The Microsoft Digital Defense Report 2025 shows how threats are evolving faster than ever, fueled by AI. Key insights from the report include:

- More than 50% of cyberattacks with known motives had financial objectives such as extortion or ransom, while only 4% were motivated solely by espionage.
- For initial access, attacks targeted the well-known exposure footprint, including web-facing assets (18%), external remote services (12%), and supply chains (3%).
- Meanwhile, identity-based attacks rose by 32%. More than 97% of identity attacks are password spray or brute force attacks.
- There has been an 87% increase in campaigns aimed at disrupting customer cloud environments through ransomware, mass deletion, or other destructive actions.
- Threat actors have begun using AI in malicious activities, including automated vulnerability discovery, phishing, malware or deepfake generation, data analysis, and crafting highly convincing fraudulent messages.

The report is rich with findings and observations like these on a wide range of topics, including cybercrime, identity attacks, ransomware, fraud, social engineering, cloud threats, and nation-state threat actors. At Microsoft, we’re taking action against these threats by disrupting cybercriminal ecosystems, sharing threat intelligence, and investing in proactive defenses to protect people, data, and critical systems. AI is reshaping both threats and defenses. With responsible AI and cross-sector collaboration, organizations can reduce risk, safeguard identities, and build resilient systems. Learn more: https://msft.it/6041sfMF7.
Microsoft Threat Intelligence
We are Microsoft's global network of security experts. Follow for security research and threat intelligence.
About us
The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.
- Website: https://aka.ms/threatintelblog
- Industry: Computer and Network Security
- Company size: 10,001+ employees
- Headquarters: Redmond, Washington
- Specialties: Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security
Updates
In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware. We identified this Vanilla Tempest campaign in late September 2025, following several months of the threat actor using fraudulently signed binaries in attacks. In addition to revoking certificates, Microsoft Defender Antivirus detects the fake setup files, Oyster backdoor, and Rhysida ransomware, and Microsoft Defender for Endpoint detects Vanilla Tempest TTPs.

Vanilla Tempest, tracked by other security vendors as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The threat actor has used various ransomware payloads, including BlackCat, Quantum Locker, and Zeppelin, but more recently has been primarily deploying Rhysida ransomware.

In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top. Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning. Running the fake Microsoft Teams setups delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor. Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025. To fraudulently sign the fake installers and post-compromise tools, Vanilla Tempest was observed using Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.

Fully enabled Microsoft Defender Antivirus blocks this threat. In addition to detections, Microsoft Defender for Endpoint has additional guidance for mitigating and investigating this attack.

While these protections help secure our customers, we’re sharing this intelligence broadly to help strengthen defenses and improve resilience across the entire cybersecurity community.
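A hunting sketch for the download stage of the campaign described above, added here as an example and not Microsoft's own detection logic: it parses constructed proxy log lines and flags the lure domains named in the post, any MSTeamsSetup.exe fetched from a non-Microsoft host, and other Teams-lookalike hostnames. The log format, the Microsoft host allowlist, and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Suffixes treated as legitimate Microsoft download hosts (assumption for this
# example; substitute your organization's own allowlist).
MICROSOFT_SUFFIXES = ("microsoft.com", "office.com", "office.net")

# Lure domains named in the post, published defanged with "[.]"; re-fanged for matching.
KNOWN_LURE_DOMAINS = {d.replace("[.]", ".") for d in
                      ("teams-download[.]buzz", "teams-install[.]run", "teams-download[.]top")}

# Constructed proxy-log format for this example: "<timestamp> <user> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def is_microsoft_host(host):
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)

def classify(url):
    """Return the reasons a download URL deserves review (empty list = nothing found)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in KNOWN_LURE_DOMAINS:
        reasons.append("known Vanilla Tempest lure domain")
    if parsed.path.lower().endswith("msteamssetup.exe") and not is_microsoft_host(host):
        reasons.append("Teams installer from non-Microsoft host")
    if "teams" in host and not is_microsoft_host(host):
        reasons.append("lookalike Teams domain")
    return reasons

def hunt(lines):
    """Scan proxy log lines; return (user, url, reasons) for each suspicious download."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip malformed lines rather than abort the hunt
            continue
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["user"], m["url"], reasons))
    return hits

# Constructed sample log: two SEO-poisoning lures, one genuine Microsoft host,
# one installer served from an unrelated host, and one malformed line.
SAMPLE_LOG = [
    "2025-10-02T09:14:03Z alice https://teams-download.buzz/MSTeamsSetup.exe 200",
    "2025-10-02T09:20:11Z bob https://teams.microsoft.com/downloads 200",
    "2025-10-02T09:31:45Z carol https://teams-install.run/get/MSTeamsSetup.exe 200",
    "2025-10-02T10:02:19Z dave https://cdn.example-hosting.net/MSTeamsSetup.exe 200",
    "this line is not in the expected format",
]
```

Running `hunt(SAMPLE_LOG)` returns alice, carol and dave with their reasons; bob's download from the genuine host and the malformed line produce nothing.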
The October 2025 security updates are available:
Security updates for October 2025 are now available! Details are here: https://msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide
Microsoft Threat Intelligence reposted this
Cybersecurity incidents don’t just test technology — they test trust. This is why I invited my colleague and friend Frank X. Shaw to join me on Afternoon Cyber Tea. Frank leads communications at Microsoft, and few people understand better how headlines, narratives, and storytelling shape the outcome of a cyber incident. In our conversation, we talked about why words matter as much as defenses, how proactive messaging builds resilience, and what AI means for the future of crisis communications. We also reflected on what we’ve learned (and what we could have done better) in our time working together and in our early careers. And, true to form, Frank left us with a Bob Dylan quote that sums up cybersecurity communications today. If you lead in security, communications, or anywhere trust is on the line, this episode will give you a new lens. Listen here: https://lnkd.in/gTFbZV76 #CyberSecurity #Communications #CrisisComms #AI #AfternoonCyberTea
“Security begins and ends with people, which is why every employee plays a critical role in protecting both Microsoft and our customers. When secure practices are woven into how we think, work, and collaborate, individual actions come together to form a unified, proactive, and resilient defense.” Learn how Microsoft has made security culture a company-wide imperative, reinforcing vigilance, embedding secure habits into everyday work, and achieving what technology alone cannot, in this blog from CVP and Deputy CISO Ann Johnson: https://msft.it/6045sNpkZ
Microsoft Threat Intelligence reposted this
Building a strong security culture is about more than technology — it is about people, processes, and shared responsibility. At Microsoft, we are embedding security into every decision and empowering every employee to act as a defender, creating a culture where trust and accountability are core values. In my latest blog, I share how we are making security a mindset across the organization — turning principles into practice, and strategy into action. For security leaders, it is a reminder that resilient defenses start with culture as much as with technology. Read more: https://lnkd.in/gudsb-tc #CybersecurityLeadership #SecurityCulture #CISO #MicrosoftSecurity #EnterpriseSecurity #Leadership #MSFT
Microsoft Threat Intelligence has observed a financially motivated threat actor, Storm-2657, compromising employee accounts to gain unauthorized access to profiles and divert salary payments to attacker-controlled accounts. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, with such "payroll pirate" attacks to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday. These attacks leverage sophisticated social engineering tactics and take advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts. While the observed campaign specifically targeted Workday profiles, any SaaS systems storing HR or payment and bank account information could be easily targeted with the same technique. Learn more about Storm-2657’s campaign and the TTPs employed, and get comprehensive detection, hunting queries, and guidance for investigation and remediation to defend against this threat in this Microsoft Threat Intelligence blog: https://msft.it/6043sFBbx
The highly modular backdoor PipeMagic and the ransomware-as-a-service (RaaS) offering Medusa both exemplify how threats continuously evolve to evade detection and maximize impact. In the latest episode of the Microsoft Threat Intelligence Podcast, Microsoft analysts Tori Murphy, Anna Seitz, and Chuong Dong join host Sherrod DeGrippo to share a threat landscape update with a deep dive on these threats. Listen: https://msft.it/6049s0kWf

PipeMagic is attributed to the financially motivated threat actor Storm-2460. As a modular backdoor, it allows the threat actor to constantly update the backdoor on the fly. The threat actor can send module code over the network, and the backdoor self-updates in memory. Read about PipeMagic and its internal architecture: https://msft.it/6040s0kWA

Medusa, which first appeared in June 2021 as a closed ransomware, is now a RaaS offering with affiliates like Storm-1175 carrying out double extortion: exfiltrating victim data and threatening to release it if the ransom is not paid. Storm-1175 was recently observed exploiting the CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability to deploy Medusa: https://msft.it/6041s0kW7
Threat actors seek to abuse Microsoft Teams features and capabilities at different points along the attack chain, raising the stakes for defenders to proactively monitor, detect, and respond. Read our latest blog to get extensive recommendations for countermeasures and controls across identity, endpoints, data apps, and network layers to help harden enterprise Teams environments: https://msft.it/6043sLUX9
Storm-1175, a financially motivated threat actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT's License Servlet, tracked as CVE-2025-10035. Read our analysis and get protection, detection, and hunting guidance: https://msft.it/6048sIfT6