Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
Threat actors are abusing external Microsoft Teams collaboration to impersonate IT helpdesk staff and convince users to grant remote access.
Microsoft Defender
Microsoft Defender helps prevent, detect, and respond to attacks across devices, identities, apps, email, data, workloads, and clouds. Explore threat intelligence, capabilities, and real-world guidance to help you get more out of Defender.
Refine results
Topic
Products and services
Publish date
Modernize your Security Operations Center with Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM solution powered by AI and automation that delivers intelligent security analytics across your entire enterprise.
-
-
Containing a domain compromise: How predictive shielding shut down lateral movement
Domain compromise accelerates fast. Predictive shielding slowed it down. -
Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data. -
The agentic SOC—Rethinking SecOps for the next decade
In the SOC of the future, autonomous defense moves at machine speed, agents add context and coordination, and humans focus on judgment, risk, and outcomes. Tailored AI insights from Microsoft Security Copilot
Empower your defenders to detect hidden patterns, harden defenses, and respond to incidents faster with generative AI.
-
Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees
Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. -
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
A severe Android intent‑redirection vulnerability in a widely deployed SDK exposed sensitive user data across millions of apps. -
SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
Executive summary Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure. -
Inside an AI‑enabled device code phishing campaign
A new wave of device code phishing shows how threat actors are scaling account compromise using AI and end‑to‑end automation. Go beyond data protection with Microsoft Purview
Govern, protect, and manage all of your data with Microsoft Purview, comprehensive solutions to help give you better visibility and control.
-
Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware. -
Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments
Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux hosting environments. -
Mitigating the Axios npm supply chain compromise
On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm packages for version updates to download from command and control (C2) that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet. -
How Microsoft Defender protects high-value assets in real-world attack scenarios
High-value assets including domain controllers, web servers, and identity infrastructure are frequent targets in sophisticated attacks.
