Microsoft Threat Intelligence
We are Microsoft's global network of security experts. Follow for security research and threat intelligence. aka.ms/threatintelblog
- Cyberattacks succeed when basic controls are missing or inconsistently applied. Microsoft is engaging in Operation Winter SHIELD, an FBI Cyber Division initiative focused on closing the gap between security intent and consistent execution. msft.it/63327QMwON
- This special “AI hot takes” episode of the Microsoft Threat Intelligence Podcast explores where AI truly stands today, how it’s shaping cyber operations, and what security practitioners and threat intelligence analysts need to know and consider: msft.it/63324QGWWy
- Microsoft Defender researchers uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise (BEC) campaign targeting the energy sector. msft.it/63320QD9Tq
- Recent threat actor activity shows an emphasis on misusing trust, identity, and cloud-native capabilities to achieve maximum impact with minimal noise msft.it/6016tCBFm.
- Microsoft Threat Intelligence observed the rapid proliferation of RedVDS, a virtual dedicated server (VDS) provider used by financially motivated threat actors for BEC, phishing, account takeover, and financial fraud campaigns spanning multiple sectors. msft.it/6016t7J5m
- The January 2026 security updates are available:
- Phishing actors are abusing complex routing scenarios and misconfigured spoof protections to spoof organizations’ domains and deliver emails that appear internally sent. msft.it/63322tFxIO
- WhisperLeak is a side-channel attack that could enable an attacker with the ability to monitor network traffic to infer conversation topics with remote language models, even when the traffic is fully encrypted with TLS. msft.it/63322tUD9j
- Most successful exploitation activity related to the CVE-2025-55182 vulnerability affecting React Server Components, Next.js, and related frameworks originated from red team assessments, but observed exploitation attempts by threat actors deliver various payloads. msft.it/63323tmKIh
- New blog post: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack. msft.it/63322t90mY
- The December 2025 security updates are available:
- "Defense is doable… We have to be brilliant at the basics... It’s about doing really good access management, really good principle of least privilege, really good network architecture..." -- Matt Duncan, E-ISAC VP of Security Operations and Intelligence msft.it/63325tdPsv
- On Thanksgiving eve, November 26, Microsoft detected and blocked a high-volume phishing campaign from a threat actor we track as Storm-0900. The campaign used parking ticket and medical test result themes and referenced Thanksgiving to lend credibility and lower recipients’ suspicion.
- Throughout 2025, Tycoon2FA (tracked by Microsoft as Storm-1747) has consistently been the most prolific phishing-as-a-service (PhaaS) platform observed by Microsoft. In October 2025, Microsoft Defender for Office 365 blocked more than 13 million malicious emails linked to Tycoon2FA.