Protect Copilot Studio AI Agents in Real Time with Microsoft Defender
Building AI agents has never been easier. Platforms like Microsoft Copilot Studio democratize the creation of AI agents and empower non-technical users to build intelligent agents that automate tasks and streamline business processes. These agents can answer questions, orchestrate complex tasks, and integrate with enterprise systems to boost productivity and creativity. Organizations are embracing a future where every team has AI agents working alongside them to increase efficiency and responsiveness. While AI agents unlock exciting new possibilities, they also introduce new security risks, most notably prompt injection attacks and a broader attack surface. Attackers are already testing ways to exploit them, such as abusing tool permissions, sneaking in malicious instructions, or tricking agents into sharing sensitive data. Prompt injection is especially concerning because it happens when an attacker feeds an agent malicious inputs to override the agent’s intended behavior. These risks aren’t due to flaws in Copilot Studio or any single platform — they’re a natural challenge that comes with democratizing AI development. As more people build and deploy agents, strong, real-time protection will be critical to keeping them secure. To help organizations safely unlock the potential of generative AI, Microsoft Defender has introduced innovations ranging from shadow AI discovery to out-of-the-box threat protection for both pre-built and custom-built generative AI apps. Today, we’re excited to take the next step in securing AI agents: Microsoft Defender now delivers real-time protection during agent runtime for AI agents built with Copilot Studio. It automatically stops agents from executing unsafe actions during runtime if suspicious behavior, such as a prompt injection attack attempt, is detected and notifies security teams with a detailed alert in the Defender portal. Defender’s AI agent runtime protection is part of our broader approach to securing Copilot Studio AI agents, as outlined in this blog post. Monitor AI agent runtime activities and detect prompt injection attacks Prompt injections are particularly dangerous because they exploit the very AI logic that powers these agents. A well-crafted input can trick an agent’s underlying language model into ignoring its safety guardrails or revealing secrets it was supposed to keep. With thousands of agents operating and interacting with external inputs, the risk of prompt injection is not theoretical - it’s a pressing concern that grows with every new agent deployed. The new real-time protection for AI agents built with Copilot Studio adds a safety net at the most critical point when the agent is running and acting. It helps safeguard AI agents during their operation, reducing the chance that malicious inputs can exploit them during runtime. Microsoft Defender now monitors agent tool invocation calls in real time. If a suspicious or high-risk action is detected, such as a known prompt injection pattern, the action is blocked before it is executed. The agent halts processing and informs the user that their request was blocked due to a security risk. For example, if an HR chatbot agent is tricked by a hidden prompt to send out confidential salary information, Defender will detect this unauthorized action and block it before any tool is invoked. Investigate suspicious agent behaviors in a unified experience See the full attack story, not just the alerts. Today’s attacks are targeted and multi‑stage. When Defender stops risky Copilot Studio AI agent activity at runtime, it raises an alert - and immediately begins correlating related signals across email, endpoints, identities, apps, and cloud into a single incident. That builds the complete attack narrative, often before anyone even opens the queue, so the SOC can see how they’re being targeted and what to do next. In the Microsoft Defender portal, incidents arrive enriched with timelines, entity relationships, relevant TTPs, and threat intelligence. Automated investigation and response gathers evidence, determines scope, and recommends or executes remediation to cut triage time. With Security Copilot embedded, analysts get instant incident summaries, guided response and hunting in natural language, and contextualize threat intelligence to accelerate deeper analysis and stay ahead of threats. If you use Microsoft Sentinel, the unified SOC experience brings Defender XDR incidents together with third‑party data. And with the new Microsoft Sentinel data lake (preview), teams can retain and analyze years of security data in one place, then hunt across that history using natural‑language prompts that Copilot translates to KQL. Because runtime protection already stops the unsafe actions of Copilot Studio AI agents, most single alerts don’t require immediate intervention. But the SOC still needs to know when they’re being persistently targeted. Defender automatically flags emerging patterns, such as sustained activity from the same actor or technique, and, when warranted and a supporting scenario like ransomware, can trigger automatic attack disruption to contain active threats while analysts' review. For Copilot Studio builders, Defender extends the same protection to AI agents: real‑time runtime protection helps prevent unsafe actions and prompt‑injection attempts, and detections are automatically correlated and investigated, without moving data outside a trusted, industry‑leading XDR. By embedding security into the runtime of AI agents, Microsoft Defender helps organizations embrace the full potential of Copilot Studio while maintaining the trust and control they need. Real-time protection during agent runtime is a foundational step in Microsoft’s journey to secure the future of AI agents, laying the foundation for more advanced capabilities coming soon to Microsoft Defender. It reflects our belief that innovation and security go hand in hand. With this new capability, organizations can feel more confident using AI agents, knowing that Microsoft Defender is monitoring in real time to keep their environments protected. Learn more: Read the blog to learn more about securing Copilot Studio agents Check the documentation to learn how Defender blocks agent tool invocation in real time Explore how to build and customize agents with Copilot Studio Agent BuilderMonthly news - August 2025
Microsoft Defender XDR Monthly news - August 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender Microsoft Sentinel is moving to the Microsoft Defender portal to deliver a unified, AI-powered security operations experience. Many customers have already made the move. Learn how to plan your transition and take advantage of new capabilities in the this blog post. Introducing Microsoft Sentinel data lake. We announced a significant expansion of Microsoft Sentinel’s capabilities through the introduction of Sentinel data lake, now rolling out in public preview. Read this blog post for a look at some of Sentinel data lake’s core features. (Public Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant. (Public Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken. Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel. Microsoft Sentinel’s new Summary Rules Templates offer a structured and efficient approach to aggregating verbose data - enabling security teams to extract meaningful insights while optimizing resource usage. Automating Microsoft Sentinel: Playbook Fundamentals. This is the third entry of the blog series on automating Microsoft Sentinel. In this post, we’re going to start talking about Playbooks which can be used for automating just about anything. Customer success story: Kuwait Credit Bank boosts threat detection and response with Microsoft Defender. To modernize its security posture, the bank unified its security operations under Microsoft Defender XDR, integrating Microsoft Sentinel and Microsoft Purview. Microsoft Defender for Cloud Apps App Governance is now also available in Brazil, Sweden, Norway, Switzerland, South Africa, South Korea, Arab Emirates and Asia Pacific. For more details, see our documentation.. Updated network requirements for GCC and Gov customers. To support ongoing security enhancements and maintain service availability, Defender for Cloud Apps now requires updated firewall configurations for customers in GCC and Gov environments. To avoid service disruption, take action by August 25, 2025, and update your firewall configuration as described here. Discover and govern ChatGPT and other AI apps accessing Microsoft 365 with Defender for Cloud Apps. In this blog post, we’ll explore how Defender for Cloud Apps helps security teams gain enhanced visibility into the permissions granted to AI applications like ChatGPT as they access Microsoft 365 data. We’ll also share best practices for app governance to help security teams make informed decisions and take proactive steps to enable secure usage of AI apps accessing Microsoft 365 data. Microsoft Defender for Endpoint (General Availability) Microsoft Defender Core service is now generally available on Windows Server 2019 or later which helps with the stability and performance of Microsoft Defender Antivirus. Microsoft Defender for Identity Expanded coverage in ITDR deployment health widget. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure. Time limit added to Recommended test mode. Recommended test mode configuration on the Adjust alert thresholds page, now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied. Identity scoping is now available in Governance environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. New security posture assessments for unmonitored identity servers. Defender for Identity has three new security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored. Learn more in our documentation. Microsoft Defender for Office 365 Protection against multi-modal attacks with Microsoft Defender. This blog post showcases how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal. Users can report external and intra-org Microsoft Teams messages from chats, standard and private channels, meeting conversations to Microsoft, the specified reporting mailbox, or both via user reported settings. Microsoft Security Blogs Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats. Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability. Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence. Disrupting active exploitation of on-premises SharePoint vulnerabilities. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.
Discover risks in AI model providers and MCP servers with Microsoft Defender
AI model providers and Model Context Protocol (MCP) are being adopted at an unprecedented pace. As these new AI tools become deeply integrated into business operations and bring endless opportunities for productivity, security must not be ignored. MCP and AI model providers enable seamless communication between AI agents, tools, and models - but this convenience comes with significant security risks. MCP can expose sensitive information to unverified context providers, creating data leaks, malicious agent chaining, and supply chain attacks - all without consistent logging or enforcement. Microsoft Defender is expanding its capabilities to protect AI MCP use across the enterprise. Building on recent enhancements in Microsoft Defender for Cloud which now provides visibility into containers running MCP across AWS, GCP, and Azure, we're now adding support in Microsoft Defender for Cloud Apps to help security teams discover, manage, and protect not only generative AI apps, but also AI model providers and MCP servers. As AI tools spread, so does shadow AI - unauthorized or unmanaged use of AI tools that bypass IT and security controls. MCP servers and AI model providers explained MCP servers take productivity a step further by enabling AI to operate in real-time context. As intelligent intermediaries, MCP servers connect models to live enterprise data and applications - standardizing interactions and removing silos between tools, systems, and information. This unlocks the full potential of AI: not just generating insights, but acting autonomously, adapting to business conditions, and streamlining operations without any human in the loop. SaaS-based AI model providers are services that deliver sophisticated AI capabilities through simple APIs, allowing companies to integrate intelligence without massive infrastructure investments or specialized machine learning expertise. However, as productivity evolves, unauthorized or unmanaged use of AI tools that bypass IT and security controls evolve too. Software engineering teams can easily configure the AI model provider or MCP server to an unsanctioned one in their AI code assistant. These integrations can inadvertently expose sensitive information, violate compliance policies, or introduce threats like tool shadowing and prompt injections. As AI becomes deeply embedded across the enterprise, visibility and governance must keep pace to ensure security is never compromised. How Microsoft Defender secures the use of AI model providers and MCP servers Based on an extensive customer survey with large enterprises, we now understand the first step to securing AI use is gaining visibility into which of these services are in use across the organization. The cloud app catalog already provides a comprehensive list of over 35,000 discoverable cloud apps. It helps analyze traffic logs, gain visibility into cloud use, and assess the risk posture of these apps to manage security and compliance effectively. The catalog includes detailed risk parameters, such as data handling practices, authentication methods, and integration scopes. Starting today, the catalog has expanded to include AI model providers and MCP servers, enabling security teams to assess usage patterns and understand the risk posture of each. In addition to this expanded catalog, we aim to provide more security insights to customers, based on customer feedback on AI model providers and MCP servers, to help reduce the risks they introduce. Furthermore, if you're hosting your own MCP server Defender for Cloud, AI Security Posture Management can help you discover all MCP servers hosted across multi-cloud environments, identify misconfigurations and vulnerabilities in the AI application and agents using them, and prioritize remediation process based on attack path analysis. Microsoft Defender now helps you discover, monitor, and govern the use of AI model providers and MCP servers - giving you visibility, control, and protection against shadow AI risks with automated policies and real-time enforcement. Learn more How to use Microsoft Defender for Cloud Apps to stay safe in the Gen AI era Check out our website to learn more about Defender for Cloud Apps Not a customer, yet? Start a free trial today Visit our Cloud App Catalog documentation Learn more about AI Security Posture Management (AI-SPM)Monthly news - July 2025
Microsoft Defender XDR Monthly news - July 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender (General Availability) In advanced hunting, Microsoft Defender portal users can now use the adx() operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you're already in Microsoft Defender. Learn more on our docs. Introducing TITAN powered recommendations in Security Copilot guided response. This blog post explains the power of Guided Response with Security Copilot and and the integration of Threat Intelligence Tracking via Adaptive Networks (TITAN). (General Availability) Case management now supports multiple tenants in Microsoft Defender experience. We’re excited to share that multi-tenant support is now generally available in our case management experience. This new capability empowers security teams to view and manage incidents across all their tenants from a single, unified interface—directly within the Microsoft Defender Multi-Tenant (MTO) portal. You can read this blog for more information. Microsoft Defender for Cloud Apps (General Availability) The Behaviors data type significantly enhances overall threat detection accuracy by reducing alerts on generic anomalies and surfacing alerts only when observed patterns align with real security scenarios. This data type is now generally available. Learn more on how to use Behaviors and new detections in this blog post. New Dynamic Threat Detection model. Defender for Cloud Apps new dynamic threat detection model continuously adapts to the ever-changing SaaS apps threat landscape. This approach ensures your organization remains protected with up-to-date detection logic without the need for manual policy updates or reconfiguration. Microsoft Defender for Endpoint (General Availability) Global exclusions on Linux are now generally available. We just published a new blog post, that discussed how you can manage global exclusion policies for Linux across both AV and EDR. (General Availability) Support for Alma Linux and Rocky Linux is now generally available for Linux. (General Availability) Behavior monitoring on macOS is now generally available. Read this blog post to learn more about it and how it improves the early detection and prevention of suspicious and malicious activities targeting macOS users. (Public Preview) Selective Isolation allows you to exclude specific devices, processes, IP addresses, or services from isolation actions. More details in this blog post "Maintain connectivity for essential services with selective network isolation" Microsoft Defender for Identity (Public Preview) Domain-based scoping for Active Directory is now available in public preview. This new capability enables SOC analysts to define and refine the scope of Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis. Read this announcement blog for more details. (Public Preview) Defender for Identity is extending its identity protection to protect Okta identities, that’s in addition to the already robust protection for on-premises Active Directory and Entra ID identities. For more details, have a look at this announcement blog post. Microsoft Defender for Office 365 Introducing the Defender for Office 365 ICES Vendor Ecosystem - a unified framework that enables seamless integration with trusted third-party vendors. Learn more about this exciting announcement in this blog post. (General Availability) Auto-Remediation of malicious messages in Automated Investigation and Response is now generally available. Have a look at this detailed blog post on how it works. Mail bombing is now an available Detection technology value in Threat Explorer, the Email entity page, and the Email summary panel. Mail bombing is also an available DetectionMethods value in Advanced Hunting. For more information, see MC1096885. AI-powered Submissions Response introduces generative AI explanations for admin email submissions to Microsoft. For more information, see Submission result definitions. Microsoft Security Exposure Management (Public Preview) Enhanced External Attack Surface Management integration with Exposure Management. This new integration allows you to incorporate detailed external attack surface data from Defender External Attack Surface Management into Exposure Management. Learn more on our docs. Microsoft Security Blogs Unveiling RIFT: Enhancing Rust malware analysis through pattern matching As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry. Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. Threat Analytics (Access to the Defender Portal needed) Tool Profile: Qilin ransomware. Qilin (also called Agenda) is a ransomware as a service (RaaS) offering that was first observed in 2022. It has been used by multiple cybercriminal groups, including Pistachio Tempest, Octo Tempest, and most recently Moonstone Sleet. While the ransom attacks appear to be opportunistic rather than targeted, they have had notable impacts against healthcare and media companies. Activity Profile: Emerald Sleet using QR codes for credential harvesting. In May 2025, Microsoft Threat Intelligence observed the North Korean threat actor that Microsoft tracks as Emerald Sleet using QR (quick response) codes designed to lure recipients to credential-harvesting sites in phishing emails. Vulnerability profile: CVE-2025-34028 – Commvault Command Center Innovation Release. According to the National Institute of Standards and Technology (NIST), “the Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.” Activity Profile: Forest Blizzard trojanizes Ukraine software to deliver new variant of Blipslide downloader. Since March, Microsoft Threat intelligence observed the Russian military intelligence threat actor Forest Blizzard infect devices in Ukraine with a new variant of BlipSlide malware, a downloader that the threat actor uses for command and control (C2). Actor Profile: Storm-2416. The threat actor that Microsoft tracks as Storm-2416 is a nation-state activity group based out of China. Storm-2416 is known to primarily target information technology (IT), government, and other business entities in Europe, Asia, Oceania, and South and North America. Activity Profile: Suspicious OAuth applications used to retrieve and send emails. In late February 2025, Microsoft discovered a set of malicious Open Authorization (OAuth) applications, including one that impersonated Outlook, that can retrieve and send emails. Actor Profile: Storm-0126. The threat actor that Microsoft tracks as Storm-0126 is a nation-state activity group based out of China. Storm-0126 is known to primarily target defense industry enterprises, public institutions, research institutes, and military-industrial organizations worldwide. Actor Profile: Storm-2001. Microsoft assesses with high confidence that the threat actor Microsoft tracks as Storm-2001 is a Russian state-sponsored actor. It is known to primarily target defense organizations in the North Atlantic Treaty Organization (NATO) alliance—specifically, member states that form NATO’s Enhanced Forward Presence (EFP) program, recent NATO members, and other related organizations that engage in NATO-related communications and planning. Activity profile: Storm-2561 distributes trojanized SonicWall NetExtender SilentRoute. In late May 2025, Storm-2561 began distributing malware that Microsoft detects as SilentRoute. The malware is a trojanized version of SonicWall’s SSL VPN NetExtender application that transmits the user’s VPN configuration data to a hardcoded IP address.Monthly news - June 2025
Microsoft Defender XDR Monthly news - June 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph. In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats. (Public Preview) Unified detections rules list that includes both analytics rules and custom detections is in public preview. Learn more in our docs. The Best of Microsoft Sentinel — Now in Microsoft Defender. We are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience. (General Available) Multi workspace for single and multi tenant is now in General Available. (Public Preview) Case management now available for the Defender multitenant portal. For more information, see View and manage cases across multiple tenants in the Microsoft Defender multitenant portal. (Public Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. For more information, see Visualize security impact with the unified security summary. (Public Preview) New Microsoft Teams table: The MessageEvents table contains details about messages sent and received within your organization at the time of delivery (Public Preview) New Microsoft Teams table: The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization (Public Preview) New Microsoft Teams table: The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization Unified IdentityInfo table in advanced hunting now includes the largest possible set of fields common to both Defender and Azure portals. Microsoft Defender for Endpoint (Webinar - YouTube Link) Secure Your Servers with Microsoft's Server Protection Solution- This webinar offers an in-depth exploration of Microsoft Defender for Endpoint on Linux. Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test. Discover how automatic attack disruption protects critical assets while ensuring business continuity. Microsoft Defender for Office 365 Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel New deployment guide: Quickly configure Microsoft Teams protection in Defender for Office 365 Plan 2 New SecOps guide: Security Operations Guide for Teams protection in Defender for Office 365 Video - Ninja Show: Advanced Threat Detection with Defender XDR Community Queries Video- Mastering Microsoft Defender for Office 365: Configuration Best Practices Video - Ninja Show: Protecting Microsoft Teams with Defender for Office 365 This blog discussed the new Defender for Office 365 Language AI for Phish Model. SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps. Microsoft Defender for Cloud Apps New Applications inventory page now available in Defender XDR. The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. For more information, see Application inventory overview. The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications. Note: As part of our ongoing convergence process across Defender workloads, Defender for Cloud Apps SIEM agents will be deprecated starting November 2025. Learn more. Microsoft Defender for Identity (Public Preview) Expanded New Sensor Deployment Support for Domain Controllers. Learn more. Active Directory Service Accounts Discovery Dashboard. Learn more. Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page. The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. Note: Local administrators collection (using SAM-R queries) feature will be disabled. Microsoft Security Blogs Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape Marbled Dust leverages zero-day in Output Messenger for regional espionage Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer New Russia-affiliated actor Void Blizzard targets critical sectors for espionage Defending against evolving identity attack techniques Threat Analytics (Access to the Defender Portal needed) Activity profile - AITM campaign with brand impersonated OAUTH applications Threat overview: SharePoint Server and Exchange Server threats Vulnerability profile: CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability Actor profile: Storm-0593 [TA update] Actor profile: Storm-0287 Activity Profile: Marbled Dust leverages zero-day to conduct regional espionage [TA update] Technique profile: ClickFix technique leverages clipboard to run malicious commands Technique profile: LNK file UI feature abuse Technique profile: Azure Blob Storage threats Activity profile: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer Vulnerability profile - CVE-2025-30397 Activity profile: Recent OSINT trends in information stealers
Expanding the Identity perimeter: the rise of non-human identities
Expanding the Identity perimeter With the rise of cloud applications and AI, machine-to-machine access and authentication has become even more prevalent. From automating workflows, integrating applications, managing cloud services and even powering AI agents, non-human identity (NHI) has become vital to modern work. These digital constructs come in many different varieties, each with their own unique characteristics, but because they are foundational elements of many critical business processes, they represent a prime target for cyber-criminals. Not only do NHI greatly outnumber their human counterparts but they are also often highly privileged, eliminating the need for the attacker to elevate this status themselves. AI agents are expected to drive even faster growth machine identities. Copilot Studio alone has more than 230,000 organizations — including 90% of the Fortune 500- already using it to build AI agents and automations. What are non-human Identities? Non-human identities or machine identities like service accounts in Active Directory, Entra registered service principals and third-party OAuth apps, cloud workload identities, AI agents and Secrets each have their own unique roles, responsibilities and vulnerabilities. Despite their importance, there is no team dedicated to securing them holistically, leading to a lack of: Visibility: Different teams are often responsible for the creation of the various types of NHI. Due to this, organizations are often blind to what accounts exist, where, and who owns them. Governance and Management: Limited policies and regulations on how these accounts should be set up, used and managed can create situations where accounts are overprivileged or shared across multiple applications and even where their credentials are stored in plain text or their passwords become stale and susceptible to exploitation. Gaps like these in policy and the lifecycle management of NHI expose organizations to increased risk. Protection: Without dedicated security controls, non-human identities (NHIs) are often left exposed to threats such as credential theft, misuse, or unauthorized access. Many of these identities operate with elevated privileges, making them attractive targets for attackers. A lack of consistent monitoring, anomaly detection, and automated response mechanisms further increases the risk. Effective protection requires implementing least privilege access, rotating credentials regularly, encrypting secrets, and integrating NHIs into a broader identity threat detection and response strategy. How can Microsoft help protect your NHI? While NHIs are a recent term, they have been a critical focus area within Microsoft Security for a long time. Today, Microsoft Security delivers an end-to-end solution for monitoring, securing, and managing non-human identities across their entire lifecycle. Organizations benefit from a comprehensive set of unified capabilities, including: Full-spectrum discovery and visibility: Identify all non-human identities and secrets - including service principals, tokens, keys, and application credentials, across hybrid and multi-cloud environments. Enrichment and risk analysis: Gain deep insights into each identity’s privileges, activity patterns, ownership, and authentication methods to prioritize risks and streamline remediation. Secrets management: Detect secrets in insecure or inappropriate locations, validate their usage, and provide actionable recommendations for protection and remediation. Lifecycle and access governance: Monitor for stale or orphaned accounts, govern OAuth enabled and third-party connections, enforce credential rotation, manage ownership transfer, and ensure secure decommissioning of machine identities. Threat detection and response: Get alerts on suspicious activity or policy deviations, such as unusual privilege escalation, excessive app permissions, or risky machine-to-machine communications. Together, these integrated capabilities empower organizations to proactively identify and mitigate NHI risks, reduce attack surfaces, and strengthen access controls, no matter where identities live or how fast they change. Microsoft brings these protections together, so you can secure every identity -– human and non-human -– across your digital estate. For example, automatic classification rules help organizations quickly find and secure Service Accounts within their organization. 1: Service Account classification capabilities from Defender for Identity And the Microsoft's "Attack Paths" capabilities allow users to see all their NHIs, their connections, associated risks and context, as well as potential lateral movement paths. 2: Attack path mapping in Microsoft Defender illustrates a scenario where a resource contains a service principal certificate that can authenticate asa service principal with permissions to a sensitive database. This represents a risky lateral movement path — one that is now visible and can be proactively secured. What does this mean for you? Non-human identities (NHI) have become a critical yet overlooked component of modern security practices. While each type of NHI poses distinct challenges, they are tightly interconnected and require expertise across the security landscape. This is what makes Microsoft such a powerful partner. Our leadership in identity, security and now AI make us uniquely qualified to help your organization, and your machine identities, stay protected against threats. Our unified approach: consolidating visibility, control, and protection across AI, cloud, apps, data, devices and identities helps comprehensively secure all NHI and your organization. And this is only the beginning. Our team is already hard at work building the cohesive, intelligent defense layer our customers will need to remain protected today and, in the future, including leveraging our leadership in AI to help our customers secure their organizations, and their AI agents, against attacks.Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code PhishingProtect SaaS apps from OAuth threats with attack path, advanced hunting and more
Over the past two years, nation-state attacks using OAuth apps have surged. To combat this threat and to help customers focus on the most important exposure points, Microsoft Defender for Cloud Apps introduces several new capabilities. OAuth applications are now integrated into the attack path experience within Exposure Management, providing an overview of the attack paths that a bad actor might take to access Microsoft 365 SaaS apps like Outlook and Teams. Additionally, a unified application inventory allows customers to manage both user-to-SaaS and OAuth-to-SaaS interactions with an 'action center' so that they can block or disable apps and create policies aligned to exposure points. Lastly, information about OAuth applications is now included in the Attack Surface Map and Advanced Hunting experience for comprehensive threat investigation and more effective threat hunting. OAuth Apps Pose Critical Security Threat The rise in nation-state attacks exploiting OAuth apps poses a significant threat to organizations. Protecting your SaaS apps from OAuth interactions is critical, as attackers can easily compromise your network. For example, a phishing link that impersonates a legitimate application can deceive users into granting malicious apps full access to their account. Once the user clicks “Accept,” the attacker gains full access to the organization's email, chats and files. Figure 1. Phishing link with permission request. Microsoft's research shows that 1 in 3 OAuth apps are overprivileged 1 making them prime targets for threat actors. Attackers often use phishing to compromise accounts, create malicious OAuth apps, or hijack existing ones leading to unauthorized access and causing data breaches. It's a frightening scenario, but one that can be prevented with the right tools and strategies. Learn more: investigate and remediate risky OAuth apps. Visualize Attack Paths We are excited to announce that Microsoft Defender for Cloud Apps has significantly enhanced the Exposure Management experience by integrating OAuth applications. The new attack path feature enables you to visualize how attackers could use OAuth apps to move laterally within your organization to access critical SaaS applications. By identifying, reducing, and managing the number of attack paths, you can significantly reduce your attack surface and enhance the security of your M365 services. Learn more: Explore with the attack surface map in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn Figure 2. Attack path shows lateral movement to service principal with sensitive permissions. Manage your SaaS Ecosystem The new “Applications” page in the Defender XDR portal offers comprehensive visibility and control over your SaaS and OAuth applications. This page provides a unified view to discover and manage all your SaaS and OAuth applications connected to services like Microsoft 365, Google, and Salesforce. With actionable insights, you can identify and prioritize applications that need your attention. The new application inventory experience allows you to easily explore metadata and insights for OAuth apps involved in attack paths or review apps as part of your periodic app review process. For example, you can identify applications with unused permissions to access Microsoft 365 by using the pre-defined insight card for “Overprivileged apps,” which automatically applies the relevant filters to display all overprivileged applications within your environment. Figure 3. OAuth apps in the Applications page of the Defender XDR portal. Investigate with Attack Surface Map and Advanced Hunting The Attack Surface Map allows customers to visualize the organizational connection to OAuth applications, including those who own the app and the permission levels. Figure 4. The user Shkedi is the owner of the MdaXspmSensitive OAuth app. All the data available in the Attack surface map is also available in advanced hunting under the Exposure Management section. Additionally, you can get detailed metadata and comprehensive insights for all applications in the new OAuthAppInfo table in advanced hunting powered by the app governance capability in Microsoft Defender for Cloud Apps. These are the same apps that are displayed on the OAuth apps tab of the applications page. Currently, the scope of the table is limited to Microsoft Entra registered apps with access to Microsoft 365. With this new table, you can write powerful queries for advanced scenarios or leverage the suggested queries to explore and hunt for privileged apps. Learn more: Investigate OAuth application attack paths in Defender for Cloud Apps - Microsoft Defender for Cloud Apps | Microsoft Learn Automatic Attack Disruption Recently we introduced automatic attack disruption capabilities that proactively disrupt malicious OAuth applications involved in active attacks, effectively stopping threats in their tracks. By onboarding Microsoft Defender for Cloud Apps, you can effortlessly thwart these attacks ensuring your organization's security remains robust and resilient. Act Today! Protect your organization from OAuth-related attacks with Microsoft Defender for Cloud Apps. Use its powerful capabilities to visualize, investigate, and remediate potential threats to safeguard your Microsoft 365 services and secure your valuable data. Start by filtering all attack paths leading to service principals with sensitive permissions to Microsoft 365 SaaS services and continue with your investigation from there. Figure 5. Attack paths show lateral movement to service principal with sensitive permissions. Alternatively, if your environment has numerous attack paths, start with the choke points experience to identify assets that are frequently involved in attacks. Then, apply the principle of least privilege to secure these critical assets. Figure 6. OAuth app choke points. Then you can further explore the interconnections of the attack paths or the choke points in the attack surface map: Figure 7. OAuth node in attack surface map. Note that everything which is available in the Attack surface map is also available in Advanced Hunting under ExposureGraphEdges and ExposureGraphNodes. You can also use the App inventory to explore specific OAuth applications and get detailed insights into API permissions, privilege level, app origin, publisher, permission type and services being accessed. Access it by selecting "Applications" under the "Assets" tab in the Defender XDR portal: Figure 8. App inventory shows in-depth visibility for OAuth app integrations. Lastly, you can hunt for risky OAuth apps. To get started, use the template below to identify all enabled, highly privileged, externally registered OAuth apps that have no verified publisher: OAuthAppInfo | where AppStatus == "Enabled" | where PrivilegeLevel == "High" | where VerifiedPublisher == "{}" and AppOrigin == “External” Figure 9. OAuth app threat hunting template. Prerequisites To access these new capabilities requires Microsoft Defender for Cloud apps license, activate Microsoft 365 app connector and enable app governance. To access all Exposure Management experiences, we recommend the following roles: Unified RBAC role: “Exposure Management (read)” under “Security posture” category Any of the Entra ID roles: Global admin, Security admin, Security operator, Global reader, Security reader Conclusion Integrating OAuth applications into Microsoft Security Exposure Management is crucial for addressing OAuth-based attacks. This integration provides a comprehensive view of potential attack paths and exposure points, enabling security teams to reduce the attack surface and mitigate risks effectively. Microsoft Defender for Cloud Apps helps visualize and prevent exploits targeting critical resources. The unified application inventory streamlines management of OAuth and user-to-SaaS interactions, while Advanced Hunting facilitates investigations. Stay ahead of threats and protect your assets with Microsoft Defender for Cloud Apps. 1. Microsoft sample data, Nov 2024Monthly news - April 2025
Microsoft Defender XDR Monthly news April 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best. April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast Microsoft Secure - Home - Microsoft Secure registration home page. New episodes of the Virtual Ninja Show has been published, covering various products and scenarios. Microsoft's Zero Trust approach Resolving high CPU utilization in Microsoft Defender Antivirus Microsoft Defender for Endpoint Client Analyzer overview Mastering onboarding issues with Defender for Endpoint Client Analyzer Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer Connecting your Apps to Defender for Cloud Apps Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. Blog post: Transforming public sector security operations in the AI era Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense? (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details. The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365. You can now link Threat analytics reports when setting up custom detections. Learn more Microsoft Defender for Endpoint Update to the Microsoft Defender Antivirus group policies documentation. Learn more Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more New video (9 mins): How Microsoft is redefining endpoint security New documentation: Troubleshoot Microsoft Defender Antivirus scan issues Microsoft Defender for Office 365 User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet. Microsoft Defender for Cloud Apps (GA) Unified Identity inventory now general available. Learn more Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn: Real-world examples of OAuth attacks New pre-built templates and custom rules to simplify app governance How to quickly identify and mitigate risks from high-risk or suspicious apps Best practices for operationalizing app governance to improve your security posture These workshops are designed to accommodate global participation, with flexible date and time options. Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks. Microsoft Defender for Identity Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment. New health issue for cases where sensors running on VMware have network configuration mismatch. The Identities page under Assets has been updated to provide better visibility and management of identities across your environment. New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment. Microsoft Security Blogs Silk Typhoon targeting IT supply chain Malvertising campaign leads to info stealers hosted on GitHub New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware StilachiRAT analysis: From system reconnaissance to cryptocurrency theft Analyzing open-source bootloaders: Finding vulnerabilities faster with AI Threat Analytics (Access to the Defender Portal needed) Vulnerability Profile: CVE-2024-40711 – Veeam Backup Activity profile: Moonstone Sleet using Qilin ransomware [TA update] Actor Profile: Secret Blizzard Actor profile: Berry Sandstorm Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices [TA update] Actor profile - Swirl Typhoon Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software Activity profile: Lumma Stealer spreads via YouTube video descriptions [TA update] Actor profile: Aqua Blizzard Tool profile: Latrodectus Vulnerability profile: CVE-2025-26633 Tool profile: WinRing0 Activity profile: Storm-0485 phishing activity Activity profile: Silk Typhoon targeting IT supply chain Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks Threat overview: Business Email Compromise [Snapshot] Actor profile: Storm-2372 [TA update] Actor profile: ZigZag Hail Actor profile: Storm-0287 Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application Actor profile: Yulong Flood Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability Tool profile: FrostyStash [TA update] Tool profile: Mimikatz Tool profile: Mamba 2FA Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway [TA update] Actor profile: Silk Typhoon Seamless SSO Abuse via AADInternals [TA update] SystemBC Tool Profile Vulnerability profile: CVE-2025-22224 – VMware
