Threat actors

Microsoft actively discovers and tracks threat actors across observed state-sponsored, ransomware, and criminal activities. Get insights from the 60 nation-state actors, 50 ransomware groups, and hundreds of other attackers we’ve tracked.

Refine Results

Filtered by

Clear All

threat-actors

Refine results

Sort By

Content Type

Topic

Products and services

Publish date

Start Date

End Date

Go beyond data protection with Microsoft Purview

Govern, protect, and manage all of your data with Microsoft Purview, comprehensive solutions to help give you better visibility and control.

Learn more
August 2, 2023

6 min read

Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).
July 14, 2023

10 min read

Analysis of Storm-0558 techniques for unauthorized email access

Analysis of the techniques used by the threat actor tracked as Storm-0558 (now tracked as Antique Typhoon) for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.
July 11, 2023

7 min read

Storm-0978 attacks reveal financial and espionage motives

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America.
June 14, 2023

13 min read

Cadet Blizzard emerges as a novel and distinct Russian threat actor

Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”.
Streamline privacy management with Microsoft Priva

Protect and govern personal information, reduce privacy risks, and manage subject rights requests at scale with Microsoft Priva privacy risk management solutions.

Learn more
June 8, 2023

12 min read

Detecting and mitigating a multi-stage AiTM phishing and BEC campaign

Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days.
May 24, 2023

10 min read

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

Chinese state-sponsored actor Volt Typhoon is using stealthy techniques to target US critical infrastructure, conduct espionage, and dwell in compromised environments.
April 18, 2023

14 min read

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

Today, Microsoft is reporting on a distinct subset of Mint Sandstorm (formerly known as PHOSPHORUS), an Iranian threat actor that specializes in hacking into and stealing sensitive information from high-value targets.
April 18, 2023

7 min read

Microsoft shifts to a new threat actor naming taxonomy

Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather.
Simplify endpoint management with Microsoft Intune

Microsoft Intune is a cloud-based unified endpoint management platform that empowers IT to manage, assess, and protect apps and devices.

Learn more
April 13, 2023

4 min read

Threat actors strive to cause Tax Day headaches

With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos RAT and compromise target networks.
April 11, 2023

8 min read

Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign

This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
April 11, 2023

14 min read

DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia

Microsoft analyzes a threat group tracked as DEV-0196, the actor’s iOS malware “KingsPawn”, and their link to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infrastructure called REIGN, that’s designed to exfiltrate data from mobile devices.
April 7, 2023

16 min read

MERCURY and DEV-1084: Destructive attack on hybrid environment

Microsoft detected a unique operation where threat actors carried out destructive actions in both on-premises and cloud environments.