Microsoft Threat Intelligence

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Headquarters
Redmond, Washington
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • Black Hat NOC lead Grifter and Hacker Jeopardy host Lintile join Sherrod DeGrippo as they go behind the scenes at Black Hat and DEF CON, with insights on managing one of the world’s most hostile networks, advice for first-time attendees, and tips on exploring the hacker community, including submitting CFP abstracts. https://msft.it/6049SAWXR

  • Reposted from Ann Johnson (Technology Executive, Deputy CISO, Board Member, Corporate Vice President, Microsoft):

    Cyber resilience is not built in the middle of a crisis. It is the result of consistent preparation, alignment and practice. The same holds true for incident response. Organizations that approach cyber incidents with the same discipline as natural disasters – through cross-functional planning, tested communications strategies and clear decision-making frameworks – are the ones best positioned to lead through disruption.

    Resilience is not about avoiding every incident. It is about responding with clarity, speed, and alignment when it matters most.

    Link: https://lnkd.in/gqhh3jDk

  • Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. Changes in tactics include the use of AI tools to replace images in stolen employment and identity documents and to enhance North Korean IT worker photos to make them appear more professional. We also discuss observed experimentation with voice-changing software. North Korea has deployed thousands of remote IT workers to assume jobs in software and web development as part of a revenue generation scheme for the North Korean government. While this scheme has historically targeted US companies in the technology, critical manufacturing, and transportation sectors, we have since observed these workers expand to target industries offering technology-related roles around the world. Microsoft Threat Intelligence tracks North Korean remote IT worker activity as Jasper Sleet. We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet. Learn more about the North Korean IT worker ecosystem and get hunting guidance, detection details, and our in-depth defense strategy for investigating, monitoring, and responding to suspected Jasper Sleet activity: https://msft.it/6042SFjnY

  • Today, Microsoft Threat Intelligence Center is proud to announce the release of RIFT, an open-source tool designed to help malware analysts automate the identification of attacker-written code within Rust binaries. Known for its efficiency, type safety, and robust memory safety, Rust has increasingly become a tool for creating malware, especially among financially motivated groups and nation-state entities. This shift has introduced new challenges for malware analysts, as the unique characteristics of Rust binaries make static analysis more complex. To address these pressing challenges, Microsoft Threat Intelligence Center has developed RIFT. In this blog post, we explore how threat actors are increasingly adopting Rust for malware development due to its versatility, and how RIFT can be used to combat this threat by enhancing the efficiency and accuracy of Rust-based malware analysis. https://msft.it/6048SLa8y

  • Key points of intersection between red teaming and threat intelligence include the narrative basis for how threat actors conduct their attacks, the use of threat data to measure effectiveness, and continuous exploration of emerging threats and of ways to test and beat new technology. Craig Nelson, who leads the Microsoft Red Team, joins Sherrod DeGrippo in a discussion about simulating real attacks on Microsoft's infrastructure. Craig talks about his team simulating the actions of threat actors and hunting for vulnerabilities within their target environment. He discusses a past operation and how it taught him that security is not just about technology, but also about human nature. Their discussion also covers how red teaming has evolved through the years to push the boundaries and adapt to a growing attack surface. Learn more by listening to the full episode of the Microsoft Threat Intelligence Podcast here: https://msft.it/6044SIpdC

  • Reposted from Microsoft Security Response Center:

    As part of the Secure Future Initiative, Sherrod DeGrippo, Director of Threat Intelligence at Microsoft, led a half-day workshop for the Microsoft developer community on threat-driven software development. The session challenged participants to shift their perspective, from writing code to understanding how nation-state and criminal threat actors think, operate, and target systems.

    “Developers are on the front lines of our Secure Future Initiative,” Sherrod explained. “This workshop was about empowering them to think like threat analysts—seeing adversaries not as abstract risks, but as real people with real tactics. That mindset changes how we build everything.”

    Workshops like this bring engineering and threat intelligence together to help developers design more secure software from the start. One of the topics covered was Microsoft’s threat actor naming framework, which helps teams better understand the motivations and origins behind different threat groups and communicate about them clearly and consistently across teams: https://lnkd.in/dj_sTYyu #SFI

  • Microsoft has continuously observed hybrid attacks leading to espionage, business interruption, and ransomware deployment that involve threat actors moving from on-premises environments to the cloud. Many organizations manage their resources across different realms, including on-premises and cloud environments, and create complex infrastructures where interconnections between services, resources, and identities become vital. If not managed with caution and diligence, these interconnections can pose significant risks. A threat actor’s pivot from on-premises to the cloud may easily be a blind spot when there is no shared indication that the device sequence of events is related to the cloud sequence of events, because the former occurs in the context of a local account while the latter occurs in the context of a cloud identity. This prevents SOC teams from correlating operations across the two realms (on-premises and cloud), as there are no shared entities. To bridge the gap, Microsoft uses the Enterprise Exposure Graph in Microsoft Defender XDR to integrate both contexts and formulate a comprehensive picture of a malicious campaign with high confidence. By enriching the XDR capabilities, defenders can correlate events through shared paths in the graph, allowing them to consolidate the device compromise, the credential theft, and the cloud compromise and operations into a single, cohesive incident. Learn more about how the Microsoft Enterprise Exposure Graph works to help detect hybrid attacks: https://msft.it/6045SvsEx

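    The correlation problem described above, as an added example that is not from the post and is not Microsoft's Enterprise Exposure Graph: a Go program with a toy graph of constructed relationships (device to local account, device to cached domain credentials, on-premises account to its synced cloud identity) and constructed alerts from both realms, all names hypothetical. Grouped by realm and entity the alerts have nothing in common; a path search over the graph links the device alert, the credential theft and the cloud alert into one incident and leaves an unrelated host on its own.

```go
package main

import "fmt"

// Edge is one relationship in a toy exposure graph. Constructed for this
// example; it is not the schema of Microsoft's Enterprise Exposure Graph.
type Edge struct{ From, To, Rel string }

// Alert is a detection raised in one realm ("on-prem" or "cloud") against one
// entity. Without the graph, the Entity values never match across realms.
type Alert struct{ ID, Realm, Entity, Title string }

// Graph is an undirected view over the edges: for correlation we only care
// whether two entities are connected, not which way the relationship points.
type Graph struct{ adj map[string][]Edge }

func NewGraph(edges []Edge) *Graph {
	g := &Graph{adj: map[string][]Edge{}}
	for _, e := range edges {
		g.adj[e.From] = append(g.adj[e.From], e)
		g.adj[e.To] = append(g.adj[e.To], Edge{From: e.To, To: e.From, Rel: e.Rel})
	}
	return g
}

// Path runs a breadth-first search from src to dst and returns the edges
// walked, or nil when the two entities are not connected at all.
func (g *Graph) Path(src, dst string) []Edge {
	prev := map[string]Edge{}
	seen := map[string]bool{src: true}
	queue := []string{src}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == dst {
			var path []Edge
			for n := dst; n != src; n = prev[n].From {
				path = append([]Edge{prev[n]}, path...)
			}
			return path
		}
		for _, e := range g.adj[cur] {
			if !seen[e.To] {
				seen[e.To] = true
				prev[e.To] = e
				queue = append(queue, e.To)
			}
		}
	}
	return nil
}

// Consolidate merges alerts whose entities share a path in the graph into one
// incident. Alerts with no path to an existing incident start a new one.
func Consolidate(g *Graph, alerts []Alert) [][]Alert {
	var incidents [][]Alert
	for _, a := range alerts {
		placed := false
		for i, inc := range incidents {
			if inc[0].Entity == a.Entity || g.Path(inc[0].Entity, a.Entity) != nil {
				incidents[i] = append(inc, a)
				placed = true
				break
			}
		}
		if !placed {
			incidents = append(incidents, []Alert{a})
		}
	}
	return incidents
}

// SampleGraph and SampleAlerts are constructed telemetry for the scenario in
// the post: a device is compromised, a cached domain credential is stolen from
// it, and the matching cloud identity is then abused. Hypothetical names.
func SampleGraph() *Graph {
	return NewGraph([]Edge{
		{"device:DESKTOP-01", "localuser:DESKTOP-01\\jdoe", "interactive_logon"},
		{"device:DESKTOP-01", "aduser:CORP\\jdoe", "cached_credentials"},
		{"aduser:CORP\\jdoe", "cloudid:jdoe@corp.example", "synced_identity"},
		{"cloudid:jdoe@corp.example", "storage:corp-finance-blob", "owner"},
		{"device:DESKTOP-02", "localuser:DESKTOP-02\\svc", "interactive_logon"}, // unrelated host
	})
}

func SampleAlerts() []Alert {
	return []Alert{
		{"A1", "on-prem", "device:DESKTOP-01", "Suspicious LSASS memory access"},
		{"A2", "on-prem", "aduser:CORP\\jdoe", "Credential theft from cached logon"},
		{"A3", "cloud", "cloudid:jdoe@corp.example", "Unfamiliar sign-in followed by mass download"},
		{"A4", "on-prem", "device:DESKTOP-02", "Suspicious scheduled task"},
	}
}

func main() {
	g := SampleGraph()
	for _, e := range g.Path("device:DESKTOP-01", "cloudid:jdoe@corp.example") {
		fmt.Printf("%s -%s-> %s\n", e.From, e.Rel, e.To)
	}
	for i, inc := range Consolidate(g, SampleAlerts()) {
		fmt.Printf("incident %d: %v\n", i+1, inc)
	}
}
```

    The join key that makes this work is the "synced_identity" edge between the on-premises account and the cloud identity; without an edge of that kind in the graph the two realms stay disconnected and A3 becomes its own incident, which is exactly the blind spot the post describes.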
  • While Golden SAML (Security Assertion Markup Language) attacks are less frequently observed than other attacks, their impact can be huge. Whereas an adversary-in-the-middle (AiTM) phishing attack only affects the account that got phished, a successful Golden SAML attack could compromise every account in an organization. In a Golden SAML attack, a threat actor gains control of the private key that a federation server uses to sign SAML tokens. This can happen through a variety of techniques, but usually requires administrative control of the federation server. Having stolen the private key, the attacker then forges tokens representing any users and claims they wish and presents them to the relying party (RP). The signature will validate correctly with the public key, so the RP will be unable to distinguish a forged token from a genuine one. Thus, a successful attack allows the bad actor to impersonate any identity within the scope of trust delegated to the identity provider (IdP) and is very challenging for the RP to detect, because it mimics real users and generates authentic-looking requests. Read our blog to learn more about how Golden SAML attacks work and what users can do to protect against them: https://msft.it/6046SQ9e6

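    The mechanics described above, as an added example that is not from the post or from Microsoft: a Go program (hypothetical names throughout, and a simplified pipe-delimited assertion in place of real SAML XML and XML-DSig) in which the IdP signs an assertion for a user who authenticated, the RP verifies it against the public key, and an attacker holding the stolen signing key forges an assertion for a different identity with different claims that the RP accepts identically. It also shows the one check that still distinguishes the two: reconciling the assertion IDs the RP accepted against the IdP's own issuance log, where a forged assertion never appears. The key theft itself is not modelled; the ExfiltrateKey method simply hands the key over.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Assertion is a deliberately simplified stand-in for a SAML assertion: the
// fields the relying party (RP) reads, plus the IdP signature over them.
// Constructed for this example; real SAML is XML signed with XML-DSig.
type Assertion struct {
	ID, Issuer, Subject, Audience, Claims string
	Signature                             []byte
}

// signedBytes is the canonical byte string the signature covers.
func (a Assertion) signedBytes() []byte {
	return []byte(strings.Join([]string{a.ID, a.Issuer, a.Subject, a.Audience, a.Claims}, "|"))
}

// IdP models the federation server: its token-signing key and a log of the
// assertion IDs it actually minted.
type IdP struct {
	Name   string
	key    *rsa.PrivateKey
	Issued map[string]bool
}

func NewIdP(name string) (*IdP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdP{Name: name, key: key, Issued: map[string]bool{}}, nil
}

// PublicKey is what the RP trusts, normally taken from federation metadata.
func (p *IdP) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }

// ExfiltrateKey stands in for the theft, which in practice usually requires
// administrative control of the federation server; the technique is not modelled.
func (p *IdP) ExfiltrateKey() *rsa.PrivateKey { return p.key }

// Issue is the legitimate path: the user authenticated, so the IdP signs an
// assertion for them and records the ID in its issuance log.
func (p *IdP) Issue(id, subject, audience, claims string) (Assertion, error) {
	a, err := signAssertion(p.key, id, p.Name, subject, audience, claims)
	if err == nil {
		p.Issued[id] = true
	}
	return a, err
}

// signAssertion is the raw signing step. Anyone holding key can run it for any
// subject and any claims; that is the whole Golden SAML problem.
func signAssertion(key *rsa.PrivateKey, id, issuer, subject, audience, claims string) (Assertion, error) {
	a := Assertion{ID: id, Issuer: issuer, Subject: subject, Audience: audience, Claims: claims}
	h := sha256.Sum256(a.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	a.Signature = sig
	return a, err
}

// Verify is the RP side: issuer, audience and signature are checked against
// the trusted public key. A forged assertion passes every one of these checks.
func Verify(pub *rsa.PublicKey, trustedIssuer, audience string, a Assertion) bool {
	if a.Issuer != trustedIssuer || a.Audience != audience {
		return false
	}
	h := sha256.Sum256(a.signedBytes())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], a.Signature) == nil
}

// ForgeGoldenSAML is the attacker's step once the key is stolen: mint an
// assertion for any identity, with any claims, without ever touching the IdP.
func ForgeGoldenSAML(stolen *rsa.PrivateKey, issuer, subject, audience, claims string) (Assertion, error) {
	return signAssertion(stolen, "_forged-0001", issuer, subject, audience, claims)
}

// UnissuedAssertions reconciles the IDs the RP accepted against the IdP's
// issuance log. The RP cannot tell a forgery apart, but the IdP never issued it.
func UnissuedAssertions(idp *IdP, acceptedAtRP []Assertion) []string {
	var out []string
	for _, a := range acceptedAtRP {
		if !idp.Issued[a.ID] {
			out = append(out, a.ID)
		}
	}
	return out
}

// Scenario runs the attack end to end with hypothetical names.
func Scenario() (realOK, forgedOK bool, unissued []string, err error) {
	const rp = "https://app.corp.example"
	idp, err := NewIdP("https://sts.corp.example")
	if err != nil {
		return
	}
	genuine, err := idp.Issue("_id-1001", "alice@corp.example", rp, "role=user")
	if err != nil {
		return
	}
	forged, err := ForgeGoldenSAML(idp.ExfiltrateKey(), idp.Name, "globaladmin@corp.example", rp, "role=admin")
	if err != nil {
		return
	}
	realOK = Verify(idp.PublicKey(), idp.Name, rp, genuine)
	forgedOK = Verify(idp.PublicKey(), idp.Name, rp, forged)
	unissued = UnissuedAssertions(idp, []Assertion{genuine, forged})
	return
}

func main() {
	realOK, forgedOK, unissued, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("RP accepts genuine assertion:", realOK)
	fmt.Println("RP accepts forged assertion: ", forgedOK)
	fmt.Println("IDs absent from IdP issuance log:", unissued)
}
```

    Both assertions verify, which is the point of the post: signature validation at the RP is not a control against Golden SAML. The practical defences are on the other side of the trust boundary, protecting the federation server's signing key as a tier-0 asset, rotating it if compromise is suspected, and reconciling RP sign-ins against the federation server's own issuance audit log as UnissuedAssertions does here.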