video telecommunication sessions. If the potential employee reports video and/or microphone issues that prohibit participation, this should be considered a red flag.
• During video verification, request individuals to physically hold driver’s licenses, passports, or identity documents up to camera.
• Keep records, including recordings of video interviews, of all interactions with potential employees.
• Require notarized proof of identity.

Monitor

How can your organization prevent falling victim to the North Korean remote IT worker technique?

To prevent the risks associated with North Korean insider threats, it’s vital to monitor for activity typically associated with this fraudulent scheme.

Monitor for identifiable characteristics of North Korean remote workers

Microsoft has identified the following characteristics of a North Korean remote worker. Note that not all the criteria are necessarily required, and further, a positive identification of a remote worker doesn’t guarantee that the worker is North Korean.

• The employee lists a Chinese phone number on social media accounts that is used by other accounts.
• The worker’s work-issued laptop authenticates from an IP address of a known North Korean IT worker laptop farm, or from foreign—most commonly Chinese or Russian—IP addresses even though the worker is supposed to have a different work location.
• The worker is employed at multiple companies using the same persona. Employees of staffing companies require heightened scrutiny, given this is the easiest way for North Korean workers to infiltrate target companies.
• Once a laptop is issued to the worker, RMM software is immediately downloaded onto it and used in combination with a VPN.
• The worker has never been seen on camera during a video telecommunication session or is only seen a few times. The worker may also report video and/or microphone issues that prohibit participation from the start.
• The worker’s online activity doesn’t align with routine co-worker hours, with limited engagement across approved communication platforms.

Monitor for activity associated with Jasper Sleet access

• If RMM tools are used in your environment, enforce security settings where possible, to implement MFA:
  • Use Windows Defender Application Control or AppLocker to create policies to block unapproved IT management tools. Consider hunting for unapproved RMM software installations and creating custom detections (Investigation & response > Hunting > Advanced hunting > Manage rules > Create custom detection) for any advanced hunting queries that are useful indicators of anomalous or unapproved activity in your environment.
  • If an unapproved installation is discovered, reset passwords for accounts used to install the RMM services. If a system-level account was used to install the software, further investigation may be warranted.
• Monitor for impossible travel—for example, a supposedly US-based employee signing in from China or Russia.
• Monitor for use of public VPNs such as Astrill. For example, IP addresses associated with VPNs known to be used by Jasper Sleet can be added to Sentinel watchlists. Or, Microsoft Defender for Identity can integrate with your VPN solution to provide more information about user activity, such as extra detection for abnormal VPN connections.
• Monitor for signals of insider threats in your environment. Microsoft Purview Insider Risk Management can help identify potentially malicious or inadvertent insider risks.
• Monitor for consistent user activity outside of typical working hours.

Remediate

What are the next steps if you positively identify a North Korean remote IT worker employed at your company?

Because Jasper Sleet activity follows legitimate job offers and authorized access, Microsoft recommends approaching confirmed or suspected Jasper Sleet intrusions with an insider risk approach using your organization’s insider risk response plan or incident response provider like Microsoft Incident Response. Some steps might include:

• Restrict response efforts to a small, trusted insider risk working group, trained in operational security (OPSEC) to avoid tipping off subjects and potential collaborators.
• Rapidly evaluate the subject’s proximity to critical assets, such as:
  • Leadership or sensitive teams
  • Direct reports or vendor staff the subject has influence over
  • Suppliers or vendors
  • People/non-people accounts, production/pre-production environments, shared accounts, security groups, third-party accounts, security groups, distribution groups, data clusters, and more
• Conduct preliminary link analysis to:
  • Detect relationships with potential collaborators, supporters, or other potential aliases operated by the same actor
  • Identify shared indicators (for example, shared IP addresses, behavioral overlap)
  • Avoid premature action that might alert other Jasper Sleet operators
• Conduct a risk-based prioritization of efforts, informed by:
  • Placement and access to critical assets (not necessarily where you identified them)Stakeholder insight from potentially impacted business units
  • Business impact considerations of containment (which might support additional collection/analysis) or mitigation (for example, eviction)
• Conduct open-source intelligence (OSINT) collection and analysis to:
  • Determine if the identity associated with the threat actor is associated with a real person. For example, North Korean IT workers have leveraged stolen identities of real US persons to facilitate their fraud. Conduct OSINT on all available personally identifiable information (PII) provided by the actor (name, date of birth, SSN, home of record, phone number, emergency contact, and others) and determine if these items are linked to additional North Korean actors, and/or real persons’ identities.
  • Gather all known external accounts operated by the alias/persona (for example, LinkedIn, GitHub, freelance working sites, bug bounty programs).
  • Perform analysis on account images using open-source tools such as FaceForensics++ to determine prevalence of AI-generated content. Detection opportunities within video and imagery include: 
    • Temporal consistency issues: Rapid movements cause noticeable artifacts in video deepfakes as the tracking system struggles to maintain accurate landmark positioning. 
    • Occlusion handling: When objects pass over the AI-generated content such as the face, deepfake systems tend to fail at properly reconstructing the partially obscured face.
    • Lighting adaptation: Changes in lighting conditions might reveal inconsistencies in the rendering of the face
    • Audio-visual synchronization: Slight delays between lip movements and speech are detectable under careful observation
      • Exaggerated facial expressions. 
      • Duplicative or improperly placed appendages.
      • Pixelation or tearing at edges of face, eyes, ears, and glasses.
• Engage counterintelligence or insider risk/threat teams to:
  • Understand tradecraft and likely next steps
  • Gain national-level threat context, if applicable
• Make incremental, risk-based investigative and response decisions with the support of your insider threat working group and your insider threat stakeholder group; one providing tactical feedback and the other providing risk tolerance feedback.
• Preserve evidence and document findings.
• Share lessons learned and increase awareness.
• Educate employees on the risks associated with insider threats and provide regular security training for employees to recognize and respond to threats, including a section on the unique threat posed by North Korean IT workers.

After an insider risk response to Jasper Sleet, it might be necessary to also conduct a thorough forensic investigation of all systems that the employee had access to for indicators of persistence, such as RMM tools or system/resource modifications.

For additional resources, refer to CISA’s Insider Threat Mitigation Guide. If you suspect your organization is being targeted by nation-state cyber activity, report it to the appropriate national authority. For US-based organizations, the Federal Bureau of Investigation (FBI) recommends reporting North Korean remote IT worker activity to the Internet Crime Complaint Center (IC3).

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender XDR

Alerts with the following title in the security center can indicate threat activity on your network:

• Sign-in activity by a suspected North Korean entity

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate Jasper Sleet RMM activity on your network. These alerts, however, can be triggered by unrelated threat activity.

• Suspicious usage of remote management software
• Suspicious connection to remote access software

Microsoft Defender for Identity

Alerts with the following titles in the security center can indicate atypical identity access on your network. These alerts, however, can be triggered by unrelated threat activity.

• Atypical travel
• Suspicious behavior: Impossible travel activity

Microsoft Entra ID Protection

Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known patterns identified by Microsoft Threat Intelligence research. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)

Microsoft Defender for Cloud Apps

Alerts with the following titles in the security center can indicate atypical identity access on your network. These alerts, however, can be triggered by unrelated threat activity.

• Impossible travel activity

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Because organizations might have legitimate and frequent uses for RMM software, we recommend using the Microsoft Defender XDR advanced hunting queries available on GitHub to locate RMM software that hasn’t been endorsed by your organization for further investigation. In some cases, these results might include benign activity from legitimate users. Regardless of use case, all newly installed RMM instances should be scrutinized and investigated.

If any queries have high fidelity for discovering unsanctioned RMM instances in your environment, and don’t detect benign activity, you can create a custom detection rule from the advanced hunting query in the Microsoft Defender portal. 

Microsoft Sentinel

The alert Insider Risk Sensitive Data Access Outside Organizational Geo-locationjoins Azure Information Protection logs (InformationProtectionLogs_CL) with Microsoft Entra ID sign-in logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. Results include:

• User principal name
• Label name
• Activity
• City
• State
• Country/Region
• Time generated

The recommended configuration is to include (or exclude) sign-in geo-locations (city, state, country and/or region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review.

References

• https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote
• https://www.justice.gov/usao-dc/media/1352191/dl
• https://www.reuters.com/technology/north-koreans-use-fake-names-scripts-land-remote-it-work-cash-2023-11-21/
• https://github.com/jischell-msft/RemoteManagementMonitoringTools

Acknowledgments

For more information on North Korean remote IT worker operations, we recommend reviewing DTEX’s in-depth analysis in the report Exposing DPRK’s Cyber Syndicate and IT Workforce.

Learn more

Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. 

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. 

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast. 

The post Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations appeared first on Microsoft Security Blog.

Void Blizzard is a new threat actor Microsoft Threat Intelligence has observed conducting espionage operations primarily targeting organizations that are important to Russian government objectives. These include organizations in government, defense, transportation, media, NGOs, and healthcare, especially in Europe and North America. They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations. Once inside, they steal large amounts of emails and files. In April 2025, Microsoft Threat Intelligence observed Void Blizzard begin using more direct methods to steal passwords, such as sending fake emails designed to trick people into giving away their login information.

We thank our partners at Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) for the collaboration on investigating Void Blizzard (also known as LAUNDRY BEAR). You can read their statement here. We also thank our partners at the US Federal Bureau of Investigation for their continued collaboration on investigating Void Blizzard targeting.

Microsoft Threat Intelligence Center has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard (LAUNDRY BEAR), who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. While Void Blizzard has a global reach, their cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives. In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general.

Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The threat actor uses stolen credentials—which are likely procured from commodity infostealer ecosystems—and collects a high volume of email and files from compromised organizations.

In April 2025, Microsoft Threat Intelligence Center observed Void Blizzard evolving their initial access techniques to include targeted spear phishing for credential theft. While Void Blizzard’s tactics, techniques, and procedures (TTPs) are not unique among advanced persistent threat actors or even Russian nation state-sponsored groups, the widespread success of their operations underscores the enduring threat from even unsophisticated TTPs when leveraged by determined actors seeking to collect sensitive information.

In this report, we share our analysis of Void Blizzard’s targeting and TTPs, with the goal of enabling the broader community to apply specific detections and mitigation guidance to disrupt and protect against Void Blizzard’s operations. We extend our gratitude to our partners at the Netherlands General Intelligence and Security Service (AIVD), the Netherlands Defence Intelligence and Security Service (MIVD), and the US Federal Bureau of Investigation for their collaboration in investigating and raising awareness on Void Blizzard activity and tooling to help organizations disrupt and defend against this threat actor.

Void Blizzard targets

Void Blizzard primarily targets NATO member states and Ukraine. Many of the compromised organizations overlap with past—or, in some cases, concurrent—targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard. This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors. Since mid-2024, Microsoft Threat Intelligence has observed Void Blizzard targeting the following industry verticals, many resulting in successful compromises:

• Communications/Telecommunications
• Defense Industrial Base
• Healthcare
• Education
• Government agencies and services
• Information technology
• Intergovernmental organizations
• Media
• NGOs
• Transportation

Void Blizzard regularly targets government organizations and law enforcement agencies, particularly in NATO member states and especially in countries that provide direct military or humanitarian support to Ukraine. Within Ukraine, Void Blizzard has successfully compromised organizations in multiple sectors, including education, transportation, and defense. In October 2024, Void Blizzard compromised several user accounts at a Ukrainian aviation organization that had been previously targeted by Russian General Staff Main Intelligence Directorate (GRU) actor Seashell Blizzard in 2022. This targeting overlap reflects Russia’s long-standing interest in this organization and, more broadly, in aviation-related organizations since Russia’s invasion of Ukraine in 2022. In 2023, another GRU actor, Forest Blizzard, targeted a prominent aviation organization in Ukraine, and since at least August 2024, it has conducted increasing password spray attacks against several NATO member states’ air traffic control providers.

Tools, tactics, and procedures

Initial access

Void Blizzard conducts opportunistic yet targeted high-volume cyberoperations against targets of intelligence value to the Russian government. Their operations predominately leverage unsophisticated techniques for initial access such as password spray and using stolen authentication credentials. Microsoft assesses that Void Blizzard procures cookies and other credentials through criminal ecosystems. These credentials are then used to gain access to Exchange and sometimes SharePoint Online for information collection.

In April 2025, we identified a Void Blizzard adversary-in-the-middle (AitM) spear phishing campaign that targeted over 20 NGO sector organizations in Europe and the United States. The threat actor used a typosquatted domain to spoof the Microsoft Entra authentication portal. Use of a typosquatted domain to spoof Microsoft Entra authentication was a newly observed initial access tactic for this threat actor. This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors.

In this campaign, the threat actor posed as an organizer from the European Defense and Security Summit and sent emails containing messages with a PDF attachment that lured targets with a fake invitation to the Summit.

The attachment contained a malicious QR code that redirected to Void Blizzard infrastructure micsrosoftonline[.]com, which hosts a credential phishing page spoofing the Microsoft Entra authentication page. We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server. Evilginx, publicly released in 2017, was the first widely available phishing kit with AitM capabilities.

Post-compromise activity

Despite the lack of sophistication in their initial access methods, Void Blizzard has been effective in gaining access to and collecting information from compromised organizations in critical sectors.

After gaining initial access, Void Blizzard abuses legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files. Once accounts are successfully compromised, the actor likely automates the bulk collection of cloud-hosted data (primarily email and files) and any mailboxes or file shares that the compromised user can access, which can include mailboxes and folders belonging to other users who have granted other users read permissions.

In a small number of Void Blizzard compromises, Microsoft Threat Intelligence has also observed the threat actor accessing Microsoft Teams conversations and messages via the Microsoft Teams web client application. The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant.

Mitigation and protection guidance

Microsoft Threat Intelligence recommends organizations that are most likely at risk, primarily those in critical sectors including government and defense, to implement the following recommendations to mitigate against Void Blizzard activity:

Hardening identity and authentication

• Implement a sign-in risk policy to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluate the risk level of a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication.
  • When a user is a high risk and Conditional access evaluation is enabled, the user’s access is revoked, and they are forced to re-authenticate.
  • For regular activity monitoring, use Risky sign-in reports, which surface attempted and successful user access activities where the legitimate owner might not have performed the sign-in.
• Require multifactor authentication (MFA). While certain attacks attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
• Centralize your organization’s identity management into a single platform. If your organization is a hybrid environment, integrate your on-premises directories with your cloud directories. If your organization is using a third-party for identity management, ensure this data is being logged in a SIEM or connected to Microsoft Entra to fully monitor for malicious identity access from a centralized location. The added benefits to centralizing all identity data is to facilitate implementation of Single Sign On (SSO) and provide users with a more seamless authentication process, as well as configure Microsoft Entra ID’s machine learning models to operate on all identity data, thus learning the difference between legitimate access and malicious access quicker and easier. It is recommended to synchronize all user accounts except administrative and high privileged ones when doing this to maintain a boundary between the on-premises environment and the cloud environment, in case of a breach.
• Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Entra ID environments to slow and stop attackers.

Hardening email security

• Manage mailbox auditing to ensure actions performed by mailbox owners, delegates, and admins are automatically logged. New mailboxes should already have this feature turned on by default.
• Run a non-owner mailbox access report in the Exchange Admin Center to detect unauthorized access onto a mailbox.

Hardening against post-compromise activity

• If a breach or compromise via commodity info stealer is suspected, ensure that any accounts that may have been accessed by that machine have their credentials rotated in addition to removing the malware. Given the widespread use of infostealers in attacks, organizations should immediately respond to infostealer activity and mitigate the risk of credential theft to prevent follow-on malicious activity.
• Conduct an audit search in the Microsoft Graph API for anomalous activity.
• Create Defender for Cloud Apps anomaly detection policies.
• Prevent, detect or investigate possible token theft activity by reviewing mitigation techniques.
• If you suspect password spray activity against your organization’s networks, you can refer to this guide for password spray investigation.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

The following alert indicates threat actor activity related to Void Blizzard. Note, however, that this alert can be also triggered by Void Blizzard activity that is not related to the activity covered in this report.

• Void Blizzard activity

The following alerts might indicate credential theft activity related to Void Blizzard utilizing commodity information stealers or conducting password spraying techniques. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Information stealing malware activity
• Password spraying

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Password Spray
• Unfamiliar Sign-in properties
• Atypical travel
• Suspicious behavior: Impossible travel activity

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Impossible travel
• Activity from suspicious IP addresses
• Unusual activities (by user)

Microsoft Defender for Cloud

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• AzureHound tool invocation detected
• Communication with possible phishing domain
• Communication with suspicious domain identified by threat intelligence

Microsoft Entra ID Protection

The following Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known attack patterns identified by Microsoft Threat Intelligence research. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Anomalous Token (sign-in) (RiskEventType: anomalousToken)
• Password spray (RiskEventType: passwordSpray)
• Anomalous Token (user) (RiskEventType: anomalousToken)
• Attacker in the Middle (RiskEventType: attackerinTheMiddle)
• Activity from Anonymous IP address (RiskEventType: anonymizedIPAddress)
• Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)
• Suspicious API Traffic (RiskEventType: suspiciousAPITraffic)

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Void Blizzard

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can find related Void Blizzard spear phishing activity related to this threat in their networks by running the following queries.

Possible phishing email targets

The following query can help identify possible email targets of Void Blizzard’s spear phishing attempts

EmailEvents
| where SenderFromDomain in~ ("ebsumrnit.eu")
| project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp

Communication with Void Blizzard domain

The following query can help surface devices that might have communicated with Void Blizzard’s spear phishing domain:

let domainList = dynamic(["micsrosoftonline.com", "outlook-office.micsrosoftonline.com"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Microsoft Sentinel

The Microsoft blog Web Shell Threat Hunting with Azure Sentinel provides hunting queries and techniques for Sentinel-specific threat hunting. Several hunting queries are also available below. 

NOTE: Microsoft Sentinel customers can use the following queries to detect phishing attempts and email exfiltration attempts via Graph API. While these queries are not specific to threat actors, they can help you stay vigilant and safeguard your organization from phishing attacks. These queries search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potentially related indicators for more than a week, go to the Advanced hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.

If a query provides high value insights into possible malicious or otherwise anomalous behavior, you can create a custom detection rule based on that query and surface those insights as custom alerts. To do this in the Defender XDR portal, run the query in the Advanced hunting page and select Create detection rule. To do this in the Sentinel portal, use hunting capabilities to run and view the query’s results, then select New alert rule > Create Microsoft Sentinel alert.

Campaign with suspicious keywords

In this detection, we track emails with suspicious keywords in subjects.

let PhishingKeywords = ()
  {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
  EmailEvents
  | where Timestamp > ago(1d)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | where isempty(SenderObjectId)
  | where Subject has_any (PhishingKeywords())

Determine successfully delivered phishing emails to Inbox/Junk folder

This query identifies threats which got successfully delivered to Inbox/Junk folder.

EmailEvents
  | where isnotempty(ThreatTypes) and DeliveryLocation in~ ("Inbox/folder","Junk folder")
  | extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])
  | extend Account_0_Name = Name
  | extend Account_0_UPNSuffix = UPNSuffix
  | extend IP_0_Address = SenderIPv4
  | extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress

Successful sign-in from phishing link

This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.

let Alert_List= dynamic([
    "Phishing link click observed in Network Traffic",
    "Phish delivered due to an IP allow policy",
    "A potentially malicious URL click was detected",
    "High Risk Sign-in Observed in Network Traffic",
    "A user clicked through to a potentially malicious URL",
    "Suspicious network connection to AitM phishing site",
    "Messages containing malicious entity not removed after delivery",
    "Email messages containing malicious URL removed after delivery",
    "Email reported by user as malware or phish",
    "Phish delivered due to an ETR override",
    "Phish not zapped because ZAP is disabled"]);
    SecurityAlert
    | where AlertName in~ (Alert_List)
    //Findling Alerts which has the URL
    | where Entities has "url"
    //extracting Entities
    | extend Entities = parse_json(Entities)
    | mv-apply Entity = Entities on
        (
        where Entity.Type == 'url'
        | extend EntityUrl = tostring(Entity.Url)
        )
    | summarize
        Url=tostring(tolower(take_any(EntityUrl))),
        AlertTime= min(TimeGenerated),
        make_set(SystemAlertId, 100)
        by ProductName, AlertName
    // matching with 3rd party network logs and 3p Alerts
    | join kind= inner (CommonSecurityLog
        | where DeviceVendor has_any  ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
        | where DeviceProduct startswith "FortiGate" or DeviceProduct startswith  "PAN" or DeviceProduct startswith  "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith  "NSSWeblog" or DeviceProduct startswith "URL"
        | where DeviceAction != "Block"
        | where isnotempty(RequestURL)
        | project
            3plogTime=TimeGenerated,
            DeviceVendor,
            DeviceProduct,
            Activity,
            DestinationHostName,
            DestinationIP,
            RequestURL=tostring(tolower(RequestURL)),
            MaliciousIP,
            SourceUserName=tostring(tolower(SourceUserName)),
            IndicatorThreatType,
            ThreatSeverity,
            ThreatConfidence,
            SourceUserID,
            SourceHostName)
        on $left.Url == $right.RequestURL
    // matching successful Login from suspicious IP
    | join kind=inner (SigninLogs
        //filtering the Successful Login
        | where ResultType == 0
        | project
            IPAddress,
            SourceSystem,
            SigniningTime= TimeGenerated,
            OperationName,
            ResultType,
            ResultDescription,
            AlternateSignInName,
            AppDisplayName,
            AuthenticationRequirement,
            ClientAppUsed,
            RiskState,
            RiskLevelDuringSignIn,
            UserPrincipalName=tostring(tolower(UserPrincipalName)),
            Name = tostring(split(UserPrincipalName, "@")[0]),
            UPNSuffix =tostring(split(UserPrincipalName, "@")[1]))
        on $left.DestinationIP == $right.IPAddress and $left.SourceUserName == $right.UserPrincipalName
    | where SigniningTime between ((AlertTime - 6h) .. (AlertTime + 6h)) and 3plogTime between ((AlertTime - 6h) .. (AlertTime + 6h))

Phishing link click observed in network traffic

The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft network devices.

//Finding MDO Security alerts and extracting the Entities user, Domain, Ip, and URL.
    let Alert_List= dynamic([
    "Phishing link click observed in Network Traffic",
    "Phish delivered due to an IP allow policy",
    "A potentially malicious URL click was detected",
    "High Risk Sign-in Observed in Network Traffic",
    "A user clicked through to a potentially malicious URL",
    "Suspicious network connection to AitM phishing site",
    "Messages containing malicious entity not removed after delivery",
    "Email messages containing malicious URL removed after delivery",
    "Email reported by user as malware or phish",
    "Phish delivered due to an ETR override",
    "Phish not zapped because ZAP is disabled"]);
    SecurityAlert
    |where ProviderName in~ ("Office 365 Advanced Threat Protection", "OATP")
    | where AlertName in~ (Alert_List)
    //extracting Alert Entities
     | extend Entities = parse_json(Entities)
    | mv-apply Entity = Entities on
    (
    where Entity.Type == 'account'
    | extend EntityUPN = iff(isempty(Entity.UserPrincipalName), tostring(strcat(Entity.Name, "@", tostring (Entity.UPNSuffix))), tostring(Entity.UserPrincipalName))
    )
    | mv-apply Entity = Entities on
    (
    where Entity.Type == 'url'
    | extend EntityUrl = tostring(Entity.Url)
    )
    | summarize AccountUpn=tolower(tostring(take_any(EntityUPN))),Url=tostring(tolower(take_any(EntityUrl))),AlertTime= min(TimeGenerated)by SystemAlertId, ProductName
    // filtering 3pnetwork devices
    | join kind= inner (CommonSecurityLog
    | where DeviceVendor has_any  ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
    | where DeviceAction != "Block"
    | where DeviceProduct startswith "FortiGate" or DeviceProduct startswith  "PAN" or DeviceProduct startswith  "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith  "NSSWeblog" or DeviceProduct startswith "URL"
    | where isnotempty(RequestURL)
    | where isnotempty(SourceUserName)
    | extend SourceUserName = tolower(SourceUserName)
    | project
    3plogTime=TimeGenerated,
    DeviceVendor,
    DeviceProduct,
    Activity,
    DestinationHostName,
    DestinationIP,
    RequestURL=tostring(tolower(RequestURL)),
    MaliciousIP,
    Name = tostring(split(SourceUserName,"@")[0]),
    UPNSuffix =tostring(split(SourceUserName,"@")[1]),
    SourceUserName,
    IndicatorThreatType,
    ThreatSeverity,AdditionalExtensions,
    ThreatConfidence)on $left.Url == $right.RequestURL and $left.AccountUpn == $right.SourceUserName
    // Applied the condition where alert trigger 1st and then the 3p Network activity execution
    | where AlertTime between ((3plogTime - 1h) .. (3plogTime + 1h))

Suspicious URL clicked

This query correlates Microsoft Defender for Office 365 signals and Microsoft Entra ID identity data to find the relevant endpoint event BrowerLaunchedToOpen in Microsoft Defender ATP. This event reflects relevant clicks on the malicious URL in the spear phishing email recognized by Microsoft Defender for Office 365.

// Some URLs are wrapped with SafeLinks
// Let's get the unwrapped URL and clicks 
  AlertInfo
  | where ServiceSource =~ "Microsoft Defender for Office 365"
  | join (
          AlertEvidence
          | where EntityType =="Url"
          | project AlertId, RemoteUrl 
      )
      on AlertId
  | join (
          AlertEvidence
          | where EntityType =="MailMessage"
          | project AlertId, NetworkMessageId 
      )
      on AlertId
  // Get the unique NetworkMessageId for the email containing the Url
  | distinct RemoteUrl, NetworkMessageId
  | join EmailEvents on NetworkMessageId
  // Get the email RecipientEmailAddress and ObjectId from the email 
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId
  | join kind = inner IdentityInfo on $left.RecipientObjectId  == $right.AccountObjectId 
  // get the UserSid of the Recipient
  | extend OnPremSid = AccountSID
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, OnPremSid 
  // Get the Url click event on the recipient device.
  | join kind = inner  
      (DeviceEvents 
      | where ActionType == "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl) 
      | project UrlDeviceClickTime = Timestamp , UrlClickedByUserSid = RemoteUrl, 
                  InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName
      ) 
     on $left.OnPremSid == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
  | distinct UrlDeviceClickTime, RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, 
      OnPremSid, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName 
  | sort by UrlDeviceClickTime desc

Anomalies in MailItemAccess by GraphAPI

This query looks for anomalies in mail item access events made by Graph API. It uses standard deviation to determine if the number of events is anomalous.

let starttime = 30d;
  let STDThreshold = 2.5;
  let allMailAccsessByGraphAPI = CloudAppEvents
  | where   ActionType == "MailItemsAccessed"
  | where Timestamp between (startofday(ago(starttime))..now())
  | where isnotempty(RawEventData['ClientAppId'] ) and RawEventData['AppId'] has "00000003-0000-0000-c000-000000000000"
  | extend ClientAppId = tostring(RawEventData['ClientAppId'])
  | extend OperationCount = toint(RawEventData['OperationCount'])
  | project Timestamp,OperationCount , ClientAppId;
  let calculateNumberOfMailPerDay = allMailAccsessByGraphAPI
  | summarize NumberOfMailPerDay =sum(toint(OperationCount)) by ClientAppId,format_datetime(Timestamp, 'y-M-d');
  let calculteAvgAndStdev=calculateNumberOfMailPerDay
  | summarize avg=avg(NumberOfMailPerDay),stev=stdev(NumberOfMailPerDay) by ClientAppId;
  calculteAvgAndStdev  | join calculateNumberOfMailPerDay on ClientAppId
  | sort by ClientAppId
  |  where NumberOfMailPerDay > avg + STDThreshold * stev
  | project ClientAppId,Timestamp,NumberOfMailPerDay,avg,stev

Indicators of compromise

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, on X (formerly Twitter) at https://x.com/MsftSecIntel, and on Bluesky at https://bsky.app/profile/threatintel.microsoft.com.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New Russia-affiliated actor Void Blizzard targets critical sectors for espionage appeared first on Microsoft Security Blog.

Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives. Our latest blog explains how Microsoft security solutions detect these threats and offers mitigation guidance, aiming to raise awareness and strengthen defenses against Silk Typhoon’s activities.

Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices. This threat actor holds one of the largest targeting footprints among Chinese threat actors. Part of this is due to their opportunistic nature of acting on discoveries from vulnerability scanning operations, moving quickly to the exploitation phase once they discover a vulnerable public-facing device that they could exploit.

As a result, Silk Typhoon has been observed targeting a wide range of sectors and geographic regions, including but not limited to information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense,  government, non-governmental organizations (NGOs), energy, and others located in the United States and throughout the world.

Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments. Since Microsoft Threat Intelligence began tracking this threat actor in 2020, Silk Typhoon has used a myriad of web shells that allow them to execute commands, maintain persistence, and exfiltrate data from victim environments.

As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. We’re publishing this blog to raise awareness of Silk Typhoon’s recent and long-standing malicious activities, provide mitigation and hunting guidance, and help disrupt operations by this threat actor.

Recent Silk Typhoon activity

Supply chain compromise

Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon. These efforts have significantly enhanced our understanding of the actor’s operations and uncovered new tradecraft used by the actor. In particular, Silk Typhoon was observed abusing stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies, allowing the threat actor to access these companies’ downstream customer environments. Companies within these sectors are possible targets of interest to the threat actor. The observations below were observed once Silk Typhoon successfully stole the API key:

• Silk Typhoon used stolen API keys to access downstream customers/tenants of the initially compromised company.
• Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account. Data of interest overlaps with China-based interests, US government policy and administration, and legal process and documents related to law enforcement investigations.
• Additional tradecraft identified included resetting of default admin account via API key, web shell implants, creation of additional users, and clearing logs of actor-performed actions.
• Thus far the victims of this downstream activity were largely in the state and local government, and the IT sector.

Password spray and abuse

Silk Typhoon has also gained initial access through successful password spray attacks and other password abuse techniques, including discovering passwords through reconnaissance. In this reconnaissance activity, Silk Typhoon leveraged leaked corporate passwords on public repositories, such as GitHub, and were successfully authenticated to the corporate account. This demonstrates the level of effort that the threat actor puts into their research and reconnaissance to collect victim information and highlights the importance of password hygiene and the use of multifactor authentication (MFA) on all accounts.

Silk Typhoon TTPs

Initial access

Silk Typhoon has pursued initial access attacks against targets of interest through development of zero-day exploits or discovering and targeting vulnerable third-party services and software providers. Silk Typhoon has also been observed gaining initial access via compromised credentials. The software or services targeted for initial access focus on IT providers, identity management, privileged access management, and RMM solutions.

In January 2025, Silk Typhoon was also observed exploiting a zero-day vulnerability in the public facing Ivanti Pulse Connect VPN (CVE-2025-0282). Microsoft Threat Intelligence Center reported the activity to Ivanti, which led to a rapid resolution of the critical exploit, significantly reducing the period that highly skilled and sophisticated threat actors could leverage the exploit.

Lateral movement to cloud

Once a victim has been successfully compromised, Silk Typhoon is known to utilize common yet effective tactics to move laterally from on-premises environments to cloud environments. Once the threat actor has gained access to an on-premises environment, they look to dump Active Directory, steal passwords within key vaults, and escalate privileges. Furthermore, Silk Typhoon has been observed targeting Microsoft AADConnect servers in these post-compromise activities. AADConnect (now Entra Connect) is a tool that synchronizes on-premises Active Directory with Entra ID (formerly Azure AD). A successful compromise of these servers could allow the actor to escalate privileges, access both on-premises and cloud environments, and move laterally.

Manipulating service principals/applications

While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph. Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application. Using this access, the actors can steal email information via the MSGraph API. Silk Typhoon has also been observed compromising multi-tenant applications, potentially allowing the actors to move across tenants, access additional resources within the tenants, and exfiltrate data.

If the compromised application had privileges to interact with the Exchange Web Services (EWS) API, the threat actors were seen compromising email data via EWS.

In some instances, Silk Typhoon was seen creating Entra ID applications in an attempt to facilitate this data theft. The actors would typically name the application in a way to blend into the environment by using legitimate services or Office 365 themes.

Use of covert networks

Silk Typhoon is known to utilize covert networks to obfuscate their malicious activities. Covert networks, tracked by Microsoft as “CovertNetwork”, refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors. Silk Typhoon was observed utilizing a covert network that is comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices. The use of covert networks has become a common tactic among various threat actors, particularly Chinese threat actors.

Historical Silk Typhoon zero-day exploitation

Since 2021, Silk Typhoon has been observed targeting and compromising vulnerable unpatched Microsoft Exchange servers, GlobalProtect Gateway on Palo Alto Networks firewalls, Citrix NetScaler appliances, Ivanti Pulse Connect Secure appliances, and others. While not exhaustive, below are historical zero-day vulnerabilities that Silk Typhoon was observed compromising for initial access into victim environments.

GlobalProtect Gateway on Palo Alto Networks Firewalls

In March 2024, Silk Typhoon used a zero-day exploit for CVE-2024-3400 in GlobalProtect Gateway on Palo Alto Networks firewalls to compromise multiple organizations:

• CVE-2024-3400 – A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Citrix NetScaler ADC and NetScaler Gateway

In early 2024, Microsoft began to observe Silk Typhoon compromising zero-day vulnerabilities within Citrix NetScaler ADC and NetScaler Gateways:

• CVE-2023-3519 – An unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway

Microsoft Exchange Servers

In January 2021, Microsoft began to observe Silk Typhoon compromising zero-day vulnerabilities in Microsoft Exchange Servers. Upon discovery, Microsoft addressed those issues and issued security updates along with related guidance (related links below):

• CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability in Exchange that could allow an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
• CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Silk Typhoon the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to be exploited.
• CVE-2021-26858 – A post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator’s credentials.
• CVE-2021-27065 – A post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator’s credentials.

During recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments.

Hunting guidance

To help mitigate and surface various aspects of recent Silk Typhoons activities, Microsoft recommends the following:

• Inspect log activity related to Entra Connect serversfor anomalousactivity.
• Where these targeted applications have highly privileged accounts, inspect service principals for newly created secrets (credentials).
• Identify and analyze any activity related to newly created applications.
• Identify all multi-tenant applications and scrutinize authentications to them.
• Analyze any observed activity related to use of Microsoft Graph or eDiscovery particularly for SharePoint or email data exfiltration
• Look for newly created users on devices impacted by vulnerabilities targeted by Silk Typhoon and investigate virtual private network (VPN) logs for evidence of VPN configuration modifications or sign-in activity during the possible window of compromise of unpatched devices.

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel customers can use the following queries to detect behavior associated with Silk Typhoon:

• Anomalous password reset
• Privileged logon from new ASN
• Anomalous account creation
• Web shell activity
• Potential web shell
• Sign-in password spray
• Smart lockouts
• Credential dumping tools file artifacts
• NTDS theft
• Time series keyvault access anomaly
• Keyvault mass secret retrieval
• Suspicious sign-in by AADConnect account
• New service principal running queries
• SharePoint downloads by IP
• Anomaly of MailItem access by GraphAPI

Customers can use the following query to detect vulnerabilities exploited by Silk Typhoon:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-0282")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Recommendations

To help detect and mitigate Silk Typhoon’s activity, Microsoft recommends the following:

• Ensure all public facing devices are patched. It’s important to note that patching a vulnerable device does not remediate any post-compromise activities by a threat actor who gained privileged access to a vulnerable device.
• Validate any Ivanti Pulse Connect VPN are patched to address CVE-2025-0282 and run the suggested Integrity Checker Tool as suggested in their Advisory. Consider terminating any active or persistent sessions following patch cycles.
• Defend against legitimate application and service principal abuse by establishing strong controls and monitoring for these security identities. Microsoft recommends the following mitigations to reduce the impact of this threat:
  • Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose. Admins may assign identities privileges over and above what is required. Defenders should pay attention to apps with app-only permissions as those apps might have over-privileged access. Read additional guidance for investigating compromised and malicious applications.Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that make sensitive Exchange Online administrative activities through Microsoft Defender for Cloud Apps. Investigate and remediate any risky OAuth apps.Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant. This can be done using App governance in Microsoft Defender for Cloud Apps. If these permissions are no longer required, they should be removed.
  • If applications must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. This access model ensures applications are only granted to the specific mailboxes required.
• Monitor for service principal sign-ins from unusual locations. Two important reports can provide useful daily activity monitoring:
  • The risky sign-ins report surfaces attempted and successful user access activities where the legitimate owner might not have performed the sign-in. 
  • The risky users report surfaces user accounts that might have been compromised, such as a leaked credential that was detected or the user signing in from an unexpected location in the absence of planned travel. 
• Defend against credential compromise by building credential hygiene, practicing the principle of least privilege, and reducing credential exposure. Microsoft recommends the following mitigations to reduce the impact of this threat.
• Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
  • Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.
  • Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
  • Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
• Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and enable multifactor authentication (MFA) for medium-risk ones.
• Ensure that VPN access is protected using modern authentication methods.
• Identify all multi-tenant applications, assess permissions, and investigate suspicious sign-ins.

Indicators of compromise

Silk Typhoon is not known to use their own dedicated infrastructure in their operations. Typically, the threat actor uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations. However, they have also been observed using short-lease virtual private server (VPS) infrastructure to support their operations.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Silk Typhoon activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Possible exploitation of Exchange Server vulnerabilities
• Suspicious web shell detected
• Suspicious Active Directory snapshot dump
• Suspicious credential dump from NTDS.dit

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Suspicious Interactive Logon to the Entra Connect Server
• Suspicious writeback by Entra Connect on a sensitive user
• User Password Reset by Entra Connect Account
• Suspicious Entra sync password change

Microsoft Defender XDR

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Suspicious activities related to Azure Key Vault by a risky user

Microsoft Defender for Cloud

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Unusual user accessed a key vault
• Unusual application accessed a key vault
• Access from a suspicious IP to a key vault
• Denied access from a suspicious IP to a key vault

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity if app governance is enabled:

• Unusual addition of credentials to an OAuth app
• Suspicious credential added to dormant app
• Unused app newly accessing APIs
• App with suspicious metadata has Exchange permission
• App with an unusual user agent accessed email data through Exchange Web Services
• App with EWS application permissions accessing numerous emails
• App made anomalous Graph calls to Exchange workload post certificate update or addition of new credentials
• Suspicious user created an OAuth app that accessed mailbox items
• Suspicious OAuth app used for collection activities using Graph API
• Risky user updated an app that accessed Email and performed Email activity through Graph API
• Suspicious OAuth app email activity through Graph API
• Suspicious OAuth app email activity through EWS API

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Microsoft Defender External Attack Surface Management

Attack Surface Insights with the following title can indicate vulnerable devices on your network but is not necessarily indicative of exploitation:

• [Potential] CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection Vulnerability’
• [Potential] CVE-2023-3519 – Citrix NetScaler ADC and Gateway Unauthenticated
• ProxyLogon – Microsoft Exchange Server Vulnerabilities (Hotfix Available)

Note: An Attack Surface Insight marked as [Potential] indicates a service is running but cannot validate whether that service is running a vulnerable version. Customers should check resources to verify that they are up to date as part of their investigation.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article (see Threat intelligence reports below)
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Silk Typhoon
• Analyzing attacks taking advantage of the Exchange Server vulnerabilities
• Vulnerability Profile: CVE-2025-0282 – Ivanti Connect Secure, Policy Secure, and ZTA Gateway

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Silk Typhoon targeting IT supply chain appeared first on Microsoft Security Blog.

Secure and govern AI apps built with the DeepSeek R1 model on Azure AI Foundry and GitHub 

Develop with trustworthy AI 

Last week, we announced DeepSeek R1’s availability on Azure AI Foundry and GitHub, joining a diverse portfolio of more than 1,800 models.   

Customers today are building production-ready AI applications with Azure AI Foundry, while accounting for their varying security, safety, and privacy requirements. Similar to other models provided in Azure AI Foundry, DeepSeek R1 has undergone rigorous red teaming and safety evaluations, including automated assessments of model behavior and extensive security reviews to mitigate potential risks. Microsoft’s hosting safeguards for AI models are designed to keep customer data within Azure’s secure boundaries. 

With Azure AI Content Safety, built-in content filtering is available by default to help detect and block malicious, harmful, or ungrounded content, with opt-out options for flexibility. Additionally, the safety evaluation system allows customers to efficiently test their applications before deployment. These safeguards help Azure AI Foundry provide a secure, compliant, and responsible environment for enterprises to confidently build and deploy AI solutions. See Azure AI Foundry and GitHub for more details.

Start with Security Posture Management

AI workloads introduce new cyberattack surfaces and vulnerabilities, especially when developers leverage open-source resources. Therefore, it’s critical to start with security posture management, to discover all AI inventories, such as models, orchestrators, grounding data sources, and the direct and indirect risks around these components. When developers build AI workloads with DeepSeek R1 or other AI models, Microsoft Defender for Cloud’s AI security posture management capabilities can help security teams gain visibility into AI workloads, discover AI cyberattack surfaces and vulnerabilities, detect cyberattack paths that can be exploited by bad actors, and get recommendations to proactively strengthen their security posture against cyberthreats.

By mapping out AI workloads and synthesizing security insights such as identity risks, sensitive data, and internet exposure, Defender for Cloud continuously surfaces contextualized security issues and suggests risk-based security recommendations tailored to prioritize critical gaps across your AI workloads. Relevant security recommendations also appear within the Azure AI resource itself in the Azure portal. This provides developers or workload owners with direct access to recommendations and helps them remediate cyberthreats faster. 

Safeguard DeepSeek R1 AI workloads with cyberthreat protection

While having a strong security posture reduces the risk of cyberattacks, the complex and dynamic nature of AI requires active monitoring in runtime as well. No AI model is exempt from malicious activity and can be vulnerable to prompt injection cyberattacks and other cyberthreats. Monitoring the latest models is critical to ensuring your AI applications are protected.

Integrated with Azure AI Foundry, Defender for Cloud continuously monitors your DeepSeek AI applications for unusual and harmful activity, correlates findings, and enriches security alerts with supporting evidence. This provides your security operations center (SOC) analysts with alerts on active cyberthreats such as jailbreak cyberattacks, credential theft, and sensitive data leaks. For example, when a prompt injection cyberattack occurs, Azure AI Content Safety prompt shields can block it in real-time. The alert is then sent to Microsoft Defender for Cloud, where the incident is enriched with Microsoft Threat Intelligence, helping SOC analysts understand user behaviors with visibility into supporting evidence, such as IP address, model deployment details, and suspicious user prompts that triggered the alert. 

Additionally, these alerts integrate with Microsoft Defender XDR, allowing security teams to centralize AI workload alerts into correlated incidents to understand the full scope of a cyberattack, including malicious activities related to their generative AI applications. 

Secure and govern the use of the DeepSeek app

In addition to the DeepSeek R1 model, DeepSeek also provides a consumer app hosted on its local servers, where data collection and cybersecurity practices may not align with your organizational requirements, as is often the case with consumer-focused apps. This underscores the risks organizations face if employees and partners introduce unsanctioned AI apps leading to potential data leaks and policy violations. Microsoft Security provides capabilities to discover the use of third-party AI applications in your organization and provides controls for protecting and governing their use.

Secure and gain visibility into DeepSeek app usage 

Microsoft Defender for Cloud Apps provides ready-to-use risk assessments for more than 850 Generative AI apps, and the list of apps is updated continuously as new ones become popular. This means that you can discover the use of these Generative AI apps in your organization, including the DeepSeek app, assess their security, compliance, and legal risks, and set up controls accordingly. For example, for high-risk AI apps, security teams can tag them as unsanctioned apps and block user’s access to the apps outright.

Comprehensive data security 

In addition, Microsoft Purview Data Security Posture Management (DSPM) for AI provides visibility into data security and compliance risks, such as sensitive data in user prompts and non-compliant usage, and recommends controls to mitigate the risks. For example, the reports in DSPM for AI can offer insights on the type of sensitive data being pasted to Generative AI consumer apps, including the DeepSeek consumer app, so data security teams can create and fine-tune their data security policies to protect that data and prevent data leaks. 

Prevent sensitive data leaks and exfiltration  

The leakage of organizational data is among the top concerns for security leaders regarding AI usage, highlighting the importance for organizations to implement controls that prevent users from sharing sensitive information with external third-party AI applications.

Microsoft Purview Data Loss Prevention (DLP) enables you to prevent users from pasting sensitive data or uploading files containing sensitive content into Generative AI apps from supported browsers. Your DLP policy can also adapt to insider risk levels, applying stronger restrictions to users that are categorized as ‘elevated risk’ and less stringent restrictions for those categorized as ‘low-risk’. For example, elevated-risk users are restricted from pasting sensitive data into AI applications, while low-risk users can continue their productivity uninterrupted. By leveraging these capabilities, you can safeguard your sensitive data from potential risks from using external third-party AI applications. Security admins can then investigate these data security risks and perform insider risk investigations within Purview. These same data security risks are surfaced in Defender XDR for holistic investigations.

This is a quick overview of some of the capabilities to help you secure and govern AI apps that you build on Azure AI Foundry and GitHub, as well as AI apps that users in your organization use. We hope you find this useful!

To learn more and to get started with securing your AI apps, take a look at the additional resources below:  

• AI security posture management in Microsoft Defender for Cloud 
• Threat protection for AI workloads in Microsoft Defender for Cloud
• Get visibility into your DeepSeek use with Defender for Cloud Apps 
• Microsoft Purview data security and compliance protections for generative AI apps 

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Securing DeepSeek and other AI systems with Microsoft Security appeared first on Microsoft Security Blog.