Microsoft Security Experts Blog

Microsoft Defender Experts - S.T.A.R. Series

Raae_ (Microsoft)
Dec 02, 2025

(Strategies for Threat Awareness and Response) webinar and blog series

Co-author: Samantha Gardener

To stay ahead of today’s sophisticated cyber threats, organizations must embrace a proactive defense strategy that includes these three pillars: emerging trends, adaptive strategies, and actionable insights.

Threat actors are increasingly leveraging AI-driven attacks, supply chain compromises, and identity-based exploits. Modern strategies focus on zero trust principles, continuous threat hunting, and leveraging advanced threat intelligence to predict and neutralize risks before they escalate. By integrating real-time analytics, automated response capabilities, and cross-platform visibility, security teams can transform insights into decisive action to help ensure resilience against evolving attack vectors and safeguard critical assets in an ever-changing landscape.

Our popular S.T.A.R. webinar series features panels of our experts who discuss trends, strategies, and insights that will help you defend against today’s sophisticated threats.

  • Gain Expert Insights: Learn from Microsoft Defender Experts who share their knowledge on the latest threats and trends in cybersecurity.
  • Bolster Your Security Program: Receive actionable guidance and strategies to effectively combat emerging threats and strengthen defenses.
  • Meet the Experts: Get to know the Defender Experts and understand their roles in safeguarding organizations.

For additional insights, some episodes are accompanied by informative blogs that even include real-world threat hunting patterns.

Microsoft Defender Experts - S.T.A.R. series episodes

Episode 1 - November 2024

Crafting Chaos: The Amplified Tactics of Social Engineering - Hunt, Halt, and Evict

Description

Explore amplified tactics of social engineering with our Defender Experts. We cover Quick Assist email spam floods, RMM tool abuse, and the ClickFix PowerShell copy/paste technique. We highlight how attackers leverage legitimate services like SharePoint, Dropbox, and Google Drive for phishing campaigns.

Key Topics:
  • Quick Assist Email Spam Flood: Abusing Quick Assist to gain initial access and deploy ransomware.
  • RMM Tools: Increased abuse of RMM tools for delivering trojans or infostealers.
  • ClickFix PowerShell Copy/Paste: Users tricked into copying and pasting malicious code.
  • Abuse of File Hosting Platforms: Using legitimate services for phishing campaigns.
  • Advanced Hunting Queries: KQL queries for detecting suspicious activities.
Video Link

Episode 1 - Crafting Chaos: The Amplified Tactics of Social Engineering - Hunt, Halt, and Evict

Episode 2 - February 2025

Rise of Infostealers, ClickFix, and More

Description

Delve into the latest threat landscape, featuring notorious actors like Hazel Sandstorm, Sangria Tempest, and Midnight Blizzard. Understand the insidious ClickFix technique, a social engineering marvel that exploits users' natural tendencies to click prompts and buttons. Learn more about the growing trend of renamed binaries and how adversaries are using them to evade detection.

Key Topics:

  • Infostealers Unveiled: Functions and examples of infostealers like LummaStealer, DarkGate, and DanaBot.
  • ClickFix Technique: Combining phishing, malvertising, and malicious scripting.
  • Identity Compromise: Techniques like AiTM, BiTM, and BiTB attacks.
  • Advanced Hunting Queries: KQL queries for detecting suspicious activities.
Video Link

Episode 2 - Rise of Infostealers, ClickFix, and More

Episode 3 - June 2025

The Case Against ClickFix

Description

Deep dive into the ClickFix technique, a rising social engineering threat that manipulates users into executing malicious scripts through fake prompts like CAPTCHA verifications.

Key Topics:

  • How adversaries are leveraging ClickFix to deploy infostealers, remote access tools, and loaders, while also evading detection through renamed binaries and obfuscated scripting.

Technique:

  • ClickFix combines phishing, malvertising, and drive-by compromises with fake CAPTCHA overlays. Users are tricked into copying and executing malicious commands via the Windows Run dialog.

Compromise:

  • ClickFix mimics identity compromise tactics by hijacking user trust, using spoofed interfaces, clipboard hijacking, and executing obfuscated scripts via LOLBins like PowerShell, mshta, and rundll32.

Advanced Hunting Queries (AHQs):

  • Suspicious RunMRU registry entries.
  • Use of LOLBins and obfuscated PowerShell commands.
  • Indicators such as shortened URLs, fake CAPTCHA text, and encoded payloads.
Video Link

Episode 3 - The Case Against ClickFix

Episode 4 - Aug 2025

Post-Breach Browsers: The Hidden Threat You’re Overlooking

Description

Modern browsers aren’t just attack entry points; they’re post-breach goldmines. In this episode, Microsoft Defender Experts are joined by JBO, the architect behind cross-platform research at Microsoft Defender and a leading voice in offensive security, exploitation, and vulnerability research.

Key Topics:

  • Post-Breach Tradecraft
    How adversaries weaponize browser memory, debugging ports, and extensions to maintain access and evade detection.
  • Detection That Cuts Through the Noise
    Spot stealthy abuse: anomalous COM calls, rogue child processes, TLS key leaks, and more.
  • Expert-Led Defense
    JBO and the Defender Experts team bring real-world insights from the frontlines, including techniques used to uncover and mitigate browser-based threats across Windows, macOS, and Linux.

If you think browser security ends at patching, think again. This episode is your essential guide to defending against the post-breach browser threatscape.

Video Link

Episode 4 - Post-Breach Browsers: The Hidden Threat You’re Overlooking

Learn more – read the blog

Post-breach browser abuse: a new frontier for threat actors | Microsoft Community Hub

Modern browsers are among the most complex and trusted applications on any endpoint. While they are often discussed in the context of initial access (through phishing, drive-by downloads, or zero-day exploits) this post focuses on a less explored but increasingly relevant threat vector: post-breach browser abuse.

Episode 5 – October 2025

TCC You Later: Spotlights Metadata Mischief in macOS

Description

Threat actors are exploiting overlooked macOS features. Join our experts as they discuss trends, strategies, and insights that will help you defend against this new attack vector.

Key Topics:

  • Understand how AI features and Spotlight indexing expose sensitive metadata, while weaknesses in TCC controls increase exploitation potential.
  • Learn how unsigned Spotlight plugins can bypass privacy safeguards, granting access to confidential files and Apple Intelligence data.
  • Defend better by strengthening detection for anomalous Spotlight activity, enforcing patching, and managing updates through Intune for proactive defense.
Video Link

Episode 5 - TCC You Later: Spotlights Metadata Mischief in macOS

Learn more – read the blog

The invisible attack surface: hunting AI threats in Defender XDR | Microsoft Community Hub

As organizations embed AI across their business, the same technology that drives productivity also introduces a new class of risk: prompts that can be manipulated, data that can be leaked, and AI systems that can be tricked into doing things they shouldn’t. Attackers are already testing these boundaries, and defenders need visibility into how AI is being used - not just where it’s deployed.


Follow us for more S.T.A.R. episodes - Microsoft Defender Experts for XDR | Microsoft Security
Updated Dec 01, 2025
Version 1.0