This case highlights a growing class of cyberattacks that exploit trust, collaboration platforms, and built-in tooling, and underscores why defenders must be prepared to detect and disrupt these techniques before they escalate. Read the full report to dive deeper into this vishing breach of trust.

What happened?

Once remote interactive access was established, the threat actor shifted from social engineering to hands-on keyboard compromise, steering the user toward a malicious website under their control. Evidence gathered from browser history and Quick Assist artifacts showed the user was prompted to enter corporate credentials into a spoofed web form, which then initiated the download of multiple malicious payloads. One of the earliest artifacts—a disguised Microsoft Installer (MSI) package—used trusted Windows mechanisms to sideload a malicious dynamic link library (DLL) and establish outbound command-and-control, allowing the threat actor to execute code under the guise of legitimate software.

Subsequent payloads expanded this foothold, introducing encrypted loaders, remote command execution through standard administrative tooling, and proxy-based connectivity to obscure threat actor activity. Over time, additional components enabled credential harvesting and session hijacking, giving the threat actor sustained, interactive control within the environment and the ability to operate using techniques designed to blend in with normal enterprise activity rather than trigger overt alarms.

How did Microsoft respond?

Given the growing pattern of identity-first intrusions that begin with collaboration-based social engineering, DART moved quickly to contain risk and validate scope. The team confirmed that the compromise originated from a successful Microsoft Teams voice phishing interaction and immediately prioritized actions to prevent identity or directory-level impact. Through focused investigation, we established that the activity was short-lived and limited in reach, allowing responders to concentrate on early-stage tooling and entry points to understand how access was achieved and constrained.

To disrupt the intrusion, DART conducted targeted eviction and applied tactical containment controls to protect privileged assets and restrict lateral movement. Using proprietary forensic and investigation tooling, the team collected and analyzed evidence across affected systems, validated that threat actor objectives were not met, and confirmed the absence of persistence mechanisms. These actions enabled rapid recovery while helping to ensure the environment was fully secured before declaring the incident resolved.

What can customers do to strengthen their defenses?

Human nature works against us in these cyberattacks. Employees are conditioned to be responsive, helpful, and collaborative, especially when requests appear to come from internal IT or support teams. Threat actors exploit that instinct, using voice phishing and collaboration tools to create a sense of urgency and legitimacy that can override caution in the moment.

To mitigate exposure, DART recommends organizations take deliberate steps to limit how social engineering attacks can propagate through Microsoft Teams and how legitimate remote access tools can be misused. This starts with tightening external collaboration by restricting inbound communications from unmanaged Teams accounts and implementing an allowlist model that permits contact only from trusted external domains. At the same time, organizations should review their use of remote monitoring and management tools, inventory what is truly required, and remove or disable utilities—such as Quick Assist—where they are unnecessary.

Together, these measures help shrink the attack surface, reduce opportunities for identity-driven compromise, and make it harder for threat actors to turn human trust into initial access, while preserving the collaboration employees rely on to do their work.

What is the Cyberattack Series?

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025.

The post Help on the line: How a Microsoft Teams support call led to compromise appeared first on Microsoft Security Blog.

For more than a decade, Microsoft Incident Response has been at the forefront of the world’s most complex cyberattacks, helping organizations investigate, contain, and recover from incidents. That real-world experience also informs our proactive services, which help organizations improve readiness before an incident occurs. To further help organizations before, during, and after a cyber incident, we’re excited to introduce new proactive incident response services designed to help organizations build resilience and minimize disruption.

Microsoft Incident Response

Strengthen your security with intelligence-driven incident response from Microsoft.

Explore the portfolio

Expanded proactive services to enhance resilience

Delivered by the same experts who handle real-world crises, Microsoft proactive services equip security teams with insights and skills to be informed, resilient, and ready—because the best response is one you never need to make.

• Incident response plan development: We assist organizations in developing their own incident response plan, using lessons from real-world incidents.
• Major event support: We provide dedicated teams during critical events—such as corporate conferences or sporting events—actively monitoring emerging cyberthreats and acting instantly to prevent incidents and interruptions.
• Cyber range: Microsoft Incident Response delivers simulations that provide high-fidelity, hands-on experience in a controlled environment. Security teams engage directly with threat actor tactics, using Microsoft security tools to detect, investigate, and contain cyberthreats in real time. This immersive approach builds confidence, muscle memory, and validates playbooks before an actual incident occurs using tools customers already own.
• Advisory: We offer one-on-one, customized engagements, offering strategic recommendations, industry-specific consulting, and expert guidance informed by current threat actor activity and the latest incident response engagements. These services provide on-demand access to Microsoft Incident Response and cybersecurity experts, empowering leadership and technical teams to make informed decisions that reduce risk and accelerate resilience.
• Mergers and acquisitions compromise assessment: Microsoft Incident Response offers a targeted compromise assessment performed during or around a merger, acquisition, or divestiture to determine whether the organization being acquired—or the environment being integrated—has been previously or is currently compromised by threat actors.

Building on a strong proactive foundation

These new services build on Microsoft Incident Response’s established proactive offerings, which are trusted by organizations of all sizes and across industries.

• Our popular compromise assessment delivers deep forensic investigations to identify indicators of compromise (IOCs), threat actor activity, and vulnerabilities hidden in your environment. This service includes advanced threat hunting and forensic examination, providing actionable recommendations to harden your security posture.
• Identity assessment offers a targeted evaluation of the identity control plane, pinpointing weaknesses in authentication and access policies. By addressing these gaps early, organizations reduce exposure to credential-based attacks and help ensure identity systems remain resilient against evolving cyberthreats.
• Identity hardening works with organizations to deploy policies and configurations that block unauthorized access and strengthen authentication mechanisms. Engineers provide proven containment and recovery strategies to secure the identity control plane.
• Tabletop exercises go beyond theory by immersing leadership, legal, and technical teams in realistic scenarios involving an incident. These sessions expose gaps in defenses and response plans, sharpen decision-making under pressure, and foster alignment on regulatory obligations and executive communications.

Make resilience your strongest defense

Incident response isn’t just about reacting to incidents—it’s giving organizations the confidence and capabilities needed to prevent them. Microsoft Incident Response helps customers move from security uncertainty to clarity and readiness with expert-led preparation, gap detection, defense hardening, and tailored threat insights. By investing in proactive services, you reduce risk, accelerate recovery, and strengthen your security posture before threats strike. Don’t wait for an incident to test your resilience—invest in proactive defense today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Explore the latest Microsoft Incident Response proactive services for enhanced resilience appeared first on Microsoft Security Blog.

Microsoft Defender Experts Suite

Get integrated security services that protect your organization and accelerate security outcomes in the new security offering from Microsoft.

Learn more

Elevate your security with expert-led services

Even as today’s security challenges feel overwhelming, you don’t have to face them alone. The Microsoft Defender Experts Suite combines managed extended detection and response (MXDR), end-to-end proactive and reactive incident response, and direct access to a designated Microsoft security advisor to help you protect your organization and accelerate security outcomes.

The Defender Experts Suite can help you do the following:

Defend against cyberthreats

Microsoft Defender Experts for XDR delivers round-the-clock MXDR, natively integrated with Microsoft Defender. Our seasoned analysts—bringing more than 600 years of combined experience—triage, investigate, and respond to incidents across endpoints, identities, email, cloud apps, and cloud workloads, helping to reduce alert fatigue and improve security operations center (SOC) efficiency. Defender Experts for XDR includes Microsoft Defender Experts for Hunting, which provides around-the-clock, proactive threat hunting across domains to help uncover emerging cyberthreats earlier.

With Defender Experts for XDR, you gain access to a designated service delivery engineer who helps you get the full value of the service and provides ongoing recommendations to strengthen your security posture. You can also connect with our experts on-demand for deeper insight into specific incidents, attack vectors, or nation-state cyberthreats.

Build cyber resilience

Microsoft Incident Response offers proactive and reactive services that help organizations prevent, withstand, and recover from cyber incidents. Backed by extensive threat intelligence, proprietary investigation tools, and direct engagement with Microsoft product engineering, Microsoft Incident Response strengthens resilience and delivers rapid response. Proactive services—such as incident response planning, assessments, simulation exercises, and advisory services—enhance incident response readiness, improve response capabilities, and provide tailored insights on the cyberthreat landscape.

When an incident does occur, Microsoft Incident Response rapidly investigates, removes the cyberattacker, and helps accelerates recovery. Operating on the frontlines of the world’s most complex cyberattacks since 2008, the Microsoft Incident Response team provides speed, precision, and confidence in the moments that matter most.

Modernize security operations

Microsoft Enhanced Designated Engineering provides direct access to Microsoft security advisors who partner with customers to strengthen security posture and operational maturity. Our experts work with you to help ensure Microsoft security technologies are properly architected, configured, and used effectively to achieve desired security outcomes, supported by ongoing assessments and continuous improvement. They also collaborate with security teams to optimize operations, modernize processes, and apply Microsoft best practices and real world threat intelligence to improve detection, response, and resilience—helping organizations operate with confidence as cyberthreats evolve.

Better together—integrated security services

With the Defender Experts Suite, organizations get more than standalone expertise—they gain integrated security services that reduce complexity and simplify operations. With shared intelligence and connected workflows, investigations can move faster, recommendations land in context, and improvements compound over time. Instead of managing multiple providers, security teams benefit from streamlined communication, consistent guidance, and comprehensive expertise from Microsoft security experts. This can result in a more resilient, more efficient, and more confident security operation that matures steadily rather than reacting in silos.

End-to-end, expert-led protection

Let’s look at the Microsoft Defender Experts Suite in action. When you first get started with the Microsoft Defender Experts Suite, Enhanced Designated Engineering guides you through deploying Defender workloads securely and helps ensure Defender Experts for XDR is configured correctly. Once operational, Defender Experts for XDR provides constant MXDR and threat hunting to protect your environment. Defender Experts for XDR will provide ongoing recommendations to improve your security posture, and your designated Microsoft security advisor helps you act on those recommendations as your environment evolves.

Assessments delivered by Microsoft Incident Response may uncover vulnerabilities or gaps. The Microsoft security advisor will step in to help you address them and strengthen resilience. And if an incident occurs, Defender Experts for XDR will work hand-in-hand with the Microsoft Incident Response team to help you respond and recover quickly. With end-to-end services delivered by Microsoft, you can benefit from reduced complexity, streamlined communication, comprehensive expertise, and continuous improvement.

Get started with the Microsoft Defender Experts Suite today and save

For a limited time, organizations can unlock the full value of expert-led services with a promotional offer. From January 1, 2026, through December 31, 2026, eligible customers can save up to 66% on the Microsoft Defender Experts Suite.² Read more about the Microsoft Defender Experts Suite and get started now.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Bridging the Cyber Skills Gap, World Economic Forum, 2025.

²Eligible customers must purchase a minimum of 1,500 seats of the Microsoft Defender Experts Suite and have either Microsoft 365 E5 or Microsoft Defender and Purview  Frontline Workers (formerly Microsoft 365 F5).

The post Introducing the Microsoft Defender Experts Suite: Elevate your security with expert-led services appeared first on Microsoft Security Blog.

What happened?

What began as a routine onboarding turned into a covert operation. In this case, four compromised user accounts were discovered connecting PiKVM devices to employer-issued workstations—hardware that enables full remote control as if the threat actor were physically present. This allowed unknown third parties to bypass normal access controls and extract sensitive data directly from the network. With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

DART quickly pivoted from proactive threat hunting to full-scale investigation, leveraging numerous specialized tools and techniques. These included, but were not limited to, Cosmic and Arctic for Azure and Active Directory analysis, Fennec for forensic evidence collection across multiple operating system platforms, and telemetry from Microsoft Entra ID protection and Microsoft Defender solutions for endpoint, identity, and cloud apps. Together, these tools and capabilities helped trace the intrusion, contain the threat, and restore operational integrity.

How did Microsoft respond?

Once the scope of the compromise was clear, DART acted immediately to contain and disrupt the cyberattack. The team disabled compromised accounts, restored affected devices to clean backups, and analyzed Unified Audit Logs—a feature of Microsoft 365 within the Microsoft Purview Compliance Manager portal—to trace the threat actor’s movements. Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse. To blunt the broader campaign, Microsoft also suspended thousands of accounts linked to North Korean IT operatives.

What can customers do to strengthen their defenses?

This cyberthreat is challenging, but it’s not insurmountable. By combining strong security operations center (SOC) practices with insider risk strategies, companies can close the gaps that threat actors exploit. Many organizations start by improving visibility through Microsoft 365 Defender and Unified Audit Log integration and protecting sensitive data with Microsoft Purview Data Loss Prevention policies. Additionally, Microsoft Purview Insider Risk Management can help organizations identify risky behaviors before they escalate, while strict pre-employment vetting and enforcing the principle of least privilege reduce exposure from the start. Finally, monitor for unapproved IT tools like PiKVM devices and stay informed through the Threat Analytics dashboard in Microsoft Defender. These cybersecurity practices and real-world strategies, paired with proactive alert management, can give your defenders the confidence to detect, disrupt, and prevent similar attacks.

What is the Cyberattack Series?

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹AI Fuels Mistrust Between Employers and Job Candidates; Recruiters Worry About Fraud, Candidates Fear Bias

The post Imposter for hire: How fake people can gain very real access appeared first on Microsoft Security Blog.

The backdoor, which we’ve named SesameOp, was discovered in July 2025, when DART researchers responded to a sophisticated security incident, where the threat actors had maintained a presence within the environment for several months prior to the engagement. The investigation uncovered a complex arrangement of internal web shells, which were responsible for running commands relayed from persistent, strategically placed malicious processes. These processes leveraged multiple Microsoft Visual Studio utilities that had been compromised with malicious libraries, a defense evasion method known as .NET AppDomainManager injection.

Hunting across other Visual Studio utilities loading unusual libraries led to the discovery of additional files that could facilitate external communications with the internal web shell structure. Analysis of one such artifact identified SesameOp, a covert backdoor purpose-built to maintain persistence and allow a threat actor to stealthily manage compromised devices. The stealthy nature of SesameOp is consistent with the objective of the attack, which was determined to be long term-persistence for espionage-type purposes.

This blog post outlines our analysis of SesameOp and its inner workings and highlights the capability of threat actors to adjust their tactics, techniques, and procedures (TTPs) in response to rapid technological developments. We’re sharing these findings with the broader security research community to help disrupt this backdoor and improve defenses against this and similar threats.

This threat does not represent a vulnerability or misconfiguration, but rather a way to misuse built-in capabilities of the OpenAI Assistants API, which is being deprecated in August 2026. Microsoft and OpenAI jointly investigated the threat actor’s use of the OpenAI Assistants API. DART shared the findings with OpenAI, who identified and disabled an API key and associated account believed to have been used by the actor. The review confirmed that the account had not interacted with any OpenAI models or services beyond limited API calls. Microsoft and OpenAI continue to collaborate to better understand and disrupt how threat actors attempt to misuse emerging technologies.

Technical analysis  

Our investigation uncovered how a threat actor integrated the OpenAI Assistants API within a backdoor implant to establish a covert C2 channel, leveraging the legitimate service rather than building a dedicated infrastructure for issuing and receiving instructions. Our analysis revealed sophisticated techniques employed to secure and obfuscate communications, including payload compression to minimize size, as well as layered encryption mechanisms both symmetric and asymmetric to protect command data and exfiltrated results.

The infection chain consists of a loader (Netapi64.dll) and a NET-based backdoor (OpenAIAgent.Netapi64) that leverages OpenAI as a C2 channel. The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API. Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.

Netapi64.dll loader

Netapi64.dll is obfuscated with Eazfuscator.NET, a tool used to obfuscate .NET applications. The DLL creates the file C:\Windows\Temp\Netapi64.start as a marker. It also creates a mutex to ensure that only one instance is running in memory. Any exceptions with an error message are written to C:\Windows\Temp\Netapi64.Exception.

The Netapi64.dll loader enumerates the files under C:\Windows\Temp\ and checks for a file ending with .Netapi64. The loader then XOR-decodes the file and runs it.

OpenAIAgent.Netapi64 backdoor

Microsoft security researchers determined that the malware component OpenAIAgent.Netapi64 contains the main functionality that enables the backdoor to operate. Contrary to its name, OpenAIAgent.Netapi64 does not utilize OpenAI agent software development kits (SDKs) or model execution features. Instead, it uses OpenAI Assistants API to fetch commands, which the malware then decrypts and executes locally. Once the tasks are completed, it sends the results back to OpenAI as a message. To stay under the radar, it uses compression and encryption, ensuring both the incoming payload and the outgoing results remain hidden.

At launch, it creates the mutex OpenAI APIS, reads the configuration from the .NET resource section TextFile1 of the executable, and parses it:

<OpenAI_API_Key>|<Dictionary_Key_Name>|<Proxy>

The configuration is split using a pipe (|). The first part (OpenAIAgent.token) contains the OpenAI API key and the second part (OpenAIAgent.aaazzz) is used by the embedded .NET module as a dictionary key selector. The third part (OpenAIAgent.proxy) specifies the proxy address.

The code checks if the third part of the configuration specifies a proxy address; if present, it utilizes this address. In the absence of proxy details, the system defaults to using the default web proxy system.

The backdoor obtains the hostname and applies Base64 encoding. If the hostname is unavailable, it uses NAMEXXX as a placeholder.

First, the backdoor queries the vector store list from OpenAI using the OpenAI Assistants API and the hardcoded API key. The backdoor also checks if the vector store name contains hostnames by parsing the response. If, for example, the host is communicating for the first time, OpenAI would not have the hostname, so it would create a vector store using the hostname of the infected machine.

The vector store list retrieved from OpenAI might look like this:

Next, it retrieves the list of Assistants created in the OpenAI account, of up to 100 Assistants, with pagination controlled by the limit query parameter. From the response, it populates Assistant ID, name, description and instructions variables.

In the context of OpenAI, Assistants refer to a feature within the OpenAI platform that allows developers and organizations to create custom AI agents tailored to specific tasks, workflows, or domains. These Assistants are built on top of OpenAI’s models (like GPT-4 or GPT-4.1) and can be extended with additional capabilities.

An Assistants list retrieved from OpenAI might look like this:

In the response above, the description field is set to SLEEP. The description field contains one of the following three options:

• SLEEP
• Payload
• Result

When the description is set to SLEEP, the backdoor reads the instruction value and splits the string with [._.] as delimiter. The first element is the thread ID and the second element is the message ID. The backdoor retrieves the message from OpenAI using both the thread ID and message ID.

The message retrieved from OpenAI using thread ID and message ID might look like this:

The backdoor parses the timeSLEEP field from the response received from OpenAI. The value is then used to perform a thread sleep operation.

In the Assistants list, if the description field contains Payload, the backdoor retrieves the message from OpenAI using the thread ID and message ID extracted from the instructions field and deletes the message and the Assistant using message ID and Assistant ID, respectively.

After the message is read from OpenAI, the backdoor invokes a separate thread for execution.

The invoked thread begins parsing the message. The message consists of two parts separated by a space. The message is split into an array of two elements:

• The first element is a 32-byte AES key, which is Base64-decoded and decrypted using a hardcoded RSA private key.
• The second element is Base64-decoded, decrypted with AES algorithm using the key derived from the first element, and decompressed with GZIP.

The decrypted message undergoes additional processing and is converted into a dictionary through the following steps:

1. Split by ampersands (&): The decrypted message is divided using & as the delimiter, with empty entries removed.
2. Split each pair by equal sign (=): Each resulting substring is split by = with a maximum of 2 parts to separate keys from values.
3. URL decoding: Both the key and value are decoded using HttpUtility.UrlDecode() with UTF-8 encoding to handle special characters.

After converting the final message into a dictionary and retrieving the OpenAIAgent.aaazzz key from the configuration, both are passed as parameters to the executeWithJScriptEngine method. The method first checks whether OpenAIAgent.httpApplicationState[“MicroWxx”] is null. If it is null, the code Base64-decodes and GZIP-decompresses the embedded .NET module. Using reflection, the backdoor then dynamically loads this module and calls the Frameworks method with the provided parameters. If MicroWxx is already present in the Application State (i.e., the check for null fails), the code skips the decoding and decompression steps of embedded module and directly loads and executes the method retrieved from Application State.

The Frameworks method initializes a Microsoft JScript VsaEngine, then loops through the message dictionary (DicT) to construct a NameValueCollection. It retrieves a key from the configuration (Pwd) and uses this key to find the corresponding value in the collection. This value is then executed using Eval.JScriptEvaluate, and the result of this execution is returned to the original caller of the module.

After launch, a 32-byte AES key is created. The result is first compressed with GZIP, then encrypted using AES with this key, and finally encoded in Base64. The AES key itself is encrypted using a hardcoded RSA public key found in the backdoor, and this encrypted key is also Base64-encoded. Both the encrypted key and the processed result are joined together, separated by a space character.

The processed result is posted to OpenAI as a new message with the same thread ID retrieved earlier from description field.

The backdoor creates a new Assistant with the Base64-encoded hostname as Assistant name. The thread ID and the new message ID, where the results are posted to, are concatenated using the delimiter [._.]. The instruction field is set to the concatenated thread ID and message ID and description field is set to Result. This signals to the actor that the result obtained by executing the payload is ready.

Finally, it performs a POST request to vector store using the vector store ID.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Audit and review firewalls and web server logs frequently. Be aware of all systems exposed directly to the Internet.
• Use Windows Defender Firewall, intrusion prevention systems, and network firewall to block C2 server communications across endpoints whenever feasible. This approach can help mitigate lateral movement and other malicious activities.
• Review and configure your perimeter firewall and proxy settings to limit unauthorized access to services, including connections through non-standard ports.
• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Turn on potentially unwanted applications (PUA) protection in block mode in Microsoft Defender Antivirus. PUA are a category of software that can cause your machine to run slowly, display unexpected ads, or install other software that might be unexpected or unapproved.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
• Turn on Microsoft Defender Antivirus real-time protection.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects this threat as the following malware: 

• Trojan:MSIL/Sesameop.A (loader)
• Backdoor:MSIL/Sesameop.A (backdoor)

Microsoft Defender for Endpoint 

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity. 

• Possible dotnet process AppDomainManager injection

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Devices connecting to OpenAI API endpoints

//show number of devices connecting to https://api.openai.com per InitiatingProcessFileName, and number of days in the period where the connection was observed
DeviceNetworkEvents
| where RemoteUrl endswith "api.openai.com"
| summarize Connections = count() by DayOfConnection = bin(TimeGenerated, 1d), DeviceName, InitiatingProcessFileName, RemoteUrl
| summarize TotalConnections = sum(Connections), DaysWithConnections = dcount(DayOfConnection), DistinctDevices = dcount(DeviceName) by InitiatingProcessFileName, RemoteUrl

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Microsoft is committed to delivering comprehensive customer experience through various Microsoft offerings. Our approach goes beyond traditional support by focusing on detection, prevention, and in-depth mitigation to help customers quickly respond to security incidents and build resiliency. Check our Unified and Security eBook and visit https://aka.ms/Unified.

The post SesameOp: Novel backdoor uses OpenAI Assistants API for command and control appeared first on Microsoft Security Blog.

What happened?

The cases we’re examining in detail spanned two parts—Reactive 1 and Reactive 2. Reactive 1 began when a retail customer received a Microsoft Defender Experts alert titled “Possible web shell installation.” The Investigation revealed a malicious ASPX file on their SharePoint server, linked to vulnerabilities CVE-2025-49706 and CVE-2025-49704. These allowed cyberattackers to spoof identities and inject remote code.

Reactive 2 started with a single compromised identity. Cyberattackers gained persistence by abusing self-service password reset features and mapped the organization’s identity structure using Microsoft Entra ID and Microsoft Graph API. The issue escalated access using Azure Virtual Desktop and Remote Desktop Protocol (RDP), deployed tools like PsExec and SQL Server Management Studio, and maintained control using Teleport, Azure CLI, and Rsocx proxy. Credential manipulation and directory exploration followed, confirmed by Entra ID risk events. The Detection and Response Team (DART) again provided expert support to contain and analyze the threat.

In both cases, the customer engaged DART quickly, which helped validate the scope of the compromise and assess cyberattacker activity and persistence mechanisms.

How did Microsoft respond?

DART swiftly addressed the two security incidents by executing a comprehensive set of actions aimed at restoring control, containing cyberthreats, and reinforcing long-term resilience. The team began by reclaiming identity systems—both on-premises and cloud—through Active Directory takeback and Entra ID isolation. It neutralized threat actor access by deprivileging compromised accounts, revoking tokens, and identifying persistence mechanisms like Teleport and multifactor authentication (MFA) device registration. Malicious web shells were detected and removed within hours, showcasing rapid containment capabilities.

To investigate and remediate the incidents, Microsoft deployed proprietary forensic tools across critical infrastructure, enabling root cause analysis and operational recovery. The team also guided the affected organization through security configuration enhancements aligned with Zero Trust principles, including MFA enforcement. Threat intelligence from Defender and Microsoft Sentinel confirmed systemic identity compromise, prompting patching of vulnerable systems and a phased mass password reset with user identity re-attestation. Additionally, reverse engineering of ransomware revealed targeted attacks on ESXi directories, informing further mitigation strategies.

What can customers do to prepare?

In the case of Reactive 1, we recommended critical security actions to fortify on-premises SharePoint environments and minimize exposure to known vulnerabilities, something we recommend for all customers. Customers can reduce their risk by deploying endpoint detection and response (EDR) across all devices, conducting regular vulnerability scans, and strengthening identity and access controls. Centralized logging and threat intelligence should also be implemented, along with preserving evidence and maintaining a robust incident response plan. Tools to monitor behavioral anomalies, suspicious processes, and malware indicators are increasingly necessary to protect against today’s threat actors.

Patching promptly—especially for known exploited vulnerabilities—remains a key defense for customers. Regular security hygiene practices—like enforcing MFA across all accounts, removing inactive credentials, and applying least privileged access principles—can improve defenses in real time as threats change fast.

Secure your spot

Ready to strengthen your security strategy for the AI era? Register now for Microsoft Secure, on September 30, to explore the latest AI-first solutions. Then, join us at Microsoft Ignite—November 17–21 in San Francisco, CA or online—to deep dive into more innovations, connect with industry experts, experience hands-on labs, and earn certifications.

What is the Cyberattack Series?

With our Cyberattack Series, customers discover how DART investigates unique and notable cyberattacks. For each cyberattack story, we share:

• How the cyberattack happened
• How the security compromise was discovered
• Microsoft’s investigation and eviction of the threat actor
• Strategies to avoid similar cyberattacks

While retail customers were the target of cyberattackers this time, these incidents serve as a stark reminder that proactive patching, identity segmentation, and continuous monitoring are essential security practices to defend against modern cyber threats for all customers. DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more with Microsoft Security

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or premier support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Retail Cybersecurity Statistics: Market Data Report 2025 

The post Retail at risk: How one alert uncovered a persistent cyberthreat​​ appeared first on Microsoft Security Blog.

Co-authors: Henry Yan, Sr. Product Marketing Manager and Sylvie Liu, Principal Product Manager

Security Operations Centers (SOCs) are under extreme pressure due to a rapidly evolving threat landscape, an increase in volume and frequency of attacks driven by AI, and a widening skills gap. To address these challenges, organizations across industries are relying on Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting to bolster their SOC and stay ahead of emerging threats. We are committed to continuously enhancing Microsoft Defender Experts services to help our customers safeguard their organizations and focus on what matters most.

We are excited to announce the general availability of expanded Defender Experts coverage. With this update, Defender Experts for XDR and Defender Experts for Hunting now deliver around the clock protection and proactive threat hunting for your cloud workloads, starting with hybrid and multicloud servers in Microsoft Defender for Cloud. Additionally, third-party network signals from Palo Alto Networks, Zscaler, and Fortinet can now be used for incident enrichment in Defender Experts for XDR, enabling faster and more accurate detection and response.

Extend 24/7, expert-led defense and threat hunting to your hybrid and multicloud servers

As cloud adoption accelerates, the sophistication and frequency of cloud attacks are on the rise. According to IDC, in 2024, organizations experienced an average of more than nine cloud security incidents, with 89% reporting an increase year over year. Furthermore, cloud security is the leading skills gap with almost 40% of respondents in the O’Reilly 2024 State of Security Survey identifying it as the top area in need of skilled professionals. Virtual machines (VMs) are the backbone of cloud infrastructure, used to run critical applications with sensitive data while offering flexibility, efficiency, and scalability. This makes them attractive targets for attackers as compromised VMs can be used to potentially carry out malicious activities such as data exfiltration, lateral movement, and resource exploitation.

Defender Experts for XDR now delivers 24/7, expert-led managed extended detection and response (MXDR) for your hybrid and multicloud servers in Defender for Cloud. Our security analysts will investigate, triage, and respond to alerts on your on-premises and cloud VMs across Microsoft Azure, Amazon Web Services, and Google Cloud Platform. With Defender Experts for Hunting, which is included in Defender Experts for XDR and also available as a standalone service, our expert threat hunters will now be able to hunt across hybrid and multicloud servers in addition to endpoints, identities, emails, and cloud apps, reducing blind spots and uncovering emerging cloud threats.

Figure 1: Incidents from servers in Defender for Cloud investigated by Defender Experts

Incident enrichment for improved detection accuracy and faster response

By enriching Defender incidents with third-party network signals from Palo Alto Networks (PAN-OS Firewall), Zscaler (Zscaler Internet Access and Zscaler Private Access), and Fortinet (FortiGate Next-Generation Firewall), our security analysts gain deeper insights into attack paths. The additional context helps Defender Experts for XDR identify patterns and connections across domains, enabling more accurate detection and faster response to threats.

Figure 2: Third-party enrichment data in Defender Experts for XDR report

In this hypothetical scenario, we explore how incident enrichment with third-party network signals helped Defender Experts for XDR uncover lateral movement and potential data exfiltration attempts.

• Detection: Microsoft Defender for Identity flagged an “Atypical Travel” alert for User A, showing sign-ins from India and Germany within a short timeframe using different devices and IPs, suggesting possible credential compromise or session hijacking. However, initial identity and cloud reviews showed no signs of malicious activity.
• Correlation: From incident enrichment with third-party network signals, Palo Alto firewall logs revealed attempts to access unauthorized remote tools, while Zscaler proxy data showed encrypted traffic to an unprotected legacy SharePoint server.
• Investigation: Our security analysts uncovered that the attacker authenticated from a managed mobile device in Germany. Due to token reuse and a misconfigured Mobile Device Management profile, the device passed posture checks and bypassed Conditional Access, enabling access to internal SharePoint. Insights from third-party network signals helped Defender Experts for XDR confirm lateral movement and potential data exfiltration.
• Response: Once malicious access was confirmed, Defender Experts for XDR initiated a coordinated response, revoking active tokens, isolating affected devices, and hardening mobile policies to enforce Conditional Access.

Flexible, cost-effective pricing

Defender Experts coverage of servers in Defender for Cloud is priced per server per month, with charges based on the total number of server hours each month. You have the flexibility to scale your servers as needed while ensuring cost effectiveness as you only pay for Defender Experts coverage based on resources you use. For example, if you have a total of 4000 hours across all servers protected by Defender for Cloud in June (June has a total of 720 hours), you will be charged for a total of 5.56 servers in June (4000/720 = 5.56).

There is no additional charge for third-party network signal enrichment beyond the data ingestion charge through Microsoft Sentinel.

Please contact your Microsoft account representative for more information on pricing.

Get started today

Defender Experts coverage of servers in Defender for Cloud will be available as an add-on to Defender Experts for XDR and Defender Experts for Hunting. To enable coverage, you must have the following:

• Defender Experts for XDR or Defender Experts for Hunting license
• Defender for Servers Plan 1 or Plan 2 in Defender for Cloud

You only need a minimum of 1 Defender Experts for XDR or Defender Experts for Hunting license to enable coverage of all your servers in Defender for Cloud.

If you are interested in purchasing Defender Experts for XDR or the add-on for Defender Experts coverage of servers in Defender for Cloud, please complete this interest form.

Third-party network signals for enrichment are available only for Defender Experts for XDR customers. To enable third-party network signals for enrichment, you must have the following:

• Microsoft Sentinel instance deployed
• Microsoft Sentinel onboarded to Microsoft Defender portal
• At least one of the supported network signals ingested through Sentinel built-in connectors:
  • Palo Alto Networks (PAN-OS Firewall)
  • Zscaler (Zscaler Internet Access and Zscaler Private Access)
  • Fortinet (FortiGate Next-Generation Firewall)

If you are an existing Defender Experts for XDR customer and are interested in enabling third-party network signals for enrichment, please reach out to your Service Delivery Manager.

Learn more

• Technical Documentation
  • Microsoft Defender Experts for XDR
  • Microsoft Defender Experts for Hunting
  • Third-party network signals for enrichment
  • Plan Defender for Servers deployment
• Defender Experts Ninja Training

The post Elevate your protection with expanded Microsoft Defender Experts coverage appeared first on Microsoft Security Blog.

Microsoft has not yet attributed StilachiRAT to a specific threat actor or geolocation. Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape.

Microsoft security solutions can detect activities related to attacks that use StilachiRAT. To help defenders protect their network, we are also sharing mitigation guidance to help reduce the impact of this threat, detection details, and hunting queries. Microsoft continues to monitor information on the delivery vector used in these attacks. Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security hardening measures to prevent the initial compromise. 

This blog presents our detailed findings on all the key capabilities of StilachiRAT, which include:

• System reconnaissance: Collects comprehensive system information, including operating system (OS) details, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications, allowing detailed profiling of the target system.
• Digital wallet targeting: Scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser.
• Credential theft: Extracts and decrypts saved credentials from Google Chrome, gaining access to usernames and passwords stored in the browser.
• Command-and-control (C2) connectivity: Establishes communication with remote C2 servers using TCP ports 53, 443, or 16000, enabling remote command execution and potentially SOCKS like proxying.
• Command execution: Supports a variety of commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension.
• Persistence mechanisms: Achieves persistence through the Windows service control manager (SCM) and uses watchdog threads to ensure self-reinstatement if removed.
• RDP monitoring: Monitors RDP sessions, capturing active window information and impersonating users, allowing for potential lateral movement within networks.
• Clipboard and data collection: Continuously monitors clipboard content, actively searching for sensitive data like passwords and cryptocurrency keys, while tracking active windows and applications.
• Anti-forensics and evasion: Employs anti-forensic tactics by clearing event logs, detecting analysis tools, and implementing sandbox-evading behaviors to avoid detection.

Technical analysis of key capabilities

System reconnaissance

StilachiRAT gathers extensive system information, including OS details, device identifiers, BIOS serial numbers, and camera presence. Information is collected through the Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL). Below are some of the queries it executes:

Serial number

Camera

OS / System info (server, model, manufacturer)

Additionally, the malware creates a unique identification on the infected device that is derived from the system’s serial number and attackers’ public RSA key. The information is stored in the registry under a CLSID key.

Digital wallet targeting

StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser. It accesses the settings in the following registry key and validates if any of the extensions are installed:

\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings

The malware targets the following cryptocurrency wallet extensions:

Credential theft

StilachiRAT extracts Google Chrome’s encryption_key from the local state file in a user’s directory. However, since the key is encrypted when Chrome is first installed, it uses Windows APIs that rely on current user’s context to decrypt the master key. This allows access to the stored credentials in the password vault. The stored credentials are extracted from the following locations:

• %LOCALAPPDATA%\Google\Chrome\User Data\Local State – stores Chrome’s configuration data, including the encrypted key.
• %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – stores entered user credentials.

The “Login Data” stores information using an SQLite database and the malware retrieves credentials using the following query:

Command-and-control (C2)

There are two configured addresses for the C2 server – one is stored in obfuscated form and the other is an IP address converted to its binary format (instead of a regular string):

• app.95560[.]cc
• 194.195.89[.]47

The communications channel is established using TCP ports 53, 443, or 16000, selected randomly. Additionally, the malware checks for presence of tcpview.exe and will not proceed if one is present. It also delays initial connection by two hours, presumably to evade detection. Once connected, a list of active windows is sent to the server. Additional technical findings regarding C2 communications functionality are listed in the section below.

Persistence mechanisms

StilachiRAT can be launched both as a Windows service or a standalone component. In both cases, there is a mechanism in place to ensure the malware isn’t removed.

A watchdog thread monitors both the EXE and dynamic link library (DLL) files used by the malware by periodically polling for their presence. If found absent, the files can be recreated from an internal copy obtained during initialization. Lastly, the Windows service component can be recreated by modifying the relevant registry settings and restarting it through the SCM.

RDP monitoring

StilachiRAT monitors RDP sessions by capturing foreground window information and duplicating security tokens to impersonate users. This is particularly risky on RDP servers hosting administrative sessions as it could enable lateral movement within networks.

The malware obtains the current session and actively launches foreground windows as well as enumerates all other RDP sessions. For each identified session, it will access the Windows Explorer shell and duplicate its privileges or security token. The malware then gains capabilities to launch applications with these newly obtained privileges.

Data collection

StilachiRAT collects a variety of user data, including software installation records and active applications. It monitors active GUI windows, their title bar text, and file location, and sends this information to the C2 server, potentially allowing attackers to track user behavior.

Clipboard monitoring

StilachiRAT has a functionality that is responsible for monitoring clipboard data. Specifically, the malware can periodically read the clipboard, extract text based on search expressions, and then exfiltrate this data. Clipboard monitoring is continuous, with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.

The list below includes the regular search expressions used to extract certain credentials. These are associated with the Tron Cryptocurrency blockchain that is popular in Asia, especially in China.

The same search expressions are then used to iterate files in the following locations:

• %USERPROFILE%\Desktop
• %USERPROFILE%\Recent

Anti-forensic measures

StilachiRAT displays anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection. This includes looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments commonly used for malware analysis.

Additionally, Windows API calls are obfuscated in multiple ways and a custom algorithm is used to encode many text strings and values. This significantly slows down analysis time since extrapolating higher level logic and code design becomes a more complex effort.

The malware employs API-level obfuscation techniques to impede manual analysis, specifically by concealing its use of Windows APIs (e.g., RegOpenKey()). Instead of referencing API names directly, it encodes them as checksums that are resolved dynamically at runtime. While this is a common technique in malware, the authors have introduced additional layers of obfuscation.

Precomputed API checksums are stored in multiple lookup tables, each masked with an XOR value. During launch, the malware selects the appropriate table based on the hashed API name, applies the correct XOR mask to decode the value, and dynamically resolves the corresponding Windows API function. The resolved function pointer is then cached, but with an additional XOR mask applied, preventing straightforward memory scans from identifying API references.

Commands launched from the C2 server

StilachiRAT can launch various commands received from the C2 server. These commands include system reboot, log clearing, credential theft, executing applications, and manipulating system windows. Additionally, it can suspend the system, modify Windows registry values, and enumerate open windows, indicating a versatile command set for both espionage and system manipulation. The C2 server’s command structure assigns specific numbers to what commands it will initiate. The following section presents details on the said commands.

07 – Dialog box

Uses the Windows API function ShowHTMLDialogEx() to display a dialog box with rendered HTML contents from a supplied URL.

08 – Log clearing

Given an event log type, the relevant Windows APIs are used to open and then clear the log entries.

09 – System reboot

Adjusts its own executing privileges to enable system shutdown and uses an undocumented Windows API to perform the action.

13 – Network sockets

Appears to contain capability to receive a network address from C2 server and establish a new outbound connection.

14 – TCP incoming

Accepts an incoming network connection on the supplied TCP port.

15 – Terminate

If there’s an open network connection, then close it and disable the Windows service controlling this process. This appears to be the self-removal (uninstall) command.

16 – Initiate application

The malware creates a console window and initiates a command to launch the program provided by the C2 operator using the WinExec() API.

19 – Enumerate Windows

Iterates all windows of the current desktop to look for a requested title bar text. This might allow the operator to access specific GUI applications and their contents, both onscreen and clipboard.

26 – Suspend

Uses the SetSuspendState() API to put the system into either a suspended (sleep) state or hibernation.

30 – Chrome credentials

Launches the earlier mentioned functionality to steal Google Chrome passwords.

Mitigations

Malware like StilachiRAT can be installed through various vectors. The following mitigations can help prevent this type of malware from infiltrating the system and reduce the attack surface:

• In some cases, RATs can masquerade as legitimate software or software updates. Always download software from the official website of the software developer or from reputable sources.
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on Safe Links and Safe Attachments for Office 365. In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Microsoft Teams, and supported Office 365 apps. Safe Attachments provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP).
• Enable network protection in Microsoft Defender for Endpoint to prevent applications or users from accessing malicious domains and other malicious content on the internet. You can audit network protection in a test environment to view which apps would be blocked before enabling network protection.

General hardening guidelines:

• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Turn on Potentially unwanted applications (PUA) protection in block mode in Microsoft Defender Antivirus. PUA are a category of software that can cause your machine to run slowly, display unexpected ads, or install other software that might be unexpected or unapproved.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
• Turn on Microsoft Defender Antivirus real-time protection.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• TrojanSpy:Win64/Stilachi.A

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• A process was injected with potentially malicious code
• Process hollowing detected
• Suspicious service launched
• Possible theft of passwords and other sensitive web browser information

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Look for suspicious outbound network connections

Monitor network traffic for malicious activity caused by remote access trojans by focusing on identifying unusual outbound connections, irregular port activity, and suspicious data exfiltration patterns that may indicate RAT presence.

Outbound ports associated with common data transfer protocols such as HTTP/HTTPS (port 80/443), SMB (port 445), and DNS (port 53) or less common ports like 16000 used for specific applications and services for network communications might indicate such activity.

let domains = dynamic(['domain1', 'domain2', 'domain3']);
DeviceNetworkEvents
| where RemotePort in (53, 443, 16000)
| where Protocol == "Tcp"
| where RemoteUrl has_any (domains)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessCommandLine, ActionType, DeviceId, LocalIP, RemoteUrl, InitiatingProcessFileName

Look for signs of persistence

The malware can be run both as a Windows Service or a standalone component. To identify persistence and suspicious services, monitor for the following event IDs:

• Event ID 7045 – a new service was installed on the system. Monitor for suspicious services.
• Event ID 7040 – start type of a service is changed (boot, on-request). Boot may be a vector for the RAT to persist during a system reboot. On request indicates that the process must request the SCM to start the service.
• Correlated with Event ID 4697 – a service was installed on the system (Security log)

DeviceEvents
|where ActionType == “ServiceInstalled”
| project Timestamp, DeviceId,ActionType, FileName, FolderPath, InitiatingProcessCommandLine

Look for anti-forensic behavior

To identify potential event log clearing, monitor for the following event IDs:

• Event ID 1102 (Security log)
• Event ID 104 (System log)

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain/IP/Hash indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Additionally, Sentinel users can use the following query to detect when the security event log has been cleared, a potential indicator of an attempt to erase system evidence.

SecurityEvent
  | where EventID == 1102 and EventSourceName == "Microsoft-Windows-Eventlog"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])

Sentinel users can also use the following query to detect service installations or modifications in service settings, which may indicate potential persistence mechanisms used by attackers.

Event 
  // 7045: A service was installed in the system
 //  7040: A service setting has been changed
  | where Source == "Service Control Manager" 
  | where EventID in ( '7045', '7040')
  | parse EventData with * 'ServiceName">' ServiceName "<" * 'ImagePath">' ImagePath "<" *
  | parse EventData with * 'AccountName">' AccountName "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName

Indicators of compromise

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

Microsoft is committed to delivering comprehensive customer experience through various Microsoft Offerings. Our approach goes beyond traditional support by focusing on detection, prevention, and in-depth mitigation to help customers quickly respond to security incidents and build resiliency. Want to know how to Build a More Secure Tomorrow? Check our Unified and Security eBook and visit https://aka.ms/Unified

Dmitriy Pletnev and Daria Pop
Microsoft Incident Response

The post StilachiRAT analysis: From system reconnaissance to cryptocurrency theft appeared first on Microsoft Security Blog.

That statistic alone tells us a great deal about the importance of preparedness for a potential cyberattack, which includes a robust incident response plan. To create such a plan, it is critical to understand potential risks, and one of the best ways to do that is to conduct a proactive threat hunt and compromise assessment.

Microsoft Incident Response is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. In addition to reactive response, they also conduct proactive compromise assessments to find threat actor activity. They’ll provide recommendations and best practice guidance to strengthen an organization’s security posture.

Microsoft Incident Response

Your first call before, during, and after a cybersecurity incident.

Microsoft Incident Response compromise assessments utilizes the same methodology and resources as those used in an investigation but without the time pressure and crisis-driven decision making associated with a live cyberattack. Compromise assessments are often used by those who have had a prior incident and want to measure their security posture after the implementation of new security measures. Some customers use the service as an annual assessment prior to locking down change controls. Others may use it to assess the environment of an acquisition prior to joining infrastructures.

What happens when a compromise assessment turns into a reactive incident response engagement? Let’s dive into a recent situation where our team encountered this very scenario.

Why differentiate between proactive and reactive investigations?

It is important to understand the key differences between proactive and reactive investigations, as each has different goals and measures for success. Microsoft Incident Response’s proactive compromise assessments are focused on detection and prevention, which includes identifying potential indicators of compromise (IOCs), bringing attention to potential vulnerabilities, and helping customers mitigate risks by implementing security hardening measures.

Our reactive investigations are centered on incident management during and immediately after a compromise, including incident analysis, threat hunting, tactical containment, and Tier 0 recovery, all while under the pressure of an active cyberattack.

Proactive and reactive incident response are essential capabilities for providing a more robust defense strategy. They enable an organization to address an active cyberattack during a period when time and knowing the next steps are critical. At the same time, it provides experts with the experience needed to help prevent future incidents. Not all organizations have the resources required to maintain an incident response team capable of proactive and reactive approaches and may want to consider using a third-party service.

The importance of Microsoft’s “double duty” incident response experts

When confronted by an active threat actor, two things are at the forefront of success and can’t be lost—time and knowledge.

While conducting a proactive compromise assessment for a nonprofit organization in mid-2024, Microsoft Incident Response began their forensic investigation. Initially identifying small artifacts of interest, the assessment quickly changed as suspicious events began to unfold. At the time the threat actor was not known, but has since been tracked as Storm-2077, a Chinese state actor that has been active since at least January 2024. Storm-2077’s techniques focus on email data theft, using valid credentials harvested from compromised systems. Storm-2077 was lurking in the shadows of the organization’s environment. When they felt they had been detected, these threat actors put their fingers on keyboards and started making moves.

Precious time to remediate was not lost. Microsoft Incident Response immediately switched from proactive to reactive mode. The threat actor created a global administrator account and began disabling legitimate organizational global administrator accounts to gain full control of the environment. The targeted organization’s IT team was already synchronized with Microsoft Incident Response through the active compromise assessment that was taking place. The targeted customer took note of the event and came to Microsoft for deconfliction. Once the activity was determined to be malicious, the organization’s IT team disabled the access, and the proactive incident response investigation converted to being reactive. The threat actor was contained and access was remediated quickly because of this collaboration.

The threat actor had likely been present in the organization’s environment for a few months or more. They had taken advantage of a stolen session token to conduct a token replay attack, and through this had gained access to multiple accounts.

Proactive assessments that don’t utilize reactive investigation teams for delivery may result in a delay in responding or even generate more challenges for the incoming investigation team.

Thankfully, Microsoft Incident Response conducts proactive compromise assessments with the same resources that deliver reactive investigations. They can take immediate action to halt active cyberthreats before they do more harm.

Read the report to go deeper into the details of the cyberattack, including Storm-2077 tactics, the response activity, and lessons that other organizations can learn from this case.

What is the Cyberattack Series?

With our Cyberattack Series, customers will discover how Microsoft Incident Response investigates unique and notable attacks. For each cyberattack story, we will share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

Learn more

To learn more about Microsoft Incident Response capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact.

Download our Unified Security e-book to learn more about how Microsoft can help you be more secure.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Cybercrime Expected To Skyrocket in Coming Years, Statista. February 22, 2024.

²World GDP Rankings 2024 | Top 10 Countries Ranked By GDP, Forbes India. November 4, 2024.

The post Build a stronger security strategy with proactive and reactive incident response: Cyberattack Series appeared first on Microsoft Security Blog.

Microsoft Incident Response

Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.

Learn more

Threat intelligence is often oversimplified to represent a feed of indicators of compromise (IOCs). The intersection between multiple types of threat intelligence, however, enables organizations and their threat hunters to have a holistic understanding of the cyberattackers and techniques that can and will target them. With this comprehensive cheat sheet of knowledge, threat hunters can not only increase efficiency when responding to a compromise, but proactively hunt their systems for anomalies and fine-tune protection and detection mechanisms. 

Figure 1. Three types of threat intelligence.

Figure 1 introduces three types of threat intelligence that will be outlined in this blog—strategic, operational, and tactical. It provides a visualization of organizational effort versus the value gained when utilizing threat intelligence in more than one way. Typically, security teams integrate IOC cyberthreat feeds at a tactical level, but incorporating threat intelligence operationally requires daily investment, especially when alert queues seem endless. Strategic threat intelligence may seem familiar to most organizations but can be challenging to apply effectively, as this requires concentrated effort at multiple levels to understand the organization’s position within the overall threat landscape. How can threat hunters leverage these types of threat intelligence effectively for the benefit of their organization? 

Strategic threat intelligence: Informed hunting driven by the overarching cyberthreat landscape 

Security teams should be industry aware—being cognizant of the types of digital threats and current trends affecting industry verticals allows any team to be better prepared for potential compromise. Strategic threat intelligence is fundamentally based on understanding threat actor motives, which gives organizations an understanding of which threat actors they should be most conscious of in relation to the industry vertical or their most valuable resources. For example, government entities are traditionally targeted by nation-state advanced persistent threats (APTs) to perform cyber espionage, whereas organizations in the healthcare industry are commonly targeted by cybercriminal actor groups for ransomware operations and financial extortion due to the sensitivity of the data they possess. Understanding where the organization fits into this strategic picture determines the investment where its resources (people and time) may be constrained. Furthermore, it’s a key step toward developing an effective threat-informed defense strategy prioritizing the cyberattacks that target the organization.  

Operational threat intelligence: Informed hunting to proactively understand the environment and its data 

Having broad visibility into an organization’s attack surface is imperative when applying threat intelligence at an operational level. The crucial components spanning the perimeter of the on-premises network and extended entities such as cloud, software-as-a-service, and overall supply chain should be well understood: 

• Where are the tier 0 systems in the organization? 
• What intermediary lateral movement pathways exist to tier 0 systems? 
• What security controls across the environment are (or aren’t) in place? 
• What telemetry is produced by all systems in the environment?  

Security teams should proactively analyze the data that comes from these entities to develop a baseline of normal operations. Along with this baseline, threat hunters should comprehend and exercise organizational processes. In the event of an identified anomaly, how is that behavior deconflicted? What teams within the organization need to be consulted? What is the process for ensuring false positives can be reported and circulated efficiently and effectively? Considering the secondary questions and tertiary actions of response steps greatly benefits threat hunting timeliness, staving off confusion during a rapidly evolving incident.

Tactical threat intelligence: Informed hunting to reactively respond to a live cyberthreat 

Tactical threat intelligence is often an organization’s main integration to enhance a threat hunt, particularly in response to an active cyberattack scenario. Known-bad entities and atomic indicators such as IP addresses, domains, and file hashes are used to identify anomalies aligning to attacker techniques against targeted systems quickly. Additionally, if the cyberattack is already attributed to a threat actor, or the attack aligns to a particular motive, security teams can use these patterns of behavior to prioritize their hunting scope to their known tactics, techniques, and procedures. Novel indicators or associated research from the analysis should be shared with other vetted threat hunters within the organization and are a particularly valuable contribution to the wider threat intelligence community to further enrich detections for all organizations.  

Putting it together: Threat intelligence and iterative threat hunting 

Armed with this breakdown, threat hunters can now turn their attention to using varied threat intelligence to execute threat hunts and track down threat actors. The threat hunting iterative workflow shown in Figure 2 is something security teams will likely be familiar with; but are threat intelligence artifacts effectively being applied to create a holistic threat-informed defense strategy? 

Figure 2. Feeding threat intelligence artifacts into an iterative threat hunting workflow.

When preparing a hunt, threat hunters should seek to apply strategic threat intelligence to prioritize the cyberthreats that target the organization. This directly leads into the hypothesis phase. Threat hunters include the gathered strategic artifacts in a hunt hypothesis based on the trends or threat actors impacting other organizations in the same vertical. This casts a wide net to identify anomalies and behaviors common to the industry. They are not limiting the hunt based on any one IOC, rather using the collective intelligence learned from similar intrusions to detect or prevent the attack scenario. For every investigation, whether it be proactive or reactive, Microsoft Incident Response threat hunters consider other incidents impacting victim organizations in the same industry as a guiding force to efficiently identify focus areas of analysis, leveraging research from Microsoft Threat Intelligence that outlines any applicable threat actor attribution. 

Daily workflows should be enhanced with operational threat intelligence artifacts to determine an environmental baseline. Proactive hunt hypotheses should seek to test the understanding and actively seek to identify gaps in various aspects of the baseline, identifying any behavioral anomalies straying from “normal operations” and developing high-fidelity, real-world detections based on the true attempts at intrusion to their environments. Existing detections should be continuously reviewed and refined, hunting threads should include interrogation of both successful and failed access attempts, and data integrity should be verified. Security teams should question if: 

• Centralized data is both complete and accurate—identifying if there are any gaps in the data and why. 
• The schema is consistent between all data sources (for example, timestamp accuracy). 
• The correct fields are flowing through from their distributed systems’ sources.  

When security teams embody being the experts of their environment, they become more adept at identifying when a proactive threat hunt shifts into reactive response to active threat. This is invaluable when improving the speed of returning to normal operations and engaging additional support such as Microsoft Incident Response, who can enhance the hunt with threat intelligence from previous global incidents, working with the customer to deconflict abnormalities quickly for swift takeback and eviction of threat actors. 

When incident response teams like Microsoft Incident Response are engaged during a reactive incident, the objective of threat hunting is to conduct analysis of live, historical, and contextual data on targeted and compromised systems and provide a detailed story of not only the attack chain, but the threat actor(s) conducting that attack. Enriching a threat hunt with tactical threat intelligence artifacts in the form of IOCs concentrates investigation scope and allows for rapid identification of threat actor activity. As the hunt progresses, relational entities to that indicator are uncovered, such as the identities involved in activity execution and lateral movement paths to different systems. Attention shifts from atomic indicators such as IP addresses and malicious domains, to artifacts left directly on compromised systems, such as commands that were run or persistent backdoors that were installed. This builds an end-to-end timeline of malicious activity and related indicators for organizations to stay informed, implement target security controls, and prevent the same, or similar, incidents in the future.  

Adhering to the collaborative cycle of threat intelligence, Microsoft Incident Response contributes front-line research to enhance and further develop detections for customers worldwide. Entities are aligned with industry frameworks such as the Diamond Model, to build threat actor profiles detailing the relationship between adversaries’ infrastructure, capabilities and victims. Microsoft Threat Intelligence is available in Microsoft Defender XDR for the community and fellow security teams to consume, validate, and refine into proactive detections for the organization. 

How Microsoft Incident Response can support proactive threat protection

Microsoft Incident Response has cultivated and relies upon implementing the cycle between incident response and threat intelligence to protect our customers, leveraging insights from 78 trillion signals per day. Organizations can proactively position themselves to be well-informed by the threats targeting their organization by implementing threat intelligence in a holistic way, before an incident begins.  

Embracing a collaborative culture amongst the threat intelligence community to not only consume entities, but to further contribute, refine, and enhance existing research, results in improved detections, controls, and automation, allowing all security professionals to get behind the same goal—track down and protect themselves from threat actors and their malicious intent.  

You can read more blogs from Microsoft Incident Response. For more security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

Learn more

Learn more about Microsoft Incident Response.

To get notified about new Microsoft Threat Intelligence publications and to join discussions on social media, follow us on X (@MsftSecIntel).

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹The art and science behind Microsoft threat hunting: Part 1, Microsoft Incident Response Team. September 9, 2022.

²The art and science behind Microsoft threat hunting: Part 2, Microsoft Incident Response Team. September 21, 2022.

The post The art and science behind Microsoft threat hunting: Part 3 appeared first on Microsoft Security Blog.