Content by Microsoft Defender Security Research Team (27)

The Microsoft Defender Security Research Team breaks down CVE-2026-31431 (“Copy Fail”), a high-severity Linux kernel local privilege escalation that can lead to root access and container escape in cloud and Kubernetes environments, and provides mitigation steps plus Microsoft Defender XDR detection and hunting guidance.

Microsoft Defender Security Research Team explains how Microsoft Sentinel UEBA enriches AWS CloudTrail logs with simple true/false behavioral signals and built-in anomalies, helping detection engineers write simpler KQL, reduce false positives, and triage suspicious AWS activity faster.

The Microsoft Defender Security Research Team breaks down a cross-tenant Microsoft Teams helpdesk-impersonation intrusion chain, from Quick Assist remote access through WinRM lateral movement to Rclone-based data exfiltration, with concrete mitigations and Defender XDR hunting queries.

The Microsoft Defender Security Research Team walks through a real-world Active Directory domain compromise and shows how Microsoft Defender XDR’s predictive shielding (automatic attack disruption) used exposure-based containment to slow credential abuse and limit lateral movement until the attacker lost momentum.

The Microsoft Defender Security Research Team analyzes a severe Android intent-redirection flaw in the EngageSDK that could let a malicious app abuse another app’s identity to reach protected components and data, and explains what developers should update and review to avoid similar SDK-driven risks.

The Microsoft Defender Security Research Team breaks down an AI-enabled device code phishing campaign abusing the OAuth device code flow to steal tokens at scale, then using Microsoft Graph for reconnaissance and inbox rules for persistence. It includes a phase-by-phase attack chain plus concrete mitigations across Entra ID, Defender, and Sentinel.

The Microsoft Defender Security Research Team breaks down a stealthy PHP webshell technique where HTTP cookies act as the control channel, enabling dormant execution and cron-based persistence in Linux hosting environments, and maps practical hunting and mitigation guidance to Microsoft Defender capabilities.

The Microsoft Defender Security Research Team breaks down a WhatsApp-delivered VBScript campaign that renames legitimate Windows tools, pulls next-stage payloads from cloud storage, tampers with UAC for persistence, and finishes by deploying unsigned MSI installers; the post includes mitigations, Defender detections, and hunting queries.

The Microsoft Defender Security Research Team explains how Microsoft Defender uses high-value asset (HVA) context and Microsoft Security Exposure Management to improve detection and prevention, illustrated with real-world scenarios like domain controller credential theft and Exchange/IIS webshell remediation.

The Microsoft Defender Security Research Team breaks down the Trivy supply-chain compromise affecting GitHub Actions and official binaries, explains how credentials were harvested from CI/CD runners, and provides concrete Microsoft Defender detections plus hardening steps (like pinning actions to commit SHAs) to reduce repeat incidents.

The Microsoft Defender Security Research Team walks through a real human-operated ransomware case where attackers abused Group Policy Objects (GPOs) to disable defenses and distribute payloads, and shows how Defender predictive shielding (GPO hardening + attack disruption) proactively blocked the GPO-based encryption path across ~700 devices.

The Microsoft Defender Security Research Team analyzes how malicious AI-themed browser extensions harvest LLM chat histories and enterprise data, highlighting significant security risks.

Microsoft Defender Security Research Team explores how attackers are abusing stolen EV certificates and trusted workplace app branding to deliver RMM backdoors via phishing. The article details infection chains, hunting, mitigations, and provides practical security guidance.

Authored by the Microsoft Defender Security Research Team, this article explores how OAuth redirection mechanisms are exploited to deliver phishing and malware, offering technical insight and actionable defense strategies.

The Microsoft Defender Security Research Team examines the unique security risks of self-hosted agents like OpenClaw, detailing how identity, isolation, and runtime controls are critical for safe deployment.

Microsoft Defender Security Research Team provides a detailed overview of the top 10 security risks in Copilot Studio agent deployments, offering practical detection and mitigation strategies for secure use of AI-powered business workflows.

Microsoft Defender Security Research Team explores how AI systems, including Microsoft 365 Copilot, are vulnerable to AI memory poisoning attacks—where malicious prompts manipulate AI recommendations. The article details attack vectors, detection methods, and defenses against this growing threat.

Microsoft Defender Security Research Team presents a technical walkthrough of a multi-stage attack exploiting SolarWinds Web Help Desk, with actionable defensive guidance and hunting tips.

The Microsoft Defender Security Research Team dissects the CrashFix variant of ClickFix, revealing how it combines malicious browser extensions, PowerShell obfuscation, and a portable Python-based RAT to compromise and persist on high-value Windows systems.

The Microsoft Defender Security Research Team analyzes how modern infostealer malware campaigns, including those targeting macOS and Python-based attacks, are evolving. This piece provides actionable security insights and is essential reading for security professionals.