Microsoft Threat Intelligence
@MsftSecIntel
We are Microsoft's global network of security experts. Follow for security research and threat intelligence.
Redmond, WA
Joined November 2010
New blog post: Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack. https://t.co/R41QPav8mO In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender,
microsoft.com
The Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently. Attackers maliciously modified hundreds of publicly available...
The December 2025 security updates are available:
Security updates for December 2025 are now available. Details are here: https://t.co/WW89TchdN8
#PatchTuesday #SecurityUpdateGuide
"Defense is doable… We have to be brilliant at the basics... It’s about doing really good access management, really good principle of least privilege, really good network architecture..." -- Matt Duncan, E-ISAC VP of Security Operations and Intelligence
thecyberwire.com
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Matt Duncan, Vice President of Security Operations and Intelligence at the North American...
Like similar Storm-0900 activity, this campaign led to XWorm, a popular modular malware used by many threat actors for remote access, deployment of other malware, and data theft. XWorm uses plugins that threat actors can use to perform various tasks on compromised devices. These
The URLs in the phishing emails redirected to an attacker-controlled landing page on the malicious domain permit-service[.]top that employed several rounds of user interaction. First, users needed to solve a slider CAPTCHA by clicking and dragging a slider, followed by ClickFix,
On Thanksgiving eve, November 26, Microsoft detected and blocked a high-volume phishing campaign from a threat actor we track as Storm-0900. The campaign used parking ticket and medical test result themes and referenced Thanksgiving to lend credibility and lower recipients’
Throughout 2025, Tycoon2FA (tracked by Microsoft as Storm-1747) has consistently been the most prolific phishing-as-a-service (PhaaS) platform observed by Microsoft. In October 2025, Microsoft Defender for Office 365 blocked more than 13 million malicious emails linked to
For more details and practical guidance, tune in to this Microsoft Threat Intelligence Podcast episode hosted by Sherrod DeGrippo, featuring insights from Anna Seitz and Tori Murphy.
Vanilla Tempest, another financially motivated group, used SEO poisoning to distribute fake, fraudulently signed Teams installers to deliver ransomware. Their TTPs include abusing code signing, opportunistic targeting, & exploiting known vulnerabilities.
The Storm-2657 “payroll pirate” campaign targeted universities by exploiting compromised email accounts and weak MFA protocols, using phishing emails to steal credentials and reroute salary payments.
microsoft.com
Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and...
Attackers are increasingly weaponizing trust in identity and code to achieve financial gain.
thecyberwire.com
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers Tori Murphy and Anna Seitz to unpack two financially motivated cyber...
The Threat Intelligence Briefing Agent, which delivers daily customized briefings that combine Microsoft’s global threat intelligence with insights specific to each organization, is now fully integrated into the Microsoft Defender portal, available in public preview.
And to make it easier than ever for organizations to harness the power of Security Copilot agents to protect at the speed and scale of AI, Security Copilot will be included for all Microsoft 365 E5 customers. Learn more:
learn.microsoft.com
Learn about Security Copilot availability in Microsoft 365 (ME5)
These adaptive agents run side by side with security teams to triage incidents, optimize conditional access policies, surface threat intelligence, and maintain secure, compliant endpoints more easily.
learn.microsoft.com
Learn about Microsoft Security Copilot agents.
Microsoft is introducing a dozen new and enhanced Microsoft Security Copilot agents in Microsoft Defender, Microsoft Entra, Microsoft Intune, & Microsoft Purview. Our partner community also released more than 30 new Security Copilot agents.
microsoft.com
At Microsoft Ignite 2025, we are not just announcing new features—we are redefining what’s possible, empowering security teams to shift from reactive responses to proactive strategies.
The November 2025 security updates are available:
Security updates for November 2025 are now available! Details are here: https://t.co/WW89TcgFXA
#PatchTuesday #SecurityUpdateGuide
Microsoft has discovered a new type of side-channel attack against streaming-mode language models using network packet sizes and timings. https://t.co/HAa7IYyhHR An attacker in a position to observe the encrypted traffic could use this type of side-channel attack to conclude
microsoft.com
Understand the risks of encrypted AI traffic exposure and explore practical steps users and cloud providers can take to stay secure. Learn more.
Dive into the heart of threat intelligence as Principal Security Researcher @yo_yo_yo_jbo reveals how proactive security research powers Microsoft’s defenses: https://t.co/VgoMyoiCgJ. The relentless hunt for vulnerabilities—like the HM Surf exploit—spotlights how research doesn’t
In the latest Microsoft Threat Intelligence Podcast episode, Sherrod DeGrippo and Zack Korman explore the future risks and opportunities that AI introduces in cybersecurity, cutting through hype to discuss where AI is both brilliant and flawed:
thecyberwire.com
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Zack Korman, CTO of cybersecurity startup Pistachio. They explore the reality of AI in securi...
Microsoft Incident Response – Detection and Response Team (DART) uncovered SesameOp, a new backdoor that uses the OpenAI Assistants API for C2. DART shared the findings with OpenAI, who identified and disabled an API key and associated account. https://t.co/xflPrSQReI SesameOp
microsoft.com
Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface...