Unified Endpoint Management
Hacking Made Easy, Patching Made Optional: A Modern Cyber Tragedy
In today’s cyber threat landscape, the tools and techniques required to compromise enterprise environments are no longer confined to highly skilled adversaries or state-sponsored actors. While artificial intelligence is increasingly being used to make attacks more convincing, the majority of breaches still rely on simple, publicly accessible tools and well-established social engineering tactics. Another major issue is the persistent failure of enterprises to patch common vulnerabilities in a timely manner, despite the availability of fixes and public warnings. This negligence continues to be a key enabler of large-scale breaches, as several recent incidents demonstrate.

The Rise of AI-Enhanced Attacks

Attackers are now leveraging AI to increase the credibility and effectiveness of their campaigns. One notable example is the use of deepfake technology (synthetic media generated using AI) to impersonate individuals in video or voice calls. North Korean threat actors, for instance, have been observed using deepfake videos and AI-generated personas to conduct fraudulent job interviews with HR departments at Western technology companies. These scams are designed to gain insider access to corporate systems or to exfiltrate sensitive intellectual property under the guise of legitimate employment.

Social Engineering: Still the Most Effective Entry Point

And yet, many recent breaches have begun with classic social engineering techniques. In the cases of Coinbase and Marks & Spencer, attackers impersonated employees through phishing or fraudulent communications. Once they had gathered sufficient personal information, they contacted support desks or mobile carriers, convincingly posing as the victims to request password resets or SIM swaps. This impersonation enabled the attackers to bypass authentication controls and gain initial access to sensitive systems, which they then leveraged to escalate privileges and move laterally within the network.

Threat groups such as Scattered Spider have demonstrated mastery of these techniques, often combining phishing with SIM swap attacks and MFA bypass to infiltrate telecom and cloud infrastructure. Similarly, Solt Thypoon (formerly DEV-0343), linked to North Korean operations, has used AI-generated personas and deepfake content to conduct fraudulent job interviews, gaining insider access under the guise of legitimate employment. These examples underscore the evolving sophistication of social engineering and the need for robust identity verification protocols, particularly at the help desk and in hiring, where a convincing voice or video is no longer proof of identity.

Built for Defense, Used for Breach

Despite the emergence of AI-driven threats, many of the most successful attacks continue to rely on simple, freely available tools that require minimal technical expertise. These tools are widely used by security professionals for legitimate purposes such as penetration testing, red teaming and vulnerability assessments, but they are also routinely abused by attackers to compromise systems; published case studies exist for tools like Nmap, Metasploit, Mimikatz, BloodHound and Cobalt Strike. The dual-use nature of these tools means that detecting their presence is not enough: defenders also need to understand the context in which they are being used, such as who ran them, on which host, and whether an authorized engagement was under way.

From CVE to Compromise

While social engineering remains a common entry point, many breaches are ultimately enabled by known vulnerabilities that remain unpatched for extended periods. For example, the MOVEit Transfer vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group to compromise hundreds of organizations, despite a patch being available. Similarly, the OpenMetadata vulnerabilities (CVE-2024-28255, CVE-2024-28847) allowed attackers to gain access to Kubernetes workloads and use them for cryptomining within days of a fix being issued.
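The "Built for Defense, Used for Breach" section above makes the point that seeing Mimikatz or BloodHound on a host is only half a detection; the other half is context. The following is an added example, not code from the original post or from any Microsoft product, showing how a detection rule can encode that context: it matches process-creation command lines against a small indicator list and then checks each hit against a register of authorized engagements (account, in-scope hosts, time window) before assigning a severity. The events, hostnames, account names and engagement window are constructed sample data, and the indicator patterns are illustrative rather than a complete ruleset.

```python
"""Context-aware triage of dual-use tooling in process-creation telemetry.

Added example (not from the original post or any Microsoft product).
Events are constructed to resemble the fields of Windows Security event 4688 /
Sysmon event 1 after SIEM normalisation; names and times are sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Engagement:
    """An authorized red-team or pentest window: the same command line is
    benign from this account, on these hosts, in this window, and hostile elsewhere."""
    user: str
    hosts: frozenset
    start: datetime
    end: datetime

    def covers(self, user: str, host: str, when: datetime) -> bool:
        return (user.lower() == self.user.lower()
                and host.lower() in self.hosts
                and self.start <= when <= self.end)


# (tool name, pattern over the command line). Illustrative only: real indicators
# would also cover renamed binaries, file hashes and in-memory execution.
INDICATORS = [
    ("Mimikatz", re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I)),
    ("BloodHound/SharpHound", re.compile(r"sharphound|invoke-bloodhound", re.I)),
    ("Cobalt Strike", re.compile(r"rundll32\.exe.*,\s*StartW\b", re.I)),  # default DLL export
    ("Nmap", re.compile(r"\bnmap(\.exe)?\b", re.I)),
    ("Metasploit", re.compile(r"\bmsfconsole\b|\bmsfvenom\b", re.I)),
]

# Credential-theft tooling has no business context outside an engagement.
CREDENTIAL_THEFT = {"Mimikatz"}


def match_tool(command_line: str) -> Optional[str]:
    """Return the first matching tool name, or None if the command line is clean."""
    for name, pattern in INDICATORS:
        if pattern.search(command_line):
            return name
    return None


def classify(event: dict, engagements) -> Optional[dict]:
    """Turn one process-creation event into a finding, or None if nothing matched."""
    tool = match_tool(event["CommandLine"])
    if tool is None:
        return None
    when = datetime.fromisoformat(event["TimeCreated"])
    authorized = any(e.covers(event["SubjectUserName"], event["Computer"], when)
                     for e in engagements)
    if authorized:
        severity = "informational"   # still recorded: the engagement must be auditable
    elif tool in CREDENTIAL_THEFT:
        severity = "critical"
    else:
        severity = "high"
    return {"time": event["TimeCreated"], "host": event["Computer"],
            "user": event["SubjectUserName"], "tool": tool,
            "severity": severity, "authorized": authorized}


def triage(events, engagements):
    """Findings for every event that matched an indicator, in event order."""
    return [f for f in (classify(e, engagements) for e in events) if f is not None]


# Constructed sample data: one registered engagement and six process events.
ENGAGEMENTS = [
    Engagement(user=r"CORP\redteam.svc", hosts=frozenset({"pt-jumpbox01"}),
               start=datetime(2025, 6, 10, 8, 0), end=datetime(2025, 6, 12, 18, 0)),
]

SAMPLE_EVENTS = [
    {"TimeCreated": "2025-06-11T10:15:00", "Computer": "pt-jumpbox01",
     "SubjectUserName": r"CORP\redteam.svc",
     "CommandLine": "SharpHound.exe -c All --zipfilename corp.zip"},
    {"TimeCreated": "2025-06-11T10:20:00", "Computer": "pt-jumpbox01",
     "SubjectUserName": r"CORP\redteam.svc",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    # Same account and window, but a host outside the agreed scope.
    {"TimeCreated": "2025-06-11T11:00:00", "Computer": "fin-ws042",
     "SubjectUserName": r"CORP\redteam.svc",
     "CommandLine": "nmap.exe -sS -p 445,3389 10.0.0.0/24"},
    # Ordinary user, outside any window: the post-phishing playbook described above.
    {"TimeCreated": "2025-06-14T02:03:00", "Computer": "fin-ws042",
     "SubjectUserName": r"CORP\jdoe",
     "CommandLine": "powershell.exe -nop -w hidden -c Invoke-BloodHound -CollectionMethod All"},
    {"TimeCreated": "2025-06-14T02:11:00", "Computer": "dc01",
     "SubjectUserName": r"CORP\jdoe",
     "CommandLine": 'cmd.exe /c m.exe "lsadump::dcsync /user:krbtgt"'},
    {"TimeCreated": "2025-06-14T09:00:00", "Computer": "fin-ws042",
     "SubjectUserName": r"CORP\jdoe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, ENGAGEMENTS):
        print(f"{f['severity']:<13} {f['time']} {f['host']:<13} {f['user']:<17} {f['tool']}")
```

Running the script yields five findings: the two on pt-jumpbox01 are informational because they fall inside the registered engagement, the nmap scan from the same service account on fin-ws042 is high because the host is out of scope, and the DCSync attempt from an ordinary user on a domain controller is critical. In Microsoft Sentinel the equivalent logic is an analytics rule joined against a watchlist of engagement windows; the point is that the watchlist lookup, not the string match, is what separates a red-team exercise from an intrusion.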
Advanced persistent threat groups such as APT29 (also known as Cozy Bear) have historically exploited unpatched systems to maintain long-term access and conduct stealthy operations. Their use of credential harvesting tools like Mimikatz and lateral movement frameworks such as Cobalt Strike highlights the critical importance of timely patch management, not just for ransomware defense but also for countering nation-state actors.

Recommendations

To reduce the risk of enterprise breaches stemming from tool misuse, social engineering, and unpatched vulnerabilities, organizations should adopt the following practices:

1. Patch Promptly and Systematically
Ensure that software updates and security patches are applied in a timely and consistent manner. This involves automating patch management processes to reduce human error and delay, while prioritizing vulnerabilities based on their exploitability and exposure. Microsoft Intune can be used to enforce update policies across devices, while Windows Autopatch simplifies the deployment of updates for Windows and Microsoft 365 applications. To identify and rank vulnerabilities, Microsoft Defender Vulnerability Management offers risk-based insights that help focus remediation efforts where they matter most.

2. Implement Multi-Factor Authentication (MFA)
To mitigate credential-based attacks, MFA should be enforced across all user accounts. Conditional Access policies should be configured to adapt authentication requirements to contextual risk factors such as user behavior, device health, and location. Microsoft Entra Conditional Access allows for dynamic policy enforcement, while Microsoft Entra ID Protection identifies and responds to risky sign-ins. Organizations should also adopt phishing-resistant MFA methods, including FIDO2 security keys and certificate-based authentication, since the SIM swap and help-desk reset attacks described above defeat SMS and voice-based factors.

3. Identity Protection
Access Reviews and Least Privilege Enforcement: conducting regular access reviews ensures that users retain only the permissions necessary for their roles. Applying least privilege principles and adopting a Zero Trust architecture limits the potential for lateral movement in the event of a compromise. Microsoft Entra Access Reviews automates these processes, while Privileged Identity Management (PIM) provides just-in-time access and approval workflows for elevated roles.
Just-in-Time Access and Risk-Based Controls: standing privileges should be minimized to reduce the attack surface. Risk-based Conditional Access policies can block high-risk sign-ins and enforce additional verification steps. Microsoft Entra ID Protection identifies risky behaviors and applies automated controls, while Conditional Access bases access decisions on real-time risk assessments to block or challenge high-risk authentication attempts.
Password Hygiene and Secure Authentication: promoting strong password practices and transitioning to passwordless authentication improves both security and user experience. Microsoft Authenticator supports multi-factor and passwordless sign-ins, while Windows Hello for Business enables biometric authentication backed by hardware-protected credentials.

4. Deploy SIEM and XDR for Detection and Response
A robust detection and response capability is vital for identifying and mitigating threats across endpoints, identities, and cloud environments. Microsoft Sentinel serves as a cloud-native SIEM that aggregates and analyses security data, while Microsoft Defender XDR integrates signals from multiple sources to provide a unified view of threats and automate response actions.

5. Map and Harden Attack Paths
Organizations should regularly assess their environments for attack paths such as privilege escalation and lateral movement. Tools like Microsoft Defender for Identity help uncover lateral movement paths, while Microsoft Identity Threat Detection and Response (ITDR) integrates identity signals with threat intelligence to automate response. These capabilities are accessible via the Microsoft Defender portal, which includes an attack path analysis feature for prioritizing multicloud risks.

6. Stay Current with Threat Actor TTPs
Monitor the evolving tactics, techniques, and procedures (TTPs) employed by sophisticated threat actors. Understanding these behaviours enables organizations to anticipate attacks and strengthen defenses proactively. Microsoft Defender Threat Intelligence provides detailed profiles of threat actors and maps their activities to the MITRE ATT&CK framework. Complementing this, Microsoft Sentinel allows security teams to hunt for these TTPs across enterprise telemetry and correlate signals to detect emerging threats.

7. Build Organizational Awareness
Organizations should train staff to identify phishing, impersonation, and deepfake threats. Simulated attacks help improve response readiness and reduce human error. Use Attack Simulation Training in Microsoft Defender for Office 365 to run realistic phishing scenarios and assess user vulnerability. Additionally, educate users about consent phishing, where attackers trick individuals into granting access to malicious apps.

Conclusion

The democratization of offensive security tooling, combined with the persistent failure to patch known vulnerabilities, has significantly lowered the barrier to entry for cyber attackers. Organizations must recognize that the tools used against them are often the same ones available to their own security teams. The key to resilience lies not in avoiding these tools, but in mastering them: using them to simulate attacks, identify weaknesses, and build a proactive defense. Cybersecurity is no longer a matter of if, but when.
The question is: will you detect the attacker before they achieve their objective? Will you be able to stop them before they reach your most sensitive data?

Additional read:
- Gartner Predicts 30% of Enterprises Will Consider Identity Verification and Authentication Solutions Unreliable in Isolation Due to AI-Generated Deepfakes by 2026
- Cyber security breaches survey 2025 - GOV.UK
- Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | Microsoft Security Blog
- MOVEit Transfer vulnerability
- Solt Thypoon
- Scattered Spider
- SIM swaps
- Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters | Microsoft Security Blog
- Microsoft Defender Vulnerability Management | Microsoft Learn
- Zero Trust Architecture | NIST
- tactics, techniques, and procedures (TTP) - Glossary | CSRC
- https://learn.microsoft.com/en-us/security/zero-trust/deploy/overview

Update 2403 for Microsoft Configuration Manager current branch is now available.
Update 2403 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2211 or later. When installing a new site, it will also be available as a baseline version soon after general availability. This article summarizes the changes and new features in Configuration Manager, version 2403.

Site infrastructure

Microsoft Azure Active Directory rebranded to Microsoft Entra ID
Starting with Configuration Manager version 2403, Microsoft Azure Active Directory is renamed to Microsoft Entra ID within Configuration Manager.

Automated diagnostic dashboard for software update issues
A new dashboard is added to the console under the Monitoring workspace. It shows a diagnosis of the software update issues in your environment, so you can quickly identify problems related to software updates and fix them using the troubleshooting documentation. Special credit to Shankar Subramanian and Smita Jadhav for their details and troubleshooting notes. For more information, see Software update health dashboard.

Introducing centralized search box: effortlessly find what you need in the console
Users can now use the global search box in the Configuration Manager console, which streamlines the search experience and centralizes access to information. Users no longer need to navigate through multiple nodes, sections or folders to find the information they require, saving valuable time and effort. For more information, see Improvements to console search.

Added folder support for the Scripts node in Software Library
You can now organize scripts by using folders, which allows for better categorization and management of scripts. The Full Administrator and Operations Administrator roles can manage the folders. For more information, see Folder support for scripts.

HTTPS or Enhanced HTTP must be enabled for client communication from this version of Configuration Manager
HTTP-only client communication is deprecated, and support for it is removed in this version of Configuration Manager. Enable HTTPS or Enhanced HTTP for client communication before upgrading. For more information, see Enable site system roles for HTTPS or Enhanced HTTP, and Deprecated features.

Windows Server 2012/2012 R2 site system roles are not supported from this version of Configuration Manager
Starting with 2403, site system roles on Windows Server 2012/2012 R2 aren't supported in any current branch release. Clients on these operating systems under Extended Security Updates (ESU) continue to be supported. For more information, see Supported operating systems for site system servers.

Resource access profiles and deployments block the Configuration Manager upgrade
Any configured resource access profiles and deployments block the Configuration Manager upgrade. Delete them and, if the site is co-managed, move the Resource Access co-management workload to Intune. For more information, see FAQ and Resource access policies are no longer supported.

Software updates

New parameter SoftwareUpdateO365Language added to the Save-CMSoftwareUpdate cmdlet
A new parameter, SoftwareUpdateO365Language, is added to the Save-CMSoftwareUpdate PowerShell cmdlet. Customers no longer have to select a specific language in the software update point (SUP) properties, which would trigger a metadata download for that language for all updates. Usage:

Save-CMSoftwareUpdate -SoftwareUpdateO365Language "<language name> (<region name>)"

Note: languages must be in the Microsoft 365 Apps format used by the admin console UI, for example "Hungarian (Hungary)".

OS deployment

Support for ARM64 operating system deployment
Configuration Manager operating system deployment is now supported on Windows 11 ARM64 devices. Currently supported: importing and customizing ARM64 boot images, wipe-and-load task sequences, media creation task sequences, WDS PXE for ARM64, and CMPivot.

Enhancement in deploying software packages with dynamic variables
When administrators deploy the "Install Software Package" step through a dynamic variable with "Continue on error" unchecked, clients no longer report task sequence failures even if package versions on the distribution point are updated. For more information, see Options for Install Application.

Cloud-attached management

Upgrade to 2403 is blocked if CMG V1 is running as a cloud service (classic)
The upgrade to Configuration Manager 2403 is blocked if you're running cloud management gateway (CMG) V1 as a cloud service (classic). All CMG deployments should use a virtual machine scale set. For more information, see Check for a cloud management gateway (CMG) as a cloud service (classic).

Deprecated features
Learn about support changes before they're implemented in Removed and deprecated items. System Center Update Publisher (SCUP) and its integration with Configuration Manager reached planned end of support in January 2024. For more information, see Removed and deprecated features for Configuration Manager.

Other updates

Improvements to BitLocker
This release ensures proper verification of key escrow and prevents message drops. The client now validates that the recovery key was successfully escrowed to the site database, and only on successful escrow does it add the key protector. This prevents a potential data loss scenario in which BitLocker protects volumes with keys that were never backed up to the database because escrow had failed. For more information on BitLocker management, see Deploy BitLocker management and Plan for BitLocker management.

From this version of Configuration Manager, the Windows 11 readiness dashboard shows charts for Windows 11, version 23H2.

The Defender Exploit Guard policy for Controlled Folder Access now accepts wildcard patterns in the file path of allowed apps, for example C:\Folder\Subfolder\app?.exe or C:\Folder1\Sub*Name.

Next steps
At this time, version 2403 is released to the slow ring (available to all as an in-console update); the baseline media will be updated in the portal soon.

Thank you,
The Configuration Manager team

Additional resources:
- What’s New in Configuration Manager
- Documentation for Configuration Manager
- Microsoft Configuration Manager announcement
- Microsoft Configuration Manager vision statement
- Evaluate Configuration Manager in a lab
- Upgrade to Configuration Manager
- Configuration Manager Forums
- Configuration Manager Support
- Report an issue
- Provide suggestions

Automating and Streamlining Vulnerability Management for Your Clients
Learn how to enhance vulnerability management for your Windows clients using Microsoft Defender for Endpoint, Intune, and Azure AD, and harness automation to simplify processes and minimize expenses.
- Discover how automation transforms security by removing manual tasks, minimizing human error, and conserving time and resources.
- Observe how Microsoft's tools deliver a complete vulnerability management solution for both on-site and remote devices.
- Follow our detailed guide on setup, enrollment, strategic update deployment, and monitoring progress through the Microsoft 365 Defender portal.
Take charge of your vulnerability management and protect your organization. Don't miss our blog post, and keep an eye out for the upcoming entry on servers!

Desktop Analytics is now available in Public Preview
Desktop Analytics is now available in public preview. Desktop Analytics provides the insight and automation you need to efficiently get current and stay current with Windows. By integrating with System Center Configuration Manager, Desktop Analytics adds cloud value to your on-premises infrastructure. Read more in Zach Dvorak's blog post Welcome to the Tech Community for Desktop Analytics!

Microsoft Intune customer adoption pack is now available
Microsoft Intune is designed for the modern era of corporate connectivity from any location and any device, which must not only enable great consumer experiences at work but also protect against the increased risk of inadvertent and malicious threats to corporate data. Join the over 100 million customers across the world who trust Microsoft 365 Enterprise Mobility + Security (EMS) to stay connected, secure data and get things done on the go. You can view resources for each phase of roll-out below or download customer adoption resources from this Customer Adoption Pack .zip file.

Hardening Windows Clients with Microsoft Intune and Defender for Endpoint
Explore an approach to hardening clients in your organization by using Microsoft Intune and Defender for Endpoint to find and mitigate some of the most common security misconfigurations. This blog describes a centralized approach to automating asset management, deploying security baselines consistently, and minimizing the impact on end users. Learn valuable insights on planning, testing, and monitoring security policies, while discovering the power of attack surface reduction rules. Dive into this comprehensive guide and elevate your organization's security posture with streamlined solutions and proactive measures. Don't miss the chance to turn a major pain point into a significant win for your team!

Microsoft Intune security tasks extend Microsoft Defender ATP’s Threat & Vulnerability Management
We are happy to introduce Microsoft Intune security tasks, a new one-click remediation capability in Microsoft 365 that bridges security stakeholders (security administrators, security operations, and IT administrators) by allowing them to collaborate and seamlessly remediate threats. This capability extends the newly announced Microsoft Defender Threat & Vulnerability Management (TVM), a new component of Microsoft Defender ATP that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

Microsoft Intune announces device-only subscription for shared resources
Microsoft Intune is pleased to announce a new device-only subscription service that helps organizations manage devices that are not affiliated with specific users, such as digital signage, public kiosks, and phone room devices. The Intune device SKU is licensed per device per month.

Recommendations and insights to enrich the Configuration Manager site health and device management
You can now use the Microsoft Intune admin center to view recommendations and insights for your Configuration Manager sites. These recommendations can help you improve site health and infrastructure and enrich the device management experience. With so many features and updates available, choosing the right resources for your infrastructure management is essential. Whether you are new to device management or have managed your company’s infrastructure for a long time, this feature provides insights that can help you level up.

We currently provide recommendations that help in the following ways:
- Simplify your infrastructure by reviewing your hierarchy.
- Enhance device management by enabling co-management.
- Refine the gathering of device insights by enabling Endpoint analytics.
- Improve site health by reviewing current peer cache and Delivery Optimization settings.

These recommendations are based on your current site infrastructure and settings, and applying them is solely at the admin’s discretion. Recommendations are generated for tenant-attached customers solely from their site configuration, without compromising the customer's privacy; each recommendation points out how the customer is using the features available in site configuration. Recommendations are derived from the site database: every cycle a static query inspects the database, and the resulting insight flows to the cloud, where the recommendation is shown. Each recommendation is re-evaluated and updated in the next cycle: it is no longer shown once fully applied, and its insight changes if it has been partially applied.

How can you view the recommendations?

A user with Global Administrator rights can view recommendations for Configuration Manager sites that are version 2211 or higher and tenant attached.
To view recommendations, open the Microsoft Endpoint Manager admin center, go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager, and select a site to view recommendations for that site. Once selected, you’ll find the Recommendations tab, which displays each insight along with a Learn more link that opens details on how to apply that recommendation. We are open to adding more recommendations in future and would love to hear from you!

Improving Server Vulnerability Management Efforts
Discover a new way to transform vulnerability management with Microsoft Defender for Servers, Azure Automation, and Azure Arc. This blog post will guide you through moving past the traditional vulnerability management approach toward an automated and streamlined process for your servers on-premises and in the cloud. Seamlessly integrate the various tools in a five-step solution that will make you rethink server vulnerability management. Don't miss the opportunity to add a new weapon to your cyber security strategy, one that aims at removing inefficiencies.