AI has quickly become a powerful tool misused by threat actors, who use it to slip into the tiniest crack in your defenses. They use AI to automate and launch password attacks and phishing attempts at scale, craft emails that seem to come from people you know, manufacture voicemails and videos that impersonate people, join calls, request IT support, and reset passwords. They even use AI to rewrite AI agents on the fly as they compromise and traverse your network.

To stay ahead in the coming year, we recommend four priorities for identity security leaders:

1. Implement fast, adaptive, and relentless AI-powered protection.
2. Manage, govern, and protect AI and agents.
3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution.
4. Strengthen your identity and access foundation to start secure and stay secure.

Secure Access Webinar

Enhance your security strategy: Deep dive into how to unify identity and network access through practical Zero Trust measures in our comprehensive four-part series.

Sign up for the webinar

1. Implement fast, adaptive, and relentless AI-powered protection

2026 is the year to integrate AI agents into your workflows to reduce risk, accelerate decisions, and strengthen your defenses.

While security systems generate plenty of signals, the work of turning that data into clear next steps is still too manual and error-prone. Investigations, policy tuning, and response actions require stitching together an overwhelming volume of context from multiple tools, often under pressure. When cyberattackers are operating at the speed and scale of AI, human-only workflows constrain defenders.

That’s where generative AI and agentic AI come in. Instead of reacting to incidents after the fact, AI agents help your identity teams proactively design, refine, and govern access. Which policies should you create? How do you keep them current? Agents work alongside you to identify policy gaps, recommend smarter and more consistent controls, and continuously improve coverage without adding friction for your users. You can interact with these agents the same way you’d talk to a colleague. They can help you analyze sign-in patterns, existing policies, and identity posture to understand what policies you need, why they matter, and how to improve them.

In a recent study, identity admins using the Conditional Access Optimization Agent in Microsoft Entra completed Conditional Access tasks 43% faster and 48% more accurately across tested scenarios. These gains directly translate into a stronger identity security posture with fewer gaps for cyberattackers to exploit. Microsoft Entra also includes built-in AI agents for reasoning over users, apps, sign-ins, risks, and configurations in context. They can help you investigate anomalies, summarize risky behavior, review sign-in changes, remediate and investigate risks, and refine access policies.

The real advantage of AI-powered protection is speed, scale, and adaptability. Static, human-only workflows just can’t keep up with constantly evolving cyberattacks. Working side-by-side with AI agents, your teams can continuously assess posture, strengthen access controls, and respond to emerging risks before they turn into compromise.

2. Manage, govern, and protect AI and agents 

Another critical shift is to make every AI agent a first-class identity and govern it with the same rigor as human identities. This means inventorying agents, assigning clear ownership, governing what they can access, and applying consistent security standards across all identities.

Just as unsanctioned software as a service (SaaS) apps once created shadow IT and data leakage risks, organizations now face agent sprawl—an exploding number of AI systems that can access data, call external services, and act autonomously. While you want your employees to get the most out of these powerful and convenient productivity tools, you also want to protect them from new risks.

Fortunately, the same Zero Trust principles that apply to human employees apply to AI agents, and now you can use the same tools to manage both. You can also add more advanced controls: monitoring agent interaction with external services, enforcing guardrails around internet access, and preventing sensitive data from flowing into unauthorized AI or SaaS applications.

With Microsoft Entra Agent ID, you can register and manage agents using familiar Entra experiences. Each agent receives its own identity, which improves visibility and auditability across your security stack. Requiring a human sponsor to govern an agent’s identity and lifecycle helps prevent orphaned agents and preserves accountability as agents and teams evolve. You can even automate lifecycle actions to onboard and retire agents. With Conditional Access policies, you can block risky agents and set guardrails for least privilege and just in time access to resources.

To govern how employees use agents and to prevent misuse, you can turn to Microsoft Entra Internet Access, included in Microsoft Entra Suite. It’s now a secure web and AI gateway that works with Microsoft Defender to help you discover use of unsanctioned private apps, shadow IT, generative AI, and SaaS apps. It also protects against prompt injection attacks and prevents data exfiltration by integrating network filtering with Microsoft Purview classification policies.

When you have observability into everything that traverses your network, you can embrace AI confidently while ensuring that agents operate safely, responsibly, and in line with organizational policy.

3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution

There’s often a gap between what your identity system can see and what’s happening on the network. That’s why our next recommendation is to unify the identity and network access layers of your Zero Trust architecture, so they can share signals and reinforce each other’s strengths through a unified policy engine. This gives you deeper visibility into and finer control over every user session.

Today, enterprise organizations juggle an average of five different identity solutions and four different network access solutions, usually from multiple vendors.¹ Each solution enforces access differently with disconnected policies that limit visibility across identity and network layers. Cyberattackers are weaponizing AI to scale phishing campaigns and automate intrusions to exploit the seams between these siloed solutions, resulting in more breaches.²

An access security platform that integrates context from identity, network, and endpoints creates a dynamic safety net—an Access Fabric—that surrounds every digital interaction and helps keep organizational resources secure. An Access Fabric solution wraps every connection, session, and resource in consistent, intelligent access security, wherever work happens—in the cloud, on-premises, or at the edge. Because it reasons over context from identity, network, devices, agents, and other security tools, it determines access risk more accurately than an identity-only system. It continuously re‑evaluates trust across authentication and network layers, so it can enforce real‑time, risk‑based access decisions beyond first sign‑in.

Microsoft Entra delivers integrated access security across AI and SaaS apps, internet traffic, and private resources by bringing identity and network access controls together under a unified Zero Trust policy engine, Microsoft Entra Conditional Access. It continuously monitors user and network risk levels. If any of those risk levels change, it enforces policies that adapt in real time, so you can block access for users, apps, and even AI agents before they cause damage.

Your security teams can set policies in one central place and trust Entra to enforce them everywhere. The same adaptive controls protect human users, devices, and AI agents wherever they move, closing access security gaps while reducing the burden of managing multiple policies across multiple tools.

4. Strengthen your identity and access foundation to start secure and stay secure

To address modern cyberthreats, you need to start from a secure baseline—anchored in phishing‑resistant credentials and strong identity proofing—so only the right person can access your environment at every step of authentication and recovery.

A baseline security model sets minimum guardrails for identity, access, hardening, and monitoring. These guardrails include must-have controls, like those in security defaults, Microsoft-managed Conditional Access policies, or Baseline Security Mode in Microsoft 365. This approach includes moving away from easily compromised credentials like passwords and adopting passkeys to balance security with a fast, familiar sign-in experience. Equally important is high‑assurance account recovery and onboarding that combines a government‑issued ID with a biometric match to ensure that no bad actors or AI impersonators gain access.

Microsoft Entra makes it easy to implement these best practices. You can require phishing‑resistant credentials for any account accessing your environment and tailor passkey policies based on risk and regulatory needs. For example, admins or users in highly regulated industries can be required to use device‑bound passkeys such as physical security keys or Microsoft Authenticator, while other worker groups can use synced passkeys for a simpler experience and easier recovery. At a minimum, protect all admin accounts with phishing‑resistant credentials included in Microsoft Entra ID. You can even require new employees to set up a passkey before they can access anything. With Microsoft Entra Verified ID, you can add a live‑person check and validate government‑issued ID for both onboarding and account recovery.

Combining access control policies with device compliance, threat detection, and identity protection will further fortify your foundation. 

Support your identity and network access priorities with Microsoft

The plan for 2026 is straightforward: use AI to automate protection at speed and scale, protect the AI and agents your teams use to boost productivity, extend Zero Trust principles with an Access Fabric solution, and strengthen your identity security baseline. These measures will give your organization the resilience it needs to move fast without compromise. The threats will keep evolving—but you can tip the scales in your favor against increasingly sophisticated cyberattackers.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Secure employee access in the age of AI report, Microsoft.

²Microsoft Digital Defense Report 2025.

The post Four priorities for AI-powered identity and network access security in 2026 appeared first on Microsoft Security Blog.

Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally. Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA. These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.

This attack vector is not new but has seen increased visibility and use since May 2025. The phishing campaigns Microsoft has observed using this attack vector are opportunistic rather than targeted in nature, with messages sent to a wide variety of organizations across several industries and verticals. Notably, Microsoft has also observed a campaign leveraging this vector to conduct financial scams against organizations. While these attacks share many characteristics with other credential phishing email campaigns, the attack vector abusing complex routing and improperly configured spoof protections distinguishes these campaigns. The phishing attack vector covered in this blog post does not affect customers whose Microsoft Exchange mail exchanger (MX) records point to Office 365; these tenants are protected by native built-in spoofing detections.

Phishing messages sent through this vector may be more effective as they appear to be internally sent messages. Successful credential compromise through phishing attacks may lead to data theft or business email compromise (BEC) attacks against the affected organization or partners and may require extensive remediation efforts, and/or lead to loss of funds in the case of financial scams. While Microsoft detects the majority of these phishing attack attempts, organizations can further reduce risk by properly configuring spoof protections and any third-party connectors to prevent spoofed phish or scam messages sent through this attack vector from reaching inboxes.

In this blog, we explain how threat actors are exploiting these routing scenarios and provide observations from related attacks. We provide specific examples—including technical analysis of phishing messages, spoof protections, and email headers—to help identify this attack vector. This blog also provides additional resources with information on how to set up mail flow rules, enforce spoof protections, and configure third-party connectors to prevent spoofed phishing messages from reaching user inboxes.

Spoofed phishing attacks

In cases where a tenant has configured a complex routing scenario, where the MX records are not pointed to Office 365, and the tenant has not configured strictly enforced spoof protections, threat actors may be able to send spoofed phishing messages that appear to have come from the tenant’s own domain. Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains.

This vector is not, as has been publicly reported, a vulnerability of Direct Send, a mail flow method in Microsoft 365 Exchange Online that allows devices (like printers, scanners), applications, or third-party services to send email without authentication using the organization’s accepted domain, but rather takes advantage of complex routing scenarios and misconfigured spoof protections. Tenants with MX records pointed directly to Office 365 are not vulnerable to this attack vector of sending spoofed phishing messages.

As with most other phishing attacks observed by Microsoft Threat intelligence throughout 2025, the bulk of phishing campaigns observed using this attack vector employ the Tycoon2FA PhaaS platform, in addition to several other phishing services in use as well. In October 2025, Microsoft Defender for Office 365 blocked more than 13 million malicious emails linked to Tycoon2FA, including many attacks spoofing organizations’ domains. PhaaS platforms such as Tycoon2FA provide threat actors with a suite of capabilities, support, and ready-made lures and infrastructure to carry out phishing attacks and compromise credentials. These capabilities include adversary-in-the-middle (AiTM) phishing, which is intended to circumvent multifactor authentication (MFA) protections. Credential phishing attacks sent through this method employ a variety of themes such as voicemail notifications, password resets, HR communications, among others.

Microsoft Threat Intelligence has also observed emails intended to trick organizations into paying fake invoices, potentially leading to financial losses. Generally, in these spoofed phishing attacks, the recipient email address is used in both the “To” and “From” fields of the email, though some attacks will change the display name of the sender to make the attack more convincing and the “From” field could contain any valid internal email address.

Credential phishing with spoofed emails

The bulk of phishing messages sent through this attack vector uses the same lures as conventionally sent phishing messages, masquerading as services such as Docusign, or communications from HR regarding salary or benefits changes, password resets, and so on. They may employ clickable links in the email body or QR codes in attachments or other means of getting the recipient to navigate to a phish landing page. The appearance of having been sent from an internal email address is the most visible distinction to an end user, often with the same email address used in the “To” and “From” fields.

Email headers provide more information regarding the delivery of spoofed phishing emails, such as the appearance of an external IP address used by the threat actor to initiate the phishing attack. Depending on the configuration of the tenant, there will be SPF soft or hard fail, DMARC fail, and DKIM will equal none as both the sender and recipient appear to be in the same domain. At a basic level of protection, these should cause a message to land in a spam folder, but a user may retrieve and interact with phishing messages routed to spam. The X-MS-Exchange-Organization-InternalOrgSender will be set to True, but X-MS-Exchange-Organization-MessageDirectionality will be set to Incoming and X-MS-Exchange-Organization-ASDirectionalityType will have a value of “1”, indicating that the message was sent from outside of the organization. The combination of internal organization sender and incoming directionality is indicative of a message spoofed to appear as an internal communication, but not necessarily indicative of maliciousness. X-MS-Exchange-Organization-AuthAs will be set to Anonymous, indicating that the message came from an external source.

The Authentication-Results header example provided below illustrates the result of enforced authentication. 000 is an explicit DMARC failure. The resultant action is either reject or quarantine. The headers shown here are examples of properly configured environments, effectively blocking phishing emails sent through this attack vector:

spf=fail (sender IP is 51.89.59[.]188) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=contoso.com;compauth=fail reason=000

spf=fail (sender IP is 51.68.182[.]101) smtp.mailfrom= contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=contoso.com;

Any third-party connectors—such as a spam filtering service, security solution, or archiving service—must be configured properly or spoof detections cannot be calculated correctly, allowing phishing emails such as the examples below to be delivered. The first of these examples indicate the expected authentication failures in the header, but no action is taken due to reason 905, which indicates that the tenant has set up complex routing where the mail exchanger record (MX record) points to either an on-premises Exchange environment or a third-party service before reaching Microsoft 365:

spf=fail (sender IP is 176.111.219[.]85) smtp.mailfrom= contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from= contoso.com;compauth=none reason=905

The phishing message masquerades as a notification from Microsoft Office 365 informing the recipient that their password will soon expire, although the subject line appears to be intended for a voicemail themed lure. The link in the email is a nested Google Maps URL pointing to an actor-controlled domain at online.amphen0l-fci[.]com.

The second example also shows the expected authentication failures, but with an action of “oreject” with reason 451, indicating complex routing and that the message was delivered to the spam folder.

spf=softfail (sender IP is 162.19.129[.]232) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=contoso.com;compauth=none reason=451

This email masquerades as a SharePoint communication asking the recipient to review a shared document. The sender and recipient addresses are the same, though the threat actor has set the display name of the sender to “Pending Approval”. The InternalOrgSender header is set to True. On the surface, this appears to be an internally sent email, though the use of the recipient’s address in both the “To” and “From” fields may alert an end user that this message is not legitimate.

The nested Google URL in the email body points to actor-controlled domain scanuae[.]com. This domain acts as a redirector, loading a script that constructs a URL using the recipient’s Base64-encoded email before loading a custom CAPTCHA page on the Tycoon2FA domain valoufroo.in[.]net. A sample of the script loaded on scanuae[.]com is shown here:

The below example of the custom CAPTCHA page is loaded at the Tycoon2FA domain goorooyi.yoshemo.in[.]net. The CAPTCHA is one of many similar CAPTCHAs observed in relation to Tycoon2FA phishing sequences. Clicking through it leads to a Tycoon2FA phish landing page where the recipient is prompted to input their credentials. Alternatively, clicking through the CAPTCHA may lead to a benign page on a legitimate domain, a tactic intended to evade detection and analysis.

Spoofed email financial scams

Microsoft Threat Intelligence has also observed financial scams sent through spoofed emails. These messages are crafted to look like an email thread between a highly placed employee at the targeted organization, often the CEO of the organization, an individual requesting payment for services rendered, or the accounting department at the targeted organization. In this example, the message was initiated from 163.5.169[.]67 and authentication failures were not enforced, as DMARC is set to none and action is set to none, a permissive mode that does not protect against spoofed messages, allowing the message to reach the inbox on a tenant whose MX record is not pointed to Office 365.

Authentication-Results	spf=fail (sender IP is 163.5.169[.]67) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=contoso.com;compauth=fail reason=601

The scam message is crafted to appear as an email thread with a previous message between the CEO of the targeted organization, using the CEO’s real name, and an individual requesting payment of an invoice. The name of the individual requesting payment (here replaced with “John Doe”) appears to be a real person, likely a victim of identity theft. The “To” and “From” fields both use the address for the accounting department at the targeted organization, but with the CEO’s name used as the display name in the “From” field. As with our previous examples, this email superficially appears to be internal to the organization, with only the use of the same address as sender and recipient indicating that the message may not be legitimate. The body of the message also attempts to instill a sense of urgency, asking for prompt payment to retain a discount.

Most of the emails observed as part of this campaign include three attached files. The first is the fake invoice requesting several thousand dollars to be sent through ACH payment to a bank account at an online banking company. The name of the individual requesting payment is also listed along with a fake company name and address. The bank account was likely set up using the individual’s stolen personally identifiable information.

The second attachment (not pictured) is an IRS W-9 form that lists the name and social security number of the individual used to set up the bank account. The third attachment is a fake “bank letter” ostensibly provided by an employee at the online bank used to set up the fraudulent account. The letter provides the same banking information as the invoice and attempts to add another layer of believability to the scam.

Falling victim to this scam could result in significant financial losses that may not be recoverable as the funds will likely be moved quickly by the actor in control of the fraudulent bank account.  

Mitigation and protection guidance

Preventing spoofed email attacks

The following links provide information for customers whose MX records are not pointed to Office 365 on how to configure mail flow connectors and rules to prevent spoofed emails from reaching inboxes.

• These links provide information on how to properly configure mail flow with connectors:
  • Manage mail flow using a third-party cloud service with Exchange Online
  • Configure mail flow using connectors in Exchange Online
  • Mail flow rules (transport rules) in Exchange Online
  • Enhanced filtering for connectors in Exchange Online
• These links provide information on configuring SPF, DKIM, and DMARC:
  • Email authentication in cloud organizations
  • Set up SPF to identify valid email sources for your custom cloud domains
  • Set up DKIM to sign mail from your cloud domain
  • Set up DMARC to validate the From address domain for cloud senders
• The following links provide more in-depth information on Direct Send:
  • Introducing more control over Direct Send in Exchange Online
  • Direct Send vs sending directly to an Exchange Online tenant

Mitigating AiTM phishing attacks

Microsoft Threat Intelligence recommends the following mitigations, which are effective against a range of phishing threats.

• Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
• Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants
• Configure Microsoft Entra with increased security.
• Pilot and deploy phishing-resistant authentication methods for users.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.

Mitigating threats from phishing actors begins with securing user identity by eliminating traditional credentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.

Microsoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise. Learn how to require phishing-resistant MFA for admin roles and plan a passwordless deployment.

Passwordless authentication improves security as well as enhances user experience and reduces IT overhead. Explore Microsoft’s overview of passwordless authentication and authentication strength guidance to understand how to align your organization’s policies with best practices. For broader strategies on defending against identity-based attacks, refer to Microsoft’s blog on evolving identity attack techniques.

If Microsoft Defender alerts indicate suspicious activity or confirmed compromised account or a system, it’s essential to act quickly and thoroughly. Below are recommended remediation steps for each affected identity:

1. Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used.
2. Re-register or remove MFA devices – Review users MFA devices, specifically those recently added or updated.
3. Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial configurations, such as direct deposit details, revert them to their original state and notify the appropriate internal teams.
4. Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward sensitive data. Review and delete any suspicious or unauthorized rules.
5. Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new setup uses secure, phishing-resistant methods.

Microsoft Defender XDR detections

Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Actor profile: Storm-1747
• Technique profile: Adversary-in-the-middle credential phishing

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Finding potentially spoofed emails:

EmailEvents
| where Timestamp >= ago(30d)
| where EmailDirection == "Inbound"
| where Connectors == ""  // No connector used
| where SenderFromDomain in ("contoso.com")  // Replace with your domain(s)
| project Timestamp, NetworkMessageId, InternetMessageId, SenderMailFromAddress,
          SenderFromAddress, SenderDisplayName, SenderFromDomain, SenderIPv4,
          RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation

Finding more suspicious, potentially spoofed emails:

EmailEvents
| where EmailDirection == "Inbound"
| where Connectors == ""  // No connector used
| where SenderFromDomain in ("contoso.com", "fabrikam.com") // Replace with your accepted domains
| where AuthenticationDetails !contains "SPF=pass" // SPF failed or missing
| where AuthenticationDetails !contains "DKIM=pass" // DKIM failed or missing
| where AuthenticationDetails !contains "DMARC=pass" // DMARC failed or missing
| where SenderIPv4 !in ("") // Exclude known relay IPs
| where ThreatTypes has_any ("Phish", "Spam") or ConfidenceLevel == "High" // 
| project Timestamp, NetworkMessageId, InternetMessageId, SenderMailFromAddress,
          SenderFromAddress, SenderDisplayName, SenderFromDomain, SenderIPv4,
          RecipientEmailAddress, Subject, AuthenticationDetails, DeliveryAction

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

The below hunting queries can also be found in the Microsoft Defender portal for customers who have Microsoft Defender XDR installed from the Content Hub, or accessed directly from GitHub.

• Spoof and impersonation phish detections
• Spoof attempts with auth failure

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Detect network IP and domain indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["162.19.196.13", "163.5.221.110", "51.195.94.194", "51.89.59.188"]);
let ioc_domains = dynamic(["2fa.valoufroo.in.net", "valoufroo.in.net", "integralsm.cl", "absoluteprintgroup.com"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect web sessions IP and file hash indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["162.19.196.13", "163.5.221.110", "51.195.94.194", "51.89.59.188"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Detect domain and URL indicators of compromise using ASIM

The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:

// file hash list - imFileEvent
// Domain list - _Im_WebSession
let ioc_domains = dynamic(["2fa.valoufroo.in.net", "valoufroo.in.net", "integralsm.cl", "absoluteprintgroup.com"]);
_Im_WebSession (url_has_any = ioc_domains)

Spoofing attempts from specific domains

// Add the list of domains to search for.
let DomainList = dynamic(["2fa.valoufroo.in.net", "valoufroo.in.net", "integralsm.cl", "absoluteprintgroup.com"]); 
EmailEvents 
| where TimeGenerated > ago (1d) and DetectionMethods has "spoof" and SenderFromDomain in~ (DomainList)
| project TimeGenerated, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames  
| evaluate bag_unpack(AR)  
| where column_ifexists('SPF','') =~ "fail" or  column_ifexists('DMARC','') =~ "fail" or column_ifexists('DKIM','') =~ "fail" or column_ifexists('CompAuth','') =~ "fail"
| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = SenderIPv4

Indicators of compromise

References

• https://www.mimecast.com/threat-intelligence-hub/microsoft-direct-send-abuse/
• https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing
• https://www.varonis.com/blog/direct-send-exploit

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Phishing actors exploit complex routing and misconfigurations to spoof domains appeared first on Microsoft Security Blog.

What happened?

What began as a routine onboarding turned into a covert operation. In this case, four compromised user accounts were discovered connecting PiKVM devices to employer-issued workstations—hardware that enables full remote control as if the threat actor were physically present. This allowed unknown third parties to bypass normal access controls and extract sensitive data directly from the network. With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

DART quickly pivoted from proactive threat hunting to full-scale investigation, leveraging numerous specialized tools and techniques. These included, but were not limited to, Cosmic and Arctic for Azure and Active Directory analysis, Fennec for forensic evidence collection across multiple operating system platforms, and telemetry from Microsoft Entra ID protection and Microsoft Defender solutions for endpoint, identity, and cloud apps. Together, these tools and capabilities helped trace the intrusion, contain the threat, and restore operational integrity.

How did Microsoft respond?

Once the scope of the compromise was clear, DART acted immediately to contain and disrupt the cyberattack. The team disabled compromised accounts, restored affected devices to clean backups, and analyzed Unified Audit Logs—a feature of Microsoft 365 within the Microsoft Purview Compliance Manager portal—to trace the threat actor’s movements. Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse. To blunt the broader campaign, Microsoft also suspended thousands of accounts linked to North Korean IT operatives.

What can customers do to strengthen their defenses?

This cyberthreat is challenging, but it’s not insurmountable. By combining strong security operations center (SOC) practices with insider risk strategies, companies can close the gaps that threat actors exploit. Many organizations start by improving visibility through Microsoft 365 Defender and Unified Audit Log integration and protecting sensitive data with Microsoft Purview Data Loss Prevention policies. Additionally, Microsoft Purview Insider Risk Management can help organizations identify risky behaviors before they escalate, while strict pre-employment vetting and enforcing the principle of least privilege reduce exposure from the start. Finally, monitor for unapproved IT tools like PiKVM devices and stay informed through the Threat Analytics dashboard in Microsoft Defender. These cybersecurity practices and real-world strategies, paired with proactive alert management, can give your defenders the confidence to detect, disrupt, and prevent similar attacks.

What is the Cyberattack Series?

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹AI Fuels Mistrust Between Employers and Job Candidates; Recruiters Worry About Fraud, Candidates Fear Bias

The post Imposter for hire: How fake people can gain very real access appeared first on Microsoft Security Blog.

This evolution demands a fundamental shift in Identity Threat Detection and Response (ITDR). It’s no longer simply about protecting users; it requires consistent, comprehensive protection for every piece of the identity fabric, whether human or non-human, on-premises or in the cloud, from Microsoft or another vendor.

ITDR for the modern enterprise

Successful identity security practices understand that seams in protection are the real enemy of identity security. A unified approach between identity and security teams is a necessity  and our unique perspective as both a leading identity and security provider allow us to further streamline the flow of contextual insights, actions, and workflows across these groups, minimizing the potential for gaps or oversight.

While both identity and security teams play critical roles in ITDR, it is just one piece of their overall charter and goal. For security operations center (SOC) professionals their core mission remains to prevent, detect, and respond to cyberthreats that could impact their organization’s security and business continuity. On a day-to-day basis, identity and security teams proactively harden their security posture, triage and investigate incoming alerts, and, when a true cyberthreat is confirmed, coordinate a rapid and effective response. Within this broader mission, ITDR resents a critical but focused subset. For instance, identity security posture recommendations are essential but only one piece of broader security hardening.

Similarly, identity alerts offer invaluable insights needed to detect anomalous identity activity, but they must be understood in the context of the overall cyberattack. And while identity response actions such as revoking sessions or enforcing multifactor authentication are critical to stop attacks, they must be coordinated with other response actions across endpoints and other domains to block lateral movement.

True defense requires enriching identity signals and delivering them in context as part of a unified threat picture, enabling coordinated response across domains, and continuously improving posture to stay ahead of evolving cyberthreats.

This blog explores how Microsoft is reimagining identity security to meet these challenges head-on—empowering defenders with the clarity, context, and control they need to stay ahead of identity-based threats.

Enriched and insightful: Building the foundation for identity security

Identity security starts with ensuring your environment is protected as a foundation. Visibility across your organization’s unique fabric of interconnected identities, infrastructure, and applications is what enables SOC teams to detect cyberthreats earlier, respond faster, and reduce risk across the board. Because in today’s identity-driven cyberthreat landscape, partial visibility is no longer an option. To meet this challenge, organizations need sensors for on-premises infrastructure and integrations with cloud-based identity solutions to pull in insights from the entirety of their identity fabric.

Understanding this, Microsoft is proud to offer one of the widest sets of dedicated sensors for on-premises identity infrastructure. Domain controllers, Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Microsoft Entra ID Connect each serve a distinct purpose within on-premises identity footprint and our dedicated sensors are purpose built to monitor and detect anomalies within their specific activity or configurations.

Additionally, I am excited to announce the general availability of the unified identity and endpoint sensors we unveiled at Microsoft Ignite in 2024. This amazing milestone makes it even easier for new Microsoft Defender for Identity customers to activate identity protections on qualifying domain controllers and start benefiting from identity-specific visibility, posture recommendations, alerts, and automatic attack disruption capabilities within the Defender experience.

Our protections don’t end on-premises, however. Defender’s native integration with Microsoft Entra ID empowers the SOC with real-time visibility into Entra identity activity, risk level, and seamless integration into Zero Ttrust policies through Conditional Access and user containment. And because identity fabrics are rarely homogenous, Microsoft also supports other cloud identities like Okta, offering unified visibility, posture insights, and ITDR capabilities across platforms.

The raw data into cloud and on-premises accounts is important but to be truly insightful it needs to be enriched. To do this we are shifting the paradigm from account-centric to identity-centric. This means correlating information across accounts, platforms, and environments to reveal an identity’s true footprint. With an understanding of how multiple accounts map back to a single identity, the SOC can more accurately investigate and respond to cyberthreats.

This enriched view is especially critical when dealing with privileged identities. Integrations with Privileged Access Management (PAM) solutions further empower security organizations to monitor and protect high-value identities.   

All of this is in addition to the native extended detection and response (XDR) correlation done by Microsoft Defender that automatically links identity signals with insights from other security domains, giving security teams a unified threat picture, breaking down silos, and improving response efficiency. From the Identity page in the Defender portal, SOC analysts can see related devices, applications, and alerts—creating a connected view of the threat landscape. These relationships are also exposed in Advanced Hunting, allowing defenders to query across domains and uncover patterns that would otherwise remain hidden. And because Microsoft extends protections to AI agents, service accounts, third-party identities and more, it can use behavioral signals to detect drift and enforce policy—an area where many competitors simply can’t match.

Context is everything

Microsoft Defender delivers deep, enriched visibility into your unique identity fabric. But the true magic lies in how this intelligence is operationalized within the SOC experience. Defender and Microsoft Entra work together generate identity alerts, which get correlated into broader security incidents within Microsoft Defender XDR, giving analysts a unified view of threat activity across endpoints, identities, and cloud resources. Similarly, identity-posture recommendations are part of Microsoft’s Exposure Management strategy, where they are surfaced alongside other risk signals to help teams proactively reduce their attack surface. And when a threat is confirmed, automatic attack disruption can dynamically contain not only the compromised user but also the devices and sessions associated with the attack. This contextualization turns the powerful insights into decisive action. And in today’s threat landscape it’s not just about seeing more—it’s about responding smarter, faster.

Getting started

New Defender for Identity customers interested in activating the unified sensor can learn more, including how to deploy, within our documentation here. Existing customers that have already deployed the Defender for Identity sensors do not need to do anything at this time, stay tuned for migration guidance in the coming months.  

Learn more about Microsoft ITDR solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹State of Multicloud Security Risk, Microsoft, 2024.

The post Harden your identity defense with improved protection, deeper correlation, and richer context appeared first on Microsoft Security Blog.

Recognizing these risks, Microsoft’s Secure Future Initiative (SFI) has strengthened default security by design, but defenders must continue to follow security baseline recommendations and leverage customer-facing security capabilities to stay ahead of evolving threats. In alignment with the MITRE ATT&CK framework, Microsoft Threat Intelligence continually updates threat matrices to map the evolving tactics and techniques targeting cloud environments. While some of our previous work has focused on Kubernetes and containerized workloads at the compute layer of the cloud stack, this blog shifts the lens to the data storage layer—specifically, Azure Blob Storage.

Therefore, in this blog, we outline some of the unique threats associated with the data storage layer, including relevant stages of the attack chain for Blob Storage to connect these risks to actionable Azure Security controls and applicable security recommendations. We also provide threat detections to help contain and prevent Blob Storage threat activity with Microsoft Defender for Cloud’s Defender for Storage plan. By understanding the unique threats facing Azure Blob Storage and implementing targeted security controls, organizations can better safeguard their most critical workloads and data repositories against evolving attacker tactics.

How Azure Blob Storage works

Azure Storage supports a wide range of options for handling exabytes of blob data from many sources at scale. Blobs store everything from checkpoint and model files for AI to parquet datasets for analytics. These blobs are organized into containers, which function like folders grouping sets of blobs. A single storage account can contain an unlimited number of containers, and each container can store an unlimited number of blobs.

Blob Storage also supports HPC, backup, and disaster recovery scenarios for more resiliency and business continuity, like backing up on-premises resources or Infrastructure as a Service (IaaS) virtual machine-hosted SQL Server data. Azure Data Lake Storage offers specific optimizations well suited for file system and analytics workloads such as hierarchical namespace and fast atomic operations. Blob storage also supports public access scenarios such as download for static files—not all files are accessible for download over internet.

Azure Storage fulfils the cloud shared responsibility model through best practices across identity and access management, secure networking, data protection, and continuous monitoring. It supports best practices that help defend across the attack chain when implemented as part of both a cloud-native identity and access management solution such as Microsoft Entra ID, and a cloud-native application protection platform such as Defender for Cloud. Azure Storage integrates with both, allowing least-privilege access through Entra role-based access control (RBAC) and fine-grained Entra Azure attribute-based access control (ABAC).

Azure Storage safeguards data in transit with network protections such as network security perimeter, private endpoint/Private Link and virtual networks, and encryption for data in transit via TLS. It uses service-side encryption (SSE) to automatically encrypt all Azure Storage resources persisted to the cloud, including blobs and object metadata, and cannot be disabled. While Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption (one of the strongest block ciphers available), it is also possible to enable 256-bit AES encryption at the infrastructure level for double encryption to protect against a scenario where one of the encryption algorithms or keys might be compromised.

Azure Storage integrates with Azure Backup and Microsoft Defender for ransomware and malware protection. Azure Storage also supports a wide range of data protection scenarios, such as preventing deletion or modification of accounts and blobs through immutability settings and enabling recovery from data deletion or overwrites through soft delete and versioning.  

A look at the attack chain

To help defenders apply appropriate controls and our recommendations against various threat scenarios across the attack chain, we take a closer look at the progression.

Reconnaissance

Threat actors enumerate Blob Storage to identify publicly exposed data and credentials that they can leverage later in the attack chain. Common tactics include DNS and HTTP header probing to scan for valid *.blob.core.windows.net subdomains. Threat actors can now also use language models to generate plausible storage account or container names to make brute-forcing more effective.

Enumeration tools like Goblob have long been made available on GitHub, and threat actors can extend this type of capability misusing other tools on GitHub like QuickAZ, which combines storage enumeration with other Azure reconnaissance capabilities. Threat actors may also try to leverage PowerShell-based scanners easily accessible to brute-force prefix and suffix combinations for hours using permutation dictionary scripts. They can also turn to dedicated indexers cataloging tens of thousands of publicly exposed containers.  

When sensitive credentials, such as storage account keys, shared access signatures (SAS), or Microsoft Entra ID principal credentials are discovered in source code repositories or configuration files (including version histories), threat actors can more easily gain an initial foothold. Storage account keys are particularly high risk if they grant full read, write, and delete access to storage resources. With these credentials, threat actors can escalate privileges, move laterally, or proceed directly to exfiltrate data.

Resource development

Threat actors try to exploit misconfigured or missing identity controls to create malicious resources in Blob Storage in furtherance of their operations and targeting. They may attempt to leverage Azure Blob Storage to host spoofed versions of legitimate Microsoft sign-in pages to make it more challenging for potential victims to discern based on an inspection of the SSL certificates alone.

Threat actors may attempt to place malicious executables or macro-enabled documents in containers left open to anonymous access or secured by weak or compromised SAS. This could lead to victims downloading harmful content directly from those blob URLs.

Since Blob Storage often stores machine learning training datasets, threat actors may exploit it for data poisoning by injecting mislabeled or malicious samples to skew model behavior and produce incorrect predictions.

Initial access

A single misconfigured endpoint could expose sensitive information. Theoretically, a threat actor could attempt to exploit blob-triggered Azure Functions using Event Grid that process files in storage containers, or Azure Logic Apps that automate file transfers from external sources like FTP servers, to gain entry to downstream workflows linked to Azure Storage—if those workflows rely on misconfigured or insufficiently secured authentication mechanisms. This could allow an attacker to maliciously trigger trusted automation or hijack event routing to escalate privileges or move laterally within the environment.

Persistence

If a threat actor gains access to an environment through Blob Storage, they may attempt to establish a long-term foothold by manipulating identity and access configurations that are resilient to standard remediation efforts such as key rotations or password resets. These techniques may include assigning built-in roles or custom roles with elevated privileges to identities under their control, generating SAS with broad permissions and extended expiration periods, modifying container-level access policies to permit anonymous read access, enabling Secure File Transfer Protocol (SFTP) on storage accounts, or leveraging soft-delete capabilities to conceal malicious payloads by uploading, deleting, and later restoring blobs.

Threat actors frequently abuse legitimate tools such as AADInternals to establish backdoors and persist, enabling access to both cloud and hybrid resources. Additionally, frameworks like AzureHound are extensively leveraged to identify privileged escalation paths from enumerated Azure resources.

Defense evasion

Threat actors may attempt to evade detection by tampering with Blob Storage networking and logging configurations—loosening or deleting firewall rules, adding overly permissive IP address ranges or virtual network (VNet) rules, creating unauthorized private endpoints, distributing requests across regions, or disabling diagnostic logging.

Credential access

Threat actors may attempt to obtain Blob Storage credentials through several vectors, including token and key extraction, cloud shell persistence abuse, and exposure through misconfigurations. For token and key extraction, threat actors with access to Entra ID tokens may reuse refresh tokens to obtain new access tokens, or invoke privileged management APIs (for example, listKeys) to extract primary and secondary storage account keys. These keys may grant full data-plane access and bypass identity-based controls. For cloud shell persistence abuse, because Azure Cloud Shell stores session data within a hidden blob container within the user’s storage account, threat actors with access may retrieve cached credentials, command history, or configuration files containing sensitive information. Finally, for exposure through misconfiguration, if secure transfer is not enforced or network access controls are overly permissive, shared keys or SAS tokens may be exposed in transit or through public endpoints. This includes keys and tokens found in exposed or compromised endpoints or code-repositories. These credentials can then possibly be reused by threat actors to access or exfiltrate data.

Discovery

After gaining a foothold in Azure, threat actors might map Blob Storage to locate valuable data and understand defensive settings. To uncover blob containers unintentionally exposed publicly, they could enumerate the broader cloud estate—querying subscriptions, resource groups, and storage account inventories. After identifying accounts, threat actors could probe deeper: listing containers and blobs, inspecting metadata, and retrieving configuration details such as firewall rules, logging targets, immutability policies, and backup schedules. This would enable them to identify where sensitive data resides and assess which controls can be bypassed or disabled to facilitate collection, exfiltration, or destruction.

Lateral movement

When a new blob is added to a container, Azure can trigger Azure Functions, Logic Apps, or other workflows. If a threat actor controls the source container and an Event Grid subscription is configured, they may upload specially crafted files that trigger downstream compute resources running under managed identities, which may have elevated permissions to move laterally into other services.

If Azure Functions store their code in Azure Storage and threat actors gain write access, they may attempt to replace the code with malicious files. When the function is triggered by a blob event, HTTP request or timer, it could run malicious code under the function’s identity, potentially granting access to other resources.

Threat actors may also target automated data pipelines or third-party integrations that trust blob-based inputs. Enterprises often use Azure Data Factory and Azure Synapse Analytics to copy and transform data from Azure Blob Storage. These pipelines typically authenticate to Blob using managed identities, service principals, SAS tokens, or account keys, and may connect over managed private endpoints. If an attacker can modify data in a source container, they may influence downstream processing or gain access to services that trust the pipeline’s identity, enabling further lateral movement.

Collection

If blob containers are misconfigured, threat actors may be able to list and download large volumes of data directly from storage. If access is obtained, they may copy or export sensitive files into a staging container they control, using Storage operations like StartCopy, SyncCopy, or CopyBlob through AzCopy or the Azure Storage REST API to stay within Azure and evade detection. They may compress or encrypt the data cache internally as well before attempting to exfiltrate it.

Command and control

Blob Storage can be abused to distribute malware if the account or credentials are compromised. Threat actors may try to use Blob Storage as a covert beacon channel, where malware running on compromised hosts periodically polls for new blobs or metadata updates containing command payloads. After infecting a target, malware might send HEAD or GET requests to the Azure blob’s REST API, retrieving metadata without downloading the file content. If malware parses these headers as communication channels, it may send exfiltrated data back by writing separate metadata updates. Threat actors could embed new commands within metadata fields, meaning the blob’s content remains unchanged while the metadata plane acts as a persistent, stealthy command-and-control (C2) server. 

Additionally, threat actors may attempt to exploit object replication to propagate payloads across environments. If a replication policy is successfully configured, any new blobs added to a compromised source container are automatically copied to a trusted destination container—turning it into a distribution hub and enabling supply chain–style attacks.

Exfiltration

If threat actors gain access to the environment, they might leverage Azure-native tools like Azure Storage Explorer or AzCopy to exfiltrate data at scale—exploiting Azure’s high bandwidth and trusted domains to evade detection. 

For instance, they could enable static website hosting and copy sensitive blobs into the publicly accessible $web container. Disabling anonymous access on the storage account-level offers no protection here, because the $web container always remains publicly accessible. In another scenario, threat actors could exfiltrate data into a separate Azure subscription they control, using Microsoft’s internal network as a covert transport layer to bypass controls. 

Threat actors could also embed exfiltration logic within Azure Functions, Logic Apps, or Automation runbooks, disguising them as legitimate maintenance tasks and throttling transfers to stay below volume or rate thresholds.

Third-party integrations can also lead to indirect exposure if the integrated products are compromised. For example, in 2023, defenders whose environments had MOVEit Transfer application connected to Blob Storage for file transfers or archiving partially contained a zero-day vulnerability, which was later attributed in a tweet by Microsoft to Lace Tempest (known for ransomware operations and running the Clop extortion site).

Impact

If threat actors obtain high privilege roles, storage account keys, or broadly scoped SAS tokens, they can cause extensive damage—for example, issuing mass DeleteBlob or DeleteContainer operations, overwriting objects including with empty content, or re-encrypting data by reuploading modified content or writing new content to blobs. With the necessary privileges, threat actors can also modify file contents or metadata, change access tiers, and remove legal holds. In many scenarios, simply reading or exfiltrating data can result in long-term impact, even without immediate disruption—such as in cases of espionage.

Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. 

Apply zero trust principles to Azure Storage.

Business asset security depends on the integrity of the privileged accounts that administer your IT systems. Refer to our FAQ for answers on securing privileged access. Learn to enable the Azure identity management and access control security best practices, such as ensuring separate user accounts and mail forwarding for Global Administrator accounts. Follow best practices for using Microsoft Entra role-based access control.

Implement our security recommendations for Blob Storage.

• Data protection
• Identity and access management
• Networking
• Logging and monitoring

Monitor the Azure security baseline for Storage and its recommendations using Defender for Cloud.

Microsoft Defender for Cloud periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities and then provides security recommendations on how to address them. For more information, see Review your security recommendations.

Enable Microsoft Defender for Storage.

Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. Its alerts detect and prevent top cloud storage threats, including sensitive data exfiltration, data corruption, and malicious file uploads. For more information, see Understand security threats and alerts in Microsoft Defender for Storage.

You don’t need to enable diagnostic logs for analysis. Defender for Storage also detects suspicious activities from entities without identities that access your data using misconfigured and overly permissive SAS. These SAS might be leaked or compromised.

Sensitive data threat detection considers the sensitivity of the data at risk, quickly identifying and addressing the most significant risks. It also detects exposure events and suspicious activities on resources containing sensitive data. Learn more about sensitive data threat detection.

Enable Defender for Storage via built-in policy. Monitor compliance states to detect if an attacker attempts to tamper with Defender for Storage to evade defenses, and automatically respond with alerts and recovery tasks.

• Enable malware scanning.

Malware scanning in Defender for Storage detects in near real-time and mitigates a wide variety of malware threats either by scanning blobs automatically when blobs are being frequently uploaded or modified, or on-demand for proactive security, incident response, integrating partner data, and securing data pipelines and machine learning datasets.

You can store scan results using index tags, which can be used by applications to automate workflows. Microsoft Defender for Cloud also generates relevant security alerts in the portal, so you can configure automations or export them to Microsoft Sentinel or another SIEM. You can also send results to an Event Grid for automating response and create an audit trail with Log Analytics.

Scanning supports automated remediation through built-in soft deletion of malicious blobs discovered during scanning, blocking access, quarantining and forwarding clean files.

Enable Defender Cloud Security Posture Management (CSPM).

Enabling the CSPM plan extends CSPM capabilities that are automatically enabled as part of Defender for Cloud to offer extra protections for your environment such as cloud security explorer, attack path analysis, and agentless scanning for machines.  

• Use sensitive data discovery.

The Sensitive data discovery component of CSPM identifies sensitive resources and their related risks, then helps prioritize and remediate those risks using the Microsoft Purview classification engine.

Use the cloud security checklist as a structured approach for securing your Azure cloud estate.

This checklist provides security guidance for those managing the technology infrastructure that supports all the workload development and operations hosted on Azure. To help ensure your workloads are secure and aligned with the Zero Trust model, use the design review checklist for security. We also provide complementary guidance on applying security practices and DevSecOps controls in a security development lifecycle.

Enable threat protection for AI services.

Blob Storage is often used to store training datasets for Azure Machine Learning. Because data poisoning is among the most severe machine learning threats, it is critical to scan uploads before they ever enter your pipeline to prevent targeted poisoning attacks.

Microsoft Defender XDR detections

Microsoft Defender for Cloud

When Defender for Storage is enabled, the following alerts in Defender for Cloud may indicate Azure Blob Storage threat activity. Note that other alerts apply to Azure Files.

Some of these alerts will not work if sensitive data threat detection is disabled. Some alerts may be relevant to secondary stages of the attack chain or only be an indication of a penetration test in your organization.

Reconnaissance

• Publicly accessible storage containers successfully discovered
• Publicly accessible storage containers unsuccessfully scanned
• Access from a known suspicious IP address to a sensitive blob container
• Access from a Tor exit node to a sensitive blob container
• Access from a suspicious IP address
• Unusual data exploration in a storage account

Resource Development

• Phishing content hosted on a storage account
• Suspicious external access to an Azure storage account with overly permissive SAS token 
• Suspicious external operation to an Azure storage account with overly permissive SAS token 
• Unusual SAS token was used to access an Azure storage account from a public IP address

Initial Access

• Access from a known suspicious application to a sensitive blob container
• Access from a suspicious application
• Access from an unusual location to a sensitive blob container
• Access from an unusual location to a storage account
• Authenticated access from a Tor exit node
• Unusual unauthenticated access to a storage container
• Unusual unauthenticated public access to a sensitive blob container 

Discovery

• Unusual access inspection in a storage account 

Lateral Movement

• Unusual application accessed a storage account 
• Malicious blob was downloaded from a storage account (with malware scanning add-on enabled)

Collection

• The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access
• The access level of a sensitive storage blob container was changed to allow unauthenticated public access 

Command and control

• Potential malware uploaded to a storage account
• Malicious file uploaded to storage account (with malware scanning add-on enabled; this alert may be an indication that a threat actor intentionally uploaded malware or that a legitimate user unintentionally uploaded a malicious file)

Exfiltration

• Unusual amount of data extracted from a sensitive blob container
• Unusual amount of data extracted from a storage account 
• Unusual number of blobs extracted from a sensitive blob container 

Impact

• Unusual deletion in a storage account 

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Threats targeting or leveraging Azure Blob Storage

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to Microsoft plugins such as for either Microsoft Defender XDR or Microsoft Sentinel.

MITRE ATT&CK Techniques observed

This threat exhibits the use of the following attack techniques. For standard industry documentation about these techniques, refer to the MITRE ATT&CK framework.

Reconnaissance

T1593.002 Search Open Websites/Domains: Search Engines | Threat actors may use search engines and advanced querying (for example, site:*.blob.core.windows.net) to discover exposed Blob Storage accounts.

T1594 Search Victim-Owned Websites | Threat actors might look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages might be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.

T1595.003 Active Scanning: Wordlist Scanning | Threat actors might attempt to locate publicly accessible cloud storage accounts or containers by iteratively trying different permutations or using target-specific wordlists to discover storage endpoints that can be probed for vulnerabilities or misconfigurations.

T1596 Search Open Technical Databases | Threat actors might search public databases for publicly available storage accounts that can be used during targeting.

T1596.001 Search Open Technical Databases: DNS/Passive DNS | Threat actors might search for DNS data for valid storage account names that could become potential targets by querying nameservers using brute-force techniques to enumerate existing storage accounts in the wild or searching through centralized repositories of DNS query responses.

Resource Development

T1583.004 Acquire Infrastructure: Server | If threat actors exploit weak or misconfigured identity controls, Blob Storage could be misused as attacker-controlled infrastructure for hosting malicious payloads, phishing, or C2 scripts.

Initial Access

T1566.001 Phishing: Spearphishing Attachment | Blob Storage could host malicious attachments for spear phishing if threat actors leverage compromised SAS tokens or misconfigured anonymous access.

T1566.002 Phishing: Spearphishing Link | Blob Storage could be misused as a publicly accessible host for spear-phishing links if anonymous or misconfigured containers exist.

T1078.004 Valid Accounts: Cloud Accounts | Threat actors could gain an account-like foothold in Blob Storage if they compromise SAS or storage account keys or successfully take control of a Microsoft Entra ID principal account that holds roles or permissions over Blob Storage. 

Persistence

T1098.001 Account Manipulation: Additional Cloud Credentials | To maintain access even if compromised credentials are revoked, threat actors may try to exploit Blob Storage’s Role-Based Access Control (RBAC) by modifying permissions on identity objects, like Microsoft Entra ID security principals. They may also create high-privilege SAS tokens with long expiry, modify container access levels to allow anonymous reads, or provision SFTP accounts that bypass key rotation.

Defense Evasion

T1562.011 Impair Defenses: Disable or Modify Tools | Threat actors can try to disable, suppress, or modify Defender for Storage scanning features.

T1562.007 Impair Defenses: Disable or Modify Cloud Firewall | Threat actors may try to disable, modify, or reconfigure Blob Storage’s firewall and virtual network rules—such as by granting exceptions for trusted services through managed identities, establishing private endpoints, or leveraging geo-replication—to mask access channels and maintain persistent, covert access even if primary credentials are revoked. 

Credential Access

T1528 Steal Application Access Token | Threat actors may compromise Blob Storage by stealing OAuth-based application access tokens (including refresh tokens) or by leveraging subscription-level privileges to query management APIs and extract primary and secondary storage account keys. While compromised tokens enable impersonation of legitimate users with constrained, renewable privileges, keys grant unrestricted data-plane access that bypasses identity-based controls. Possession of either credential type can lead to full access to blob containers, facilitating data compromise and lateral movement across the cloud environment.

T1003 OS Credential Dumping | Threat actors might dump Cloud Shell profiles and session history—stored in blob containers of an Azure Storage account—to extract sensitive credentials such as OAuth tokens, API keys, or other authentication secrets. While these credentials differ from traditional OS password hashes, their extraction is analogous to conventional credential dumping because threat actors can use them to impersonate legitimate users and gain unauthorized, persistent access to Blob Storage, facilitating lateral movement and data compromise.

T1040 Network Sniffing | Threat actors might passively intercept network traffic destined for Blob Storage when unencrypted protocols are allowed, exposing shared keys, SAS tokens, or API tokens that could then be used to gain unauthorized access to the blob data plane. By exploiting cloud-native traffic mirroring tools, a threat actor could intercept and analyze the network data flowing to and from the virtual machines interacting with Blob Storage.

Discovery

T1580 Cloud Infrastructure Discovery | Blob Storage could be enumerated post-compromise to list subscriptions, resource groups, or container names that are not externally visible.

T1619 Cloud Storage Object Discovery | Blob Storage could be enumerated post-compromise to find specific blob data and configuration details, such as by call listing APIs to inventory objects or use control-plane access to retrieve firewall rules, logging, and backup policies.

Lateral Movement

T1021.007 Remote Services: Cloud Services | Threat actors might manipulate Blob Storage to trigger a compute service, such as Azure Functions, after placing a malicious blob in a monitored container. This automatic execution chain lets attackers pivot from the compromised container to the compute resource, potentially infiltrating additional components.

Collection

T1074.002 Data Staged: Remote Data Staging | Blob Storage could be used as a “staging area” if permissions are overly broad.

T1530 Data from Cloud Storage Object | Blob Storage could be abused to retrieve or copy data directly from containers if they are misconfigured, publicly accessible, or if keys or SAS tokens are obtained. This might include selectively downloading stored files.

Command and Control

T1105 Ingress Tool Transfer | Threat actors might upload and store malicious programs or scripts in Blob Storage after compromising the storage account or its credentials, leverage automatic synchronization to “fan out” malicious payloads across hosts that regularly pull from blob containers, and facilitate ongoing C2 to enable additional compromise and lateral movement. By merging malicious uploads with normal blob usage, threat actors could stealthily distribute harmful tools to multiple hosts simultaneously, reinforcing both C2 and lateral movement.

Exfiltration

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Blob Storage may facilitate data exfiltration if permissions are overly permissive or credentials (for example, account keys, SAS tokens) are compromised. Threat actors may abuse the “static website” feature to expose blob containers through public web endpoints or use tools like AzCopy to transfer stolen data.

T1030 Data Transfer Size Limits | A threat actor might deliberately constrain the packet sizes of Blob Storage data to remain below established thresholds by transferring it in fixed-size chunks rather than as entire blobs.

T1020 Automated Exfiltration | Threat actors might embed exfiltration routines in predefined automation processes in Blob Storage to evade detection.

T1537 Transfer Data to Cloud Account | Threat actors might transfer Blob Storage data to another cloud account that is under their control by using internal APIs and network paths that evade detection mechanisms focused on external data transfers.

Impact

T1485 Data Destruction | Blob Storage could be compromised or misused for data destruction, where a threat actor deletes or overwrites blob data for impact.

T1486 Data Encrypted for Impact | Blob Storage could be targeted by ransomware if threat actors obtain privileged access or compromise keys.

T1565 Data Manipulation | Threat actors might insert, delete, or modify Blob Storage data to compromise data integrity and influence outcomes by altering blob contents or metadata, disrupting business processes, distorting organizational insights, or concealing malicious activities.

References

• https://attack.mitre.org/
• https://cyberdom.blog/azure-blob-storage-powershell-scanning-script/
• https://grayhatwarfare.medium.com/how-to-search-for-open-amazon-s3-buckets-and-their-contents-https-buckets-grayhatwarfare-com-577b7b437e01
• https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-abuse-microsoft-azure-tool-for-data-theft/
• https://www.progress.com/moveit
• https://x.com/MsftSecIntel/status/1665537730946670595

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Inside the attack chain: Threat activity targeting Azure Blob Storage appeared first on Microsoft Security Blog.

What happened?

The cases we’re examining in detail spanned two parts—Reactive 1 and Reactive 2. Reactive 1 began when a retail customer received a Microsoft Defender Experts alert titled “Possible web shell installation.” The Investigation revealed a malicious ASPX file on their SharePoint server, linked to vulnerabilities CVE-2025-49706 and CVE-2025-49704. These allowed cyberattackers to spoof identities and inject remote code.

Reactive 2 started with a single compromised identity. Cyberattackers gained persistence by abusing self-service password reset features and mapped the organization’s identity structure using Microsoft Entra ID and Microsoft Graph API. The issue escalated access using Azure Virtual Desktop and Remote Desktop Protocol (RDP), deployed tools like PsExec and SQL Server Management Studio, and maintained control using Teleport, Azure CLI, and Rsocx proxy. Credential manipulation and directory exploration followed, confirmed by Entra ID risk events. The Detection and Response Team (DART) again provided expert support to contain and analyze the threat.

In both cases, the customer engaged DART quickly, which helped validate the scope of the compromise and assess cyberattacker activity and persistence mechanisms.

How did Microsoft respond?

DART swiftly addressed the two security incidents by executing a comprehensive set of actions aimed at restoring control, containing cyberthreats, and reinforcing long-term resilience. The team began by reclaiming identity systems—both on-premises and cloud—through Active Directory takeback and Entra ID isolation. It neutralized threat actor access by deprivileging compromised accounts, revoking tokens, and identifying persistence mechanisms like Teleport and multifactor authentication (MFA) device registration. Malicious web shells were detected and removed within hours, showcasing rapid containment capabilities.

To investigate and remediate the incidents, Microsoft deployed proprietary forensic tools across critical infrastructure, enabling root cause analysis and operational recovery. The team also guided the affected organization through security configuration enhancements aligned with Zero Trust principles, including MFA enforcement. Threat intelligence from Defender and Microsoft Sentinel confirmed systemic identity compromise, prompting patching of vulnerable systems and a phased mass password reset with user identity re-attestation. Additionally, reverse engineering of ransomware revealed targeted attacks on ESXi directories, informing further mitigation strategies.

What can customers do to prepare?

In the case of Reactive 1, we recommended critical security actions to fortify on-premises SharePoint environments and minimize exposure to known vulnerabilities, something we recommend for all customers. Customers can reduce their risk by deploying endpoint detection and response (EDR) across all devices, conducting regular vulnerability scans, and strengthening identity and access controls. Centralized logging and threat intelligence should also be implemented, along with preserving evidence and maintaining a robust incident response plan. Tools to monitor behavioral anomalies, suspicious processes, and malware indicators are increasingly necessary to protect against today’s threat actors.

Patching promptly—especially for known exploited vulnerabilities—remains a key defense for customers. Regular security hygiene practices—like enforcing MFA across all accounts, removing inactive credentials, and applying least privileged access principles—can improve defenses in real time as threats change fast.

Secure your spot

Ready to strengthen your security strategy for the AI era? Register now for Microsoft Secure, on September 30, to explore the latest AI-first solutions. Then, join us at Microsoft Ignite—November 17–21 in San Francisco, CA or online—to deep dive into more innovations, connect with industry experts, experience hands-on labs, and earn certifications.

What is the Cyberattack Series?

With our Cyberattack Series, customers discover how DART investigates unique and notable cyberattacks. For each cyberattack story, we share:

• How the cyberattack happened
• How the security compromise was discovered
• Microsoft’s investigation and eviction of the threat actor
• Strategies to avoid similar cyberattacks

While retail customers were the target of cyberattackers this time, these incidents serve as a stark reminder that proactive patching, identity segmentation, and continuous monitoring are essential security practices to defend against modern cyber threats for all customers. DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more with Microsoft Security

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or premier support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Retail Cybersecurity Statistics: Market Data Report 2025 

The post Retail at risk: How one alert uncovered a persistent cyberthreat​​ appeared first on Microsoft Security Blog.

By 2026, enterprises may have more autonomous agents than human users. Are we ready to secure and govern them?

2024 was a year defined by learning about generative AI. Organizations were experimenting with it: testing its boundaries and exploring its potential. In 2025, organizations moved into execution. Autonomous agents are no longer theoretical. They’re now being deployed across development, operations, and business workflows.

This shift is being driven by platforms like Microsoft Copilot Studio and Azure AI Foundry and accelerated by patterns like Model Context Protocol (MCP) and Agent-to-Agent (A2A) interactions. These agents are evolving from tools into digital actors—ones capable of reasoning, acting, and collaborating.

That evolution brings real value. But it also introduces a new class of risk—and with it, a new set of responsibilities.

The rise of the agent: What’s here and what’s next

To understand the rise of autonomous agents, it’s worth starting at the beginning. Generative AI first captured the spotlight with models that could produce human-like text, code, and imagery. Meanwhile, researchers were also advancing autonomous systems designed to perceive, decide, and act independently. As these two domains converged, a new class of AI emerged—agents capable not just of generating output, but of taking action towards goals with limited human input. Today, these agents are beginning to surface across each layer of the cloud stack, each designed to tackle different layers of complexity:

• Software as a service (SaaS)-based agents, often built using low-code or no-code platforms like Copilot Studio, are enabling business users to automate tasks with minimal technical support.
• Platform as a service (PaaS)-based agents support both low-code and pro-code development, offering flexibility for teams building more sophisticated solutions. Azure AI Foundry is a good example.
• Infrastructure as a service (IaaS)-based agents are typically deployed in virtual networks (VNETs), virtual private clouds (VPCs), or on-premises environments, often as custom models or services integrated into enterprise infrastructure.

Each of these categories includes both custom-built first-party and third-party individual software vendors (ISVs) agents, all of whom are rapidly multiplying across the enterprise. As organizations embrace this diversity and scale, the number of agents will soon outpace human users—making visibility, oversight, and robust governance not just important, but essential.

The new risk landscape: Why agents are different

While autonomous agents unlock new levels of efficiency, scalability, and continuous operation for organizations, they also introduce a fundamentally different risk profile:

• Self-initiating: Agents can act without direct human prompts, enabling automation and responsiveness at scale—but this autonomy also means they may take unintended actions or operate outside established guardrails.
• Persistent: Running continuously with long-lived access allows agents to deliver ongoing value and handle tasks around the clock. However, persistent presence increases the risk of over-permissioning, lifecycle drift, and undetected misuse.
• Opaque: Their ability to operate as “black boxes” can simplify complex workflows and abstract away technical details, but it also makes them difficult to audit, explain, or troubleshoot—especially when built on large language models (LLMs).
• Prolific: The ease with which agents can be created, even by non-technical users, accelerates innovation and experimentation—while simultaneously increasing the risk of shadow agents, sprawl, and inconsistent governance.
• Interconnected: By calling other agents and services, they can orchestrate complex, multi-step processes—but this interconnectedness creates complex dependencies and new attack surfaces that are challenging to secure and monitor.

Given this new risk profile, these autonomous agents aren’t a minor extension of existing identity or application governance—they’re a new workload. Treat them accordingly.

What’s more—as they scale, they will soon outnumber human users in the enterprise.

Common failure points in autonomous agents

Despite their impressive capabilities, AI agents can still make mistakes. These errors tend to arise during long-running tasks, where “task drift” can occur, or when the agent encounters malicious input such as Cross Prompt Injection Attacks (XPIA). In these cases, the agent may veer off course or even be manipulated into acting against its intended purpose.

That’s why it’s useful to approach agent security the same way you would approach working with a junior employee: by setting clear guardrails, monitoring behavior, and establishing strong protections. Microsoft is addressing XPIA with prompt shields and evolving best practices. Robust authentication can help counter deepfakes, and improved prompt engineering through orchestration or employee training can reduce hallucinations and strengthen overall response accuracy.

Understanding Model Context Protocol for agent governance

One of the most powerful enablers of the growth of autonomous agents is the Model Context Protocol (MCP). MCP is an open standard that allows AI agents to securely and effectively connect with external data sources, tools, and services—providing flexibility to fetch real-time data, call external tools, and operate autonomously. This open standard essentially acts as a “USB-C port for AI.”

But with that flexibility comes risk. Poorly governed MCP implementations can expose agents to data exfiltration, prompt injection, or access to unvetted services. Because MCPs are easy to create, they can proliferate quickly, often without proper access controls or oversight. This is where role-based access control (RBAC) becomes critical: MCP’s ability to connect agents to a wide range of resources means that robust, granular access controls are essential to prevent misuse. However, implementing effective role-based access control for MCP-enabled agents is complex: it requires dynamic, context-aware permissions that can adapt to rapidly changing agent behaviors and access needs. Without this rigor, organizations risk over-permissioning agents, losing visibility into who can access what, and ultimately exposing sensitive data or critical services to unauthorized use.

In short, agents don’t sleep, they don’t forget, and they don’t always follow the rules. That’s why governance and thought-through authorization can’t be optional, for both agents and MCP servers.

Securing and governing agents starts with visibility

The first challenge customers raise is simple: “Do I even know which agents I have?” Before any meaningful governance or security can take place, organizations must achieve observability. Without a clear inventory of agents—across SaaS, PaaS, IaaS, and local environments—governance is guesswork. Visibility provides the foundation for everything that follows: it helps organizations to audit agent activity, understand ownership, and assess access patterns. Only with this single, unified view can organizations move from reactive oversight to proactive control.

Once visibility is in place, securing and governing agents requires a layered approach built on seven core capabilities:

Identity management

Agents must have unique, traceable identities. These identities might be identities derived, but distinguishable, from user identities or independent identities like those used by services—but no matter what they are, these identities need to be governed throughout their lifecycle (from creation to deactivation) with clear sponsorship and accountability to prevent sprawl.

Access control

Agents should operate with the minimum permissions required. Whether acting autonomously or on behalf of a user, access must be scoped, time-bound, and revocable in real time.

Data security

Sensitive data must be protected at every step. This requires implementing inline data loss prevention (DLP), sensitivity-aware controls, and adaptive policies to prevent oversharing. These safeguards are especially critical in low-code environments where agents are created quickly and often without sufficient oversight.

Posture management

Security posture must be continuously assessed. Organizations need to continually identify misconfigurations, excessive permissions, and vulnerable components across the agent stack to maintain a strong baseline.

Threat protection

Agents introduce new attack surfaces; therefore, prompt injection, misuse, and anomalous behavior must be detected early. To mitigate this increased surface area for attacks, signals from across the compute, data, and AI layers should feed into existing extended detection and response (XDR) platforms for proactive defense.

Network security

Just like users and devices, agents need secure network access. That includes controlling which agents can access which resources, inspecting traffic, and blocking access to malicious or non-compliant destinations.

Compliance

Agent activities must align with internal policies and external regulations. Organizations should audit interactions, enforce retention policies, and demonstrate compliance across the agent lifecycle.

These are not theoretical requirements; they are essential for building trust in agentic systems at scale.

Building the foundation: Agent identity

To address the need for augmented governance, Microsoft is introducing Entra Agent ID—a new identity designed specifically for AI agents. You can think of them the same way as managed identities (MSIs) with no default permissions. They can act on behalf of users, other agents, or independently, with just-in-time access that’s automatically revoked when no longer needed. They’re secure by default, auditable, and easy for developers to use. As organizations move beyond managing just users and applications, the need to extend these foundational identity principles to AI agents becomes increasingly important.

An emerging strategy to manage AI agents at scale and improve risk management is the concept of an agent registry. While the directory of Microsoft Entra ID is an authoritative source for both human users and application artifacts, there is a need to provide a similar authoritative store for all agent-specific metadata. This is where the concept of an agent registry comes in—serving as a natural extension to the directory, tailored to capture the unique attributes, relationships, and operational context of AI agents as they proliferate across the enterprise. As these registries evolve, they are likely to integrate with core components like MCP servers, reflecting the expanding role of agents within the ecosystem. Together, these tools will allow organizations to achieve observability, manage risk, and scale governance.

Extending Microsoft Security to meet the moment

To meet organizational needs that come with autonomous agents, Microsoft is building on a strong foundation and extending our existing security products to meet the unique demands of the agentic era, grounded in a Zero Trust approach that protects both people and AI agents.

Microsoft’s security stack—including Entra, Purview, Defender, and more—adapts identity management, access control, data protection, secure network access, threat detection, posture management, and compliance to support AI agents across both first-party and third-party ecosystems. We are innovating from this baseline to deliver agent-specific capabilities:

• Microsoft Entra extends identity management and access control to AI agents, ensuring each agent has a unique, governed identity and operates with just-in-time, least-privilege access.
• Microsoft Purview brings robust data security and compliance controls to AI agents, helping organizations prevent data oversharing, manage regulatory requirements, and gain visibility into AI-specific risks.
• Microsoft Defender integrates AI security posture management and runtime threat protection, empowering developers and security teams to proactively mitigate risks and respond to emerging threats in agentic environments.

This isn’t a separate security silo for AI. It’s agent governance becoming a natural extension of the security investments customers already trust—ones that are integrated, consistent, and ready to scale with them.

Microsoft
Deputy CISOs

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series:

To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.

A call to action

The agentic era is here, and the opportunities are real—but so are the risks.

To move quickly without compromising trust, we need to integrate governance into the core of agent design. This begins with visibility, scales with identity, access, and data controls, and matures with posture, threat, and compliance capabilities that treat agents as first-class workloads.

Let’s build a future where agents are not just powerful—but trustworthy by design.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Securing and governing the rise of autonomous agents​​ appeared first on Microsoft Security Blog.

To help protect and inform customers, this blog highlights the protection coverage across the Microsoft Defender and Microsoft Sentinel security ecosystem and provides security posture hardening recommendations to protect against threat actors like Octo Tempest.

Overview of Octo Tempest 

Octo Tempest, also known in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a financially motivated cybercriminal group that has been observed impacting organizations using varying methods in their end-to-end attacks. Their approach includes: 

• Gaining initial access using social engineering attacks and impersonating a user and contacting service desk support through phone calls, emails, and messages.
• Short Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.
• Using tools such as ngrok, Chisel, and AADInternals.
• Impacting hybrid identity infrastructures and exfiltrating data to support extortion or ransomware operations.  

Recent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMWare ESX hypervisor environments. In contrast to previous patterns where Octo Tempest used cloud identity privileges for on-premises access, recent activities have involved impacting both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access. 

Octo Tempest detection coverage 

Microsoft Defender has a wide range of detections to detect Octo Tempest related activities and more. These detections span across all areas of the security portfolio including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, cloud workloads, and more to provide comprehensive protection coverage. Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains mapped to detection coverage.

Disrupting Octo Tempest attacks  

Disrupt in-progress attacks with automatic attack disruption:
Attack disruption is Microsoft Defender’s unique, built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker’s next move by containing the compromised asset (user, device). This technology uses multiple potential indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, possible Octo Tempest-related sign-in activities and correlate them across the Microsoft Defender workloads into a high-fidelity incident. 

Based on previous learnings from popular Octo Tempest techniques, attack disruption will automatically disable the user account used by Octo Tempest and revokes all existing active sessions by the compromised user. 

While attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.  

Investigate and hunt for Octo Tempest related activity:
Octo Tempest is infamously known for aggressive social engineering tactics, often impacting individuals with specific permissions to gain legitimate access and move laterally through networks. To help organizations identify these activities, customers can use Microsoft Defender’s advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to these tables, analysts can also use exposure insights from Microsoft Security Exposure Management.  

Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor’s related activity and identify which users are most likely to be targeted and what will be the effect of a compromise, strengthening defenses before an attack occurs.  

Proactive defense against Octo Tempest 

Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Octo Tempest’s hybrid attack tactics.

Ensure critical assets stay protected 

Customers should ensure critical assets are classified as critical in the Microsoft Defender portal to generate relevant attack paths and recommendations in initiatives. Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.  

Take action to minimize impact with initiatives 

Exposure Management’s initiatives feature provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations begin with the initiatives below: 

• Octo Tempest Threat Initiative: Octo Tempest is known for tactics like extracting credentials from Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs—both of which can be mitigated through controls like attack surface reduction (ASR) rules and sign-in policies. This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.
• Ransomware Initiative: A broader initiative focused on reducing exposure to extortion-driven attacks through hardening identity, endpoint, and infrastructure layers. This will provide recommendations tailored for your organization.  

Investigate on-premises and hybrid attack paths

Security teams can use attack path analysis to trace cross-domain threats—like those used by Octo Tempest—who’ve exploited the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard to highlight entities appearing in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo target, and prioritize their remediation.  

Given Octo Tempest’s hybrid attack strategy, a representative attack path may look like this: 

Recommendations 

In today’s threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats: 

Identity security recommendations 

• Ensure multifactor authentication is enabled for all users: Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.
• Enable Microsoft Entra ID Identity Protection sign-in risk policies: Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for.
• Ensure phishing-resistant multifactor authentication strength is required for Administrators.
• Ensure Microsoft Azure overprovisioned identities should have only the necessary permissions.
• Enable Microsoft Entra Privileged Identity Management as well as other protective measures to mitigate the risk of unnecessary or unauthorized access.

Endpoint security recommendations 

• Enable Microsoft Defender Antivirus cloud-delivered protection for Linux.
• Turn on Microsoft Defender Antivirus real-time protection for Linux.
• Enable Microsoft Defender for Endpoint EDR in block mode to block post breach malicious behavior on the device through behavior blocking and containment capabilities.
• Turn on tamper protection that essentially prevents Microsoft Defender for Endpoint (your security settings) from being modified.
• Block credential stealing from the Windows local security authority subsystem: Attack surface reduction (ASR) rules are the most effective method for blocking the most common attack techniques being used in cyber-attacks and malicious software.
• Turn on Microsoft Defender Credential Guard to isolate secrets so that only privileged system software can access them.

Cloud security recommendations 

• Key Vaults should have purge protection enabled to prevent immediate, irreversible deletion of vaults and secrets.
• To reduce risks of overly permissive inbound rules on virtual machines’ management ports, enable just-in-time (JIT) network access control. 
• Microsoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and increase control, enable CMK to manage your own encryption keys through Microsoft Azure Key Vault.
• Enable logs in Azure Key Vault and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
• Microsoft Azure Backup should be enabled for virtual machines to protect the data on your Microsoft Azure virtual machines, and to create recovery points that are stored in geo-redundant recovery vaults.

Microsoft Defender

Comprehensive threat prevention, detection and response capabilities for everyone.

Discover more

Explore security solutions

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters.

Also, follow us on Microsoft Security LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity. 

The post Protecting customers from Octo Tempest attacks across multiple industries appeared first on Microsoft Security Blog.

In today’s evolving cyber threat landscape, threat actors are committed to advancing the sophistication of their attacks. The increasing adoption of essential security features like multifactor authentication (MFA), passwordless solutions, and robust email protections has changed many aspects of the phishing landscape, and threat actors are more motivated than ever to acquire credentials—particularly for enterprise cloud environments. Despite these evolutions, social engineering—the technique of convincing or deceiving users into downloading malware, directly divulging credentials, or more—remains a key aspect of phishing attacks.

Implementing phishing-resistant and passwordless solutions, such as passkeys, can help organizations improve their security stance against advanced phishing attacks. Microsoft is dedicated to enhancing protections against phishing attacks and making it more challenging for threat actors to exploit human vulnerabilities. In this blog, I’ll cover techniques that Microsoft has observed threat actors use for phishing and social engineering attacks that aim to compromise cloud identities. I’ll also share what organizations can do to defend themselves against this constant threat.

While the examples in this blog do not represent the full range of phishing and social engineering attacks being leveraged against enterprises today, they demonstrate several efficient techniques of threat actors tracked by Microsoft Threat Intelligence. Understanding these techniques and hardening your organization with the guidance included here will help contribute to a significant part of your defense-in-depth approach.

Pre-compromise techniques for stealing identities

Modern phishing techniques attempt to defeat authentication flows

Adversary-in-the-middle (AiTM)

Today’s authentication methods have changed the phishing landscape. The most prevalent example is the increase in adversary-in-the-middle (AiTM) credential phishing as the adoption of MFA grows. The phish kits available from phishing-as-a-service (PhaaS) platforms has further increased the impact of AiTM threats; the Evilginx phish kit, for example, has been used by multiple threat actors in the past year, from the prolific phishing operator Storm-0485 to the Russian espionage actor Star Blizzard.

Evilginx is an open-source framework that provides AiTM capabilities by deploying a proxy server between a target user and the website that the user wishes to visit (which the threat actor impersonates). Microsoft tracked Storm-0485 directing targets to Evilginx infrastructure using lures with themes such as payment remittance, shared documents, and fake LinkedIn account verifications, all designed to prompt a quick response from the recipient. Storm-0485 also consistently uses evasion tactics, notably passing initial links through obfuscated Google Accelerated Mobile Pages (AMP) URLs to make links harder to identify as malicious.

To protect against AiTM attacks, consider complementing MFA with risk-based Conditional Access policies, available in Microsoft Entra ID Protection, where sign-in requests are evaluated using additional identity-driven signals like IP address location information or device status, among others. These policies use real-time and offline detections to assess the risk level of sign-in attempts and user activities. This dynamic evaluation helps mitigate risks associated with token replay and session hijacking attempts common in AiTM phishing campaigns.

Additionally, consider implementing Zero Trust network security solutions, such as Global Secure Access which provides a unified pane of glass for secure access management of networks, identities, and endpoints.

Device code phishing

Device code phishing is a relatively new technique that has been incorporated by multiple threat actors into their attacks. In device code phishing, threat actors like Storm-2372 exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts. Storm-1249, a China-based espionage actor, typically uses generic phishing lures—with topics like taxes, civil service, and even book pre-orders—to target high-level officials at organizations of interest. Microsoft has also observed device code phishing being used for post-compromise activity, which are discussed more in the next sections.

At Microsoft, we strongly encourage organizations to block device code flow where possible; if needed, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.

OAuth consent phishing

Another modern phishing technique is OAuth consent phishing, where threat actors employ the Open Authorization (OAuth) protocol and send emails with a malicious consent link for a third-party application. Once the target clicks the link and authorizes the application, the threat actor gains access tokens with the requested scopes and refresh tokens for persistent access to the compromised account. In one OAuth consent phishing campaign recently identified by Microsoft, even if a user declines the requested app permissions (by clicking Cancel on the prompt), the user is still sent to the app’s reply URL, and from there redirected to an AiTM domain for a second phishing attempt.

You can prevent employees from providing consent to specific apps or categories of apps that are not approved by your organization by configuring app consent policies to restrict user consent operations. For example, configure policies to allow user consent only to apps requesting low-risk permissions with verified publishers, or apps registered within your tenant.

Device join phishing

Finally, it’s worth highlighting recent device join phishing operations, where threat actors use a phishing link to trick targets into authorizing the domain-join of an actor-controlled device. Since April 2025, Microsoft has observed suspected Russian-linked threat actors using third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing valid authorization code. When clicked, the link returns a token for the Device Registration Service, allowing registration of the threat actor’s device to the tenant. You can harden against this type of phishing attack by requiring authentication strength for device registration in your environment.

Lures remain an effective phishing weapon

While both end users and automated security measures have become more capable at identifying malicious phishing attachments and links, motivated threat actors continue to rely on exploiting human behavior with convincing lures. As these attacks hinge on deceiving users, user training and awareness of commonly identified social engineering techniques are key to defending against them.

Impersonation lures

One of the most effective ways Microsoft has observed threat actors deliver lures is by impersonating people familiar to the target or using malicious infrastructure spoofing legitimate enterprise resources. In the last year, Star Blizzard has shifted from primarily using weaponized document attachments in emails to spear phishing with a malicious link leading to an AiTM page to target the government, non-governmental organizations (NGO), and academic sectors. The threat actor’s highly personalized emails impersonate individuals from whom the target would reasonably expect to receive emails, including known political and diplomatic figures, making the target more likely to be deceived by the phishing attempt.

QR codes

We have seen threat actors regularly iterating on the types of lure links incorporated into their attacks to make social engineering more effective. As QR codes have become a ubiquitous feature in communications, threat actors have adopted their use as well. For example, over the past two years, Microsoft has seen multiple actors incorporate QR codes, encoded with links to AiTM phishing pages, into opportunistic tax-themed phishing campaigns.

The threat actor Star Blizzard has even leveraged nonfunctional QR codes as a part of a spear-phishing campaign offering target users an opportunity to join a WhatsApp group: the initial spear-phishing email contained a broken QR code to encourage the targeted users to contact the threat actor. Star Blizzard’s follow-on email included a URL that redirected to a webpage with a legitimate QR code, used by WhatsApp for linking a device to a user’s account, giving the actor access to the user’s WhatsApp account.

Use of AI

Threat actors are increasingly leveraging AI to enhance the quality and volume of phishing lures. As AI tools become more accessible, these actors are using them to craft more convincing and sophisticated lures. In a collaboration with OpenAI, Microsoft Threat Intelligence has seen threat actors such as Emerald Sleet and Crimson Sandstorm interacting with large language models (LLMs) to support social engineering operations. This includes activities such as drafting phishing emails and generating content likely intended for spear-phishing campaigns.

We have also seen suspected use of generative AI to craft messages in a large-scale credential phishing campaign against the hospitality industry, based on the variations of language used across identified samples. The initial email contains a request for information designed to elicit a response from the target and is then followed by a more generic phishing email containing a lure link to an AiTM phishing site.

AI helps eliminate the common grammar mistakes and awkward phrasing that once made phishing attempts easier to spot. As a result, today’s phishing lures are more polished and harder for users to detect, increasing the likelihood of successful compromise. This evolution underscores the importance of securing identities in addition to user awareness training.

Phishing risks continue to expand beyond email

Enterprise communication methods have diversified to support distributed workforce and business operations, so phishing has expanded well beyond email messages. Microsoft has seen multiple threat actors abusing enterprise communication applications to deliver phishing messages, and we’ve also observed continued interest by threat actors to leverage non-enterprise applications and social media sites to reach targets.

Teams phishing

Microsoft Threat Intelligence has been closely tracking and responding to the abuse of the Microsoft Teams platform in phishing attacks and has taken action against confirmed malicious tenants by blocking their ability to send messages. The cybercrime access broker Storm-1674, for example, creates fraudulent tenants to create Teams meetings to send chat messages to potential victims using the meeting’s chat functionality; more recently, since November 2024, the threat actor has started compromising tenants and directly calling users over Teams to phish for credentials as well. Businesses can follow our security best practices for Microsoft Teams to further defend against attacks from external tenants.

Leveraging social media

Outside of business-managed applications, employees’ activity on social media sites and third-party communication platforms has widened the digital footprint for phishing attacks. For instance, while the Iranian threat actor Mint Sandstorm primarily uses spear-phishing emails, they have also sent phishing links to targets on social media sites, including Facebook and LinkedIn, to target high-profile individuals in government and politics. Mint Sandstorm, like many threat actors, also customizes and enhances their phishing messages by gathering publicly available information, such as personal email addresses and contacts, of their targets on social media platforms. Global Secure Access (GSA) is one solution that can reduce this type of phishing activity and manage access to social media sites on company-owned devices.

Post-compromise identity attacks

In addition to using phishing techniques for initial access, in some cases threat actors leverage the identity acquired from their first-stage phishing attack to launch subsequent phishing attacks. These follow-on phishing activities enable threat actors to move laterally within an organization, maintain persistence across multiple identities, and potentially acquire access to a more privileged account or to a third-party organization.

You can harden your environment against internal phishing activity by configuring the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients as well as by educating users to be wary of unsolicited documents and to report suspected phishing messages.

AiTM phishing crafted using legitimate company resources

Storm-0539, a threat actor that persistently targets the retail industry for gift card fraud, uses their initial access to a compromised identity to acquire legitimate emails—such as help desk tickets—that serve as templates for phishing emails. The crafted emails contain links directing users to AiTM phishing pages that mimic the federated identity service provider of the compromised organization. Because the emails resemble the organization’s legitimate messages, lead to convincing AiTM landing pages, and are sent from an internal account, they could be highly convincing. In this way, Storm-0539 moves laterally, seeking an identity with access to key cloud resources.

Intra-organization device code phishing

In addition to their use of device code phishing for initial access, Storm-2372 also leverages this technique in their lateral movement operations. The threat actor uses compromised accounts to send out internal emails with subjects such as “Document to review” and containing a device code authentication phishing payload. Because of the way device code authentication works, the payloads only work for 15 minutes, so Microsoft has seen multiple waves of post-compromise phishing attacks as the threat actor searches for additional credentials.

Defending against credential phishing and social engineering

Defending against phishing attacks begins at the primary gateways: email and other communication platforms. Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365, or the equivalent for your email security solution, to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity.

A holistic security posture for phishing must also account for the human aspect of social engineering. Investing in user awareness training and phishing simulations is critical for arming employees with the needed knowledge to defend against tried-and-true social engineering methods. Training can also help when threat actors inevitably refine and improve their techniques. Attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, is one approach to running realistic attack scenarios in your organization.

Hardening credentials and cloud identities is also necessary to defend against phishing attacks. By implementing the principles of least privilege and Zero Trust, you can significantly slow down determined threat actors who may have been able to gain initial access and buy time for defenders to respond. To get started, follow our steps to configure Microsoft Entra with increased security.

As part of hardening cloud identities, authentication using passwordless solutions like passkeys is essential, and implementing MFA remains a core pillar in identity security. Use the Microsoft Authenticator app for passkeys and MFA, and complement MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals. Conditional access policies can also be scoped to strengthen privileged accounts with phishing resistant MFA. Your passkey and MFA policy can be further secured by only allowing MFA and passkey registrations from trusted locations and devices.

Finally, a Security Service Edge solution like Global Secure Access (GSA) provides identity-focused secure network access. GSA can help to secure access to any app or resource using network, identity, and endpoint access controls.

Among Microsoft Incident Response cases over the past year where we identified the initial access vector, almost a quarter incorporated phishing or social engineering. To achieve phishing resistance and limit the opportunity to exploit human behavior, begin planning for passkey rollouts in your organization today, and  at a minimum, prioritize phishing-resistant MFA for privileged accounts as you evaluate the effect of this security measure on your wider organization. In the meantime, use the other defense-in-depth approaches I’ve recommended in this blog to defend against phishing and social engineering attacks.

Stay vigilant and prioritize your security at every step.

Recommendations

Several recommendations were made throughout this blog to address some of the specific techniques being used by threat actors tracked by Microsoft, along with essential practices for securing identities. Here is a consolidated list for your security team to evaluate.

• Configure Microsoft Entra with increased security.
• Use the Microsoft Authenticator app for passkeys and MFA.
• Strengthen privileged accounts with phishing resistant MFA.
• Complement MFA with risk-based Conditional Access policies, where sign-in requests are evaluated using additional identity-driven signals like IP address location information or device status, among others. Implementing Microsoft Entra ID Protection with these policies can automatically block or challenge access based on indicators like unfamiliar sign-in patterns or potential token theft attempts. When combined with Global Secure Access (GSA), organizations can extend this protection by enforcing Conditional Access decisions at the network layer to help secure access to any app or resource.
• Only allowing MFA and passkey registrations from trusted locations and devices.
• Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365.
• Use attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, to run realistic attack scenarios in your organization for educating users.
• Use Global Secure Access to secure access to any app or resource using network, identity, and endpoint access controls.
• Block device code flow where possible; if needed, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.
• Configure app consent policies to restrict user consent operations. For example, configure policies to allow user consent only to apps requesting low-risk permissions with verified publishers, or apps registered within your tenant.
• Require authentication strength for device registration in your environment.
• Follow our security best practices for Microsoft Teams.
• Configure the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients.

At Microsoft, we are accelerating security with our work on the Secure by Default framework. Specific Microsoft-managed policies are enabled for every new tenant and raise your security posture with security defaults that provide a baseline of protection for Entra ID and resources like Office 365.

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. 

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. 

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast. 

The post Defending against evolving identity attack techniques appeared first on Microsoft Security Blog.

Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.

We are all defenders. 

Between April 2024 and April 2025, Microsoft:

• Thwarted $4 billion in fraud attempts.
• Rejected 49,000 fraudulent partnership enrollments.
• Blocked about 1.6 million bot signup attempts per hour.

The evolution of AI-enhanced cyber scams

AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate. AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground.

AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails, and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale.

According to the Microsoft Anti-Fraud Team, AI-powered fraud attacks are happening globally, with much of the activity coming from China and Europe, specifically Germany due in part to Germany’s status as one of the largest e-commerce and online services markets in the European Union (EU). The larger a digital marketplace in any region, the more likely a proportional degree of attempted fraud will take place.

E-commerce fraud

Fraudulent e-commerce websites can be set up in minutes using AI and other tools requiring minimal technical knowledge. Previously, it would take threat actors days or weeks to stand up convincing websites. These fraudulent websites often mimic legitimate sites, making it challenging for consumers to identify them as fake. 

Using AI-generated product descriptions, images, and customer reviews, customers are duped into believing they are interacting with a genuine merchant, exploiting consumer trust in familiar brands.

AI-powered customer service chatbots add another layer of deception by convincingly interacting with customers. These bots can delay chargebacks by stalling customers with scripted excuses and manipulating complaints with AI-generated responses that make scam sites appear professional.

In a multipronged approach, Microsoft has implemented robust defenses across our products and services to protect customers from AI-powered fraud. Microsoft Defender for Cloud provides comprehensive threat protection for Azure resources, including vulnerability assessments and threat detection for virtual machines, container images, and endpoints.

Microsoft Edge features website typo protection and domain impersonation protection using deep learning technology to help users avoid fraudulent websites. Edge has also implemented a machine learning-based Scareware Blocker to identify and block potential scam pages and deceptive pop-up screens with alarming warnings claiming a computer has been compromised. These attacks try to frighten users into calling fraudulent support numbers or downloading harmful software.

Job and employment fraud

The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms. They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions, and AI-powered email campaigns to phish job seekers. AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers.

To prevent this, job platforms should introduce multifactor authentication for employer accounts to make it harder for bad actors to take over legitimate hirers’ listings and use available fraud-detection technologies to catch suspicious content.

Fraudsters often ask for personal information, such as resumes or even bank account details, under the guise of verifying the applicant’s information. Unsolicited text and email messages offering employment opportunities that promise high pay for minimal qualifications are typically an indicator of fraud.

Employment offers that include requests for payment, offers that seem too good to be true, unsolicited offers or interview requests over text message, and a lack of formal communication platforms can all be indicators of fraud.

Tech support scams

Tech support scams are a type of fraud where scammers trick victims into unnecessary technical support services to fix a device or software problems that don’t exist. The scammers may then gain remote access to a computer—which lets them access all information stored on it, and on any network connected to it or install malware that gives them access to the computer and sensitive data.

Tech support scams are a case where elevated fraud risks exist, even if AI does not play a role. For example, in mid-April 2024, Microsoft Threat Intelligence observed the financially motivated and ransomware-focused cybercriminal group Storm-1811 abusing Windows Quick Assist software by posing as IT support. Microsoft did not observe AI used in these attacks; Storm-1811 instead impersonated legitimate organizations through voice phishing (vishing) as a form of social engineering, convincing victims to grant them device access through Quick Assist. 

Quick Assist is a tool that enables users to share their Windows or macOS device with another person over a remote connection. Tech support scammers often pretend to be legitimate IT support from well-known companies and use social engineering tactics to gain the trust of their targets. They then attempt to employ tools like Quick Assist to connect to the target’s device. 

Quick Assist and Microsoft are not compromised in these cyberattack scenarios; however, the abuse of legitimate software presents risk Microsoft is focused on mitigating. Informed by Microsoft’s understanding of evolving cyberattack techniques, the company’s anti-fraud and product teams work closely together to improve transparency for users and enhance fraud detection techniques. 

The Storm-1811 cyberattacks highlight the capability of social engineering to circumvent security defenses. Social engineering involves collecting relevant information about targeted victims and arranging it into credible lures delivered through phone, email, text, or other mediums. Various AI tools can quickly find, organize, and generate information, thus acting as productivity tools for cyberattackers. Although AI is a new development, enduring measures to counter social engineering attacks remain highly effective. These include increasing employee awareness of legitimate helpdesk contact and support procedures, and applying Zero Trust principles to enforce least privilege across employee accounts and devices, thereby limiting the impact of any compromised assets while they are being addressed. 

Microsoft has taken action to mitigate attacks by Storm-1811 and other groups by suspending identified accounts and tenants associated with inauthentic behavior. If you receive an unsolicited tech support offer, it is likely a scam. Always reach out to trusted sources for tech support. If scammers claim to be from Microsoft, we encourage you to report it directly to us at http://approjects.co.za/?big=reportascam. 

Building on the Secure Future Initiative (SFI), Microsoft is taking a proactive approach to ensuring our products and services are “Fraud-resistant by Design.” In January 2025, a new fraud prevention policy was introduced: Microsoft product teams must now perform fraud prevention assessments and implement fraud controls as part of their design process. 

Recommendations

• Strengthen employer authentication: Fraudsters often hijack legitimate company profiles or create fake recruiters to deceive job seekers. To prevent this, job platforms should introduce multifactor authentication and Verified ID as part of Microsoft Entra ID for employer accounts, making it harder for unauthorized users to gain control.
• Monitor for AI-based recruitment scams: Companies should deploy deepfake detection algorithms to identify AI-generated interviews where facial expressions and speech patterns may not align naturally.
• Be cautious of websites and job listings that seem too good to be true: Verify the legitimacy of websites by checking for secure connections (https) and using tools like Microsoft Edge’s typo protection.
• Avoid providing personal information or payment details to unverified sources: Look for red flags in job listings, such as requests for payment or communication through informal platforms like text messages, WhatsApp, nonbusiness Gmail accounts, or requests to contact someone on a personal device for more information.

Using Microsoft’s security signal to combat fraud

Microsoft is actively working to stop fraud attempts using AI and other technologies by evolving large-scale detection models based on AI, such as machine learning, to play defense by learning from and mitigating fraud attempts. Machine learning is the process that helps a computer learn without direct instruction using algorithms to discover patterns in large datasets. Those patterns are then used to create a comprehensive AI model, allowing for predictions with high accuracy.

We have developed in-product safety controls that warn users about potential malicious activity and integrate rapid detection and prevention of new types of attacks.

Our fraud team has developed domain impersonation protection using deep-learning technology at the domain creation stage, to help protect against fraudulent e-commerce websites and fake job listings. Microsoft Edge has incorporated website typo protection, and we have developed AI-powered fake job detection systems for LinkedIn.

Microsoft Defender Smartscreen is a cloud-based security feature that aims to prevent unsafe browsing habits by analyzing websites, files, and applications based on their reputation and behavior. It is integrated into Windows and the Edge browser to help protect users from phishing attacks, malicious websites, and potentially harmful downloads.

Furthermore, Microsoft’s Digital Crimes Unit (DCU) partners with others in the private and public sector to disrupt the malicious infrastructure used by criminals perpetuating cyber-enabled fraud. The team’s longstanding collaboration with law enforcement around the world to respond to tech support fraud has resulted in hundreds of arrests and increasingly severe prison sentences worldwide. The DCU is applying key learnings from past actions to disrupt those who seek to abuse generative AI technology for malicious or fraudulent purposes. 

Quick Assist features and remote help combat tech support fraud

To help combat tech support fraud, we have incorporated warning messages to alert users about possible tech support scams in Quick Assist before they grant access to someone approaching them purporting to be an authorized IT department or other support resource.

Windows users must read and click the box to acknowledge the security risk of granting remote access to the device.

Microsoft has significantly enhanced Quick Assist protection for Windows users by leveraging its security signal. In response to tech support scams and other threats, Microsoft now blocks an average of 4,415 suspicious Quick Assist connection attempts daily, accounting for approximately 5.46% of global connection attempts. These blocks target connections exhibiting suspicious attributes, such as associations with malicious actors or unverified connections.

Microsoft’s continual focus on advancing Quick Assist safeguards seeks to counter adaptive cybercriminals, who previously targeted individuals opportunistically with fraudulent connection attempts, but more recently have sought to target enterprises with more organized cybercrime campaigns that Microsoft’s actions have helped disrupt.

Our Digital Fingerprinting capability, which leverages AI and machine learning, drives these safeguards by providing fraud and risk signals to detect fraudulent activity. If our risk signals detect a possible scam, the Quick Assist session is automatically ended. Digital Fingerprinting works by collecting various signals to detect and prevent fraud.

For enterprises combating tech support fraud, Remote Help is another valuable resource for employees. Remote Help is designed for internal use within an organization and includes features that make it ideal for enterprises.

By reducing scams and fraud, Microsoft aims to enhance the overall security of its products and protect its users from malicious activities.

Consumer protection tips

Fraudsters exploit psychological triggers such as urgency, scarcity, and trust in social proof. Consumers should be cautious of:

• Impulse buying—Scammers create a sense of urgency with “limited-time” deals and countdown timers.
• Trusting fake social proof—AI generates fake reviews, influencer endorsements, and testimonials to appear legitimate.
• Clicking on ads without verification—Many scam sites spread through AI-optimized social media ads. Consumers should cross-check domain names and reviews before purchasing.
• Ignoring payment security—Avoid direct bank transfers or cryptocurrency payments, which lack fraud protections.

Job seekers should verify employer legitimacy, be on the lookout for common job scam red flags, and avoid sharing personal or financial information with unverified employers.

• Verify employer legitimacy—Cross-check company details on LinkedIn, Glassdoor, and official websites to verify legitimacy.
• Notice common job scam red flags—If a job requires upfront payments for training materials, certifications, or background checks, it is likely a scam. Unrealistic salaries or no-experience-required remote positions should be approached with skepticism. Emails from free domains (such as johndoehr@gmail.com instead of hr@company.com) are also typically indicators of fraudulent activity.
• Be cautious of AI-generated interviews and communications—If a video interview seems unnatural, with lip-syncing delays, robotic speech, or odd facial expressions, it could be deepfake technology at work. Job seekers should always verify recruiter credentials through the company’s official website before engaging in any further discussions.
• Avoid sharing personal or financial information—Under no circumstances should you provide a Social Security number, banking details, or passwords to an unverified employer.

Microsoft is also a member of the Global Anti-Scam Alliance (GASA), which aims to bring governments, law enforcement, consumer protection organizations, financial authorities and providers, brand protection agencies, social media, internet service providers, and cybersecurity companies together to share knowledge and protect consumers from getting scammed.

Recommendations

• Remote Help: Microsoft recommends using Remote Help instead of Quick Assist for internal tech support. Remote Help is designed for internal use within an organization and incorporates several features designed to enhance security and minimize the risk of tech support hacks. It is engineered to be used only within an organization’s tenant, providing a safer alternative to Quick Assist.
• Digital Fingerprinting: This identifies malicious behaviors and ties them back to specific individuals. This helps in monitoring and preventing unauthorized access.
• Blocking full control requests: Quick Assist now includes warnings and requires users to check a box acknowledging the security implications of sharing their screen. This adds a layer of helpful “security friction” by prompting users who may be multitasking or preoccupied to pause to complete an authorization step.

Kelly Bissell: A cybersecurity pioneer combating fraud in the new era of AI

Kelly Bissell’s journey into cybersecurity began unexpectedly in 1990. Initially working in computer science, Kelly was involved in building software for healthcare patient accounting and operating systems at Medaphis and Bellsouth, now AT&T.

His interest in cybersecurity was sparked when he noticed someone logged into a phone switch attempting to get free long-distance calls and traced the intruder back to Romania. This incident marked the beginning of Kelly’s career in cybersecurity.

“I stayed in cybersecurity hunting for bad actors, integrating security controls for hundreds of companies, and helping shape the NIST security frameworks and regulations such as FFIEC, PCI, NERC-CIP,” he explains.

Currently, Kelly is Corporate Vice President of Anti-Fraud and Product Abuse within Microsoft Security. Microsoft’s fraud team employs machine learning and AI to build better detection code and understand fraud operations. They use AI-powered solutions to detect and prevent cyberthreats, leveraging advanced fraud detection frameworks that continuously learn and evolve.

“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster.”

Previously Kelly managed the Microsoft Detection and Response Team (DART) and created the Global Hunting, Oversight, and Strategic Triage (GHOST) team that detected and responded to attackers such as Storm-0558 and Midnight Blizzard.

Prior to Microsoft, during his time at Accenture and Deloitte, Kelly collaborated with companies and worked extensively with government agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, where he helped build security systems inside their operations.

His time as Chief Information Security Officer (CISO) at a bank exposed him to addressing both cybersecurity and fraud, leading to his involvement in shaping regulatory guidelines to protect banks and eventually Microsoft.

Kelly has also played a significant role in shaping regulations around the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) compliance, which helps ensure the security of businesses’ credit card transactions, among others.

Internationally, Kelly played a crucial role in helping establish agencies and improve cybersecurity measures. As a consultant in London, he helped stand up the United Kingdom’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), the equivalent of CISA. Kelly’s efforts in content moderation with several social media companies, including YouTube, were instrumental in removing harmful content.

That’s why he’s excited about Microsoft’s partnership with GASA. GASA brings together governments, law enforcement, consumer protection organizations, financial authorities, internet service providers, cybersecurity companies, and others to share knowledge and define joint actions to protect consumers from getting scammed.

“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” he says.

Next steps with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Methodology: Microsoft platforms and services, including Azure, Microsoft Defender for Office, Microsoft Threat Intelligence, and Microsoft Digital Crimes Unit (DCU), provided anonymized data on threat actor activity and trends. Additionally, Microsoft Entra ID provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and telemetry from Microsoft platforms and services. The $4 billion figure represents an aggregated total of fraud and scam attempts against Microsoft and our customers in consumer and enterprise segments (in 12 months).

The post Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures appeared first on Microsoft Security Blog.