Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.
Cybercrime
The cybercriminal economy is a connected ecosystem of many players with different techniques, goals, and skillsets. Get insights on the industrialization of cybercrime and how cyberattackers use ready-made malware and other tools to perform their attacks.
Refine results
Topic
Products and services
Publish date
Simplify endpoint management with Microsoft Intune
Microsoft Intune is a cloud-based unified endpoint management platform that empowers IT to manage, assess, and protect apps and devices.
-
-
Threat actors leverage tax season to deploy tax-themed phishing campaigns
As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. -
Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
Over the past year, Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries. -
Defending against evolving identity attack techniques
Threat actors continue to develop and leverage various techniques that aim to compromise cloud identities. Secure and verify every identity with Microsoft Entra
Microsoft Entra expands beyond identity and access management with new product categories such as cloud infrastructure entitlement management (CIEM) and decentralized identity.
-
Unveiling RIFT: Enhancing Rust malware analysis through pattern matching
As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry. -
Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations
Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. -
Investigating targeted “payroll pirate” attacks affecting US universities
Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed “payroll pirate”. -
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
Storm-2561 uses SEO poisoning to push fake VPN downloads that install signed trojans and steal VPN credentials. Prevent threats with Microsoft Defender
The Microsoft Defender family offers comprehensive threat prevention, detection, and response capabilities for everyone—from individuals looking to protect their family to the world’s largest enterprises.
-
Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware. -
Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees
Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. -
Email threat landscape: Q1 2026 trends and insights
In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics. -
Exposing Fox Tempest: A malware-signing service operation
Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware.
