Microsoft Defender Security Research Team, Author at Microsoft Security Blog

Photo of employee working outdoors with hexagon icons in overlay

Research
May 4
8 min read

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains.

A graphic indicating a rapid response research article based on active campaigns.

Research
May 1
6 min read

CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments

A high-severity Linux vulnerability, “Copy Fail” (CVE-2026-31431), enables root privilege escalation across cloud environments and Kubernetes workloads.

Two office workers looking at a desktop monitor

Research
April 30
15 min read

Email threat landscape: Q1 2026 trends and insights

In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics.

A colorful graphic showing a radar scanning icon representing new detection and hunting guidance.

Research
April 28
13 min read

Simplifying AWS defense with Microsoft Sentinel UEBA

Learn how Microsoft Sentinel UEBA helps defenders distinguish benign AWS activity from attacker behavior by enriching raw CloudTrail logs with clear, binary behavioral signals derived from baseline user, peer, and device behavior patterns.

Graphic indicating a sleet (weather) icon to align with North Korean threat actors.

Research
April 21
9 min read

Detection strategies across cloud and identities against infiltrating IT workers

The shift to remote and hybrid work since the pandemic expanded global hiring and accelerated digital onboarding, increasing reliance on online identity verification and remote access.

Research
April 18
20 min read

Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook

Threat actors are abusing external Microsoft Teams collaboration to impersonate IT helpdesk staff and convince users to grant remote access.

Graphic showing an icon of a key and digital lines representing secure access issues.

Research
April 17
8 min read

Containing a domain compromise: How predictive shielding shut down lateral movement

Domain compromise accelerates fast. Predictive shielding slowed it down.

Research
April 16
25 min read

Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data.

Research
April 9
9 min read

Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk

A severe Android intent‑redirection vulnerability in a widely deployed SDK exposed sensitive user data across millions of apps.

A graphic showing a phishing hook representing social engineering and phishing.

Research
April 6
16 min read

Inside an AI‑enabled device code phishing campaign

A new wave of device code phishing shows how threat actors are scaling account compromise using AI and end‑to‑end automation.

Research
April 2
13 min read

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux hosting environments.

Photo of developers discussing with the hexagon and the supply chain attack icon in overlay

Research
April 1
16 min read

Mitigating the Axios npm supply chain compromise

On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm packages for version updates to download from command and control (C2) that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet.

Microsoft Defender Security Research Team posts