Content by Microsoft Defender Security Research Team (37)

Microsoft Defender Security Research Team breaks down an npm supply chain compromise in the mastra/@mastra ecosystem, where a typosquat dependency executed a malicious postinstall payload. The report explains the staged delivery, C2 behavior, cross-platform persistence, and provides Microsoft Defender detections, KQL hunting queries, and concrete mitigation steps.

Microsoft Defender Security Research Team breaks down “Miasma,” a large-scale npm supply-chain compromise that abused a GitHub Actions OIDC publishing workflow to ship trojanized @redhat-cloud-services packages. It explains the multi-stage obfuscation, credential theft targets (including Azure tokens), worm-like propagation, and concrete hunting and mitigation steps.

Microsoft Defender Security Research Team reports on a dependency confusion campaign using 33 malicious npm packages that execute an obfuscated postinstall payload to fingerprint developer and build environments, and shares concrete mitigations plus Microsoft Defender detections and hunting queries to find related activity.

Microsoft Defender Security Research Team reports on the “Mini Shai-Hulud” supply-chain campaign where typosquatted npm packages execute during install to steal cloud and CI/CD secrets. The post breaks down the two-stage payload, key indicators, and concrete hunting and mitigation steps for defenders.

The Microsoft Defender Security Research Team breaks down a multi-stage intrusion that started with an Azure-hosted F5 BIG-IP edge appliance, pivoted to an internal Confluence server, and escalated into credential theft and relay-style attacks against Active Directory, with concrete Defender detections, hunting queries, and mitigation guidance.

The Microsoft Defender Security Research Team breaks down a supply-chain attack where compromised @antv npm packages executed during install to steal CI/CD secrets, with a focus on GitHub Actions runners on Linux. The post includes technical malware behavior, IOCs, and concrete hunting and mitigation guidance using Microsoft Defender.

Microsoft Defender Security Research Team breaks down a Storm-2949 intrusion that starts with Entra ID credential theft and escalates into Azure-wide control-plane abuse, Key Vault secret theft, and large-scale data exfiltration. It also includes concrete hardening and detection guidance across identity, cloud resources, and endpoints.

Microsoft Defender Security Research Team describes research into generating high-fidelity synthetic attack telemetry with AI, translating MITRE ATT&CK TTPs into structured logs to speed up detection engineering while avoiding sensitive real-world data.

The Microsoft Defender Security Research Team reports on “Dirty Frag,” an actively exploited Linux local privilege escalation technique targeting kernel networking components, and shares practical interim mitigations plus Microsoft Defender detection coverage to help teams reduce post-compromise risk.

Microsoft Defender Security Research Team breaks down updated ClickFix-style macOS social engineering that tricks users into running Terminal commands, leading to multi-stage infostealers. The post covers three campaign variants, what they steal, how they persist, and how to detect and mitigate the activity with Microsoft Defender and hunting queries.

The Microsoft Defender Security Research Team breaks down CVE-2026-31431 (“Copy Fail”), a high-severity Linux kernel local privilege escalation that can lead to root access and container escape in cloud and Kubernetes environments, and provides mitigation steps plus Microsoft Defender XDR detection and hunting guidance.

Microsoft Defender Security Research Team explains how Microsoft Sentinel UEBA enriches AWS CloudTrail logs with simple true/false behavioral signals and built-in anomalies, helping detection engineers write simpler KQL, reduce false positives, and triage suspicious AWS activity faster.

The Microsoft Defender Security Research Team breaks down a cross-tenant Microsoft Teams helpdesk-impersonation intrusion chain, from Quick Assist remote access through WinRM lateral movement to Rclone-based data exfiltration, with concrete mitigations and Defender XDR hunting queries.

The Microsoft Defender Security Research Team walks through a real-world Active Directory domain compromise and shows how Microsoft Defender XDR’s predictive shielding (automatic attack disruption) used exposure-based containment to slow credential abuse and limit lateral movement until the attacker lost momentum.

The Microsoft Defender Security Research Team analyzes a severe Android intent-redirection flaw in the EngageSDK that could let a malicious app abuse another app’s identity to reach protected components and data, and explains what developers should update and review to avoid similar SDK-driven risks.

The Microsoft Defender Security Research Team breaks down an AI-enabled device code phishing campaign abusing the OAuth device code flow to steal tokens at scale, then using Microsoft Graph for reconnaissance and inbox rules for persistence. It includes a phase-by-phase attack chain plus concrete mitigations across Entra ID, Defender, and Sentinel.

The Microsoft Defender Security Research Team breaks down a stealthy PHP webshell technique where HTTP cookies act as the control channel, enabling dormant execution and cron-based persistence in Linux hosting environments, and maps practical hunting and mitigation guidance to Microsoft Defender capabilities.

The Microsoft Defender Security Research Team breaks down a WhatsApp-delivered VBScript campaign that renames legitimate Windows tools, pulls next-stage payloads from cloud storage, tampers with UAC for persistence, and finishes by deploying unsigned MSI installers; the post includes mitigations, Defender detections, and hunting queries.

The Microsoft Defender Security Research Team explains how Microsoft Defender uses high-value asset (HVA) context and Microsoft Security Exposure Management to improve detection and prevention, illustrated with real-world scenarios like domain controller credential theft and Exchange/IIS webshell remediation.

The Microsoft Defender Security Research Team breaks down the Trivy supply-chain compromise affecting GitHub Actions and official binaries, explains how credentials were harvested from CI/CD runners, and provides concrete Microsoft Defender detections plus hardening steps (like pinning actions to commit SHAs) to reduce repeat incidents.

The Microsoft Defender Security Research Team walks through a real human-operated ransomware case where attackers abused Group Policy Objects (GPOs) to disable defenses and distribute payloads, and shows how Defender predictive shielding (GPO hardening + attack disruption) proactively blocked the GPO-based encryption path across ~700 devices.

The Microsoft Defender Security Research Team analyzes how malicious AI-themed browser extensions harvest LLM chat histories and enterprise data, highlighting significant security risks.

Microsoft Defender Security Research Team explores how attackers are abusing stolen EV certificates and trusted workplace app branding to deliver RMM backdoors via phishing. The article details infection chains, hunting, mitigations, and provides practical security guidance.

Authored by the Microsoft Defender Security Research Team, this article explores how OAuth redirection mechanisms are exploited to deliver phishing and malware, offering technical insight and actionable defense strategies.

The Microsoft Defender Security Research Team examines the unique security risks of self-hosted agents like OpenClaw, detailing how identity, isolation, and runtime controls are critical for safe deployment.

Microsoft Defender Security Research Team provides a detailed overview of the top 10 security risks in Copilot Studio agent deployments, offering practical detection and mitigation strategies for secure use of AI-powered business workflows.

Microsoft Defender Security Research Team explores how AI systems, including Microsoft 365 Copilot, are vulnerable to AI memory poisoning attacks—where malicious prompts manipulate AI recommendations. The article details attack vectors, detection methods, and defenses against this growing threat.

Microsoft Defender Security Research Team presents a technical walkthrough of a multi-stage attack exploiting SolarWinds Web Help Desk, with actionable defensive guidance and hunting tips.

The Microsoft Defender Security Research Team dissects the CrashFix variant of ClickFix, revealing how it combines malicious browser extensions, PowerShell obfuscation, and a portable Python-based RAT to compromise and persist on high-value Windows systems.

The Microsoft Defender Security Research Team analyzes how modern infostealer malware campaigns, including those targeting macOS and Python-based attacks, are evolving. This piece provides actionable security insights and is essential reading for security professionals.

The Microsoft Defender Security Research Team details the LangGrinch (CVE-2025-68664) vulnerability affecting AI supply chains, with actionable guidance for enterprise security using Microsoft Defender tools.

The Microsoft Defender Security Research Team explains how security analysts can use AI to extract and validate TTPs from threat reports. Authored by the Defender Research Team, this workflow streamlines detection analysis while keeping experts in the loop.

The Microsoft Defender Security Research Team shares in-depth guidance on securing Microsoft Copilot Studio AI agents at runtime, demonstrating how Defender’s real-time protection thwarts malicious prompt injections and data exfiltration attempts.

Microsoft Defender Security Research Team investigates a sophisticated AiTM phishing and BEC attack campaign leveraging SharePoint, providing in-depth insights, detection analytics, and actionable defense strategies for security practitioners.

The Microsoft Defender Security Research Team examines security challenges arising from autonomous AI agents and demonstrates how Microsoft Defender helps secure these systems. Key strategies and posture management capabilities for multi-cloud environments are highlighted.

Microsoft Defender Security Research Team delivers expert analysis of the React2Shell vulnerability (CVE-2025-55182) in React Server Components, providing mitigation strategies and Defender integration guidance for securing enterprise systems.

Microsoft Defender Security Research Team presents an in-depth analysis of the Shai-Hulud 2.0 attack, offering actionable detection, investigation, and defense guidance for developers and security professionals in cloud-native environments.