
Microsoft Threat Intelligence

@threatintel.microsoft.com

We are Microsoft's global network of security experts. Follow for security research and threat intelligence. https://aka.ms/threatintelblog

1,390 Followers  |  37 Following  |  67 Posts  |  Joined: 13.11.2024

Latest posts by threatintel.microsoft.com on Bluesky

Also hear from Snow, co-founder of the Social Engineering Community Village at DEF CON, who shares her journey from special effects makeup to elite social engineer. Learn more about how organizations of any size can build resilience against evolving threats.

08.08.2025 16:13 — 👍 3    🔁 0    💬 0    📌 0

In this Microsoft Threat Intelligence Podcast episode, hosted by Sherrod DeGrippo, Microsoft's own Aarti Borkar, Simeon Kakpovi, and Andrew Rapp discuss how timely threat intel, rapid attacker analysis, and clear risk communication help orgs make informed decisions during security incidents.

08.08.2025 16:13 — 👍 3    🔁 0    💬 1    📌 0

Per Andrew Rapp, “data is everything. Information is informing all of our decisions from where we go investigate, as well as the tactical containment steps we’re going to immediately take.” This approach enables teams to respond efficiently and help customers recover quickly.

08.08.2025 16:12 — 👍 2    🔁 0    💬 1    📌 0
Preview
How Microsoft Stays Ahead of the World’s Most Dangerous Hackers In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Aarti Borkar, Simeon Kakpovi, and Andrew Rapp for a behind-the-scenes look at how Microsoft Threat Intelligence and Microsoft Incident Response teams collaborate as part of a closed-loop system, the emotional toll of breaches, and how organizations of any size can build resilience through preparation and psychological safety. By listening to this segment, you’ll get a preview of what this group brought to the main stage of Black Hat this year. Later, Sherrod chats with Snow, co-founder of the Social Engineering Community Village at DEF CON, about her journey from special effects makeup to elite social engineer, and how empathy, creativity, and even a ladder can be powerful tools in physical security testing.

Real-time collaboration between incident response and threat intelligence teams is critical for mounting an effective defense against todayโ€™s cyber threats. The process relies on actionable intel to guide every step, from initial investigation to containment. msft.it/63322sOR1I

08.08.2025 16:08 — 👍 6    🔁 1    💬 1    📌 0

Project Ire emerged from a collaboration between @msftresearch.bsky.social, Microsoft Defender Research, and Microsoft Discovery & Quantum, bringing together security expertise, operational knowledge, global malware telemetry, and AI research.

05.08.2025 21:48 — 👍 3    🔁 0    💬 0    📌 0

To identify malware at scale, Project Ire uses specialized tools to reverse engineer software, with an architecture that allows for reasoning at multiple levels, from low-level binary analysis to control flow reconstruction and high-level interpretation of code behavior.

05.08.2025 21:45 — 👍 2    🔁 0    💬 1    📌 0
Preview
Project Ire autonomously identifies malware at scale Designed to classify software without context, Project Ire replicates the gold standard in malware analysis through reverse engineering. It streamlines a complex, expert-driven process, making large-scale malware detection faster & more consistent.

Project Ire, an autonomous AI agent, automates what’s considered the gold standard in malware classification: fully reverse engineering a software file without any clues about its origin or purpose: msft.it/63325sMSoc

05.08.2025 21:45 — 👍 4    🔁 1    💬 1    📌 0
Preview
Microsoft catches Russian hackers targeting foreign embassies End goal is the installation of a malicious TLS root certificate for use in intel gathering.
31.07.2025 21:45 — 👍 65    🔁 23    💬 0    📌 5
Preview
Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow A new Microsoft report finds that the long-running threat group has gained positions on state-aligned ISPs and Russian telecoms, while tricking foreign embassy staff to download custom malware.

A new Microsoft report finds that the long-running threat group has gained positions on state-aligned ISPs and Russian telecoms, while tricking foreign embassy staff to download custom malware. via @mattkapko.com cyberscoop.com/russia-secre...

31.07.2025 16:29 — 👍 5    🔁 2    💬 0    📌 0
Preview
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats | Microsoft Security Blog Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow us...

Microsoft: "... notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position ..." www.microsoft.com/en-us/securi...

31.07.2025 16:14 — 👍 8    🔁 1    💬 0    📌 3

As a result, diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position. Get guidance for how orgs can defend against this campaign along with indicators of compromise (IOCs) and detection details in our blog post.

31.07.2025 16:10 — 👍 2    🔁 1    💬 0    📌 0

While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first confirmation of the actor’s ability to do so at the Internet Service Provider (ISP) level.

31.07.2025 16:07 — 👍 2    🔁 0    💬 1    📌 0

ApolloShadow installs a trusted root certificate, enabling Secret Blizzard to persist on diplomatic devices, likely for intelligence collection. This campaign, ongoing since 2024, poses high risk to embassies, diplomatic entities, & sensitive orgs operating in Moscow using local internet providers.

31.07.2025 16:07 — 👍 2    🔁 0    💬 1    📌 0
Preview
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats | Microsoft Security Blog Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware.
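The posts above describe the persistence mechanism (a root certificate added to the device's trust store, which lets an AiTM position on the ISP path terminate TLS without browser warnings), so the check a defender wants is an inventory of root stores against a known-good baseline. The script below is an added example, not code from the Microsoft blog post or from the ApolloShadow report. The baseline thumbprints, the 90-day window and the 'Kaspersky' subject filter are illustrative assumptions; replace the baseline with thumbprints exported from a reference machine or your CA inventory.

```powershell
# Added example (not from the Microsoft blog post): audit Windows root stores
# for trust anchors that are not on an expected baseline. Run elevated so the
# LocalMachine stores are readable; CurrentUser stores are per logged-on user.

# Assumption: thumbprints of the roots your fleet is expected to trust.
# The two entries are placeholders, not real certificates. With an empty
# baseline every root is reported, which is still useful on a suspect host.
$ExpectedRootThumbprints = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

# Roots whose validity began recently are the strongest candidates: a root
# dropped at compromise time usually has a NotBefore close to that date.
$RecentDays = 90
$Cutoff = (Get-Date).AddDays(-$RecentDays)

$Stores = @(
    'Cert:\LocalMachine\Root',     'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'
)

$Findings = foreach ($Store in $Stores) {
    if (-not (Test-Path $Store)) { continue }
    foreach ($Cert in Get-ChildItem -Path $Store) {
        $OnBaseline   = $ExpectedRootThumbprints -contains $Cert.Thumbprint
        $SelfSigned   = ($Cert.Subject -eq $Cert.Issuer)
        $RecentlyIssued = $Cert.NotBefore -ge $Cutoff
        [pscustomobject]@{
            Store          = $Store
            Subject        = $Cert.Subject
            Thumbprint     = $Cert.Thumbprint
            NotBefore      = $Cert.NotBefore
            OnBaseline     = $OnBaseline
            SelfSigned     = $SelfSigned
            RecentlyIssued = $RecentlyIssued
        }
    }
}

# 1. Anything off-baseline, freshest first.
$Findings | Where-Object { -not $_.OnBaseline -and $_.SelfSigned } |
    Sort-Object NotBefore -Descending |
    Format-Table Store, Subject, Thumbprint, NotBefore, RecentlyIssued -AutoSize

# 2. The blog quotes roots installed "under the guise of Kaspersky Anti-Virus".
#    A subject-name match is a weak signal by itself (assumption: your fleet
#    does not deploy such a root on purpose), so treat it as a lead, not proof.
$Findings | Where-Object { $_.Subject -match 'Kaspersky' -and -not $_.OnBaseline } |
    Format-Table Store, Subject, Thumbprint, NotBefore -AutoSize

# 3. The per-user root store is backed by this registry key, which a process
#    running as the user can write without administrator rights. Listing the
#    key names (they are the certificate thumbprints) catches roots added here.
Get-ChildItem 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates' -ErrorAction SilentlyContinue |
    Select-Object @{ Name = 'Thumbprint'; Expression = { $_.PSChildName } }
```

Run it on a clean reference machine first to build the baseline, then on suspect endpoints; a self-signed root that is absent from the baseline and has a NotBefore inside the campaign window is the finding to escalate, and its thumbprint is what you compare against the IOCs in the blog post.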

Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. msft.it/63320sJmHK

31.07.2025 16:02 — 👍 8    🔁 5    💬 1    📌 0

Have fun learning and connecting at Black Hat!

29.07.2025 17:24 — 👍 1    🔁 0    💬 0    📌 0

Finally, the Microsoft Threat Intelligence Podcast will be recording live from Black Hat, so watch for that episode. Meanwhile, listen to Black Hat NOC lead Grifter & Hacker Jeopardy host Lintile share insights and tips on exploring the hacker community: msft.it/6049synib

29.07.2025 17:24 — 👍 1    🔁 0    💬 1    📌 0

In the briefing “BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets”, Microsoft security researchers share how their research into attack surfaces led to hardening and further securing Windows Recovery Environment (WinRE). msft.it/6048syniw

29.07.2025 17:24 — 👍 1    🔁 0    💬 1    📌 0

At our VIP Mixer, hosted by Microsoft Incident Response, you can connect with our threat intelligence, incident response, and Security Copilot teams, alongside peers from the security community. Register here: msft.it/6047syniZ

29.07.2025 17:24 — 👍 1    🔁 0    💬 1    📌 0

At Booth 2246, expert meetups, live threat briefings, red teaming deep dives, and an insider’s view of real incident response give attendees the opportunity to hear directly from Microsoft experts, ask questions, and get a clearer view of end-to-end security: msft.it/6043syniV

29.07.2025 17:24 — 👍 1    🔁 0    💬 1    📌 0

Here are the ways you can interact with Microsoft at #BHUSA 2025:

On the main stage, Microsoft Threat Intelligence experts share behind-the-scenes insights in “Unmasking Cyber Villains: How Microsoft Stays Ahead of the World's Most Dangerous Hackers”: msft.it/63322syXVM

29.07.2025 17:20 — 👍 3    🔁 3    💬 1    📌 0

After discovering the bypass technique, we disclosed our findings to Apple, and we thank the security team for their collaboration in addressing this issue. Learn more about the implications of Sploitlight, our exploit, and how to strengthen defenses against TCC bypass attacks.

28.07.2025 16:04 — 👍 2    🔁 0    💬 0    📌 0

The vulnerability, referred to as “Sploitlight”, enables extraction of sensitive data, such as precise geolocation info, photo and video metadata, face and person recognition data, search history, and more—which is further complicated by the remote linking capabilities between iCloud accounts.

28.07.2025 16:03 — 👍 4    🔁 4    💬 1    📌 0
Preview
Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability | Microsoft Security Blog Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence.

Microsoft Threat Intelligence uncovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by TCC, such as caches used by Apple Intelligence. msft.it/63327sHUSJ

28.07.2025 16:02 — 👍 8    🔁 0    💬 1    📌 0
Preview
MDTI is Converging into Microsoft Sentinel and Defender XDR | Microsoft Community Hub In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security...

Microsoft Defender Threat Intelligence (MDTI) is converging directly into Defender XDR and Microsoft Sentinel, providing real-time TI within a unified SecOps experience and granting customers access to Microsoft’s extensive repository of raw & finished threat intelligence: msft.it/6045sGrP9

25.07.2025 22:27 — 👍 1    🔁 0    💬 0    📌 0

Tune in to hear how Microsoft and its partners are raising the cost for attackers, pushing them further to the periphery. Learn more about Lumma Stealer: msft.it/63325sGHrB

25.07.2025 17:07 — 👍 3    🔁 0    💬 0    📌 0

In this Microsoft Threat Intelligence podcast episode, Richard Boscovich and Derek Richardson from Microsoft’s DCU share the creative legal strategies, global partnerships, and rapid collaboration with infrastructure providers that drove the operation’s success.

25.07.2025 17:04 — 👍 3    🔁 0    💬 1    📌 0
Preview
Inside Microsoft’s Global Operation to Disrupt Lumma Stealer’s 2,300-Domain Malware Network In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Richard Boscovich and Derek Richardson from Microsoft’s Digital Crimes Unit to unpack the global takedown of Lumma Stealer, one of the world’s largest infostealer malware operations. They discuss how creative legal tools like RICO and centuries-old trespass laws, deep collaboration with global partners, and innovative technical strategies came together to seize 2,300 domains and protect nearly 400,000 victims. The episode explores how the DCU is shifting toward persistent, cost-imposing disruption of cybercrime as a service, and what this means for defenders everywhere.

Microsoft’s Digital Crimes Unit (DCU) shares the insider story of the successful global takedown of Lumma Stealer—a stealthy, customizable malware that quietly infected nearly 400,000 Windows devices worldwide, stealing passwords and sensitive data. msft.it/63325sGHE7

25.07.2025 17:01 — 👍 6    🔁 4    💬 2    📌 0

Customers should apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance in the blog. The latest updates include additional TTPs of the new activity, additional IOCs, and expanded mitigation, protection, and hunting guidance.

24.07.2025 01:14 — 👍 5    🔁 1    💬 0    📌 0
Preview
Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.

We updated our blog with expanded analysis and threat intelligence from newly observed activity by Storm-2603 leading to the deployment of Warlock ransomware. msft.it/63320s134O

24.07.2025 01:12 — 👍 7    🔁 4    💬 1    📌 0

Microsoft assesses that threat actors will continue to integrate the exploits into their attacks against unpatched on-premises SharePoint systems. Customers should apply the updates immediately to ensure they are protected.

22.07.2025 13:11 — 👍 2    🔁 0    💬 0    📌 0
