In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561.

Active since May 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors. The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. By targeting users who are actively searching for enterprise VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings. The malicious ZIP files that contain fake installer files are hosted on GitHub repositories, which have since been taken down. Additionally, the trojans are digitally signed by a legitimate certificate that has since been revoked.

In this blog, we share our in-depth analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion, and evade detection. We also share protection and mitigation recommendations, as well as Microsoft Defender detection and hunting guidance.

From search to stolen credentials: Storm-2561 attack chain

In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products but instead deploy malware designed to harvest credentials and VPN data. When users click to download the software, they are redirected to a malicious GitHub repository (no longer available) that hosts the fake VPN client for direct download.

The GitHub repo hosts a ZIP file containing a Microsoft Windows Installer (MSI) installer file that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation. The fake VPN software enables credential collection and exfiltration while appearing like a benign VPN client application.

This campaign exhibits characteristics consistent with financially motivated cybercrime operations employed by Storm-2561. The malicious components are digitally signed by “Taiyuan Lihua Near Information Technology Co., Ltd.”

Initial access and execution

The initial access vector relies on abusing SEO to push malicious websites to the top of search results for queries such as “Pulse VPN download” or “Pulse Secure client,” but Microsoft has observed spoofing of various VPN software brands and has observed the GitHub link at the following two domains: vpn-fortinet[.]com and ivanti-vpn[.]org.

Once the user lands on the malicious website and clicks to download the software, the malware is delivered through a ZIP download hosted at hxxps[:]//github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip. At the time of this report, this repository is no longer active.

When the user launches the malicious MSI masquerading as a legitimate Pulse Secure VPN installer embedded within the downloaded ZIP file, the MSI file installs Pulse.exe along with malicious DLL files to a directory structure that closely resembles a real Pulse Secure installation path: %CommonFiles%\Pulse Secure. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion.

Alongside the primary application, the installer drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory. The dwmapi.dll file is an in-memory loader that drops and launches an embedded shellcode payload that loads and launches the inspector.dll file, a variant of the infostealer Hyrax. The Hyrax infostealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command-and-control (C2) infrastructure.

Code signing abuse

The MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked, from Taiyuan Lihua Near Information Technology Co., Ltd. This abuse of code signing serves multiple purposes:

• Bypasses default Windows security warnings for unsigned code
• Might bypass application whitelisting policies that trust signed binaries
• Reduces security tool alerts focused on unsigned malware
• Provides false legitimacy to the installation process

Microsoft identified several other files signed with the same certificates. These files also masqueraded as VPN software. These IOCs are included in the below.

Credential theft

The fake VPN client presents a graphical user interface that closely mimics the legitimate VPN client, prompting the user to enter their credentials. Rather than establishing a VPN connection, the application captures the credentials entered and exfiltrates them to attacker-controlled C2 infrastructure (194.76.226[.]93:8080). This approach relies on visual deception and immediate user interaction, allowing attackers to harvest credentials as soon as the target attempts to sign in. The credential theft operation follows the below structured sequence:

• UI presentation: A fake VPN sign-in dialog is displayed to the user, closely resembling the legitimate Pulse Secure client.
• Error display: After credentials are submitted, a fake error message is shown to the user.
• Redirection: The user is instructed to download and install the legitimate Pulse Secure VPN client.
• Access to stored VPN data: The inspector.dll component accesses stored VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat.
• Data exfiltration: Stolen credentials and VPN configuration data are transmitted to attacker-controlled infrastructure.

Persistence

To maintain access, the MSI malware establishes persistence during installation through the Windows RunOnce registry key, adding the Pulse.exe malware to run when the device reboots.

Defense evasion

One of the most sophisticated aspects of this campaign is the post-credential theft redirection strategy. After successfully capturing user credentials, the malicious application conducts the following actions:

• Displays a convincing error message indicating installation failure
• Provides instructions to download the legitimate Pulse VPN client from official sources
• In certain instances, opens the user’s browser to the legitimate VPN website

If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. Users are likely to attribute the initial installation failure to technical issues, not malware.

Defending against credential theft campaigns

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants. 
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 
• Enable network protection in Microsoft Defender for Endpoint. 
• Turn on web protection in Microsoft Defender for Endpoint. 
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. 
• Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. 
• Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using Group Policy. 
• Turn on the following attack surface reduction rule to block or audit activity associated with this threat:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 

Microsoft Defender detection and hunting guidance

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Actor Profile: Storm-2561
• Activity Profile: Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR customers can run the following advanced hunting queries to find related activity in their networks:

Files signed by Taiyuan Lihua Near Information Technology Co., Ltd.

Look for files signed with Taiyuan Lihua Near Information Technology Co., Ltd. signer.

let a = DeviceFileCertificateInfo
| where Signer == "Taiyuan Lihua Near Information Technology Co., Ltd."
| distinct SHA1;
DeviceProcessEvents
| where SHA1 in(a)

Identify suspicious DLLs in Pulse Secure folder

Identify launching of malicious DLL files in folders masquerading as Pulse Secure.

DeviceImageLoadEvents
| where FolderPath contains "Pulse Secure" and FolderPath contains "Program Files" and (FolderPath contains "\\JUNS\\" or FolderPath contains "\\JAMUI\\")
| where FileName has_any("inspector.dll","dwmapi.dll")

Indicators of compromise

References

• SEO Poisoning Targets Ivanti VPN: Credential Theft Alert (Zscaler)
• Storm-2561 distributes trojanized SonicWall NetExtender SilentRoute (Microsoft)
• A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign (Cyjax)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft appeared first on Microsoft Security Blog.

Exploitation activity related to this vulnerability was detected as early as December 5, 2025. Most successful exploits originated from red team assessments; however, we also observed real-world exploitation attempts by threat actors delivering multiple subsequent payloads, majority of which are coin miners. Both Windows and Linux environments have been observed to be impacted.

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses this payload, executes server-side logic, and returns a serialized component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads. This could allow attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution.

This vulnerability presents a significant risk because of the following factors:

• Default configurations are vulnerable, requiring no special setup or developer error.
• Public proof-of-concept exploits are readily available with near-100% reliability.
• Exploitation can happen without any user authentication since this is a pre-authentication vulnerability.
• The vulnerability could be exploited using a single malicious HTTP request.

In this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, as well as mitigation recommendations and hunting guidance are covered in the next sections. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.

Analyzing CVE-2025-55182 exploitation activity

React is widely adopted in enterprise environments. In Microsoft Defender telemetry, we see tens of thousands of distinct devices across several thousand organizations running some React or React-based applications. Some of the vulnerable applications are deployed inside containers, and the impact on the underlying host is dependent on the security configurations of the container.

We identified several hundred machines across a diverse set of organizations compromised using common tactics, techniques, and procedures (TTPs) observed with web application RCE. To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request. This input is then processed as a serialized object and passed to the backend server, where it is deserialized. Due to the default trust among the components, the attacker-provided input is then deserialized and the backend runs attacker-provided code under the NodeJS runtime.

Post-exploitation, attackers were observed to run arbitrary commands, such as reverse shells to known Cobalt Strike servers. To achieve persistence, attackers added new malicious users, utilized remote monitoring and management (RMM) tools such as MeshAgent, modified authorized_keys file, and enabled root login. To evade security defenses, the attackers downloaded from attacker-controlled CloudFlare Tunnel endpoints (for example, *.trycloudflare.com) and used bind mounts to hide malicious processes and artifacts from system monitoring tools.

The malware payloads seen in campaigns investigated by Microsoft Defender vary from remote access trojans (RATs) like VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader that enabled attackers to deploy more payloads to target environments, ShadowPAD, and XMRig cryptominers. The attacks proceeded by enumerating system details and environment variables to enable lateral movement and credential theft.

Credentials that were observed to be targeted included Azure Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud to acquire identity tokens, which could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets. Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials were also observed. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.

Mitigation and protection guidance

Microsoft recommends customers to act on these mitigation recommendations:

Manual identification guidance

Until full in-product coverage is available, you can manually assess exposure on servers or containers:

1. Navigate to your project directory and open the node_modules folder.
2. Review installed packages and look for:
   • react-server-dom-webpack
   • react-server-dom-parcel
   • react-server-dom-turbopack
   • next
3. Validate versions against the known affected range:
   • React: 19.0.0,19.1.0, 19.1.1, 19.2.0
   • Next.js: 15.0.0 – 15.0.4, 15.1.0 – 15.1.8, 15.2.0 – 15.2.5, 15.3.0 – 15.3.5, 15.4.0 – 15.4.7, 15.5.0 – 15.5.6, 16.0.0 – 16.0.6, 14.3.0-canary.77 and later canary releases
4. If any of these packages match the affected versions, remediation is required. Prioritize internet-facing assets first, especially those identified by Defender as externally exposed.

Mitigation best practices

1. Patch immediately
   • React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line):
     • React: 19.0.1, 19.1.2, 19.2.1
     • Next.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
   • Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies.
2. Prioritize exposed services
   • Patch all affected systems, starting with internet-facing workloads.
   • Use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and to track remediation progress across your estate.
3. Monitor for exploit activity
   • Review MDVM dashboards and Defender alerts for indicators of attempted exploitation.
   • Correlate endpoint, container, and cloud signals for higher confidence triage.
   • Invoke incident response process to address any related suspicious activity stemming from this vulnerability.
4. Add WAF protections where appropriate
   • Apply Azure Web Application Firewall (WAF) custom rules for Application Gateway and Application Gateway for Containers to help block exploit patterns while patching is in progress. Microsoft has published rule guidance and JSON examples in the Azure Network Security Blog, with ongoing updates as new attack permutations are identified.

Recommended customer action checklist

• Identify affected React Server Components packages in your applications and images.
• Upgrade to patched versions. Refer to the React page for patching guidance.
• Prioritize internet-facing services for emergency change windows.
• Enable and monitor Defender alerts tied to React Server Components exploitation attempts.
• Apply Azure WAF custom rules as a compensating control where feasible.
• Use MDVM to validate coverage and confirm risk reduction post-update.

CVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. Rapid patching combined with layered Defender monitoring and WAF protections provides the strongest short-term and long-term risk reduction strategy.

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

In many cases subsequent activity post exploitation was detected and following alerts were triggered on the victim devices. Note that the following alerts below can also be triggered by unrelated threat activity.

Automatic attack disruption through Microsoft Defender for Endpoint alerts

To better support customers in the event of exploitation, we are expanding our detection framework to identify and alert on CVE-2025-55182 activity across all operating systems for Microsoft Defender for Endpoint customers. These detections are integrated with automatic attack disruption.

When these alerts, combined with other signals, provide high confidence of active attacker behavior, automatic attack disruption can initiate autonomous containment actions to help stop the attack and prevent further progression.

Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud

Microsoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs). Follow the documentation on how to enable agentless scanning:

• Protect your servers with Defender for Servers
• Defender for Containers Deployment Overview

Microsoft Defender Vulnerability Management (MDVM) can surface impacted Windows, Linux, and macOS devices. In addition, MDVM and Microsoft Defender for Cloud dashboards can surface:

• Identification of exposed assets in the organization
• Clear remediation guidance tied to your affected assets and workloads

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Vulnerability Profile: CVE-2025-55182 – React Server Components

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries and recommendations

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Detect potential React2Shell command injection attempt

CloudAuditEvents
| where (ProcessCommandLine == "/bin/sh -c (whoami)" and (ParentProcessName == "node" or ParentProcessName has "next-server"))
        or (ProcessCommandLine has_any ("echo","powershell") and ProcessCommandLine matches regex @'(echo\s+\$\(\(\d+\*\d+\)\)|powershell\s+-c\s+"\d+\*\d+")')
| project Timestamp, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, FileName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Identify encoded PowerShell attempts

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessParentFileName has "node"
| where InitiatingProcessCommandLine  has_any ("next start", "next-server") or ProcessCommandLine  has_any ("next start", "next-server")
| summarize  make_set(InitiatingProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, Timestamp
//looking for powershell activity
| where set_ProcessCommandLine  has_any ("cmd.exe","powershell")
| extend decoded_powershell_1 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"EncodedCommand ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_1b = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"Enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_2 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_3 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"ec ",1).[0]),'"',0).[0]))),"\0","")
| where set_ProcessCommandLine !has "'powershell -c " 
| extend decoded_powershell = iff( isnotempty( decoded_powershell_1),decoded_powershell_1, 
                                                    iff(isnotempty( decoded_powershell_2), decoded_powershell_2,
                                                        iff(isnotempty( decoded_powershell_3), decoded_powershell_3,decoded_powershell_1b)))
| project-away decoded_powershell_1, decoded_powershell_1b, decoded_powershell_2,decoded_powershell_3
| where isnotempty( decoded_powershell)

Identify execution of suspicious commands initiated by the next-server parent process post-exploitation

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName =~ "node.exe" and InitiatingProcessCommandLine has ".js"
| where FileName =~ "cmd.exe"
| where (ProcessCommandLine has_any (@"\next\", @"\npm\npm\node_modules\", "\\server.js")
    and (ProcessCommandLine has_any ("powershell -c \"", "curl", "wget", "echo $", "ipconfig", "start msiexec", "whoami", "systeminfo", "$env:USERPROFILE", "net user", "net group", "localgroup administrators",  "-ssh", "set-MpPreference", "add-MpPreference", "rundll32", "certutil", "regsvr32", "bitsadmin", "mshta", "msbuild")   
         or (ProcessCommandLine has "powershell" and
             (ProcessCommandLine has_any ("Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String", "Start-Process", "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "iwr ", ".UploadFile", "System.Net.WebClient")
                or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))))
   or ProcessCommandLine matches regex @'cmd\.exe\s+/d\s+/s\s+/c\s+"powershell\s+-c\s+"[0-9]+\*[0-9]+""'

Identify execution of suspicious commands initiated by the next-server parent process post-exploitation

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName == "node"
| where InitiatingProcessCommandLine has_any (" server.js", " start", "/server.js")
| where ProcessCommandLine  has_any ("| sh", "openssl,", "/dev/tcp/", "| bash", "|sh", "|bash", "bash,", "{sh,}", "SOCK_STREAM", "bash -i", "whoami", "| base64 -d", "chmod +x /tmp", "chmod 777")
| where ProcessCommandLine !contains "vscode" and ProcessCommandLine !contains "/.claude/"  and ProcessCommandLine !contains "/claude"

Microsoft Defender XDR’s blast radius analysis capability, incorporated into the incident investigation view, allows security teams to visualize and understand the business impact of a security compromise by showing potential propagation paths towards the organization’s critical assets before it escalates into a full blown incident. This capability merges pre-breach estate understanding with post-breach views allowing security teams to map their interconnected assets and highlights potential paths teams can prioritize for remediation efforts based on the criticality of assets and their interconnectivity to the compromised entities.

Microsoft Defender for Cloud

Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. Template titled Internet exposed containers running container images vulnerable to React2Shell vulnerability CVE-2025-55182 and Internet exposed virtual machines vulnerable to React2Shell vulnerability CVE-2025-55182 are added to the gallery.

Microsoft Security Exposure Management

Microsoft Security Exposure Management’s automated attack path analysis maps out potential threats by identifying exposed resources and tracing the routes an attacker might take to compromise critical assets. This analysis highlights vulnerable cloud compute resources, such as virtual machines and Kubernetes containers, that are susceptible to remote code execution vulnerabilities, including React2Shell CVEs. It also outlines possible lateral movement steps an adversary might take within the environment. The attack paths are presented for all supported cloud environments, including Azure, AWS, and GCP.

To view these paths, filter the view in Microsoft Security Exposure Management, filter by entry point type:

• Kubernetes container
• Virtual Machine
• AWS EC2 instance
• GCP compute instance.

Alternatively, in Microsoft Defender for Cloud, customers can filter by titles such as:

• Internet exposed container with high severity vulnerabilities
• Internet exposed Azure VM with RCE vulnerabilities
• Internet exposed GCP compute instance with RCE vulnerabilities
• Internet exposed AWS EC2 instance with RCE vulnerabilities

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Detect network IP and domain indicators of compromise using ASIM

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect Web Sessions IP and file hash indicators of compromise using ASIM

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_sha_hashes =dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);b_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())b| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Detect domain and URL indicators of compromise using ASIM

// Domain list - _Im_WebSession
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);
_Im_WebSession (url_has_any = ioc_domains)

Detect files hashes indicators of compromise using ASIM

// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);dimFileEventd| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]), 
  AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"

Find use of reverse shells

This query looks for potential reverse shell activity initiated by cmd.exe or PowerShell. It matches the use of reverse shells in this attack: reverse-shell-nishang.

Indicators of compromise

The list below is non-exhaustive and does not represent all indicators of compromise observed in the known campaigns:

References

• Critical Security Vulnerability in React Server Components – React
• NVD – CVE-2025-55182
• CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The guidance provided in this blog post represents general best practices and is intended for informational purposes only. Customers remain responsible for evaluating and implementing security measures appropriate for their environments.

The post Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components appeared first on Microsoft Security Blog.

The Shai‑Hulud 2.0 campaign builds on earlier supply chain compromises but introduces more automation, faster propagation, and a broader target set:

• Malicious code executes during the preinstall phase of infected npm packages, allowing execution before tests or security checks.
• Attackers have compromised maintainer accounts from widely used projects (for example, Zapier, PostHog, Postman).
• Stolen credentials are exfiltrated to public attacker-controlled repositories, which could lead to further compromise.

This campaign illustrates the risks inherent to modern supply chains:

• Traditional network defenses are insufficient against attacks embedded in trusted package workflows.
• Compromised credentials enable attackers to escalate privileges and move laterally across cloud workloads.

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.

This blog provides a high-level overview of Shai‑Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.

Analyzing the Shai-Hulud 2.0 attack

Multiple npm packages were compromised when threat actors added a preinstall script named set_bun.js in the package.json of the affected packages. The setup_bun.js script scoped the environment for an existing Bun runtime binary; if not found, the script installed it. Bun can be used in the same way Node.js is used.

The Bun runtime executed the bundled malicious script bun_environment.js. This script downloaded and installed a GitHub Actions Runner archive. It then configured a new GitHub repository and a runner agent called SHA1Hulud. Additional files were extracted from the archive including, TruffleHog and Runner.Listener executables. TruffleHog was used to query the system for stored credentials and retrieve stored cloud credentials.

Microsoft Defender for Containers promptly notified our customers when the campaign began through the alert Suspicious usage of the shred command on hidden files detected. This alert identified the data destruction activity carried out as part of the campaign. Additionally, we introduced a dedicated alert to identify this campaign as Sha1-Hulud Campaign Detected – Possible command injection to exfiltrate credentials.

In some cases, commits to the newly created repositories were under the name “Linus Torvalds”, the creator of the Linux kernel and the original author of Git.  The use of fake personas highlights the importance of commit signature verification, which adds a simple and reliable check to confirm who actually created a commit and reduces the chance of impersonation.

Mitigation and protection guidance

Microsoft Defender recommends the following guidance for customers to improve their environments’ security posture against Shai-Hulud:

• Review the Key Vault assets on the critical asset management page and investigate any relevant logs for unauthorized access.
• Rapidly rotate and revoke exposed credentials.
• Isolate affected CI/CD agents or workspaces.
• Prioritize high-risk attack paths to reduce further exposure.
• Remove unnecessary roles and permissions granted to identities assigned to CI/CD pipelines; specifically review access to key vaults.
• For Defender for Cloud customers, read on the following recommendation:
  • As previously indicated, the attack was initiated during the preinstall phase of compromised npm packages. Consequently, cloud compute workloads that rely on these affected packages present a lower risk compared to those involved in the build phase. Nevertheless, it is advisable to refrain from using such packages within cloud workloads. Defender for Cloud conducts thorough scans of workloads and prompts users to upgrade or replace any compromised packages if vulnerable versions are detected. Additionally, it references the code repository from which the image was generated to facilitate effective investigation.
  • To receive code repository mapping, make sure to connect your DevOps environments to Defender for Cloud. Refer to the following documentation for guidance on:
    • Connecting Azure DevOps to Defender for Cloud
    • Connecting GitHub environment to Defender for Cloud
    • Connecting GitLab environment to Defender for Cloud
    • Deploying Defender CLI for container image scan

• For npm maintainers:
  • Use npm trusted publishing instead of tokens. Strengthen publishing settings on accounts, organizations, and packages to require two-factor authentication (2FA) for any writes and publishing actions.
  • When configuring two-factor authentication, use WebAuthn instead of a time-based, one-time password (TOTP).
• To combat this evolving threat, we are also introducing a new functionality in Microsoft Defender for Cloud that identifies Shai-Hulud 2.0 packages by leveraging agentless code scanning. This capability works by creating a Software Bill of Materials (SBOM) in the background and performing a lookup to identify if any package in the filesystem or source code repository is a malicious package that could be a component of the Shai-Hulud attack. By decoupling security analysis from runtime execution, this approach ensures that deep dependency threats are detected without impacting the performance of workloads or pipelines.
  • If malicious packages are found, recommendations in Microsoft Defender for Cloud provide immediate visibility into compromised assets as shown below. This ensures that security teams can act quickly to freeze dependencies and rotate credentials before further propagation occurs.
  • The next recommended step for customers is to start scanning repositories and protecting supply chains. Learn how to set up connectors.

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Turn on attack surface reduction rules, particularly on blocking executable files from running unless they meet a prevalence, age or trusted list criterion and blocking execution of potentially obfuscated scripts.

For more information on GitHub’s plans on securing the npm supply chain and what npm maintainers can take today, Defender also recommends checking the Github plan for a more secure npm supply chain.

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics:

• Activity Profile: From vulnerable workflows to self-replicating malware: Technical analysis of npm supply chain security incidents

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Attack path analysis

Attack path analysis shows paths from exposed entry points to targets. Security teams can use attack path analysis to surface cross-domain exposure risks, for example how an attacker could move from externally reachable resources to sensitive systems to escalate privileges and maintain persistence. While supply chain attacks like those used by Shai-Hulud 2.0 can originate without direct exposure, customers can leverage advanced hunting to query the Exposure Graph for these broader relationships.

For example, once a virtual or physical machine is determined to be compromised, key vaults that are directly accessible using credentials obtained from the compromised system can also be identified. The relevant access paths can be extracted using queries, as detailed in the hunting section below. Any key vault found along these paths should be investigated according to the mitigation guide.

Hunting queries 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Attempts of malicious JS execution through node

DeviceProcessEvents 
| where FileName has "node" and ProcessCommandLine has_any ("setup_bun.js", "bun_environment.js")

Suspicious process launched by malicious JavaScript

DeviceProcessEvents | where InitiatingProcessFileName in~ ("node", "node.exe") and InitiatingProcessCommandLine endswith ".js"
| where (FileName in~ ("bun", "bun.exe") and ProcessCommandLine has ".js")
    or (FileName  in~ ("cmd.exe") and ProcessCommandLine has_any ("where bun", "irm ", "[Environment]::GetEnvironmentVariable('PATH'", "|iex"))
    or (ProcessCommandLine in~ ("sh", "dash", "bash") and ProcessCommandLine has_any ("which bun", ".bashrc && echo $PATH", "https://bun.sh/install"))
| where ProcessCommandLine !contains "bun" and ProcessCommandLine !contains "\\" and ProcessCommandLine !contains "--"

GitHub exfiltration

DeviceProcessEvents | where FileName has_any ("bash","Runner.Listener","cmd.exe") | where ProcessCommandLine has 'SHA1HULUD' and not (ProcessCommandLine has_any('malicious','grep','egrep',"checknpm","sha1hulud-checker-ado","sha1hulud-checker-ado"," sha1hulud-checker-github","sha1hulud-checker","sha1hulud-scanner","go-detector","SHA1HULUD_IMMEDIATE_ACTIONS.md","SHA1HULUD_COMPREHENSIVE_REPORT.md","reddit.com","sha1hulud-scan.sh"))

Paths from compromised machines and repositories to cloud key management services

let T_src2Key = ExposureGraphEdges
| where EdgeLabel == 'contains'
| where SourceNodeCategories has_any ('code_repository', 'virtual_machine' , 'physical_device')
| where TargetNodeCategories has 'secret'
| project SourceNodeId, SourceNodeLabel, SourceNodeName, keyNodeId=TargetNodeId, keyNodeLabel=TargetNodeLabel;
let T_key2identity = ExposureGraphEdges
| where EdgeLabel == 'can authenticate as'
| where SourceNodeCategories has 'key'
| where TargetNodeCategories has 'identity'
| project keyNodeId=SourceNodeId, identityNodeId=TargetNodeId;
ExposureGraphEdges
| where EdgeLabel == 'has permissions to'
| where SourceNodeCategories has 'identity'
| where TargetNodeCategories has "keys_management_service"
| join hint.strategy=shuffle kind=inner (T_key2identity) on $left.SourceNodeId==$right.identityNodeId
| join hint.strategy=shuffle kind=inner (T_src2Key) on keyNodeId
| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, srcEntityId=EntityIds) on $left.SourceNodeId1==$right.NodeId
| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, identityEntityId=EntityIds) on $left.identityNodeId==$right.NodeId
| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, kmsEntityId=EntityIds) on $left.TargetNodeId==$right.NodeId
| project srcLabel=SourceNodeLabel1, srcName=SourceNodeName1, srcEntityId, keyNodeLabel, identityLabel=SourceNodeLabel,
    identityName=SourceNodeName, identityEntityId, kmsLabel=TargetNodeLabel, kmsName=TargetNodeName, kmsEntityId
| extend Path = strcat('srcLabel',' contains','keyNodeLabel',' can authenticate as', ' identityLabel', ' has permissions to', ' kmsLabel')

Setup of the GitHub runner with the malicious repository and downloads of the malicious bun.sh script that facilitates this

CloudProcessEvents
| where  (ProcessCommandLine has "--name SHA1HULUD" ) or (ParentProcessName == "node" and (ProcessName == "bash" or ProcessName == "dash" or ProcessName == "sh") and ProcessCommandLine has "curl -fsSL https://bun.sh/install | bash")
| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Credential collection using TruffleHog and Azure CLI

CloudProcessEvents
| where (ParentProcessName == "bun" and ProcessName in ("bash","dash","sh") and ProcessCommandLine has_any("az account get-access-token","azd auth token")) or
        (ParentProcessName == "bun" and ProcessName == "tar" and ProcessCommandLine has_any ("trufflehog","truffler-cache"))
| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Cloud security explorer

Microsoft Defender for Cloud customers can also use cloud security explorer to surface possibly compromised software packages. The following screenshot represents a query that searches for a virtual machine or repository allowing lateral movement to a key vault. View the query builder.

The security explorer templates library has been expanded with two additional queries that retrieve all container images with compromised software packages and all the running containers with these images.

Another means for security teams to proactively identify the scope of this threat is by leveraging the Cloud Security Explorer to query the granular Software Bill of Materials (SBOM) generated by agentless scanners. This capability allows you to execute dynamic, graph-based queries across your entire multi-cloud estate—including virtual machines, containers, and code repositories—to pinpoint specific software components and their versions without the need for agent deployment.

For the Shai-Hulud 2.0 campaign, you can use the Cloud Security Explorer to map your software inventory directly to the list of known malicious packages. By running targeted queries that search for the specific compromised package names identified in our threat intelligence, you can instantly visualize the blast radius of the attack within your environment. This enables you to locate every asset containing a malicious dependency and prioritize remediation efforts effectively.

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Indicators of compromise   

References

• https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack appeared first on Microsoft Security Blog.

As IDC notes in their report, the endpoint security market “is growing in response to an increasingly sophisticated threat” powered by AI. Global enterprises like Crocs, Victorionox, and Del Monte Foods are choosing Microsoft Defender more and more to secure their environments because of the value they see not only in our endpoint security, but also our defense-in-depth approach across domains powered by AI. Spanning from the devices to the cloud, the Microsoft Defender platform protects every aspect of their daily operations.

“It was surprisingly simple to enable real-time visibility across our environment. It’s been a leap in our security maturity level, and with the native interoperability of our Microsoft security solutions, we achieved it much faster than we expected.”

—Glauco Sampaio, Chief Information Security Officer, Cielo

Worldwide Modern Endpoint Security 2024 Share Snapshot

Why organizations increasingly prefer Microsoft Defender for endpoint security

Microsoft Defender helps organizations proactively secure their digital estate with AI-powered endpoint protection across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT). It empowers security operations center (SOC) analysts with unique capabilities spanning pre-breach exposure management to post-breach attack disruption.

A key driver behind Microsoft Defender’s growing market share is its deep investment in cross-platform support, especially for Linux. Over the last three years, Microsoft has reengineered its Linux security for zero workload disruption, using eBPF sensor technology for greater visibility with minimal reliance on the kernel mode. This innovation has led to significant performance gains, with the solution consuming less than 1% CPU across 95% of deployments. Defender now supports a broader range of Linux distributions, including ARM64, and is optimized for low-resource environments such as single-core servers. At the same time, we’ve continued to drive cross-platform innovation to further expand comprehensive endpoint security across Windows, macOS, iOS, Android, and IoT.

An organization’s best offense against the rapidly evolving threat landscape is a secure defense, where Microsoft Defender’s next-generation protection and then built-in exposure management capabilities are critical. To help you manage your risk, you get a dynamic risk score that continuously measures vulnerabilities and misconfigurations in your environment and provides actionable recommendations for resolution. In the case of a cyberattack, you immediately see the most critical junctions in your network with attack path analysis. Our unique visibility into your environment provides a risk-based map of the potential devices that adversaries can exploit so you can proactively harden your environment, cutting them off from progressing further.

Advanced detection and response capabilities like automatic attack disruption are next in the stack. Informed by the full breadth of Microsoft Defender’s 84 trillion daily signals, it is a built-in self-defense capability that contains in-progress cyberattacks across the organization to prevent further lateral movement and damage. Meanwhile, the security operations team remains in control of investigation, remediation, and restoring asset availability. Even as attack disruption harnesses extended detection and response (XDR) signal, it can stop cyberattacks in a decentralized way across devices with just Defender for Endpoint deployed.

It also surgically protects critical assets like servers by containing compromised IP addresses while allowing the server to continually operate. You can maximize attack disruption’s reach and effectiveness across assets like identities, email, and additional domains by expanding your Microsoft Defender deployment. In addition, Defender provides analysts a rich set of detection and response capabilities such as live response and advanced hunting to further secure their environment. 

Further supporting SOC teams with a global footprint, the Microsoft Defender portal experience comes in more than 100 languages and dialects, and documentation covers more than 60 languages and dialects. This robust coverage means security analysts can quickly and confidently understand, investigate, and remediate without language barriers. Wherever the security analyst operates from, Defender likely speaks their language. 

These capabilities and global approach to securing organizations are just some of the reasons why organizations are increasingly choosing Defender for Endpoint over other vendors in the market. Thank you to our valued customers and partners for your trust and collaboration that empower us to advance our mission and build a more secure future together. 

To learn more

• Read about Microsoft’s leadership in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms.
• Read the Defender for Endpoint e-book.
• Watch the Defender for Endpoint overview video.
• Try out Defender for Endpoint with a free trial.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Worldwide Modern Endpoint Security Market Shares, 2024; (Doc # US53349725, May 2025).

The post Microsoft ranked number one in modern endpoint security market share third year in a row appeared first on Microsoft Security Blog.

Defender for Endpoint’s ability to disrupt ransomware at scale stems from our commitment to empowering security analysts against the most sophisticated cyberthreats. We are honored to be recognized once again as a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms—our sixth consecutive time. Microsoft was recognized for its completeness of vision and ability to execute, which we believe underscores the effectiveness of Defender for Endpoint in the face of an ever-shifting digital threat environment.

Microsoft Defender for Endpoint is an endpoint security solution that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender’s unified security operations platform and built on global threat intelligence informed by more than 84 trillion daily signals and more than 10,000 security experts.¹

We thank our customers and partners for their essential role in advancing Microsoft Security.

Over the past year, Microsoft has introduced key advancements to endpoint security that have empowered defenders to stay ahead of evolving cyberthreats, including:

• Proactively securing digital environments with exposure management capabilities spanning pre-to-post breach: Reducing exposure risks like vulnerabilities and misconfigurations is foundational to endpoint security. Defender for Endpoint’s unique visibility into a device estate helps security operations center (SOC) analysts see and harden against their organization’s level of exposure to weaknesses and exploits with an actionable risk score (endpoint security initiative). In the case of a cyberattack, analysts can further protect the organization and accelerate response with potential attack paths embedded into the incident. Analysts gain end-to-end visibility into attack paths bad actors may take across devices to reach high-value assets, enabling fast, informed decisions when it matters most.

• Disrupting ransomware attacks even earlier in the cyberattack chain with automatic attack disruption: Unique to Microsoft, automatic attack disruption is a built-in self-defense capability that contains in-progress cyberattacks to prevent further lateral movement and damage to an organization. The most pervasive cyberthreat to network-connected devices is ransomware, one of the many scenarios covered by attack disruption. Up to 90% of successful ransomware campaigns leverage unmanaged endpoints, which are typically personal devices that people bring to work.¹ Automatic attack disruption now extends to unmanaged shadow IT devices and critical assets. Defender for Endpoint can detect and contain malicious IP addresses associated with unmanaged or undiscovered devices. It stops threat actors from exploiting vulnerable entry points, preventing lateral movement before it starts. Attack disruption now also granularly isolates cyberthreats on critical assets such as domain controllers, helping defenders preserve key network functions and ensure operational continuity during an attack.

• Enhancing Linux support: Microsoft supports even more Linux distributions, including ARM64 and has reduced resource requirements. These releases reflect the continual progress we’ve made for securing Linux servers on top of our strategic shift over a year ago to eBPF sensor technology that improves system control, minimizes resource demands, and boosts security performance. We’ve also continued delivering cross-platform innovation across Windows, macOS, iOS, Android, and IoT for comprehensive endpoint security.

• Unifying our agent across XDR workloads: The single agent makes it faster and easier to activate and manage core capabilities across endpoint, operational technology (OT), identity, and data loss prevention workloads so you can quickly unlock the value of AI-powered protection. Organizations simply deploy it once and then enable each solution as needed. Microsoft applies its long-established safe deployment practices in delivering the latest protections to help organizations outpace evolving cyberthreats without compromising operational stability. As a part of this process, admins have full control over these software updates.

• Accelerating SOC operations with Microsoft Security Copilot: It is the cybersecurity industry’s first generative AI solution, generally available as of April 2024. Built into the Microsoft Defender portal, it helps SOC analysts investigate, contain, and remediate cyberthreats in minutes. It delivers endpoint-specific capabilities such as recommending tailored guided responses related to devices, analyzing suspicious scripts, and translating natural language questions into ready-to-run Kusto Query Language (KQL) queries. Microsoft Security Copilot agents, introduced this year, automate routine tasks by fitting naturally into existing workflows across the security stack. These agents align to Microsoft’s Zero Trust principles, learn from feedback, and remain under SOC control.

• Supporting a global SOC: Security analysts navigate many complexities in their daily operations—language barriers should not be one of them. The Microsoft Defender portal provides experiences in more than 100 languages and dialects. Documentation covers more than 60 languages. This extensive language coverage ensures that analysts can easily navigate, understand, and act with confidence in their native tongue. Wherever the analyst is, Defender likely speaks their language. 

• Extending your SOC team with Microsoft Defender Experts for XDR: Sophisticated threats span beyond endpoints. We’ve been continually enhancing the capabilities and improving the efficiencies of Microsoft Defender Experts for XDR, our managed XDR service. Defender Experts for XDR offers around-the-clocl, expert-led managed triage, investigation, and response across domains, along with proactive threat hunting—strengthening SOC capabilities around the clock.

Market leadership isn’t just about responding to current needs—it’s about driving the next wave of innovation. Microsoft is investing significantly in helping SOC teams quickly scale their endpoint defenses through foundational enhancements designed to radically simplify deployment and advanced AI-powered autonomous capabilities spanning pre-to-post breach, to name just a couple of highlights for what’s ahead.

Thank you to all our customers and partners. Your partnership drives our mission forward as we work side by side to build a safer, more secure world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Share your insights on Microsoft Defender for Endpoint and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Deepak Mishra, Franz Hinner. July 14, 2025.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

That’s why we’re focused on delivering deeply integrated, scenario-based experiences that align with Zero Trust principles, making it easier for IT and security professionals to ask questions, take action, and gain insights directly within their existing workflows. These experiences not only reduce friction but also help IT teams stay in flow, making smarter decisions faster and with greater confidence. And the impact is real: organizations using Security Copilot have seen a 54% reduction in time to resolve device policy conflicts, and a 22.8% drop in alerts per incident within three months of adoption, freeing up teams to focus on more strategic work.

We’re excited to announce the Security Copilot capabilities in Microsoft Intune and Microsoft Entra have moved from preview to general availability. This milestone reflects the critical role Intune and Entra play in modern security strategies, serving as the foundation for implementing a Zero Trust model. Intune enforces device compliance, app protection, and endpoint privilege management, while Entra governs identity access with Conditional Access policies and granular authentication controls. Together, they create a unified security posture that aligns with Zero Trust principles across devices, users, applications, and even agents. Security Copilot amplifies this foundation by providing AI-assisted guidance, autonomous agents, and insights accessible through natural language, helping IT teams scale operations, accelerate skilling, and proactively remediate threats at machine speed.

Reimagining IT workflows with Security Copilot in Intune

IT administrators often face a daily flood of data, alerts, and configuration details, making it difficult to quickly find the right information and act with confidence. AI is changing how people work, and Copilot in Intune is evolving how IT admins interact with and act on their endpoint management data. The Security Copilot in Intune general availability release introduces a brand new, Copilot-assisted data exploration capability. IT admins now have a dedicated page in the Intune admin center to ask Copilot for the data they need, take action, and complete endpoint management tasks, all without leaving their workflow. This capability allows admins to extract insights across Intune domains—devices, apps, security policies, users, compliance data, app configurations, and more—and act on it using its deep integration into the Intune functionality they are familiar with. It represents the first step in a foundational shift from traditional reporting and queries to Copilot-powered investigation and IT-empowered action.

This new Security Copilot capability is designed to simplify the most time-consuming IT workflows, like assessing security posture, managing updates, troubleshooting issues, and generating custom reports. Whether it’s identifying non-compliant devices, tracking patch failures, previewing policy impact, or automating remediation, Copilot brings together the data and actions IT needs in one place.

Admins can ask natural language questions like, “Show me devices that are not on the latest version of Windows and Office,” or “Which of my Endpoint Privilege Management rules are in conflict and what are the source profiles?” and take action instantly, without switching context.

Figure 1. New experience to explore your Intune data with Copilot assistance across workloads.

The new Explorer experience also includes support for Windows 365 Cloud PCs, giving IT administrators a consistent way to view and act on device details across both cloud and physical endpoints. We are excited to share that in the coming weeks, we’ll introduce additional AI capabilities in Intune with Copilot assistance for Windows 365, offering insights into Cloud PC connectivity and connection quality, licensing optimization, and performance issues tied to compute resources. These capabilities build on the momentum of virtual computing and the ability to stream Windows from the Cloud, enhancing the IT experience and delivering even more endpoint management value—especially for Windows-based environments.

The general availability release of Security Copilot in Intune also provides chat-based contextual assistance and includes integration with core and Microsoft Intune Suite solutions. Intune Advanced Analytics multiple device query (MDQ), and Copilot help admins write detailed Kusto Query Language (KQL) queries and Endpoint Privilege Management with Copilot assesses app risks for admins to make informed decisions before approving Windows users’ elevation requests. And with the Surface Management Portal in Intune, Copilot provides unified visibility and controls for IT across Surface devices, further strengthening security posture and streamlining operations.

Just as Security Copilot is transforming endpoint management in Intune, it’s also reshaping how identity is managed in Microsoft Entra.

Security Copilot in Entra brings clarity and speed to identity security

Identity environments evolve daily—new user, apps, and permissions are constantly introduced, making it difficult for IT and identity admins to keep policies up to date and user access properly governed. Manual investigations done the traditional way can be very time-consuming and reactive, giving cyberattackers more time to exploit gaps. With more than 600 million identity-based attacks happening daily, organizations can’t afford slow, manual investigations or infrequent policy reviews.¹

Security Copilot in Microsoft Entra, now generally available, brings AI-assisted reasoning, natural language prompts, and real-time insights across your identity and access estate, all within the Microsoft Entra admin center. We’ve made major enhancements to improve performance, scalability, and accuracy, enabling Security Copilot to better understand user intent, handle more complex questions, and deliver clearer answers.

 We’ve also expanded coverage to support a broader set of real-world identity scenarios. Copilot in Entra now helps admins investigate users, troubleshoot sign-ins, manage access reviews and entitlements, monitor tenant health and service-level agreement (SLAs), optimize license usage, and analyze role assignments and recommendations—all grounded in Microsoft Graph data.

Admins can now ask natural language questions like, “Which enterprise applications have credentials about to expire?” and “What role does the user have?” to quickly surface insights and take action. Whether it’s reviewing access packages, identifying risky apps, or checking license availability, Security Copilot in Entra helps teams move faster, stay ahead of cyberthreats, and focus on what matters most.

Purpose-built agents for real-world IT challenges

At Microsoft Secure 2025, as part of our vision to deliver an AI-first, end-to-end security platform, Microsoft announced 11 AI-powered Security Copilot agents that are seamlessly integrated with Microsoft Security and partner solutions. These agents autonomously handle high-volume, high-value tasks, learn from feedback, adapt to workflows, and operate securely, reflecting our commitment to helping organizations achieve what was previously impossible—at machine speed.

Today marks a meaningful milestone in our journey toward an AI-first, end-to-end security platform: we’re announcing the general availability of the Conditional Access Optimization Agent in Microsoft Entra. This launch brings AI-powered automation to IT and security operations, helping teams bring proactive protection directly into identity workflows.

The Conditional Access Optimization Agent runs autonomously, scanning your environment for gaps, overlaps, and outdated policy assignments. It then recommends precise, one-click remediations to help close the gaps fast, turning reactive cleanup into proactive defense.

The Conditional Access Optimization Agent provides:

• Autonomous protection, every day—Automatically detects newly created users or apps not covered by Conditional Access policies, reducing risk between manual audits.
• Real-time, explainable decisions—Every recommendation includes a plain-language summary and visual activity map showing how the agent reached its conclusion.
• Continuous adaptability to your organization’s needs—Support for custom business rules, the agent can learn based on your natural-language feedback (for example, excluding break-glass accounts).
• Full auditability—Agent actions like install, enable and disable, and recommendations are recorded in the audit log for compliance and operational transparency.

With the Conditional Access Optimization Agent, policy coverage becomes continuous. You gain daily protection, policy clarity, and built-in expertise without the manual lift. As one security leader put it:

“The Conditional Access Optimization Agent is like having a security analyst on call 24/7. It proactively identifies gaps in our Conditional Access policies and ensures every user is protected from day one, and with report-only mode and AI-driven recommendations, we can test and refine access policies without disruption. It’s a secure path to innovation that every chief information security officer can trust.”

—Julian Rasmussen, Senior consultant and Partner, Point Taken, Microsoft MVP

Step into the future of IT with Security Copilot

We’re in a new era of AI that has implications for IT operations and security. Now with Microsoft Security Copilot in Intune and Entra, you can make your organization future-ready with AI solutions that help organizations transform IT and security at machine speed.

As part of our ongoing commitment to enhancing the embedded experience of Security Copilot across Microsoft Security products, we’re excited to introduce a new in-portal capacity calculator available in the Security Copilot standalone experience (Azure account required). This tool allows organizations to estimate the number of Security Compute Units (SCUs) they may need based on the number of Security Copilot users in each Microsoft Security product. Users can generate a quick estimate, providing a practical starting point for capacity planning. SCU allocations can be adjusted at any time as real-world usage patterns emerge. Learn more.

Explore more use cases for IT and identity admins in the Security Copilot adoption hub. Explore Copilot in Intune and Entra and take these steps to learn more:

• Get started with Microsoft Security Copilot.
• Learn more about how to apply Microsoft Intune and Microsoft Entra to your program.
• Connect with your Microsoft representative to schedule a demo or get more information.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2024.

The data, insights, and events in this report represent July 2023 through June 2024 (Microsoft fiscal year 2024), unless otherwise noted.

The post Improving IT efficiency with Microsoft Security Copilot in Microsoft Intune and Microsoft Entra appeared first on Microsoft Security Blog.

In fact, over the last 18 months, our threat protection research teams have observed a 275% increase in ransomware encounters. In these cyberattacks, threat actors tend to target identities and devices for gaining initial access. Microsoft disrupts 35,000 such incidents each month. But not only has the volume of cyberattacks increased, so too has the speed of execution. Cyberattacks used to take days before affecting organizations, but today thousands of devices can be encrypted in less than five minutes.

Fortunately, the likelihood of a Microsoft Defender for Endpoint customer getting encrypted over the past 18 months has also decreased by 300%. Microsoft disabled and contained 120,000 compromised user accounts and saved more than 180,000 devices in the last six months alone.

Microsoft Defender for Endpoint

Apply AI-powered endpoint security across Windows, Linux, macOS, iOS, Android, and IoT devices. Learn more.

Microsoft delivers comprehensive endpoint protection

Not only does Microsoft have the largest market share in modern endpoint security worldwide, we see more attack data than any other security vendor. We process more than 84 trillion signals every day across data sources like novel cyberattacks, malware, ransomware, and fraud while leveraging dynamic insights from 10,000 full-time security experts. This gives us early signal into emerging threat vectors that we refactor into our detection and response systems.

Powered by AI and built on the broadest global threat and human intelligence, Microsoft Defender for Endpoint provides comprehensive protection across all platforms, from mobile to servers to IoT—including Windows, Linux, macOS, iOS, and Android. This empowers the security operations center (SOC) with industry-leading threat protection to stay one step ahead of the evolving cyberthreat landscape.

Defender for Endpoint is part of the Microsoft Defender XDR platform, natively integrated with the full breadth of security solutions that comprise our unified security operations platform.

Why do CISOs prefer Microsoft Defender for Endpoint?

Defender for Endpoint is purpose-built for the SOC and offers a series of capabilities that help you reduce your attack surface, accelerate your security workflows, and respond quicker and more effectively than ever before. These are just a few of the reasons most chief information security officers (CISOs) choose Microsoft to protect their device estate.

• Reduce your attack surface: With built-in posture management, you can monitor vulnerabilities and security configuration issues, receive prioritized alerts, and take corrective actions to mitigate risk and reduce your exposure. Auto-deployed deception techniques allow you to create an artificial attack surface in minutes, sniffing out bad actors early in the cyberattack chain.
• Accelerate your workflow with AI: Defender for Endpoint’s native integration with Microsoft Security Copilot allows you to use natural language to speed up daily tasks such as investigating and responding to incidents and prioritizing alerts. As the industry’s first generative AI, Security Copilot helps analysts by providing enriched context for faster and smarter decisions in addition to prescriptive step-by-step remediation guidance.
• Respond automatically: Automatic attack disruption is an industry-first, always-on security response capability exclusive to Microsoft. It is offered only by Microsoft Defender XDR and available within Defender for Endpoint. Powered by advanced machine learning, it can identify when a cyberattack is occurring with high confidence and block the attack.

This makes it possible to contain an active breach quickly and effectively while preventing lateral movement from the cyberattacker. It accomplishes this using high confidence signals collected from our unified platform—including endpoints, hybrid identities, apps, email, collaboration tools, cloud workloads, data security insights and third-party data. It can protect against advanced attacks like ransomware, business email compromise (BEC), and Adversary-in-the-Middle (AiTM) attacks.

Automatic attack disruption doesn’t kick in until Defender for Endpoint has reached above 99.99% confidence in the presence of a cyberattack. It dynamically responds to in-progress, hands-on-keyboard attacks—isolating compromised entities, stopping cyberattackers in their tracks, and halting ransomware attacks in three minutes on average. Unlike traditional solutions that periodically scan for known malware and solely rely on endpoint signals, attack disruption uses AI and cross-domain signals to predict an attacker’s next move and adapt its response. This means we can block lateral movement early in the cyberattack chain and stop the attacker from progressing.

For more on why CISOs prefer Defender for Endpoint, read our latest e-book or watch the video.

Defender for Endpoint in action: Thwarting ransomware when another security solution couldn’t

Here is a real-life example that demonstrates just how critical it is to have Defender for Endpoint securing your devices.

In early 2024, a multinational organization was targeted by cyberattackers. They attempted to encrypt about 2,100 user devices and about 1,000 servers. The organization had mixed deployment of endpoint vendors with Microsoft on user devices and another leading EDR vendor on their servers. There were two cyberattack waves. 

• In the first attack wave, within two minutes of Microsoft recognizing that an attack was underway, automatic attack disruption kicked in and prevented the cyberattacker from encrypting more than 2,000 devices and held steady for about three hours.
• In the second attack wave, Microsoft held strong and thwarted encryption for more than 99% of devices, whereas the cyberattacker successfully encrypted 100% of the servers that were on another vendor.

The customer has since onboarded all of their servers to Microsoft.

How to transform endpoint security at your organization

Microsoft makes it easy to secure your device estate and stay one step ahead of the cyberattackers. If you’re looking to supercharge endpoint security at your organization and keep up with the evolving cyberthreat landscape, you can get started with Microsoft Defender for Endpoint today. Begin a free trial, read the e-book, watch the video, or speak to the Microsoft Security sales team.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How Microsoft Defender for Endpoint is redefining endpoint security appeared first on Microsoft Security Blog.

Threat actors specifically target these high-value systems, meaning that even weaker signals need to be properly investigated. With short-staffed SOC teams, it has historically been a challenge to respond to these types of signals effectively. Given assets like domain controllers are the backbone to an organization’s daily operations, protecting critical infrastructure means proactively stopping adversaries before they inflict damage. So how do security solutions help SOC teams effectively protect critical assets while ensuring business continuity?

To help security teams meet this challenge, Microsoft Defender developed automatic attack disruption: a built-in self-defense capability that identifies & disrupts multi-domain attacks in near real time to prevent further damage across the organization. We recently announced how we protect domain controllers against ransomware as the latest attack disruption innovation.

Behind the scenes, attack disruption uses a critical asset framework to achieve this outcome. This framework is developed from the latest threat research and tested internally within Microsoft’s security infrastructure to provide the context needed to differentiate true threats from noise for critical assets, empowering organizations to act decisively when it matters most. Using the native integration between Microsoft Defender for Endpoint and Microsoft Security Exposure Management, we can automatically identify critical assets in your environment and apply deep contextual insights based on each asset’s unique threat profile to disrupt attacks accordingly.

This blog post dives into how this framework drives real impact, its core components, innovative methodology, and how it helps ensure that organizations are proactive and efficient in their defense strategy specifically for critical asset protection.

Real world impact

By applying the critical asset framework, Microsoft Defender was able to disrupt attacks targeting high-value assets several days earlier in the kill chain in 40% of triggered incidents. This early intervention significantly reduces attacker dwell time, helping prevent impact and limit damage. Additionally, in another 40% of incidents, risk-based contextual insights transformed weak signals into clear, actionable disruption opportunities. These were unique incidents, false negatives in the past, that are now being surfaced and mitigated for the first time.

Neutralizing a human-operated attack on a global enterprise’s domain controller

In this scenario, a global enterprise was running multiple endpoint detection & response vendors in their environment, including Microsoft Defender for Endpoint. The organization was targeted by an advanced, human-operated attack on their domain controllers. Only Microsoft’s solution was able to stop the attack thanks to Defender’s early detection and disruption capabilities. The threat was neutralized before any damage could be inflicted, demonstrating the necessity of automatic attack disruption in the fight against ransomware. Meanwhile, critical assets onboarded to the other vendor were impacted.

Attack story showing automatic attack disruption saving domain controllers onboarded to Microsoft Defender for Endpoint whereas those onboarded to a different EDR solution were encrypted.

Core principles for protecting critical assets

Now that you’ve seen how effective attack disruption is for protecting critical assets, let’s take a look at the core principles shaping our framework:

Prioritization and classification: By classifying assets based on their criticality and role we ensure that disruption actions are triggered precisely where they matter most. With fewer benign events on critical systems, every detection is more likely to reflect a genuine threat, enabling faster, more targeted responses that directly enhance client security and operational confidence.
Proactive, real-time defense: Our context-driven approach enables early detection and disruption of threats, often stopping attacks days before they can cause significant harm.
Adaptive and scalable: Although our initial focus has been on domain controllers, the framework is designed to be flexible and protect a variety of other critical assets such as cloud connectivity solutions and publicly connected devices, based on each asset’s unique behavioral context.

We take these principles and translate them into actionable detection and disruption actions tailored to protect critical assets from the sophisticated and persistent threats that they frequently face.

Under the hood of critical asset protection

Asset classification: Our process starts by analyzing each asset’s role and criticality using Microsoft Security Exposure Management to identify and prioritize critical assets, guiding every disruption decision along the way.
Detector integration and management:
Targeted detector selection: We have engineered a specialized set of detectors most relevant to high-value assets, guided by extensive asset-specific threat research. This ensures each critical asset is protected by detectors selected specifically for the threats it faces.
Automated quality evaluation: Our system continuously assesses each detector’s signal-to-noise ratio and overall impact, deploying only those that meet our strict standards.
Integrated security platform: A dedicated module orchestrates every step – from generating alerts and enriching them with context to automatically triggering the right containment or remediation action via one streamlined workflow.
Contextual disruption execution: When a detector triggers on a critical asset, our framework immediately enriches the alert with detailed contextual telemetry. This enriched data is leveraged in several powerful ways. For example, events are correlated to accurately identify any impacted users – even when initial detections lack clear user data (such as when a malicious payload runs under the SYSTEM account via a service, where our framework traces the creator of the service). The framework also assesses remote activity to capture additional related entities, applying tailored threat lists specific to each asset type. These examples demonstrate how our context-driven approach transforms raw detections into precise, actionable intelligence that enable targeted responses like user containment and soon, IP containment for critical assets.

Where we’re heading

As the threat landscape evolves, we continue investing in attack disruption’s ability to protect critical assets. Our roadmap includes:

Scaling through AI-driven behavioral coverage: We’re shifting from a detector-centric approach to an AI-driven model that continuously learns from vast volumes of telemetry and behavioral patterns. We’re shifting the framework to identify and disrupt threats dynamically, improving precision, expanding coverage, and adapting faster than static rules ever could.
Extending asset coverage: Beyond domain controllers, upcoming iterations will include additional high-value assets such as Entra Connect Sync servers, internet-facing servers, SQLs servers, and more – providing comprehensive protection across your organization’s critical infrastructure.
Deepening integration: This innovation has been made possible through the integration between Microsoft Defender for Endpoint and Microsoft Security Exposure Management, which provides advanced asset classification. Our ongoing partnership ensures we continue to innovate and deliver tailored solutions that address unique client needs.

Conclusion

The ability to protect critical assets represents a paradigm shift in cybersecurity, moving from reactive alerting to proactive, context-aware disruption that prioritizes not just alerts, but the assets themselves. By recognizing that not all assets carry the same risk, our approach ensures that protection efforts are focused where they matter most, enabling true end-to-end defense. By integrating advanced asset classification and context-driven intelligence into our security platform, we’re not only protecting critical systems like domain controllers but also empowering customers with decisive, actionable insights.

As we continue to innovate, our commitment remains clear: to deliver intelligent, effective security solutions that safeguard your most vital assets against even the most advanced threats.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities and how we protect critical assets:

Learn more about Microsoft Defender for Endpoint.
Read our latest security blog on how we protect against ransomware attacks using domain controllers.
Read about the new containment features.
Learn how attack disruption safeguards your domain controllers in this video.
Check out our latest infographic.
Read about automatic attack disruption.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Discover how automatic attack disruption protects critical assets while ensuring business continuity appeared first on Microsoft Security Blog.

For chief technology officers (CTOs), this raises important questions: How can frontline devices enhance productivity and responsiveness? And just as critically, how can organizations ensure those devices are secure, compliant, and ready to go at a moment’s notice?

Healthcare isn’t alone in these challenges. Industries like retail, where frontline teams also engage directly with the public in fast-paced, high-stakes environments, face similar pressures around device management, security, and scalability. This blog focuses on how modern endpoint management supports care and delivery at the frontline, with parallel insights drawn from the retail world to highlight shared strategies and solutions.

Learn how Microsoft Intune can help your organization securely manage frontline devices.

Microsoft Intune

Secure and manage every device from one place.

Learn more

Why endpoint management matters at the frontline

Every frontline interaction is a potential brand moment that impacts trust and outcomes. A poor experience can ripple quickly, but the right tools in the hands of frontline staff can lead to faster, more personalized service. To deliver those experiences at scale, CTOs should consider three foundational principles for frontline device strategy:

1. Recognize that many devices are shared. With shift-based work, secure and seamless sign-on backed by a Zero Trust approach helps provide the right person access to the right tools, without delay.
2. Use a cloud-native approach to manage all devices. Whether company-issued or bring-your-own device (BYOD), cross-platform management keeps devices are up-to-date and ready to go, reducing setup times and support tickets.
3. Embrace innovations like Microsoft Copilot and Microsoft 365. AI-powered tools and Cloud PCs help organizations scale faster, enhance security, and give workers access to the latest experiences, without disruption.

Now let’s explore what this looks like in practice, starting with healthcare.

Healthcare in focus: Modern management for care delivery

In healthcare, frontline workers rely on shared devices that must be secure, personalized, and compliant. Microsoft Intune has helped hospitals like Milton Keynes University Hospital implement endpoint management for shared tablets used in nurse stations—tools that support real-time monitoring and communication.

Because staff rotate across shifts, easy sign-in is essential, and devices must only receive updates during defined maintenance windows. These shared tablets also require network restrictions and strict access controls to meet security standards without interrupting care.

Intune also supports iPad OS and configuration, helping frontline staff access patient information quickly and securely at the bedside, reducing friction and improving the overall care experience.

With AI-powered tools like Microsoft Copilot in Intune, healthcare IT teams can proactively identify issues, troubleshoot devices, and maintain compliance, all while reducing operational burden. As new AI agent capabilities emerge, they’ll enable even faster remediation of vulnerabilities, protecting sensitive patient data in an evolving cyberthreat landscape.

And with Windows 365 Frontline, healthcare organizations can provide scalable, secure access to virtual desktops for rotating clinical staff, delivering performance without the need to deploy and manage a physical device for every user.

Retail in focus: Elevating service and speed on the store floor

In retail environments, every frontline interaction is a brand opportunity, and device performance can make or break that moment.

At the National Retail Federation (NRF) conference in January 2025, companies like IKEA and Levi’s showcased how giving employees access to personalized devices helps them visualize products with customers and provide more tailored service.

Retail staff often rely on shared devices across shifts, so it’s critical that sign-in is fast, interfaces are familiar, and access is secure but streamlined. Temporary session PINs and pre-configured apps let employees start working, and serving customers, immediately.

At Schwarz Group (which includes 575,000 employees across 13,900 stores in 32 countries, including the Lidl and Kaufland retail brands) Intune supports staging and managing tens of thousands of employee devices. IT can remotely provision new devices with pre-defined configurations, eliminating time-consuming setups and ensuring tools are ready before the employee even logs in.

Retailers can also take advantage of Windows 365 Cloud PCs and Windows 365 Frontline to give employees secure access to key tools across locations and shifts, while simplifying management and keeping costs down.

A better frontline experience leads to better outcomes

Whether it’s a customer shopping in store or a patient receiving care, the frontline experience shapes how people perceive your organization. When frontline tools are secure, responsive, and tailored to the user, staff can serve with confidence—and people feel the difference.

Now is the time to reassess your endpoint strategy. For healthcare organizations, secure, cloud-native device management can be one of the most powerful levers for improving patient outcomes and operational efficiency. And for industries with similar frontline demands, like retail, the same principles can deliver meaningful gains in speed, security, and customer satisfaction.

Explore how other leading organizations are benefiting from modern, cloud-native endpoint management. For more, check out Intune’s recent “From the frontlines” blog for retail or for healthcare, or other examples of Intune customer stories.

Learn more

Learn more about Microsoft Intune.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Faster, more personalized service begins at the frontline with Microsoft Intune appeared first on Microsoft Security Blog.

While there are new vendors launching MDR services regularly, many security teams are turning to Microsoft Defender Experts for XDR, a recognized leader, to deliver comprehensive coverage.¹ Employed worldwide by organizations across industries, Microsoft’s team of dedicated experts proactively hunts for cyberthreats and triages, investigates, and responds to incidents on a customer’s behalf around the clock across their most critical assets. Our proven service brings together in-house security professionals and industry-leading protection with Microsoft Defender XDR to help security teams rapidly stop cyberthreats and keep their environments secure.² 

Frost & Sullivan names Microsoft Defender Experts for XDR a leader in the Frost Radar™ Managed Detection and Response for 2024.¹ 

Microsoft Defender Experts for XDR

Give your security operations center team coverage with end-to-end protection and expertise.

Learn more

Reduce the staffing burden, improve security coverage, and focus on other priorities

Microsoft Defender Experts for XDR improves operational efficacy greatly while elevating an organization’s security posture to a new level. The team of experts will monitor the environment, find and halt cyberthreats, and help contain incidents faster with human-led response and remediation. With Defender Experts for XDR, organizations will expand their threat protection capabilities, reduce the number of incidents over time, and have more resources to focus on other priorities.

More experts on your side

Scaling in-house security teams remains challenging. Security experts are not only scarce but expensive. The persistent gap in open security positions has widened to 25% since 2022, meaning one in four in-house security analyst positions will remain unfilled.³ In the Forrester Consulting New Technology Project Total Economic Impact study, without Defender Experts for XDR, the in-house team size for the composite organization would need to increase by up to 30% in mid-impact scenario or 40% in high-impact scenario in year one to provide the same level of threat detection service.⁴ When you consider the lack of available security talent, increasing an in-house team size by 40% poses significant security concerns to CISOs. Existing security team members won’t be able to perform all the tasks required. Many will be overworked, which may lead to burnout.

With more than 34,000 full-time equivalent security engineers, Microsoft is one of the largest security companies in the world. Microsoft Defender Experts for XDR reinforces your security team with Microsoft security professionals to help reduce talent gap concerns. In addition to the team of experts, customers have additional Microsoft security resources to help with onboarding, recommendations, and strategic insights.

“Microsoft has the assets and people I needed. All the technologies, Microsoft Azure, and a full software stack end-to-end, all combined together with the fabric of security. Microsoft [Defender Experts for XDR] has the people and the ability to hire and train those people with the most upmost skill set to deal with the issues we face.”

—Head of Cybersecurity Response Architecture, financial services industry

Accelerate and expand protection against today’s cyberthreats

Microsoft Defender Experts for XDR deploys quickly. That’s welcome news to organizations concerned about maturing their security program and can’t wait for new staffing and capabilities to be developed in-house. Customers can quickly leverage the deep expertise of the Microsoft Defender Experts for XDR team to tackle the increasing number of sophisticated threats. 

CISOs and security teams know that phishing attacks continue to rise because cybercriminals are finding success. Email remains the most common method for phishing attacks, with 91% of all cyberattacks beginning with a phishing email. Phishing is the primary method for delivering ransomware, accounting for 45% of all ransomware attacks. Financial institutions are most targeted at 27.7% followed by nearly all other industries.⁵

According to internal Microsoft Defender Experts for XDR statistics, roughly 40% of halted threats are phishing.

Microsoft Defender Experts for XDR is a managed extended detection and response service (MXDR). MXDR is an evolution of traditional MDR services, which primarily focuses on endpoints. Our MXDR service has greater protection across endpoints, email and productivity tools, identities, and cloud apps—ensuring the detection and disruption of many cyberthreats, such as phishing, that would not be covered by endpoint-only managed services. That expanded and consolidated coverage enables Microsoft Defender Experts for XDR to find even the most emergent threats. For example, our in-house team identified and disrupted a significant Octo Tempest operation that was working across previously siloed domains. 

The reduction in the likelihood of breaches with Microsoft Defender Experts for XDR is roughly 20% and is worth $261,000 to $522,000 over three years with Defender Experts.⁴

In addition to detecting, triaging, and responding to cyberthreats, Microsoft Defender Experts for XDR publishes insights to keep organizations secure. That includes recent blogs on file hosting services abuse and phishing abuse of remote monitoring and management tools. As well, the MXDR service vetted roughly 45 indicators related to adversary-in-the-middle, password spray, and multifactor authentication fatigue and added them to Spectre to help keep organizations secure.

From September 2024 through November 2024, Microsoft Security published multiple cyberthreat articles covering real-world exploration topics such as Roadtools, AzureHound, Fake Palo Alto GlobalProtect, AsyncRAT via ScreenConnect, Specula C2 Framework, SectopRAT campaign, Selenium Grid for Cryptomining, and Specula.

“The Microsoft MXDR service, Microsoft Defender Experts for XDR, is helping our SOC team around the clock and taking our security posture to the next level. On our second day of using the service, there was an alert we had previously dismissed, but Microsoft continued the investigation and identified a machine in our environment that was open to the internet. It was created by a threat actor using a remote desktop protocol (RDP). Microsoft Defender Experts for XDR’s MXDR investigation and response to remediate the issue was immediately valuable to us.”

—Director of Security Operations, financial services industry

Halt cyberthreats before they do damage

In 2024 the mean time for the average organization to identify a breach was 194 days and containment 64 days.⁶  Organizations must proactively look for cyberattackers across unified cross-domain telemetry versus relying solely on disparate product alerts. Proactive threat hunting is no longer a nice-to-have in an organization’s security practice. It’s a must-have to detect cyberthreats faster before they can do significant harm.

When every minute counts, Microsoft Defender Experts for XDR can help speed up the detection of an intrusion with proactive threat hunting informed by Microsoft’s threat intelligence, which tracks more than 1,500 unique cyberthreat groups and correlates insights from 78 trillion security signals per day.⁷

Microsoft Defender Experts for Hunting proactively looks for threats around the clock across endpoints, email, identity, and cloud apps using Microsoft Defender and other signals. Threat hunting leverages advanced AI and human expertise to probe deeper and rapidly correlate and expose cyberthreats across an organization’s security stack. With visibility across diverse, cross-domain telemetry and threat intelligence, Microsoft Defender Experts for Hunting extends in-house threat hunting capabilities to provide an additional layer of threat detection to improve a SOC’s overall threat response and security efficacy.

In a recent survey, 63% of organizations saw a measurable improvement in their security posture with threat hunting. 49% saw a reduction in network and endpoint attacks along with more accurate threat detection and a reduction of false positives.⁸

Microsoft Defender Experts for Hunting enables organizations to detect and mitigate cyberthreats such as advanced persistent threats or zero-day vulnerabilities. By actively seeking out hidden risks and reducing dwell time, threat hunting minimizes potential damage, enhances incident response, and strengthens overall security posture.

Microsoft Defender Experts for XDR, which includes Microsoft Defender Experts for Hunting, allows customers to stay ahead of sophisticated threat actors, uncover gaps in defenses, and adapt to an ever-evolving cyberthreat landscape.

“Managed threat hunting services detect and address security threats before they become major incidents, reducing potential damage. By implementing this (Defender Experts for Hunting), we enhance our cybersecurity posture by having experts who continuously look for hidden threats, ensuring the safety of our data, reputation, and customer trust.”

—CISO, technology industry

Spend less to get more

Microsoft Defender Experts for XDR helps CISOs do more with their security budgets. According to a 2024 Forrester Total Economic Impact™ study, Microsoft Defender Experts for XDR generated a project return on investment (ROI) of up to 254% with a projected net present value of up to $6.1 million for the profiled composite company.⁴

Microsoft Defender Experts for XDR includes trusted advisors who provide insights on operationalizing Microsoft Defender XDR for optimal security efficacy. This helps reduce the burden on in-house security and IT teams so they can focus on other projects.

Beyond lowering security operations costs, the Forrester study noted Microsoft Defender Experts for XDR efficiency gains for surveyed customers, including a 49% decrease in security-related IT help desk tickets. Other productivity gains included freeing up 42% of available full time employee hours and lowering general IT security-related project hours by 20%.⁴

Learn how Microsoft Defender Experts for XDR can improve organizational security

Microsoft Defender Experts for XDR is Microsoft’s MXDR service. It delivers round-the-clock threat detection, investigation, and response capabilities, along with proactive threat hunting. Designed to help close the security talent gap and enhance organizational security postures, the MXDR service combines Microsoft’s advanced Microsoft Defender XDR capabilities with dedicated security experts to tackle cyberthreats like phishing, ransomware, and zero-day vulnerabilities. Offering rapid deployment, significant ROI (254%, as per Forrester), and operational efficiencies, Microsoft Defender Experts for XDR reduces incident and alerts volume, improves the security posture, and frees up in-house resources. Organizations worldwide benefit from these scalable solutions, leveraging Microsoft’s threat intelligence and security expertise to stay ahead of evolving cyberthreats.

To learn more, please visit Microsoft Defender Experts for XDR or contact your Microsoft security representative.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024, Srikanth Shoroff. March 25, 2024.

²Microsoft a Leader in the Forrester Wave for XDR, Microsoft Security Blog. June 3, 2024.

³ISC2 Cybersecurity Workforce Report, 2024.

⁴Forrester Consulting study commissioned by Microsoft, 2024, New Technology: The Projected Total Economic Impact™ of Microsoft Defender Experts For XDR.

⁵2024 Phishing Facts and Statistics, Identitytheft.org.

⁶Time to identify and contain data breaches global 2024, Statista.

⁷Microsoft Digital Defense Report, 2024.

⁸SANS 2024 Threat Hunting Survey, March 19, 2024.

The post Why security teams rely on Microsoft Defender Experts for XDR for managed detection and response appeared first on Microsoft Security Blog.