defender experts for hunting
31 TopicsHunting Infostealers - Trusted Platform Abuse
In this part of the “Hunting Infostealers” series, we explore the growing abuse of trusted communication services and software ecosystems—including messaging platforms like WhatsApp and seemingly benign PDF converter tools—to propagate malware and deploy credential stealers such as Eternidade Stealer, lowering user suspicion and complicating detection. Throughout the blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers. Platform Abuse (WhatsApp, PDF Converters) Since late 2025, Platform abuse has become an increasingly prevalent tactic in the modern threat landscape, wherein adversaries deliberately exploit the legitimacy, scale, and user trust associated with widely used applications and services. By weaponizing platforms such as WhatsApp and seemingly benign PDF conversion tools, threat actors are able to disguise malicious activity within normal user behavior, enabling efficient malware delivery, lateral propagation, and evasion of traditional security controls. WhatsApp Abused to Deliver Eternidade Stealer During the third week of November 2025, Microsoft Defender Experts (DEX) identified a WhatsApp platform abuse campaign that leverages a multi-stage infection chain and worm-like propagation techniques to distribute malware. The activity begins with the execution of an obfuscated Visual Basic script, which drops a malicious batch file that launches multiple PowerShell instances to download additional payloads from adversary-controlled command-and-control domains. These payloads include a Python script responsible for WhatsApp Web–based dissemination of the malware in a worm-like manner, as well as a malicious MSI installer that ultimately delivers the Eternidade Stealer. To ensure successful execution, the batch script also installs the required Python dependencies on the compromised system. The Python script establishes communication with a remote server and leverages the open-source project WPPConnect to automate message sending from hijacked WhatsApp accounts. As part of this process, it harvests the victim’s entire contact list while filtering out groups, business contacts, and broadcast lists. The malware then collects, for each contact, the associated WhatsApp phone number, name, and an indicator showing whether the contact is saved. This information is exfiltrated to an attacker-controlled server via an HTTP POST request. In the final stage of this propagation mechanism, the malware sends a malicious attachment to all harvested contacts, using a predefined messaging template populated with time-based greetings and contact names to increase the likelihood of interaction. The malicious MSI installer drops several components, including encrypted payload files with .dmp and .tda extensions, an AutoIt executable, and a script loader disguised as a .log file. Despite its benign appearance, the .log file functions as an AutoIt-based malicious script that conducts environment reconnaissance, performs anti-detection checks, and loads payloads in memory using large hex-encoded binary blobs to initialize native components. The encrypted .tda file acts as an injector and employs a process hollowing technique to execute the final payload. Specifically, the injector reads the .dmp file, decrypts the embedded payload, and injects the Eternidade Stealer into svchost.exe, allowing the malware to run stealthily under the guise of a trusted system process. Eternidade Stealer, a Delphi-based credential stealer, continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency exchanges and wallets. These include, but are not limited to, Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet, highlighting its focus on harvesting sensitive financial and cryptocurrency-related information Malicious Crystal PDF installer campaign In late September 2025, Microsoft Defender Experts (DEX) discovered a malicious campaign conducted by an unknown threat actor centered on an application masquerading as a PDF editor named Crystal PDF. The campaign leveraged malvertising and search engine optimization (SEO) poisoning techniques, using misleading advertisements to lure users into downloading a malicious payload. The attack chain begins when a user clicks the download button for the PDF editor on crystalpdf[.]com. The request is redirected to one of two actor-controlled domains, from which the CrystalPDF.exe payload is downloaded. Users most likely arrived at this website through deceptive advertisements distributed via Google Ads, which served as the primary lure for the campaign. Microsoft suspects that Google Ads were used based on the URL format observed in telemetry: hxxps://smartdwn[.]com/download?v=<GUID>&campaign_id=<ID#>&utm_source=google_b2b&subid=<domainSource>&kw=true&gad_source=5&gad_campaignid=<ID#>&gclid=<>. When CrystalPDF.exe is downloaded and executed on the device, it performs several actions to establish persistence and enable further activity. A copy of the CrystalPDF.exe payload is created in the AppData\Local\Temp\crys directory, and a malicious scheduled task is created to ensure continued execution on the compromised device. In addition, a second binary named Crystal PDF.exe (note the space in the filename) is dropped in the user’s Desktop folder. The attacker configures the payload to run daily at 7:15 AM local system time using a scheduled task named Crystal_updater. When triggered, this scheduled task launches the malicious CrystalPDF.exe, which initiates network connections to three command-and-control domains: negmari[.]com, ramiort[.]com, and strongdwn[.]com. The secondary executable, Crystal PDF.exe, stored in the Desktop directory, establishes network connections to multiple cloudconvert[.]com-related domains. CloudConvert is a legitimate service used to convert files into different formats, including converting various document types into PDF files. Analysis of this file indicates that it is a clean file and is designed to appear as a legitimate application that leverages CloudConvert to provide document-to-PDF conversion functionality. Despite presenting itself as a legitimate PDF conversion and merging tool, CrystalPDF.exe ultimately functions as an information stealer. It covertly hijacks Firefox and Chrome browsers and attempts to access sensitive files located in the AppData\Roaming directory, which stores user-specific configuration and profile data that must persist across sessions. This includes cookies and session data, sign-in and credential caches, and profile settings. By harvesting credentials, tokens, and session cookies stored in the browser, the attacker can bypass standard authentication mechanisms and impersonate the user to gain unauthorized access to accounts and services that the user is authorized to use. Mitigation and protection guidance Microsoft recommends the following mitigations to reduce the impact of trusted platform abuse used to deliver infostealers as discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR. Organizations can follow these recommendations to mitigate threats associated with this threat: Strengthen user awareness & execution safeguards Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts. Control outbound traffic & staging behavior Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources. Protect against cross‑platform payloads Harden endpoint defenses around LOLBIN abuse, such as wscript.exe executing Visual Basic scripts. Evaluate activity involving AutoIt and process hollowing, common in platform‑abuse campaigns. Microsoft also recommends the following mitigations to reduce the impact of this threat. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats. Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions. Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors: o Block execution of potentially obfuscated scripts o Block executable files from running unless they meet a prevalence, age, or trusted list criterion o Block JavaScript or VBScript from launching downloaded executable content Microsoft Defender XDR detections Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Tactic Observed activity Microsoft Defender coverage Execution - Payloads downloaded using PowerShell Microsoft Defender for Endpoint - Suspicious Powershell download or encoded command execution Persistence - Registry Run key created - Scheduled task created for recurring execution Microsoft Defender for Endpoint - Anomaly detected in ASEP registry - Suspicious Scheduled Task Launched Defense Evasion - Unauthorized code execution facilitated by DLL sideloading and process injection - Python script execution - Renamed AutoIT interpreter binary and AutoIT script Microsoft Defender for Endpoint - An executable file loaded an unexpected DLL file - A process was injected with potentially malicious code - Suspicious Python binary execution - Rename AutoIT tool Discovery - System information queried using WMI and Python Microsoft Defender for Endpoint - Suspicious System Hardware Discovery - Suspicious Process Discovery - Suspicious Security Software Discovery Threat intelligence reports Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Defender XDR Threat analytics Malicious Crystal PDF installer campaign Hunting queries Microsoft Defender XDR Microsoft Defender XDR customers can run the following queries to find related activity in their networks: Use the following queries to identify activity related to WhatsApp Abused to Deliver Eternidade Stealer // Identify the files dropped from the malicious VBS execution DeviceFileEvents | where InitiatingProcessCommandLine has_all ("Downloads",".vbs") | where FileName has_any (".zip",".lnk",".bat") and FolderPath has_all ("\\Temp\\") // Identify batch script launching powershell instances to drop payloads DeviceProcessEvents | where InitiatingProcessParentFileName == "wscript.exe" and InitiatingProcessCommandLine has_any ("instalar.bat","python_install.bat") | where ProcessCommandLine !has "conhost.exe" // Identify AutoIT executable invoking malicious AutoIT script DeviceProcessEvents | where InitiatingProcessCommandLine has ".log" and InitiatingProcessVersionInfoOriginalFileName == "Autoit3.exe" Use the following queries to identify activity related to Malicious CrystalPDF Installer Campaign // Identify network connections to C2 domains DeviceNetworkEvents | where InitiatingProcessVersionInfoOriginalFileName == "CrystalPDF.exe" // Identify scheduled task persistence DeviceEvents | where InitiatingProcessVersionInfoProductName == "CrystalPDF" | where ActionType == "ScheduledTaskCreated Indicators of compromise Indicator Type Description 2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1 3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433 5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6 bdd2b7236a110b04c288380ad56e8d7909411da93eed2921301206de0cb0dda1 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3 de07516f39845fb91d9b4f78abeb32933f39282540f8920fe6508057eedcbbea SHA-256 Payloads related to WhatsApp malware campaign 598da788600747cf3fa1f25cb4fa1e029eca1442316709c137690e645a0872bb 3bc62aca7b4f778dabb9ff7a90fdb43a4fdd4e0deec7917df58a18eb036fac6e c72f8207ce7aebf78c5b672b65aebc6e1b09d00a85100738aabb03d95d0e6a95 SHA-256 Payloads related to Malicious Crystal PDF installer campaign hxxps://empautlipa[.]com/altor/installer.msi URL Used to deliver VBS initial access payload (WhatsApp Abused to Deliver Eternidade Stealer) Negmari[.]com Ramiort[.]com Strongdwn[.]com Domain C2 servers (Malicious Crystal PDF installer campaign) Microsoft Sentinel Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. References Infostealers Strike Again: Malicious Installers Pass Through EDRs Undetected SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp Learn more For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.Hunting Infostealers - Python Stealers
In this next part of the “Hunting Infostealers” series, we’ll cover Python information stealers. The proliferation of Python stealers over the past year has become an escalating concern in the cybersecurity landscape. This gravitation towards Python is largely driven by the ease of use of the language and the availability of tools and frameworks which allow for quick development, even for individuals with limited knowledge of coding. Typically, Python infostealers are distributed via phishing emails to infiltrate systems. The sensitive information they collect includes, but is not limited to login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data. To evade detection, threat actors utilize legitimate services such as Telegram for command-and-control communications, obfuscate their code, and use signed and living off the land binaries. Due to the growing threat of Python-based infostealers, it is important that organizations protect their environment by being aware of the tactics, techniques, and procedures used by the threat actors who deploy this type of malware. One of the most notable Python-based infostealers seen in 2025 was PXA Stealer. It harvests sensitive data from infected systems such as login credentials, financial information, and browser data. It is linked to Vietnamese-speaking threat actors who target government and education entities. It is primarily delivered via phishing campaigns that use social engineering to trick users into downloading malicious files onto their computer. Throughout the blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers operating without borders. PXA Stealer: Campaign 1 In October 2025, Microsoft Defender Experts (DEX) identified a campaign involving PXA Stealer. The attack begins with a phishing email with a malicious URL. Some of the observed URLs contained in the emails were hxxp://concursal[.]macquet[.]de/uid_page=244739642061129 and hxxps://tickets[.]pfoten-prinz[.]de/uid_page=118759991475831. The URLs have the same format, but with different domain names and values for the uid_page key. When the user clicks the URL, they are taken to a blank web page that contains JavaScript to download a ZIP file from a remote location, such as allecos[.]de, once the page is fully loaded. The files contained in the ZIP file that are used to execute the next payload include an executable (renamed WinWord.exe) masquerading as a Word document with the same name as the ZIP file, a malicious DLL named msvcr100.dll, and several files used in a series of commands concatenated with “&&” that ultimately execute an obfuscated Python script that loads PXA Stealer and PureRAT. When the renamed WinWord.exe file is executed, msvcr100.dll is sideloaded which leads to the execution of the concatenated command line via cmd.exe. The command line does the following: opens a benign decoy Word document to delay the users’ suspicion and sandbox analysis, uses certutil.exe to decode a base64-encoded blob hidden in DA 성형외과 재무 보고서.pdf which results in a ZIP file named Invoice.pdf (contains Python environment, renamed Python interpreter named svchost.exe, and an obfuscated Python script named images.png), uses another file named images.png (renamed WinRAR.exe) to extract the contents of Invoice.pdf, deletes Invoices.pdf and the renamed WinRAR file, then uses svchost.exe (renamed pythonw.exe) to execute images.png with a Telegram bot identifier that’s used to fetch and execute the next payload. When images.png is executed, it creates a Registry Run key named Windows Update Service to re-execute itself when the user logs in. The script downloads PXA Stealer from urlvanish[.]com (URL shortener), which redirects to bagumedios[.]cloud, then executes the infostealer in its memory space. Before collecting information, the stealer downloads a DLL from Dropbox. The DLL is injected into a Chrome process to bypass Chrome’s App-Bound Encryption (ABE) so sensitive browser information can be stolen. After that, it collects the installed AV products and browser information such as login credentials, cookies, autofill data, and credit card information. That information is archived into a ZIP file with a file name that follows the format "[CountryCode_IPAddress] ComputerName.zip", then it’s exfiltrated using Telegram. Once the exfiltration is complete, images.png downloads another payload from hxxps://bagumedios[.]cloud/assets/media/others/ADN/pure and injects it into cvtres.exe. The payload is a commercially available remote access trojan named PureRAT which proceeds to connect to its command-and-control (C2) server 157.66.27[.]11 (located in Vietnam) over port 56001 after injection. After that, cvtres.exe uses WMI to collect installed AV products, connected cameras, and the Windows OS version. It sends the collected information to its C2 server. Chain PXA Stealer: Campaign 2 In late December 2025, DEX identified another PXA Stealer campaign. This attack also begins with a phishing email that delivers a ZIP archive that masquerades as a PDF, image, or Word document. Some similar TTPs were noted for the second campaign where the use of Living Off-the Land Binaries (LOLBINs) was invoked, such as certutil.exe. The Certutil application is a native Windows application that allows for displaying Certification Authority (CA) configuration information, configure Certificate Services, and backup and restore CA components. The program also verifies certificates, key pairs, and certificate chains. The capability used in Campaign 2 used the decode parameter in Certutil on an encoded PDF. The decoded PDF was then presented to an application with a file extension of “.png”. Further investigation of this application identified command line behavior typical to that of a WinRAR, with a password protected ZIP archive. This obfuscation allowed the application to continue to perform un-archiving steps, ultimately leading to python modules being loaded on the device. Once the Python modules were available, additional activity such as scheduled tasks were created paving the way for update scripts to be deployed on affected hosts. Communication to C2 infrastructure was then initiated through the svchost (Python interpreter) process to connect and transmit data to the attacker via hxxp://195.24.236[.]116/recover/getlink?id=sunset and hxxp://195.24.236[.]116/recover/links/sunset.txt Mitigation and protection guidance Microsoft recommends the following mitigations to reduce the impact of the Python‑based infostealers discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR. Organizations can follow these recommendations to mitigate threats associated with this threat: Strengthen user awareness & execution safeguards Educate users on social‑engineering lures, such as phishing emails. Control outbound traffic & staging behavior Inspect network egress for POST requests to newly registered or suspicious domains—a key indicator for Python‑based stealer campaigns. Detect transient creation of ZIP archives under ephemeral directories, followed by outbound exfiltration attempts. Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources. Protect against Python‑based stealers Harden endpoint defenses around LOLBIN abuse, such as certutil.exe decoding malicious payloads. Evaluate abnormal activity involving known processes and files with suspicious file extensions, such as a Python interpreter masquerading as svchost.exe executing a Python script disguised as a PNG file. Microsoft also recommends the following mitigations to reduce the impact of this threat. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats. Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions. Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors: o Block execution of potentially obfuscated scripts o Block executable files from running unless they meet a prevalence, age, or trusted list criterion o Block JavaScript or VBScript from launching downloaded executable content Microsoft Defender XDR detections Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Tactic Observed activity Microsoft Defender coverage Execution - Encoded PowerShell commands downloading payload Microsoft Defender for Endpoint - Suspicious Powershell download or encoded command execution - Suspicious script launched Persistence - Registry Run key created - Scheduled task created for recurring execution Microsoft Defender for Endpoint - Anomaly detected in ASEP registry - Suspicious Scheduled Task Launched Defense Evasion - Unauthorized code execution facilitated by DLL sideloading and process injection - Renamed Python interpreter executes obfuscated Python script - Decode payload with certutil Microsoft Defender for Endpoint - An executable file loaded an unexpected DLL file - A process was injected with potentially malicious code - Suspicious Python binary execution - Suspicious certutil activity Microsoft Defender Antivirus - Obfuse' malware was prevented (Trojan:Script/Obfuse!MSR) Credential Access - Credential and Secret Harvesting Microsoft Defender for Endpoint - Possible theft of passwords and other sensitive web browser information - Suspicious access of sensitive files - Suspicious process collected data from local system Discovery - Information queried using WMI and Python Microsoft Defender for Endpoint - Suspicious System Hardware Discovery - Suspicious Process Discovery - Suspicious Security Software Discovery - Suspicious Peripheral Device Discovery Collection - Sensitive browser information compressed into ZIP file for exfiltration Microsoft Defender for Endpoint - Compression of sensitive data - Suspicious Staging of Data - Suspicious archive creation Threat intelligence reports Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Defender XDR Threat analytics Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem From Custom Scripts to Commodity RATs: A Threat Actor’s Evolution to PureRAT Hunting queries Microsoft Defender XDR Microsoft Defender XDR customers can run the following queries to find related activity in their networks: Use the following queries to identify activity related to PXA Stealer: Campaign 1 // Identify activity initiated by renamed python binary DeviceProcessEvents | where InitiatingProcessFileName endswith "svchost.exe" | where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" // Identify network connections initiated by renamed python binary DeviceNetworkEvents | where InitiatingProcessFileName endswith "svchost.exe" | where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" Use the following queries to identify activity related to PXA Stealer: Campaign 2 // Identify malicious Process Execution activity DeviceProcessEvents | where ProcessCommandLine has_all ("-y","x",@"C:","Users","Public", ".pdf") and ProcessCommandLine has_any (".jpg",".png") // Identify suspicious process injection activity DeviceProcessEvents | where FileName == "cvtres.exe" | where InitiatingProcessFileName has "svchost.exe" | where InitiatingProcessFolderPath !contains "system32" Indicators of compromise Indicator Type Description 9d867ddb54f37592fa0ba1773323e2ba563f44b894c07ebfab4d0063baa6e777 SHA-256 Payloads related to PXA Stealer: Campaign 1 08a1f4566657a07688b905739055c2e352e316e38049487e5008fc3d1253d03b 5970d564b5b2f5a4723e548374d54b8f04728473a534655e52e5decef920e733 59855f0ec42546ce2b2e81686c1fbc51e90481c42489757ac03428c0daee6dfe a5b19195f61925ede76254aaad942e978464e93c7922ed6f064fab5aad901efc e7237b233fc6fda614e9e3c2eb3e03eeea94f4baf48fe8976dcc4bc9f528429e 59347a8b1841d33afdd70c443d1f3208dba47fe783d4c2015805bf5836cff315 e965eb96df16eac9266ad00d1087fce808ee29b5ee8310ac64650881bc81cf39 hxxps://allecos[.]de/Documentación_del_expediente_de_derechos_de_autor_del_socio.zip URL Used to deliver initial access ZIP file (PXA Stealer: Campaign 1) hxxps://bagumedios[.]cloud/assets/media/others/ADN/pure URL Used to deliver PureRAT payload (PXA Stealer: Campaign 1) hxxp://concursal[.]macquet[.]de/uid_page=244739642061129 URL URL contained in phishing email (PXA Stealer: Campaign 1) hxxps://tickets[.]pfoten-prinz[.]de/uid_page=118759991475831 hxxps://erik22[.]carrd.co URL Used in make network connection and subsequent redirection in (PXA Stealer: Campaign 2) hxxps://erik22jomk77[.]card.co URL Used in make network connection and subsequent redirection in (PXA Stealer: Campaign 2) 157.66.27[.]11 IP Address PureRAT C2 server (PXA Stealer: Campaign 1) 195.24.236[.]116 IP Address C2 server (PXA Stealer: Campaign 2) bagumedios[.]cloud Domain C2 server (PXA Stealer: Campaign 1) Microsoft Sentinel Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. References A Vietnamese threat actor's shift from PXA Stealer to PureRAT | Huntress Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | SentinelOne Information-Stealing Malware Distribution Campaign Using Emails Disguised as Copyright Infringement Notices – wizSafe Security Signal -Guideposts to Safety and Security- IIJ Learn more For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.Hunting Infostealers - macOS Threats
The “Hunting Infostealers” blog series covers the ever-evolving threat of infostealers. Infostealers have gone from simple credential theft to subscription-based threats (i.e., Malware-as-a-Service) driving modern cybercrime. Threat actors target sensitive information such as browser data, cookies, and session tokens that can later be used for account takeovers or to fuel data breaches, ransomware attacks, and supply chain attacks. In this blog series, Microsoft Defender Experts examine how modern infostealers operate across operating systems and delivery channels by blending into legitimate ecosystems and evading conventional defenses. In this first part of the series, we highlight the rise of macOS-specific infostealers—including families such as DigitStealer, MacSync, and Atomic macOS (AMOS)—that abuse native utilities, user-initiated execution flows, and social-engineering techniques like “ClickFix” installers to harvest credentials and sensitive data. Throughout the blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers. macOS Threats Since late 2025, Microsoft Defender Experts (DEX) has observed macOS targeted infostealer campaigns delivered through social engineering techniques, including ClickFix style prompts and malicious DMG downloads. These attacks rely on user interaction to initiate execution and are designed to steal credentials, session material, and infrastructure secrets that can enable account takeover, financial theft, and follow on compromise of cloud and developer resources. Once executed, the malware abuses trusted macOS functionality to collect a wide range of personal, financial, and enterprise related information. Stolen data can include browser authentication material, operating system credential stores, access keys used for cloud services, and artifacts commonly present on developer or administrator workstations. The potential impact of this threat extends beyond the infected device. Compromised credentials and session material can enable attackers to take over online accounts, access cloud and enterprise resources, steal cryptocurrency assets, and perform follow on intrusion activity without needing to maintain persistence on the original system. In organizational environments, this can lead to broader security incidents, including unauthorized access to internal services, cloud environments, or third-party platforms. DigitStealer In November 2025, Microsoft Defender Experts (DEX) identified a macOS infostealer campaign tracked as DigitStealer, delivered via a spoofed “DynamicLake” lure. The infection chain begins when users browse to a deceptive domain such as dynamiclake[.]org and download an unsigned disk image DynamicLake.dmg, then follow a “drag‑into‑Terminal” execution path that helps bypass Gatekeeper protections. Once mounted, DigitStealer executes a Bash-based dropper that uses native tooling (notably curl) to retrieve staged payloads from Cloudflare Pages such as hxxps://b93b559cf522386018e24069ff1a8b7a[.]pages[.]dev/703d2315783f48c0563836f02a3421ed.aspx. In subsequent stages, the malware performs host profiling with system_profiler and uses AppleScript/JXA to drive credential theft and collection, staging artifacts in temporary locations (commonly under /tmp) before compressing content into ZIP archives for outbound transfer. For exfiltration and C2, DigitStealer uses HTTPS POSTs to structured endpoints and API routes such as /api/grabber, /api/log, and /api/poll, where /api/poll is used for beaconing/tasking while upload routes handle stolen archives. Persistence is established via a macOS LaunchAgent, which can retrieve follow‑on instructions via DNS TXT records (observed use of dig + curl) and immediately execute newly fetched payloads via JXA. In higher‑value (crypto‑focused) scenarios, DigitStealer targets wallet workflows including Ledger Live, and has been observed manipulating user friction and visibility by suppressing prompts (TCC-related behavior) and tampering with wallet application assets (e.g., Ledger Live.app.asar) to facilitate hijacking. MacSync In December 2025, Microsoft Defender Experts (DEX) identified a fileless macOS infostealer campaign referred to as MacSync Stealer, commonly delivered via malvertising and ClickFix-style lures that instruct users to copy/paste commands into Terminal rather than running a traditional installer. DEX has broadly observed these macOS-targeted infostealer campaigns delivered through ClickFix prompts and malicious DMG downloads in late 2025. During observed MacSync activity, no standalone binaries are dropped. Instead, execution is driven by an in‑memory pipeline that invokes curl with TLS verification disabled, streaming the response directly through decoding/decompression (e.g., curl … | base64 -d | gunzip) without writing intermediate files to disk. This technique reduces disk artifacts and pushes detection toward process/network telemetry rather than file hashes. MacSync then leverages osascript to indirectly invoke shell execution (e.g., sh -c) to blend into legitimate macOS automation, while harvesting a wide set of artifacts across browsers and credential stores. High‑signal targeted files include Chrome databases (Cookies / Login Data / Web Data), Firefox stores (cookies.sqlite / logins.json / key4.db /cert9.db), macOS Keychains (*.keychain-db), and developer/cloud secrets including SSH keys, AWS credentials, Kubernetes config files, plus shell history such as .zsh_history.(Observed in telemetry write‑up you provided.) Staging and exfiltration are similarly low‑footprint: data is staged under /tmp using the pattern /tmp/sync[0-9]{7}, compressed using the built‑in ditto utility, and exfiltrated via HTTP POST to attacker infrastructure using a legitimate macOS browser user‑agent. Requests use custom headers (including an API key) to authenticate and manage tasking. Post‑exfiltration cleanup deletes staged directories, reinforcing the transient nature of the intrusion. Atomic Stealer (AMOS) In January 2026, Microsoft Defender Experts (DEX) observed active exploitation by Atomic macOS Stealer (AMOS), a highly automated and full‑featured macOS infostealer capable of progressing from initial user interaction to persistent command‑and‑control within minutes. Telemetry shows a modular, high‑throughput campaign optimized for credential harvesting, cryptocurrency theft, and long‑term operator control using exclusively native macOS tooling. Initial access was achieved through redirect‑based delivery chains that guided victims through multiple intermediary domains—alliai[.]com and alli‑ai[.]pro—before downloading a malicious disk image (AlliAi.dmg) hosted on newly registered infrastructure (ai[.]foqguzz[.]com). Upon execution, the unsigned application launched under App Translocation, indicating execution from an untrusted path and effectively bypassing Gatekeeper enforcement. Immediately after launch, the trojanized application executed its embedded binary (observed as FXSound) via xpcproxy, establishing outbound network connectivity to attacker‑controlled infrastructure (day.foqguzz[.]com) and spawning a staged Bash loader. The loader decoded and executed a Base64‑encoded script and used curl as an ingress tool transfer mechanism to retrieve next‑stage payloads from hxxp://217.119.139[.]117/d/dayd96331, completing a classic multi‑stage stager pattern. Once staged, AMOS executed a large modular AppleScript payload via osascript, driving extensive system discovery and data collection. Harvested artifacts included macOS Keychains (for example ~/Library/Keychains/login.keychain‑db), browser credentials and session data from Chrome, Edge, Safari, and Firefox (including SafariCookies.binarycookies), Apple Notes databases, desktop and document files, and deep inspection of browser‑based cryptocurrency wallets through IndexedDB enumeration and targeted extension directory scanning. System metadata was collected via system_profiler to uniquely identify compromised hosts and support operator tasking. Stolen data was staged under /tmp/17936/, compressed using the built‑in ditto utility into /tmp/out.zip, and exfiltrated via HTTP POST requests to hxxp://217.119.139[.]117/log. Exfiltration requests included custom headers—such as buildid, username, and cid—to uniquely identify victims and manage backend processing. AMOS incorporated retry logic and backoff mechanisms to ensure reliable data transfer before deleting local staging artifacts. For persistence, AMOS installed a root‑level LaunchDaemon (for example /Library/LaunchDaemons/com.<random>.plist) that re‑executed a Base64‑decoded AppleScript payload at system startup. This established a botnet‑style polling loop to endpoints such as /api/v1/bot/joinsystem/<botid>/<macOS_version> and /api/v1/bot/actions/<botid>, enabling operators to issue commands including doshell, repeat, enablesocks5, and uninstall. The observed activity demonstrates a mature macOS stealer architecture optimized for stealth, scalability, and continuous remote control. Shared Characteristics Across macOS Infostealer Campaigns Despite differences in tooling and maturity, DigitStealer, MacSync Stealer, and Atomic macOS (AMOS) exhibit a converging macOS infostealer tradecraft driven by user‑initiated execution, fileless delivery, and deep abuse of native macOS frameworks. All three campaigns rely on social engineering—such as malvertising, redirect chains, or ClickFix‑style prompts—to coerce users into mounting unsigned DMGs or executing commands directly in Terminal, effectively bypassing Gatekeeper through explicit user action. Payload delivery is predominantly fileless and multi‑stage, leveraging native utilities such as curl piped through Base64 decoding and decompression for in‑memory execution. Extensive use of AppleScript and JavaScript for Automation (JXA), alongside additional living‑off‑the‑land binaries (system_profiler, dscl, ditto, and shell interpreters), enables attackers to execute complex workflows while blending malicious activity into legitimate system automation. All three campaigns aggressively harvest credentials and sensitive artifacts from browsers, macOS Keychains, and developer or cloud environments, while explicitly probing cryptocurrency wallets to prioritize financially valuable victims. Stolen data is staged temporarily (commonly under /tmp), compressed using built‑in archiving utilities, and exfiltrated via HTTP or HTTPS POST requests that mimic legitimate browser traffic, followed by immediate cleanup. Where persistence is required, campaigns rely on LaunchAgents or LaunchDaemons and dynamic tasking mechanisms (such as C2 polling or DNS‑based updates) to maintain access without redeployment. Taken together, these behaviors highlight why macOS has become an increasingly attractive target: growing adoption in enterprise and developer environments, a rich set of built‑in automation and scripting capabilities that favor living‑off‑the‑land tradecraft, persistent user trust in installer and Terminal workflows, and the widespread presence of browser‑based and native cryptocurrency wallets on a single host. These factors have enabled the rise of scalable, high‑volume macOS infostealer ecosystems that rival traditional Windows‑centric campaigns in both sophistication and impact. Mitigation and protection guidance Microsoft recommends the following mitigations to reduce the impact of the macOS‑focused threats discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR. Organizations can follow these recommendations to mitigate threats associated with this threat: Strengthen user awareness & execution safeguards Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts common across macOS stealer campaigns such as DigitStealer, MacSync, and AMOS. Discourage installation of unsigned DMGs or unofficial “terminal‑fix” utilities; reinforce safe‑download practices for consumer and enterprise macOS systems. Harden macOS environments against native tool abuse Monitor for suspicious Terminal activity—especially execution flows involving curl, Base64 decoding, gunzip, osascript, or JXA invocation, which appear across all three macOS stealers. Detect patterns of fileless execution, such as in‑memory pipelines using curl | base64 -d | gunzip, or AppleScript‑driven system discovery and credential harvesting. Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data. Control outbound traffic & staging behavior Inspect network egress for POST requests to newly registered or suspicious domains—a key indicator for DigitStealer, MacSync, and AMOS. Detect transient creation of ZIP archives under /tmp or similar ephemeral directories, followed by outbound exfiltration attempts. Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources. Microsoft also recommends the following mitigations to reduce the impact of this threat. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. Enable real-time protection for macOS in Microsoft Defender Antivirus. Enable real-time behavior monitoring for macOS in Microsoft Defender Antivirus. Enable network protection for macOS in Microsoft Defender for Endpoint. Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions. Microsoft Defender XDR detections Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Tactic Observed activity Microsoft Defender coverage Execution - Execution of various commands and scripts via osascript and sh Microsoft Defender for Endpoint - Suspicious piped command launched - Suspicious AppleScript activity - Suspicious script launched Persistence - LaunchAgent or LaunchDaemon for recurring execution Microsoft Defender for Endpoint - Suspicious Pslist modifications - Suspicious launchctl tool activity Microsoft Defender Antivirus - Trojan:AtomicSteal.F Defense Evasion - Delete data staging directories Microsoft Defender for Endpoint - Suspicious path deletion Credential Access - Credential and Secret Harvesting - Cryptocurrency probing Microsoft Defender for Endpoint - Suspicious access of sensitive files - Suspicious process collected data from local system - Unix credentials were illegitimately accessed Collection - Sensitive browser information compressed into ZIP file for exfiltration Microsoft Defender for Endpoint - Compression of sensitive data - Suspicious Staging of Data - Suspicious archive creation Exfiltration - Exfiltration through curl Microsoft Defender for Endpoint - Suspicious file or content ingress - Network connection by osascript Threat intelligence reports Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Defender XDR Threat analytics From ClickFix to code signed: the quiet shift of MacSync Stealer malware MacSync infostealer campaigns leverage social engineering Hunting queries Microsoft Defender XDR Microsoft Defender XDR customers can run the following queries to find related activity in their networks: Use the following queries to identify activity related to DigitStealer // Identify suspicious DynamicLake disk image (.dmg) mounting DeviceProcessEvents | where FileName has_any ('mount_hfs', 'mount') | where ProcessCommandLine has_all ('-o nodev' , '-o quarantine') | where ProcessCommandLine contains '/Volumes/Install DynamicLake' // Identify data exfiltration to DigitStealer C2 API endpoints. DeviceProcessEvents | where InitiatingProcessFileName has_any ('bash', 'sh') | where ProcessCommandLine has_all ('curl', '--retry 10') | where ProcessCommandLine contains 'hwid=' | where ProcessCommandLine endswith "api/credentials" or ProcessCommandLine endswith "api/grabber" or ProcessCommandLine endswith "api/log" | extend APIEndpoint = extract(@"/api/([^\s]+)", 1, ProcessCommandLine) Use the following queries to identify activity related to MacSync // Identify exfiltration of staged data via curl DeviceProcessEvents | where InitiatingProcessFileName =~ "zsh" and FileName =~ "curl" | where ProcessCommandLine has_all ("curl -k -X POST -H", "api-key: ", "--max-time", "-F file=@/tmp/", ".zip", "-F buildtxd=") Use the following queries to identify activity related to Atomic Stealer (AMOS) // Identify suspicious AlliAi disk image (.dmg) mounting DeviceProcessEvents | where FileName has_any ('mount_hfs', 'mount') | where ProcessCommandLine has_all ('-o nodev', '-o quarantine') | where ProcessCommandLine contains '/Volumes/ALLI' Indicators of compromise Indicator Type Description 3e20ddb90291ac17cef9913edd5ba91cd95437da86e396757c9d871a82b1282a da99f7570b37ddb3d4ed650bc33fa9fbfb883753b2c212704c10f2df12c19f63 SHA-256 Payloads related to DigitStealer campaign 42d51feea16eac568989ab73906bbfdd41641ee3752596393a875f85ecf06417 SHA-256 Payload related to Atomic Stealer (AMOS) 217.119.139[.]117 IP Address AMOS C2 server (AMOS campaign) dynamiclake[.]org Domain Deceptive domain used to deliver unsigned disk image. (DigitStealer campaign) booksmagazinetx[.]com goldenticketsshop[.]com Domain C2 servers (DigitStealer campaign) b93b559cf522386018e24069ff1a8b7a[.]pages[.]dev 67e5143a9ca7d2240c137ef80f2641d6[.]pages[.]dev Domain CloudFlare Pages hosting payloads. (DigitStealer campaign) barbermoo[.]coupons barbermoo[.]fun barbermoo[.]shop barbermoo[.]space barbermoo[.]today barbermoo[.]top barbermoo[.]world barbermoo[.]xyz Domain C2 servers (MacSync Stealer campaign) alli-ai[.]pro Domain Deceptive domain that redirects user after CAPTCHA verification (AMOS campaign) ai[.]foqguzz[.]com Domain Redirected domain used to deliver unsigned disk image. (AMOS campaign) Day[.]foqguzz[.]com Domain C2 server (AMOS campaign) Microsoft Sentinel Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. References MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware — Jamf Threat Labs Learn more For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.1.1KViews0likes0CommentsSploitlight: Hunting Beyond the Patch
Many people aren’t aware that Microsoft security isn't just about Microsoft, it’s also about the platforms supporting the products we build. This means our reach extends across all operating systems: iOS, Android, Linux, and macOS! In early 2025 Microsoft disclosed CVE-2025-31199, a macOS vulnerability that abused Spotlight, macOS’s metadata importer framework to bypass Transparency, Consent, and Control (TCC). After the Defender team reported this to Apple, a patch was released that closed the hole. But, the underlying behavior behind the threat still matters to Microsoft! Once attackers learn that trusted macOS services can be redirected, they will reuse the method for nefarious purposes, so it is important to track them down. The next variant won’t look the same, and Spotlight is a commonly targeted service. [1] So, in this article, we teach you how to hunt beyond the patch! Why Hunt for Sploitlight Spotlight importers (.mdimporter) extend macOS indexing. They normally process metadata for search visibility. Attackers can twist that design to index protected files, extract sensitive data, or trigger code execution, perhaps with elevated system trust and privileges. Even with the patch in place, the same logic paths remain valuable targets for attackers. We recommend hunting for patterns around importers, indexing behavior, and TCC privileged binaries to help detect attempts to rebuild this chain of abuse. Advanced Hunting Queries (AHQs) 1. Detect Unusual Spotlight Importer Activity Looking for manual invocations of mdimport may tip you off to attacker activity DeviceProcessEvents |where ProcessCommandLine contains "mdimport" OR DeviceProcessEvents | where ProcessCommandLine contains "mdimport" | where isempty(extract(@"-(\w+)", 1, ProcessCommandLine)) == false | extend mdimportFlag = extract(@"-(\w+)", 1, ProcessCommandLine) | where mdimportFlag in~ ("r", "i", "t", "L") Why it’s important: A Spotlight plugin being developed or tested will be called from the command line using the mdimport utility. For a wide-sweeping query, just search for mdimport alone. However, to get more granular, you can search for it with common parameters such as "r", "i", "t", or "L". 2. Investigate Anomalous Spotlight Activity Use this query to monitor Spotlight activity in the background DeviceProcessEvents | where FileName in~ ("mdworker", "mdworker_shared") Why it’s important: The Advanced Hunting Portal creates timelines for you to quickly zoom in on abnormal behavior, and peaks can show when new Spotlight plugins are invoked. Defender Recommendations Establish a baseline of normal Spotlight activity before setting detection thresholds. Tag importer activity by TCC domain to surface unexpected access. Correlate unsigned importer drops with system events such as privilege escalation or installer execution. Deploy these AHQs in Microsoft Defender XDR or Sentinel for continuous telemetry review. The Bigger Picture The point isn’t to memorize CVEs. It’s to understand the logic that made them possible and look for it everywhere else. Threat actors don’t repeat exploits; they repeat success patterns. Visibility is the only real control. If a process touches data, moves it, or indexes it, it’s part of your attack surface. Treat it that way. 👉 Join the Defender Experts S.T.A.R. Forum to see Sploitlight detection strategies and live hunting demonstrations: Defender Experts Webinar Series [1] References: https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/ https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf https://newosxbook.com/home.html https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/Delivering more threat hunting insights with Microsoft Defender Experts’ newest capabilities
The cybersecurity threat landscape continues to evolve with novel attacks and techniques emerging each day. Microsoft Defender Experts for Hunting, included with Microsoft Defender Experts for XDR, helps security teams stay ahead of evolving attacks by providing proactive threat hunting, powered by Microsoft’s vast threat intelligence with 100 trillion daily signals processed by over 10,000 experts. To date, our managed threat hunting reports have provided details about the hunts we conduct after observing suspicious activity, with full attack summary details provided for verified threats (also known as Defender Experts Notifications). Today, we are excited to announce the general availability of new capabilities that deliver deeper hunting context to our customers. More specifically, we will provide greater insight into each hunt we carry out—not just the ones that result in verified threats. And we’ll also give our customers visibility into the hypothesis-based hunts we conduct on their behalf. Introducing investigation summaries for the hunts we conduct Each hunt we conduct tells a story, even when no active threat is found. So, to keep you informed, you will now receive an investigation summary to go along with nearly each hunt we conduct in their environment—regardless of whether a confirmed threat was found. This summary will detail what we hunted for, why we hunted for it, and how we reached our final determination. Beyond transparency, these summaries provide assurance that we thoroughly hunted down the threat and that your defenses remain intact. They help validate your security posture and, when applicable, highlight any previously uncovered threats during the process. Even in cases where no threat is detected, you can analyze our hunt summaries to be tangibly assured that we are continuously hunting on your behalf—keeping you informed, prepared, and ahead of new risks. New Emerging threats section of the Defender Experts for Hunting report Our threat hunters constantly analyze substantial amounts of threat intelligence to hunt for new and emerging techniques. To share this information with you, we are unveiling a new section of our report titled “Emerging threats” which details the proactive, hypothesis-based hunts we’ve conducted in your environment. These hunts focus on tactics that adversaries are just beginning to adopt, meaning they might bypass traditional detection mechanisms. This section will provide a title briefly describing each emerging threat, the severity we’ve ascribed to it, its relevant threat category, and most importantly, whether we’ve identified any evidence of impact in your environment. Additionally, by clicking into the hunt, you’ll see when we started and ended our hunt for the threat, along with a full investigation summary detailing our hunt. By surfacing these emerging threat hunts, we give you visibility into how we’re anticipating attacker behavior, validating your defenses against cutting-edge techniques, and identifying relevant suspicious activity before significant exploitation. Conclusion With these new capabilities, Microsoft Defender Experts for Hunting goes beyond detection to deliver transparency, assurance, and proactive defense. By surfacing investigation summaries and emerging threat insights, we help security teams validate their defenses, anticipate attacker tactics, and stay ahead of evolving risks. You can access these new capabilities by visiting your Hunting report, located in the Defender portal. To learn more about our hunting service, visit our Microsoft Defender Experts for Hunting page, read our hunting documentation, or watch our explainer video. To learn more about our managed XDR service, visit our Microsoft Defender Experts for XDR page, or read our XDR documentation. You can also visit our Tech Community discussion space to ask questions, engage in conversations, and share your expertise and feedback. What's next? Join us at Microsoft Ignite in San Francisco on November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Security is a core focus at Ignite this year, with the Security Forum on November 17th, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners Featured sessions BRK237: Identity Under Siege: Modern ITDR from Microsoft Join experts in Identity and Security to hear how Microsoft is streamlining collaboration across teams and helping customers better protect, detect, and respond to threats targeting your identity fabric. BRK240 – Endpoint security in the AI era: What's new in Defender Discover how Microsoft Defender’s AI-powered endpoint security empowers you to do more, better, faster. BRK236 – Your SOC’s ally against cyber threats, Microsoft Defender Experts See how Defender Experts detect, halt, and manage threats for you, with real-world outcomes and demos. LAB541 – Defend against threats with Microsoft Defender Get hands-on with Defender for Office 365 and Defender for Endpoint, from onboarding devices to advanced attack mitigation. Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity. Why attend? Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense. Security Forum—Make day 0 count (November 17) Kick off with an immersive, in person preday focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >How Microsoft Defender Experts and partners like Quorum Cyber are redefining cybersecurity teamwork
In today’s rapidly evolving threat landscape, cybersecurity demands more than just great technology—it requires great teamwork. That’s the story behind the collaboration between Microsoft Defender Experts and MXDR partner, Quorum Cyber, joining forces to deliver end-to-end threat protection for organizations worldwide. Microsoft-verified MXDR partner Microsoft Defender Experts recognized the need for partner-led managed services to complement their first-party MDR (Managed Detection and Response) service. Quorum Cyber is a trusted Microsoft solutions partner and MSSP of the Year. They are also a Microsoft-verified MDR partner, which means they passed Microsoft’s validation process to deliver services using Microsoft’s security technologies. Quorum Cyber complements Microsoft Defender Experts, MDR services with additional security operations center (SOC) capabilities, extended coverage, non-Microsoft telemetry, and 3rd party domain expertise. “Quorum Cyber’s reputation for customer focus and security expertise made them the ideal Microsoft-verified MDR partner.” – Vivek Kumar, Microsoft “We saw Defender Experts as a way to extend our reach and deliver even more value to customers. It wasn’t about replacing—it was about enhancing.” – Ricky Simpson, Quorum Cyber Why teamwork matters The Microsoft-verified MDR partner program was born out of a shared mission: to provide holistic, customer-led security solutions to address the growing security needs of organizations worldwide. Today, cyber security needs to be a team sport. Organizations that provide security services, like Microsoft’s Defender Experts and Quorum Cyber, need to join together with customers to defend an ever-expanding attack surface against today’s sophisticated threats. Facing the modern threat landscape together From skill shortages to complex attacks, organizations need security providers who can adapt and collaborate. “Hackers only need to get it right once while SecOps needs to get it right every time. Customers need an end-to-end security solution to eliminate gaps and strengthen vulnerabilities. No single provider can address the needs of every organization—everywhere. Only teamwork can get the job done.” – Vivek Kumar, Microsoft How MDR providers working together is important for CISOs and other security leaders Meeting real-world challenges Modern SecOps must navigate an increasingly complex and multifaceted threat landscape. One of the most pressing challenges is the global shortage of cybersecurity professionals. Although the security workforce has grown by 9%, the gap has widened even further, with nearly 4.8 million additional professionals needed to adequately protect organizations last year. ¹ Meanwhile, adversaries are becoming more sophisticated and agile. They work in groups, using many individuals who process deep domain expertise is executing various attack techniques and tactics. In May 2024 alone, Microsoft Defender XDR detected over 176,000 incidents involving tampering with security settings, impacting more than 5,600 organizations. ² That surge in threat activity coincides with a pivotal moment in technological evolution as organizations rapidly scale cloud operations and explore the transformative potential of generative AI. These innovations, while powerful, also expand the attack surface and the likelihood of gaps and vulnerabilities. Comprehensive coverage across security domains Microsoft Defender Experts brings deep integration across Microsoft’s ecosystem and manages incidents across Microsoft Defender products (Endpoint, Office 365, Identity, Cloud Apps, and Defender for Cloud/Servers). Quorum Cyber, a Microsoft-verified partner, offers flexibility and specialized coverage to extend beyond Microsoft Defender Experts. “What is so exciting about this approach, is that together, we created a layered defense strategy that’s greater than the sum of its parts and provides coverage for nearly all of the customers’ environment. Microsoft SDM/SecDeliveryExperts worked together with Quorum Cyber to create a nearly seamless, unified defense strategy. They not only help to eliminate the skills gap but are designed to scale easily to address nearly any volume of sophisticated threats.” – Sebastien Molendijk, Microsoft With shared tooling, real-time communication, and complementary expertise, this teamwork eliminates blind spots and delivers coverage across an environment that includes non-Defender Experts supported technology such as 3rd party and legacy systems, custom applications, IoT, firewalls, network gear, and more. Additionally, the combined telemetry for all covered systems, Defender Experts and Quorum Cyber, enriches incident context and improves detection accuracy and hunting. Real-world impact – Customer success stories Proactive threat hunting is a core component of Defender Experts. Experts are not just cross-checking Indicators of Compromise (IOCs) against the environment or only validating them against known tactics, techniques, and procedures (TTPs). The hunting approach is differentiated by the 78T signals and hundreds of tracked threat actors. The intelligence informing Microsoft hunts spans across nation state, criminal activity, evolving vulnerabilities, and newly observed behaviors. That is something Defender Experts can uniquely provide customers. One of many customer examples of this teamwork involved an organization already engaged with Quorum Cyber MDR for Microsoft E5 services. When Defender Experts engaged with the customer, the two teams co-created a solution tailored to meet the CISOs needs by combining Quorum Cyber’s analytics and monitoring with Defender Expert’s proactive threat hunting. That not only expanded coverage but provided the customer with both proactive and reactive services across nearly their entire environment. Another example is adversary in the middle alerts, Defender Experts performs the investigation of malicious QR codes and then escalates to Quorum Cyber if malicious activity is observed. Quorum Cyber then takes delegated authority to reset the user's password, revokes their sessions, and takes other actions as needed. Unique services Collaboration is more than Quorum Cyber and Microsoft working as one. Quorum Cyber develops unique services including their data security service – Clarity Data. This service handles incidents generated via Microsoft Purview - DLP and IRM. It includes Quorum Cyber’s 24/7 365 SOC services to address those incidents without interfering with security signals being addressed by other analysts. Operational flexibility Customers have the option to divide responsibilities. For example, Microsoft manages Defender-specific alerts and Quorum Cyber manages alerts from all the other tools. Guided response playbooks allow Microsoft Defender Experts and Quorum Cyber teams to work as one to perform containment and remediation across workstreams. “We built solutions from scratch, keeping customer outcomes at the center. The results are frictionless, powerful security models that address unique customer needs.” – Ricky Simpson, Quorum Cyber Overcoming challenges, building trust, working as one Like building any team, there were hurdles. From workflow alignment to incident handoffs, mutual respect and a shared commitment to customer satisfaction paved the way to building frictionless workstreams. Teamwork thrived on technical integration. Because Defender Experts is built atop the Microsoft Defender portal and Microsoft Graph, the service is inherently designed for seamless collaboration. When Defender Experts assigns incidents, initiates proactive threat hunts, publishes investigation notes, or executes one-click remediation actions, those activities are fully integrated into both the Defender user experience and the Graph API. That integration enables Quorum Cyber to synchronize directly with those workflows, allowing their teams to operate within their existing toolsets while customers receive real-time updates and final resolutions through platforms such as Microsoft Defender, Sentinel, or their ITSM systems. A notable example is the ‘real-time chat’ feature within Defender Experts, which is architected to support joint participation from both customers and partners like Quorum Cyber—ensuring transparency and responsiveness throughout the incident lifecycle. That level of tooling integration is essential to delivering a unified experience. Customers benefit from the deep expertise of Defender Experts, the broad coverage of a trusted partner like Quorum Cyber, and the operational efficiency of a tightly connected security services ecosystem. It truly represents the best of both worlds. “Defender Experts’ use of Microsoft Graph and Defender Portal enabled seamless incident sharing, real-time chat, and synchronized updates across platforms. Live dashboards from Defender Experts offer a clear, prioritized view of incidents. That allowed Defender Experts and Quorum Cyber to work as one team to keep customers secure and do that quickly and efficiently.” – Ricky Simpson, Quorum Cyber The bigger picture – innovation and growth This partnership isn’t just about solving today’s problems—it’s about shaping the future. It has opened doors for Quorum Cyber to expand into new service areas, like managed data security, while reinforcing Microsoft’s commitment to flexible, scalable security solutions. Customers don’t have to choose between Microsoft and their trusted MDR provider like Quorum Cyber—they can have both. By combining Microsoft Defender Experts with MDR providers like Quorum Cyber, organizations gain a flexible, scalable, and deeply integrated security strategy that adapts to their unique needs and can grow as they grow. Whether you're augmenting your SOC, expanding global coverage, or navigating a transition, this “better together” model ensures your security operations are resilient, responsive, and ready for what’s next. “We’ve proven, and our customer agree, that first-party and partner-led services can coexist and thrive together.” – Ricky Simpson, Quorum Cyber “Customers get the best of both worlds—expertise from Defender Experts and coverage from Quorum Cyber, all delivered as it should be—in a timely and seamless way.” – Vivek Kumar, Microsoft In summary – Microsoft Defender Experts and Quorum Cyber – the benefits are clear End-to-End Threat Protection – Combines Microsoft Defender capabilities with Quorum Cyber extended SOC services and third-party telemetry. Comprehensive Coverage –Protects both Microsoft and non-Microsoft environments, including legacy systems, IoT, and custom applications. Proactive and Reactive Security –Integrates threat hunting with incident response for full-spectrum defense. Operational Flexibility –Allows tailored division of responsibilities and coordinated remediation through guided playbooks. Real-Time Collaboration –Enables seamless communication and incident management via shared tooling, dashboards, and chat features. Advanced Threat Intelligence –Leverages Microsoft’s 78T signals and threat actor tracking, with partner TI, to enrich incident context and improve detection. Complementary Services –For example, Quorum Cyber’s Clarity Data service handles Microsoft Purview incidents without disrupting other security workflows. Unified Customer Experience –Delivers frictionless, scalable, and resilient security operations through deep integration and mutual trust. Learn more If you like this blog, and would like to learn more, see this insightful webinar for more details The Better Together Story of Defender Experts and Quorum Cyber - Quorum Cyber And listen to what these experts from Quorum Cyber and Microsoft have to say about the benefits of ‘Better Together.’ Ricky Simpson | LinkedIn Paul Caiazzo | LinkedIn Scott McManus | LinkedIn Raae Wolfram | LinkedIn Sebastien Molendijk | LinkedIn Henry Yan | LinkedIn Vivek Kumar | LinkedIn Next Steps For organizations considering a multi-provider strategy, the message is clear: collaboration works. Microsoft Defender Experts and Quorum Cyber show that when service providers align around customer needs, the results are transformative. “Microsoft Security has got you covered—whether through Defender Experts, partners like Quorum Cyber, or both.” – Vivek Kumar, Microsoft Ready to strengthen your cyber resilience, Join the conversation through Microsoft’s public webinar series Explore the CTI community Reach out to learn more about how this partnership can support your organization. Sources ¹ ISC2-2024-Cybersecurity-Workforce-Study ² Microsoft Digital Defense Report 2024476Views0likes0CommentsCloud forensics: Why enabling Microsoft Azure Storage Account logs matters
Co-authors - Christoph Dreymann - Shiva P Introduction Azure Storage Accounts are frequently targeted by threat actors. Their goal is to exfiltrate sensitive data to an external infrastructure under their control. Because diagnostic logging is not always fully enabled by default, valuable evidence of their malicious actions may be lost. With this blog, we will explore realistic attack scenarios and demonstrate the types of artifacts those activities generate. By properly enabling Microsoft Azure Storage Account logs investigators gain a better understanding of the scope of the incident. The information can also provide guidance for remediating the environment and on preventing data theft from occurring again. Storage Account A Storage Account provides scalable, secure, and highly available storage for storing and managing data objects. Due to the variety of sensitive data that can be stored, it is another highly valued target by a threat actor. Threat actors exploit misconfigurations, weak access controls, and leaked credentials to gain unauthorized access. Key risks include Shared Access Signature token (SAS) misuse that allows threat actors to access or modify exposed blob storages. Storage Account key exposure could grant privileged access to the data plane. Investigating storage-related security incidents requires familiarity with Azure activity logs and Diagnostic logs. Diagnostic log types for Storage accounts are StorageBlob, StorageFile, StorageQueue, and StorageTable. These logs can help identify unusual access patterns, role changes, and unauthorized SAS token generation. This blog is centered around StorageBlob activity logs. Storage Account logging The logs for a Storage Account aren’t enabled by default. These logs capture operations, requests, and use such as read, write, and delete actions/requests on storage objects like blobs, queues, files, or tables. NOTE: There are no license requirements to enable Storage Account logging, but Log Analytics charges based on ingestion and retention (Pricing - Azure Monitor | Microsoft Azure) For more information on enabling logging for a Storage Account can be found here. Notable fields The log entries contain various fields which are of use not only during or after an incident, but for general monitoring of a storage account during normal operations (for a full list, see what data is available in the Storage Logs). Once the storage log is enabled, one of the key tables within Log Analytics is StorageBlobLogs, which provides details about blob storage operations, including read, write, and delete actions. Key columns such as OperationName, AuthenticationType, StatusText, and UserAgentHeader capture essential information about these activities. The OperationName field identifies operations on a storage account, such as “PutBlob” for uploads or “DeleteBlob” and “DeleteFile” for deletions. The UserAgentHeader fields offer valuable insights into the tools used to access a Blob storage. Accessing blob storages through the Azure portal is typically logged with a generic user agent, which indicates the application used to perform the access, such as a web browser like Mozilla Firefox. In contrast, tools like AzCopy or Microsoft Azure Storage Explorer are explicitly identified in the logs. Analyzing the UserAgentHeader provides crucial details about the access method, helping determine how the blob storage was accessed. The following table includes additional investigation fields, Field name Description TimeGenerated [UTC] The date and time of the operation request. AccountName Name of the Storage account. OperationName Name of the operation. A detailed list of for StorageBlob operation can be found here. AuthenticationType The type of authentication that was used to make this request. StatusCode The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown. StatusText The status of the requested operation. Uri Uniform resource identifier that is requested. CallerIpAddress The IP address of the requester, including the port number. UserAgentHeader The User-Agent header value. ObjectKey Provides the path of the object requested. RequesterUpn User Principal Name of the requester. AuthenticationHash Hash of the authentication token used during a request. Request authenticated with SAS token includes a SAS signature specifying the hash derived from the signature part of the SAS token. For a full list, see what data is available in the Storage Logs. How a threat actor can access a Storage Account Threat actors can access the Storage Account through Azure-assigned RBAC, a SAS token (including User delegated SAS token), Azure Storage Account Keys and Anonymous Access (if configured). Storage Account Access Keys Azure Storage Account Access Keys are shared secrets that enable full access to Azure storage resources. When creating a storage account, Azure generates two access keys, both can be used for authentication with the storage account. These keys are permanent and do not have an expiration date. Both Storage Account Owners and roles such as Contributor or any other role with the assigned action of Microsoft.Storage/storageAccounts/listKeys/action can retrieve and use these credentials to access the storage account. Account Access Keys can be rotated/regenerated but if done unintentionally, it could disrupt applications or services dependent on the key for authentication. Additionally, this action invalidates any SAS tokens derived from that key, potentially revoking access to dependent workflows. Monitoring key rotations can help detect unexpected changes and mitigate disruptions. Query: This query can help identify instances of account key rotations in the logs AzureActivity | where OperationNameValue has "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" | where ActivityStatusValue has "Start" | extend resource = parse_json(todynamic(Properties).resource) | extend requestBody = parse_json(todynamic(Properties).requestbody) | project TimeGenerated, OperationNameValue, resource, requestBody, Caller, CallerIpAddress Shared Access Signature SAS tokens offer a granular method for controlling access to Azure storage resources. SAS tokens enable specific permitted actions on a resource and their duration. They can be generated for blobs, queues, tables, and file shares within a storage account, providing precise control over data access. A SAS token allows access via a signed URL. A Storage Account Owner can generate a SAS token and connection strings for various resources within the storage account (e.g., blobs, containers, tables) without restrictions. Additionally, roles with Microsoft.Storage/storageAccounts/listKeys/action rights can also generate SAS tokens. SAS tokens enable access to storage resources using tools such as Azure Storage Explorer, Azure CLI, or PowerShell. It is important to note that the logs do not indicate when a SAS token was generated [How a shared access signature works]. However, their usage can be inferred by tracking configuration changes that enable the use of storage account keys option which is disabled by default. Figure 1: Configuration setting to enable account key access Query: This query is designed to detect configuration changes made to enable access via storage account keys AzureActivity | where OperationNameValue has "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" | where ActivityStatusValue has "Success" | extend allowSharedKeyAccess = parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).allowSharedKeyAccess | where allowSharedKeyAccess == "true" User delegated Shared Access Signature A User Delegation SAS is a type of SAS token that is secured using Microsoft Entra ID credentials rather than the storage account key. For more details see Authorize a user delegation SAS. To request a SAS token using the user delegation key, the identity must possess the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action (see Assign permissions with RBAC). Azure Role-Based Access Control A threat actor must identify a target (an identity) that can assign roles or already holds specific RBAC roles. To assign Azure RBAC roles, an identity must have Microsoft.Authorization/roleAssignments/write, which allows the assignment of roles necessary for accessing storage accounts. Some examples of roles that provide permissions to access data within Storage Account (see Azure built-in roles for blob): Storage Account Contributor (Read, Write, Manage Access) Storage Blob Data Contributor (Read, Write) Storage Blob Data Owner (Read, Write, Manage Access) Storage Blob Data Reader (Read Only) Additionally, to access blob data in the Azure portal, a user must also be assigned the Reader role (see Assign an Azure role). More information about Azure built-in roles for a Storage Account can be found here Azure built-in roles for Storage. Anonymous Access If the storage account configuration 'Allow Blob anonymous access' is set to enabled and a container is created with anonymous read access, a threat actor could access the storage contents from the internet without any authorization. Figure 2: Configuration settings for Blob anonymous access and container-level anonymous access. Query: This query helps identify successful configuration changes to enable anonymous access AzureActivity | join kind=rightouter (AzureActivity | where TimeGenerated > ago(30d) | where OperationNameValue has "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" | where Properties has "allowBlobPublicAccess" | extend ProperTies = parse_json(Properties) | evaluate bag_unpack(ProperTies) | extend allowBlobPublicAccess = todynamic(requestbody).properties["allowBlobPublicAccess"] | where allowBlobPublicAccess has "true" | summarize by CorrelationId) on CorrelationId | extend ProperTies = parse_json(Properties) | evaluate bag_unpack(ProperTies) | extend allowBlobPublicAccess_req = todynamic(requestbody).properties["allowBlobPublicAccess"] | extend allowBlobPublicAccess_res = todynamic(responseBody).properties["allowBlobPublicAccess"] | extend allowBlobPublicAccess = case (allowBlobPublicAccess_req!="", allowBlobPublicAccess_req, allowBlobPublicAccess_res!="", allowBlobPublicAccess_res, "") | project OperationNameValue, ActivityStatusValue, ResourceGroup, allowBlobPublicAccess, Caller, CallerIpAddress, ResourceProviderValue Key notes regarding the authentication methods When a user accesses Azure Blob Storage via the Azure portal, the interaction is authenticated using OAuth and is authorized by the Azure RBAC roles configuration for the given user. In contrast, authentication using Azure Storage Explorer and AzCopy depends on the method used: If a user interactively signs in via the Azure portal or utilizes the Device code flow, authentication appears as OAuth based. When using a SAS token, authentication is recorded as SAS-based for both tools. Access via Azure RBAC is logged in Entra ID Sign-in Logs, however, activity related to SAS token usage does not appear in the sign-in logs, as it provides pre-authorized access. Log analysis should consider all operations, since initial actions can reveal the true authentication method even OAuth-based access may show as SAS in logs. The screenshot below illustrates three distinct cases, each showcasing different patterns of authentication types used when accessing storage resources. A SAS token is consistently used across various operations, where the SAS token is the primary access method. The example below highlighted as ‘2’ demonstrates a similar pattern, with OAuth (using assigned Azure RBAC role) serving as the primary authentication method for all listed operations. Lastly, example number ‘3’, Operations start with OAuth authentication (using an assigned Azure RBAC role for authorization) and then uses a SAS token, indicating mixed authentication types. Figure 3: Different patterns of authentication types Additionally, when using certain applications such as Azure Storage Explorer with Account Access Keys authentication, the initial operations such as ListContainers and ListBlob are logged with the authentication type reported as “AccountKey”. However, for subsequent actions like file uploads or downloads, the authentication type switches to SAS in the logs. To accurately determine whether an Account Access Keys or SAS was used, it's important to correlate these actions with the earlier enumeration or sync activity within the logs. With this understanding, let’s proceed to analyze specific attack scenarios by utilizing the log analytics, such as the StorageBlobLogs table. Attack scenario This section will examine the typical steps that a threat actor might take when targeting a Storage Account. We will specifically focus on the Azure Resource Manager layer, where Azure RBAC initially dictates what a threat actor can discover. Enumeration During enumeration, a threat actor’s goal is to map out the available storage accounts. The range of this discovery is decided by the access privileges of a compromised identity. If that identity holds at least a minimum level of access (similar to a Reader) at the subscription level, it can view storage account resources without making any modifications. Importantly, this permission level does not grant access to the actual data stored within the Azure Storage itself. Hence, a threat actor is limited to interacting only with those storage accounts that are visible to them. To access and download files from Blob Storage, a threat actor must be aware of the names of containers (Operation: ListContainers) and the files within those containers (Operation: ListBlobs). All interactions with these storage elements are recorded in the StorageBlobLogs table. Containers or blobs in a container can be listed by a threat actor with the appropriate access rights. If access is not authorized, attempts to do so will result in error codes shown in the StatusCode field. A high number of unauthorized attempts resulting in errors would be a key indicator of suspicious activity or misconfiguration. Figure 4: Failure attempts to list blobs/containers Query: This query serves as a starting point for detecting a spike in unauthorized attempts to enumerate containers, blobs, files, or queues union Storage* | extend StatusCodeLong = tolong(StatusCode) | where OperationName has_any ("ListBlobs", "ListContainers", "ListFiles", "ListQueues") | summarize MinTime = min(TimeGenerated), MaxTime = max(TimeGenerated), OperationCount = count(), UnauthorizedAccess = countif(StatusCodeLong >= 400), OperationNames = make_set(OperationName), ErrorStatusCodes = make_set_if(StatusCode, StatusCodeLong >= 400), StorageAccountName = make_set(AccountName) by CallerIpAddress | where UnauthorizedAccess > 0 Note: The UnauthorizedAccess filter attribute must be adjusted based on your environment. Data exfiltration Let’s use the StorageBlobLogs to analyze two different attack scenarios. Scenario 1: Compromised user has access to a storage account In this scenario, the threat actor either compromises a user account with access to one or more storage accounts or alternatively, obtains a leaked Account Access Key or SAS token. With a compromised identity, the threat actor can either enumerate all storage accounts the user has permissions to (as covered in enumeration) or directly access a specific blob or container if the leaked key grants scoped access. Account Access Keys (AccountKey)/SAS tokens The threat actor might either use the storage account’s access keys or SAS token retrieved through the compromised user account provided they have the appropriate permissions or the leaked key itself may already be either an Account access key or SAS token. Access keys grant complete control while SAS key can generate a time-bound access, to authorize data transfers enabling them to view, upload, or download data at will. Figure 5: Account key used to download/view data Figure 6: SAS token used to download/view data Query: This query helps identify cases where an AccountKey/SAS was used to download/view data from a storage account StorageBlobLogs | where OperationName has "GetBlob" | where AuthenticationType in~ ("AccountKey", "SAS") | where StatusText in~ ("Success", "AnonymousSuccess", "SASSuccess") | project TimeGenerated, AccountName, OperationName, RequesterUpn, AuthenticationType, Uri, ObjectKey, StatusText, UserAgentHeader, CallerIpAddress, AuthenticationHash User Delegation SAS Available for Blob Storage only, a User Delegation SAS functions similar to a SAS but is protected with Microsoft Entra ID credentials rather than the storage account key. The creation of a User Delegation SAS is tracked as a corresponding "GetUserDelegationKey" log entry in StorageBlobLogs table. Figure 7: User-Delegation Key created Query: This query helps identify creation of a User-Delegation Key. The RequesterUpn provides the identity of the user account creating this key. StorageBlobLogs | where OperationName has "GetUserDelegationKey" | where StatusText in~ ("Success", "AnonymousSuccess", "SASSuccess") | project TimeGenerated, AccountName, OperationName, RequesterUpn, Uri, CallerIpAddress, ObjectKey, AuthenticationType, StatusCode, StatusText Figure 8: User-Delegation activity to download/read Query: This query helps identify cases where a download/read action was initiated while authenticated via a User delegation key StorageBlobLogs | where AuthenticationType has "DelegationSas" | where OperationName has "GetBlob" | where StatusText in~ ("Success", "AnonymousSuccess", "SASSuccess") | project Type, TimeGenerated, OperationName, AccountName, UserAgentHeader, ObjectKey, AuthenticationType, StatusCode, CallerIpAddress, Uri The operation "GetUserDelegationKey" within the StorageBlobLogs captures the identity responsible for generating a User Delegation SAS token. The AuthenticationHash field shows the Key used to sign the SAS token. When the SAS token is used, any operations will include the same SAS signature hash enabling you to correlate various actions performed using this token even if the originating IP addresses differ. Query: The following query extracts a SAS signature hash from the AuthenticationHash field. This helps to track the token's usage, providing an audit trail to identify potentially malicious activity. StorageBlobLogs | where AuthenticationType has "DelegationSas" | extend SasSHASignature = extract(@"SasSignature\((.*?)\)", 1, AuthenticationHash) | project Type, TimeGenerated, OperationName, AccountName, UserAgentHeader, ObjectKey, AuthenticationType, StatusCode, CallerIpAddress In the next scenario, we examine how a threat actor already in control of a compromised identity uses Azure RBAC to assign permissions. With administrative privileges over a storage account, the threat actor can grant access to additional accounts and establish long-term access to the storage accounts. Scenario 2: A user account is controlled by the threat actor and has elevated access to the Storage Account An identity named Bob was identified as compromised due to an unauthorized IP login. The investigation triggers when Azure Sign-in logs reveal logins originating from an unexpected location. This account has owner permissions for a resource group, allowing full access and role assignments in Azure RBAC. The threat actor grants access to another account they control, as shown in the AzureActivity logs. The AzureActivity logs in the figure below show that Reader, Data Access, and Storage Account Contributor roles were assigned to Hacker2 for a Storage Account within Azure: Figure 9: Assigning a role to a user Query: This query helps identify if a role has been assigned to a user AzureActivity | where Caller has "Bob" | where OperationNameValue has "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" | extend RoleDefintionIDProperties = parse_json(Properties) | evaluate bag_unpack(RoleDefintionIDProperties) | extend RoleDefinitionIdExtracted = tostring(todynamic(requestbody).Properties.RoleDefinitionId) | extend RoleDefinitionIdExtracted = extract(@"roleDefinitions/([a-f0-9-]+)", 1, RoleDefinitionIdExtracted) | extend RequestedRole = case( RoleDefinitionIdExtracted == "ba92f5b4-2d11-453d-a403-e96b0029c9fe", "Storage Blob Data Contributor", RoleDefinitionIdExtracted == "b7e6dc6d-f1e8-4753-8033-0f276bb0955b", "Storage Blob Data Owner", RoleDefinitionIdExtracted == "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "Storage Blob Data Reader", RoleDefinitionIdExtracted == "db58b8e5-c6ad-4a2a-8342-4190687cbf4a", "Storage Blob Delegator", RoleDefinitionIdExtracted == "c12c1c16-33a1-487b-954d-41c89c60f349", "Reader and Data Access", RoleDefinitionIdExtracted == "17d1049b-9a84-46fb-8f53-869881c3d3ab","Storage Account Contributor", "") | extend roleAssignmentScope = tostring(todynamic(Authorization_d).evidence.roleAssignmentScope) | extend AuthorizedFor = tostring(todynamic(requestbody).Properties.PrincipalId) | extend AuthorizedType = tostring(todynamic(requestbody).Properties.PrincipalType) | project TimeGenerated, RequestedRole, roleAssignmentScope, ActivityStatusValue, Caller, CallerIpAddress, CategoryValue, ResourceProviderValue, AuthorizedFor, AuthorizedType Note: Refer to this resource for additional Azure in-built role IDs that can be used in this query. The Sign-in logs indicate that Hacker2 successfully accessed Azure from the same malicious IP address. We can examine StorageBlobLogs to determine if the user accessed data of the blob storage since specific roles related to the Storage Account were assigned to them. The activities within the blob storage indicate several entries attributed to the Hacker2 user, as shown in the figure below. Figure 10: User access to blob storage Query: This query helps identify access to blob storage from a malicious IP StorageBlobLogs | where TimeGenerated > ago (30d) | where CallerIpAddress has {{IPv4}} | extend ObjectName= ObjectKey | project TimeGenerated, AccountName, OperationName, AuthenticationType, StatusCode, StatusText, RequesterUpn, CallerIpAddress, UserAgentHeader, ObjectName, Category An analysis of the StorageBlobLogs, as shown in the figure below, reveals that Hacker2 performed a "StorageRead" operation on three files. This indicates that data was accessed or downloaded from blob storage. Figure 11: Blob Storage Read/Download activities The UserAgentHeader suggests that the storage account was accessed through the Azure portal. Consequently, the SignInLogs can offer further detailed information. Query: This query checks for read, write, or delete operations in blob storage and their access methods, StorageBlobLogs | where TimeGenerated > ago(30d) | where CallerIpAddress has {{IPv4}} | where OperationName has_any ("PutBlob", "GetBlob", "DeleteBlob") and StatusText == "Success" | extend Notes = case( OperationName == "PutBlob" and Category == "StorageWrite" and UserAgentHeader has "Microsoft Azure Storage Explorer", "Blob was written through Azure Storage Explorer", OperationName == "PutBlob" and Category == "StorageWrite" and UserAgentHeader has "AzCopy", "Blob was written through AzCopy Command", OperationName == "PutBlob" and Category == "StorageWrite" and not(UserAgentHeader has_any("AzCopy","Microsoft Azure Storage Explorer")), "Blob was written through Azure portal", OperationName == "GetBlob" and Category == "StorageRead" and UserAgentHeader has "Microsoft Azure Storage Explorer", "Blob was Read/Download through Azure Storage Explorer", OperationName == "GetBlob" and Category == "StorageRead" and UserAgentHeader has "AzCopy", "Blob was Read/Download through AzCopy Command", OperationName == "GetBlob" and Category == "StorageRead" and not(UserAgentHeader has_any("AzCopy","Microsoft Azure Storage Explorer")), "Blob was Read/Download through Azure portal", OperationName == "DeleteBlob" and Category == "StorageDelete" and UserAgentHeader has "Microsoft Azure Storage Explorer", "Blob was deleted through Azure Storage Explorer", OperationName == "DeleteBlob" and Category == "StorageDelete" and UserAgentHeader has "AzCopy", "Blob was deleted through AzCopy Command", OperationName == "DeleteBlob" and Category == "StorageDelete" and not(UserAgentHeader has_any("AzCopy","Microsoft Azure Storage Explorer")), "Blob was deleted through Azure portal","") | project TimeGenerated, AccountName, OperationName, AuthenticationType, StatusCode, CallerIpAddress, ObjectName=ObjectKey, Category, RequesterUpn, Notes The log analysis confirms that the threat actor successfully extracted data from a storage account. Storage Account summary Detecting misuse within a Storage Account can be challenging, as routine operations may hide malicious activities. However, enabling logging is essential for investigation to help track accesses, especially when compromised identities or misused SAS tokens or keys are involved. Unusual changes in user permissions and irregularities in role assignments which are documented in the Azure Activity Logs, can signal unauthorized access, while Microsoft Entra ID sign-in logs can help identify compromised UPNs and suspicious IP addresses that ties into OAuth-based storage account access. By thoroughly analyzing Storage Account logs which details operation types and access methods, investigators can identify abuse and determine the scope of compromise. That not only helps when remediating the environment but can also provide guidance on preventing unauthorized data theft from occurring again.4.2KViews2likes0CommentsPost-breach browser abuse: a new frontier for threat actors
Co-authors - Raae Wolfram | Sam Gardener Once an attacker has gained access to a system, the browser becomes a rich source of credentials, a platform for persistence, and a stealthy channel for data exfiltration. This blog outlines key abuse techniques and provides actionable detection strategies using Microsoft Defender for Endpoint and Microsoft Defender XDR. Why browsers matter after the breach Post-compromise, browsers offer attackers: Access to credentials (cookies, tokens, autofill data) Control over peripherals (camera, microphone, location) A trusted execution environment for evasion A platform for persistence via extensions or debugging interfaces These capabilities make browsers a high-value target even after initial access has been achieved. Key abuse techniques and detection strategies 1. Credential theft via memory scraping Attackers can extract sensitive data directly from browser memory using tools like Mimikittenz. Security team members can proactively hunt for threats with advanced hunting in Microsoft Defender. Advanced hunting detection query: let PROCESS_VM_READ=0x0010; DeviceEvents | where ActionType == "OpenProcessApiCall" and FileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe") | project FileName, InitiatingProcessFileName, DesiredAccess=tolong(parse_json(AdditionalFields).DesiredAccess) | where binary_and(DesiredAccess, PROCESS_VM_READ) != 0 Learn more at about hunting queries: Overview - Advanced hunting - Microsoft Defender XDR | Microsoft Learn 2. TLS key logging for passive credential capture Setting the SSLKEYLOGFILE environment variable allows attackers to dump TLS pre-master secrets, enabling decryption of HTTPS traffic. Detection query: DeviceRegistryEvents | where RegistryKey =~ @"SYSTEM\CurrentControlSet\Control\Session Manager\Environment" and RegistryValueName =~ "SSLKEYLOGFILE" 3. Remote debugging port abuse Chromium-based browsers support remote debugging via WebSocket. Attackers can launch browsers with flags like --remote-debugging-port and control them programmatically. Detection queries: DeviceProcessEvents | where FileName in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe") and ProcessCommandLine contains "--remote" DeviceNetworkEvents | where RemotePort in (9222, 9223, 9229) | where RemoteIP == "127.0.0.1" | where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe") DeviceProcessEvents | where FileName has_any ("chrome", "msedge", "brave", "opera") and ProcessCommandLine contains "--remote" 4. Persistence via malicious extensions Attackers can sideload or auto-update malicious extensions using enterprise policies or developer mode. Detection queries: DeviceProcessEvents | where ProcessCommandLine has "--load-extension" | where FileName in~ ("chrome.exe", "msedge.exe") DeviceRegistryEvents | where RegistryKey has "ExtensionInstallForcelist" | where RegistryValueData has_any ("http", "crx") 5. Anomalous child process spawning Unexpected child processes from browsers may indicate injection, persistence, or evasion. Detection query: DeviceProcessEvents | where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", “brave.exe”, “opera.exe”) | where FileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe") Recommendations for defenders: Monitor for debugging flags in browser launch commands. Alert on unexpected registry or file modifications related to extensions. Track environment variable usage that affects browser behavior. Investigate RWX memory pages in browser processes. Use Defender for Endpoint to correlate these signals with broader attack chains. Conclusion Post-breach browser abuse is a growing concern that blends stealth, persistence, and credential access into a single threat vector. By understanding these techniques and implementing the detection strategies outlined above, defenders can close a critical visibility gap and better protect their environments. See what our experts have to say. Watch the recorded webinar, download the presentation - and learn more about - Post-Breach Browsers: The Hidden Threat You’re Overlooking.Welcome to the Microsoft Defender Experts Ninja Hub!
Updated August 11, 2025 Microsoft Defender Experts for XDR Microsoft Defender Experts for XDR is a managed extended detection and response (MXDR) service that triages, investigates, and responds to incidents for you to help stop cyberattackers and prevent future compromise. Defender Experts for XDR delivers human expertise to security teams quickly to help address coverage gaps and augment their overall security operations. The documentation links below provide more information on the service, requirements, and FAQs: What is Microsoft Defender Experts for XDR offering | Microsoft Learn Before you begin using Defender Experts for XDR | Microsoft Learn Get started with Microsoft Defender Experts for XDR | Microsoft Learn How to use the Microsoft Defender Experts for XDR service | Microsoft Learn Communicating with Microsoft Defender Experts | Microsoft Learn How to search the audit logs for actions performed by Defender Experts | Microsoft Learn Additional information related to Defender Experts for XDR | Microsoft Learn FAQs related to Microsoft Defender Experts for XDR | Microsoft Learn What is third-party network signal enrichment in Microsoft Defender Experts for XDR?| Microsoft Learn Microsoft Defender Experts for Hunting Microsoft Defender Experts for Hunting , which is included with Defender Experts for XDR or offered separately, proactively looks for threats 24/7/365 using unparalleled visibility of cross-domain telemetry and leading threat intelligence to extend your team’s threat hunting capabilities and improve overall SOC response. The documentation links below provide more information on the service, requirements, and reporting: What is Microsoft Defender Experts for Hunting offering | Microsoft Learn Key infrastructure requirements for Microsoft Defender Experts for Hunting | Microsoft Learn How to subscribe to Microsoft Defender Experts for Hunting | Microsoft Learn Understand the Defender Experts for Hunting report in Microsoft Defender XDR | Microsoft Learn Ninja Show episodes featuring Defender Experts Season 7, Episode 8: Day in the life of a SOC analyst Season 5, Episode 5: Improve your security posture with Microsoft Defender Experts for XDR Season 3, Episode 4: Defender Experts for Hunting Overview On-demand event sessions and webinars featuring Defender Experts RSAC 2025 (NEW): Bolser your SOC with Microsoft's Managed Extended Detection and Response (MXDR) Webinar: MDR and Generative AI: Better Together - A conversation with guest speaker Jeff Pollard Defender Experts videos Explainer Video: Microsoft Defender Experts for XDR Explainer Video (NEW): Microsoft Defender Experts for Hunting Video: Adversary in the Middle Hunting Story Video: Get started with onboarding | Microsoft Defender Experts for XDR Video: Get started with managed response | Microsoft Defender Experts for XDR Video: Get started with reporting | Microsoft Defender Experts for XDR Deep dives from the Microsoft Security blog featuring Defender Experts Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team Detecting and mitigating a multi-stage AiTM phishing and BEC campaign Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks One way Microsoft Defender Experts for Hunting prioritizes customer defense Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack Podcasts Microsoft Security Insights Show Episode 218: Michael Melone Microsoft Security insights Show Episode 198: Raae Wolfram Microsoft Security Insights Show Episode 181: Brian Hooper and Phoebe Rogers: A day in the life of a Defender Experts for XDR analyst Microsoft Security Insights Show Episode 168: Steve Lee, Defender Experts To learn more about Defender Experts, click here.1.1KViews1like0CommentsHow Microsoft Defender Experts uses AI to cut through the noise
Microsoft Defender Experts manages and investigates incidents for some of the world’s largest organizations. We understand the challenges facing our customers and are always looking for ways to respond quicker and scale our services to meet their needs. Teaching AI to think like a security expert We're leveraging AI to help Defender Experts expand our services and respond even faster to threats facing our customers. AI-based incident classification allows us to filter noise up front without compromising on detecting real threats. This AI-based capability is trained by security experts, built for precision, and designed to scale and act at speed. Our approach doesn't just rely on static rules or traditional filtering. Instead, our AI is powered by insights from hundreds of thousands of real investigations conducted by Defender Experts security analysts. These investigations form a goldmine of expert knowledge—how analysts think, what signals they trust, and how they separate benign and false positives from true threats. We use historical intelligence to evaluate each new incident. AI-based incident classification looks at various signals, such as evidence, tenant details, context from IOCs, and TI information. It assigns a similarity score based on those signals. By using a similarity algorithm, the AI-based system compares each new incident to known outcomes from the past—deciding whether it closely resembles true positives, false positives, or is benign. At a certain threshold, it confidently assigns the grade. If the pattern matches past false positives, the system de-grades the incident as noise. If the pattern looks similar to a known higher-risk threat, it escalates it faster. This helps us focus first on what matters most— true, actionable threats, which results in quicker response times for our customers. Human-centric and safe We know that trust is everything in cybersecurity. So even though AI helps us filter noise, we've built guardrails to make sure no real threats are missed: Tiered decisioning: Incidents that are classified as noise are reviewed by Defender Expert analysts to ensure they match the classification and other criteria for noise. Feedback loops: For continuous learning, anything classified as noise is sent to an analyst for validation so that there are no accidental misses of true threats. The feedback from them continuously improves the system. Transparency: classification decisions are visible, helping analysts understand why something is marked as noise or not. This approach strikes the right balance. AI does the heavy lifting up front, and our human security experts remain firmly in control of what is investigated. Quicker response for our customers AI-based incident classification in Defender Experts: 50% of noise is automatically triaged by AI-based incident classification with 100% precision Our experts respond faster to meaningful threats to our customer’s environment. “We no longer waste time chasing dead ends. The system helps us focus on what truly matters and our customers appreciate how quickly we can respond.” — Defender Experts Tier2 Analyst What’s next? We’re continuing to refine this system with more granular risk scoring per entity, deeper tenant-based similarity correlation, IOC based weightage, and additional real-time feedback from Defender Experts analysts. Final thoughts AI alone isn’t the answer—but AI guided by experts is a force multiplier. With AI-based incident classification, Defender Experts is showing what the future of SOCs can look like: faster, smarter, safer, and scalable. AI-based classification has helped reduce 50% of the noise from the analyst queue with 100% accuracy, saving analyst time so they can focus on what matters most. If you're a Defender Experts customer, you’re already seeing the benefit of quicker response times to true security threats. If you're a security leader struggling with alert overload, Microsoft Defender Experts for XDR, Microsoft’s MXDR (managed extended detection and response) service, can deliver around the clock, expert-led protection. For more information, please visit Microsoft Defender Experts for XDR | Microsoft Security670Views3likes0Comments