Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • Microsoft closely monitors how threat actors continuously shift their tactics, techniques, and procedures (TTPs) even after their operation is disrupted or their TTPs are exposed. In the case of the Russian threat actor tracked as Star Blizzard, the actor’s campaigns have always focused on email credential theft, but it has persistently introduced new techniques to avoid detection and either modified or abandoned them once they became publicly known. Microsoft’s Digital Crimes Unit (DCU) and the US Department of Justice disrupted Star Blizzard’s operations in October 2024 by taking down more than 180 websites that the threat actor used in their campaign. However, by mid-November 2024, Microsoft observed Star Blizzard already using a new spear-phishing technique: offering targets a supposed opportunity to join a WhatsApp group. Star Blizzard sent targets spear-phishing messages that included a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” In reality, the QR code is the kind WhatsApp uses to connect an account to a linked device and/or the WhatsApp Web portal. This means that if the target follows the instructions on this page, the threat actor could gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins. In this episode of the Microsoft Threat Intelligence Podcast, Sherrod DeGrippo is joined by security researchers Anna Seitz and Sarah Pfabe to discuss their insights on this shift in Star Blizzard’s techniques. They discuss the impact of these changes and the importance of monitoring the techniques used by threat actors to help educate potential targets. Listen to the full episode here: https://msft.it/6042qChEI Read more about Star Blizzard in our earlier blog post: https://msft.it/6043qChEL

  • Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. The most recent observed attacks include a malvertising campaign related to cryptocurrency trading that attempts to lure users into downloading a malicious installer disguised as legitimate software. Another notable technique observed involves inline JavaScript execution, where malicious scripts are run directly through Node.js to facilitate the malware deployment. Node.js is an open-source, cross-platform JavaScript runtime environment that is widely used and trusted by developers to build frontend and backend applications. However, threat actors are also leveraging that ubiquity and trust to facilitate malicious activity. These recent activities might indicate that while traditional scripting languages like Python, PHP, and AutoIt remain widely used in threats, Node.js is quickly becoming a part of the continuously evolving threat landscape. Organizations can reduce the impact of attacks leveraging Node.js by educating users about the dangers of downloading software from unverified sources and by monitoring and restricting Node.js execution in their environments. Our latest blog provides details of the observed attacks mentioned above, as well as additional mitigation and protection guidance: https://msft.it/6042q7LLO
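The post's advice to monitor Node.js execution can be turned into a small triage rule over process-creation telemetry. This is an added example, not code from the Microsoft post or from Defender Experts: the event field names, the sample events, and the two heuristics (node's inline-code flags, and node binaries or scripts under user-writable paths) are assumptions chosen for the illustration.

```python
"""Flag Node.js launches matching the post's techniques: inline JavaScript on
the command line, and node binaries or scripts run from user-writable paths."""
import re
import shlex

INLINE_FLAGS = {"-e", "--eval", "-p", "--print"}  # node flags that run inline code
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\|\\programdata\\", re.I)
NODE_IMAGE = re.compile(r"(^|[\\/])node(\.exe)?$", re.I)

def _split_cmdline(cmd: str) -> list:
    # posix=False keeps Windows backslashes and quoted arguments intact.
    try:
        return shlex.split(cmd, posix=False)
    except ValueError:
        return cmd.split()

def analyze_event(ev: dict):
    """Return (event id, reasons) when a Node.js launch deserves review, else None."""
    image = ev.get("image", "")
    if not NODE_IMAGE.search(image):
        return None
    argv = _split_cmdline(ev.get("cmdline", ""))[1:]
    reasons = []
    if any(a in INLINE_FLAGS for a in argv):
        reasons.append("inline JavaScript via eval/print flag")
    if USER_WRITABLE.search(image):
        reasons.append("node binary in user-writable path")
    if any(a.lower().endswith(".js") and USER_WRITABLE.search(a) for a in argv):
        reasons.append("script in user-writable path")
    return (ev.get("id", "?"), reasons) if reasons else None

def triage(events):
    """Run analyze_event over a sequence of events; keep only the hits."""
    return [f for f in map(analyze_event, events) if f]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\src\app\server.js'},
    {"id": "2", "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "cmdline": r'node.exe -e "process.exit(0)"'},
    {"id": "3", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": "4", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\Users\bob\Downloads\setup\update.js'},
]
```

Running `triage(SAMPLE_EVENTS)` flags events 2 and 4 and leaves the legitimate server launch and the unrelated svchost event alone; a real deployment would tune the path list to the organisation's approved Node.js install locations.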

  • Steven Masada, Assistant General Counsel and Director of Microsoft’s Digital Crimes Unit (DCU), Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, and Jeremy Dallman, Senior Director of Security Research in Microsoft Threat Intelligence, will be at RSA Conference 2025 for an exclusive briefing on threat intelligence trends and insights on April 30, 2025, 10:30-11:30 AM at the French Parlor of the Palace Hotel. Listen to Microsoft Threat Intelligence experts share their findings and provide guidance on nation-state threat actors, cybercrime takedowns, fraud and social engineering, cyber influence operations, and more. Register here to attend: https://msft.it/6041qAwhL

  • Human-operated ransomware attacks frequently involve compromising domain controllers, which attackers then use as the primary spreader device — the system responsible for distributing ransomware at scale within a compromised environment. Ransomware threat actors exploit domain controllers to fulfill two requirements that are critical to deploying ransomware on multiple devices simultaneously: access to high-privilege accounts and access to central network assets. Compromising a domain controller allows threat actors to extract password hashes as well as create and elevate privileged accounts to facilitate lateral movement. Domain controllers also provide access to many endpoints in the network and can be exploited to rapidly deploy ransomware across an environment. Security teams constantly face the complex challenge of striking the right balance between security and operational functionality when it comes to protecting domain controllers. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment, making it difficult to apply traditional security measures without disrupting business continuity. To address this challenge, we have expanded the contain device capability in Defender for Endpoint to include granular containment of critical assets such as domain controllers through automatic attack disruption. This means that if a domain controller is compromised, it is contained in less than three minutes, preventing the threat actor from moving laterally and deploying ransomware while maintaining the operational functionality of the device. The expansion also adds containment of IP addresses linked to undiscovered devices: malicious IP addresses linked to unmanaged or undiscovered devices are identified, incriminated, and automatically contained, preventing attackers from getting their foot in the door through vulnerable, unmanaged devices. Learn more about this update in our blog: https://msft.it/6047qFEZl More details on these automatic attack disruption enhancements are available in our tech community blog and official documentation: https://msft.it/6048qFEZm https://msft.it/6049qFEZW

  • Microsoft Security Copilot supports custom plugins that can help with device investigation and threat hunting, extending its functionality beyond preinstalled and third-party plugins. Two custom plugins, “Custom Plugin Defender Device Investigation” and “Custom Plugin Defender Device Info”, include skills that help defenders investigate security incidents within their environment. The “Custom Plugin Defender Device Investigation” plugin features skills that can provide information on files and processes on the device, lateral movement events, and other suspicious activities. The “Custom Plugin Defender Device Info” plugin, on the other hand, offers specific device information often needed during an investigation, such as current and past IPs assigned to the device, the list of users signed in to the device, alerts observed, and more. Our blog presents details of a real-world case and how these two plugins can be used to investigate an incident that involves a phishing attack to gain initial access, followed by several instances of lateral movement, credential access, and privilege escalation: https://msft.it/6044qFBQ2 Use of Security Copilot and its features, such as the plugins mentioned above, requires units of resources called secure compute units (SCUs). Microsoft recently announced the general availability of the overage model, which allows customers to allocate an overage amount of SCUs to handle unexpected workload spikes. This helps customers have access to SCUs when their needs exceed their provisioned units. Learn more here: https://msft.it/6045qFBQN

  • Managing the new area of security introduced by AI starts with understanding how to control the intent we give AI and what it has permission to go and do. Charlie Bell, Executive Vice President for Microsoft Security, believes that understanding environments and securing them so that they present no attack surface is too big a problem for humans to grapple with on their own. He shares that there is so much data and configuration to deal with in security that security has historically been a reactive problem. But AI can help provide an advantage over attackers through data. AI can give defenders a better understanding of the environment and visibility of the whole system. Defenders can identify attack paths through the environment and remove them to make it extremely difficult for an attacker to get in. AI can also be used to better understand what attackers go through and help defenders proactively eliminate attack surface. Hear more of Charlie’s insights in the full episode of the Microsoft Threat Intelligence podcast hosted by Sherrod DeGrippo: https://msft.it/6043q0VTP

  • Microsoft Threat Intelligence reposted this

    Ann Johnson, Technology Executive. Board Member. Corporate Vice President, Microsoft

    More taxpayers are waiting until the last minute to file and pay their taxes. It is incredibly important to stay on top of phishing campaigns this tax season. Cyber criminals leverage the urgency of filing to target taxpayers into revealing personal and financial information. Read the blog for tips to protect yourself this tax season.

  • Exchange Server and SharePoint Server are business-critical assets and considered crown jewels for many organizations, making them attractive targets for attacks like server-side request forgery (SSRF) exploitation, web shell attacks, insecure deserialization leading to remote code execution (RCE), and others. To help customers protect their environments and respond to these attacks, Exchange Server and SharePoint Server now integrate with the Windows Antimalware Scan Interface (AMSI), providing an essential layer of protection by preventing harmful web requests from reaching backend endpoints. In our latest blog post, we discuss different types of attacks targeting Exchange Server and SharePoint Server, demonstrate how AMSI is helping organizations protect against these attacks, and share mitigation and protection guidance, detection details, and hunting queries. https://msft.it/6043qLo7R

  • Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center discovered post-compromise exploitation of CVE-2025-29824, a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), against a small number of targets. The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Due to new mitigations introduced in Windows 11, version 24H2, the exploit only worked on prior Windows versions. Microsoft released security updates to address the vulnerability on April 8, 2025. We’re sharing our analysis of the observed CLFS exploit and related activity, along with indicators of compromise, detection details, and hunting guidance, to improve defenses against these attacks and to encourage rapid patching or other mitigations: https://msft.it/6049qIVTH
