Microsoft Purview is a unified data governance and compliance solution that helps organizations manage, protect, and gain insights from their data across on-premises, multi-cloud, and SaaS environments. If you’re new to Purview, this guide will walk you through the essentials of setting up your first account and preparing for a successful deployment.
Why Purview Matters
Before diving into the steps, it’s important to understand why Purview is critical:
Centralized Governance: Consolidates data discovery, classification, and lineage tracking.
Compliance & Risk Management: Offers sensitivity labels, Data Loss Prevention (DLP), and Insider Risk Management.
Multi-Cloud Support: Extends governance to Azure, AWS, Google Cloud, and on-premises sources.
Prerequisites
Before creating your Purview account, ensure:
An active Azure subscription and associated Microsoft Entra tenant.
Appropriate roles: Global Administrator or Compliance Administrator.
Registered resource providers: Microsoft.Storage, Microsoft.Purview, and optionally Microsoft.EventHub.
Defined network requirements if using private endpoints.
Step 1: Create Your Purview Account
Access Azure Portal: Navigate to https://portal.azure.com
Create Resource: Search for Microsoft Purview and select Create.
Configure Basics:
Subscription: Choose your Azure subscription.
Resource Group: Select or create a resource group.
Account Name: Provide a unique name.
Region: Pick the closest region to your data.
Networking: Decide between open access or private endpoints for secure connectivity.
Review + Create: Validate settings and deploy.
Step 2: Set Up Data Map and Catalog
Navigate to Purview Studio and open Data Map.
Register Data Sources: Add sources like Azure Blob Storage, SQL Server, or Microsoft 365.
Configure Scans: Define scope and frequency for automated metadata discovery.
Enable Classification: Apply system or custom classifications for sensitive data.
Step 3: Assign Roles and Permissions
Use Role Assignments to grant access:
Admins: Full control.
Curators: Manage metadata.
Readers: View-only access.
For scanning, ensure the Storage Blob Data Reader role is assigned to the Purview account.
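Steps 1 and 3 above, scripted with the Az PowerShell modules the Pro Tips mention. This is an added example, not code from the original post; it assumes the Az.Accounts, Az.Resources, Az.Storage and Az.Purview modules are installed, that the caller can create role assignments on the subscription, and that an existing storage account is the first source to be scanned. All names and the subscription ID are placeholders.

```powershell
# Added example (not from the original post). Assumes Az.Accounts, Az.Resources,
# Az.Storage and Az.Purview are installed and the caller can assign roles.
# Every value below is a placeholder for your own environment.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-governance'                           # placeholder
$location       = 'eastus'                                  # region closest to your data
$purviewName    = 'pv-contoso-prod'                         # must be globally unique
$storageAccount = 'stcontosodata'                           # existing account to be scanned

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# Prerequisite check: the resource providers named in the guide must be registered.
foreach ($ns in 'Microsoft.Storage', 'Microsoft.Purview', 'Microsoft.EventHub') {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState |
        Select-Object -First 1
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns (current state: $state)"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Step 1: create the account with a system-assigned managed identity and public
# network access disabled, so only private endpoints can reach Studio and the Data Map.
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}
$account = New-AzPurviewAccount -Name $purviewName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -IdentityType SystemAssigned `
    -SkuName Standard -SkuCapacity 4 `
    -PublicNetworkAccess Disabled

# Step 3: grant the account's managed identity read access to the blob data it scans.
# Scope the assignment to the one storage account, not the whole subscription.
$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$principalId = $account.Identity.PrincipalId

# A freshly created identity can take a short time to replicate, so retry the
# assignment a few times instead of failing on the first "principal not found".
$assigned = $false
for ($attempt = 1; $attempt -le 6 -and -not $assigned; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $principalId `
            -RoleDefinitionName 'Storage Blob Data Reader' `
            -Scope $storage.Id -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Write-Host "Role assignment attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 10
    }
}

# Validation: fail loudly if the network setting or the role assignment did not land.
$check = Get-AzPurviewAccount -Name $purviewName -ResourceGroupName $resourceGroup
if ($check.PublicNetworkAccess -ne 'Disabled') {
    throw "Public network access is '$($check.PublicNetworkAccess)'; expected Disabled."
}
$assignment = Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id |
    Where-Object RoleDefinitionName -eq 'Storage Blob Data Reader'
if (-not $assignment) {
    throw 'Storage Blob Data Reader was not assigned to the Purview managed identity.'
}
Write-Host "Purview account $purviewName is ready; identity $principalId can read $storageAccount."
```

After this runs, register the storage account as a source in Data Map and configure the scan; the managed identity is the credential the scan will use.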
Step 4: Configure Governance Policies
Sensitivity Labels: Create and apply labels for files, emails, and sites.
DLP Policies: Prevent accidental sharing of sensitive data.
Retention Policies: Define lifecycle rules for compliance.
Step 5: Validate and Monitor
Use Compliance Manager to track adherence to regulatory standards like GDPR or HIPAA.
Monitor scans and classification results in Purview Insights.
Schedule periodic reviews to maintain governance maturity.
Pro Tips
Start small: Enable core capabilities (Data Classification, Information Protection, DLP) before expanding to advanced features like Insider Risk Management.
Automate where possible: Use PowerShell modules (Az.Purview, Microsoft.Graph.Compliance) for bulk operations.
Document your taxonomy: Keep sensitivity labels simple and intuitive.
Pretty new to Sentinel and UEBA. I have ingested 3rd-party logs into Sentinel via the syslog connector. One field contains AD-related context that I want to map to UEBA use cases.
Questions:
How do I map these custom logs to UEBA entities?
Any documentation or samples for mapping syslog data to UEBA?
Do I need to normalize the AD field to a specific schema first?
In a major cybersecurity incident shaking the tech world, F5 Networks has confirmed a breach attributed to a China-backed nation-state actor. The attackers reportedly gained access to F5’s production environments, including the BIG-IP product line, potentially as far back as 12 months ago. This compromise led to the exfiltration of proprietary source code and undisclosed vulnerability data, raising alarms about potential exploitation in critical infrastructure.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly responded with an emergency directive, urging federal agencies to patch affected F5 products by October 22, 2025, for most systems, and October 31 for others. This move underscores the “imminent threat” to thousands of networks, including U.S. government and Fortune 500 entities. F5 emphasized that no active exploitation of vulnerabilities has been detected yet, but the breach’s scope—impacting BIG-IP, BIG-IP Next, F5OS, and related components—marks one of the heaviest security update cycles in the company’s history, with over 30 high-severity CVEs disclosed.
Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
Experts warn this could be a supply chain attack in disguise, similar to past incidents like SolarWinds. Organizations using F5 gear should prioritize patching and monitor for unusual activity. As one X post highlighted, the breach’s potential impact on national security prompted delayed public disclosure by the Department of Justice. For defenders, this is a stark reminder: even robust systems aren’t immune to persistent threats. Stay vigilant—scan your environments now.
Microsoft October 2025 Patch Tuesday: Zero-Days and Massive Fixes
Microsoft’s October 2025 Patch Tuesday dropped a bombshell update, addressing 173 vulnerabilities, including four actively exploited zero-days. This “terrifyingly large” release spells the end of support for Windows 10 updates in some scenarios, leaving admins scrambling to secure systems against privilege escalation bugs and remote exploitation risks.
Key highlights include fixes for Windows zero-days already under attack, such as those enabling denial-of-service and code execution. Additionally, the update caused sync failures in Active Directory on Windows Server 2025, particularly for large security groups over 10,000 members, disrupting identity management in enterprises. Microsoft also revoked over 200 certificates used by the Vanilla Tempest group to sign fake Microsoft Teams files, halting a ransomware campaign in its tracks.
For IT teams, this patch cycle is a nightmare: high-severity issues across Windows, Adobe integrations, and more demand immediate action. As noted in discussions, the update’s size rivals major overhauls, with implications for everything from cloud syncing to endpoint security. Pro tip: Test patches in staging environments first to avoid breaking critical workflows. With threats like these, delaying could mean inviting attackers in.
Zerodha CEO’s Phishing Hack: A Wake-Up Call on Human Error
Nithin Kamath, founder and CEO of Indian brokerage Zerodha, revealed his personal Twitter account was compromised via a sophisticated phishing email. Despite robust safeguards like 2FA, a momentary lapse—clicking a “Change Your Password” link in a spam-filter-evading message—granted attackers access to post scam crypto links.
Kamath emphasized that the attack seemed AI-automated and not targeted personally, but it exposed the human element in cybersecurity. Even with regular awareness training at Zerodha, one slip proved costly. This incident echoes broader concerns about phishing’s evolution, where AI crafts hyper-realistic lures that bypass technical defenses.
The hack serves as a reminder: cybersecurity isn’t just tech—it’s processes, policies, and psychology. Kamath’s experience, shared widely, highlights why holistic frameworks are essential beyond 2FA. For individuals and orgs alike, double-check emails, use password managers, and report suspicious activity immediately. In 2025, phishing remains king—don’t let it dethrone your security.
Indian Voter Data Breach: ECI Under Fire for Privacy Lapses
An alarming voter data breach involving India’s Election Commission of India (ECI) has sparked outrage, with reports of voter rolls—including photos and demographics—being shared with state systems and repurposed illegally for schemes like pension verification. Private firms were allegedly involved, turning sacred voter data into a commodity for exploitation.
The Telangana CEO confirmed the data handover, raising questions about accountability and potential theft enabled at the highest levels. Critics argue this violates privacy norms and risks democracy, as compromised data could fuel identity fraud or targeted misinformation campaigns.
This incident ties into global data protection debates, especially with India’s push for digital IDs like DigiYatra, where facial recognition data storage raises breach fears. ECI must enforce stricter controls—transparency and audits are key. For citizens: Monitor your data usage and advocate for better safeguards. In an election year, data integrity is non-negotiable.
Pro-Hamas Airport Hacks: Cyberattacks Hit B.C. and U.S. Sites
Pro-Hamas hackers claimed responsibility for breaching display systems at airports in British Columbia and the U.S., broadcasting unauthorized messages and chants. This prompted immediate security assessments, highlighting vulnerabilities in public infrastructure like digital signage.
The attacks, while not disrupting operations, underscore the rise of ideologically motivated cyber threats using simple hijacks to amplify propaganda. Airports, as high-visibility targets, face increasing risks from such groups exploiting unpatched systems or weak access controls.
Authorities are investigating, but the incidents reveal gaps in IoT and network security. For critical sectors: Segment networks, apply zero-trust models, and monitor for anomalies. Geopolitical tensions are fueling cyber ops—prepare accordingly to avoid becoming a billboard for adversaries.
Microsoft’s Massive Patch Tuesday: Plugging 172 Holes and Six Zero-Days
In the ever-evolving landscape of cybersecurity, Microsoft’s October 2025 Patch Tuesday stands out as a critical update, addressing a whopping 172 vulnerabilities, including six zero-day exploits. This release marks one of the largest in recent months, with four of those zero-days already under active exploitation by threat actors. Key fixes include high-severity issues like the Microsoft Graphics Component Elevation of Privilege Vulnerability (CVE-2025-49708, CVSS 9.9), which could allow attackers to gain escalated privileges on affected systems. Other notable patches target flaws in Windows Server Update Service and even an ancient modem driver, highlighting how legacy components can still pose modern risks. For organizations, this underscores the urgency of timely patching—delaying could leave systems open to ransomware or data exfiltration. As cyber threats grow more sophisticated, staying ahead means prioritizing these updates, testing them in staging environments, and monitoring for any post-patch anomalies. If you’re running Windows, now’s the time to hit that update button and fortify your defenses.
Data Breaches Dominate the Headlines: From Fines to Exposed Personal Records
Data breaches continue to plague organizations worldwide, with several high-profile incidents making waves on October 15, 2025. The UK’s Information Commissioner’s Office slapped Capita with a £14 million fine for a 2023 breach that exposed millions of people’s data, including pension records and sensitive financial details. Meanwhile, Unity disclosed a breach on its SpeedTree site, impacting 428 users’ personal and payment information via malicious code injected into the checkout page from March to August 2025. Rail operator LNER also notified customers of a breach exposing emails and other personal info, prompting misguided advice to change passwords despite no credentials being compromised. Other leaks included Teknobuilt’s source code exposure, Hello Cake’s 23k email addresses with purchase histories, and Spanish retailer MANGO’s customer contact data theft. Even older cases like Tennessee’s 2018 HIV patient record exposure resurfaced in discussions, emphasizing violations of the principle of least privilege. These incidents highlight a common thread: inadequate access controls and third-party risks. To mitigate, businesses should implement zero-trust architectures, conduct regular audits, and educate users on phishing vigilance. In a world where data is currency, breaches aren’t just costly—they erode trust.
Ransomware’s Relentless Rise: AI-Fueled Attacks and Supply Chain Weaknesses
Ransomware remains a top cybersecurity scourge in 2025, with attacks growing in sophistication and scale, often leveraging AI for both offense and defense. Ransomware-as-a-Service (RaaS) models are booming, enabling even novice cybercriminals to launch devastating campaigns. Recent examples include the “RMPocalypse” and Cl0p ransomware operations targeting global entities, as well as college payroll systems hit by the “Payroll Pirate” scam from Storm-2657. Supply chain vulnerabilities are exacerbating the issue, with threats like malicious npm/PyPI/RubyGems packages and PolarEdge IoT backdoors allowing attackers to infiltrate networks indirectly. Experts warn that without robust zero-trust strategies and employee training, these attacks will only intensify. For protection, focus on multi-layered defenses: regular backups, endpoint detection tools, and incident response plans. As ransomware evolves, so must our countermeasures—proactivity is key to avoiding the next big payout or downtime disaster.
Emerging Vulnerabilities: From Android 2FA Theft to Space-Based Espionage
Beyond the big patches, October 15 saw buzz around fresh vulnerabilities exploiting cutting-edge tech. Android’s “Pixnapping” flaw allows 2FA theft via GPU side-channels, a clever attack vector that bypasses traditional security. Chinese hackers have been using trusted ArcGIS apps for year-long persistence in targeted systems, while researchers demonstrated cheap ways to steal secrets from space-based communications. Other highlights include CISA adding five actively exploited vulnerabilities to its must-patch list, Oracle E-Business Suite zero-days tied to Cl0p, Fortra’s maximum-severity GoAnywhere flaw, AMD’s SEV-SNP issue, and a critical Rockwell NAT Router vulnerability (CVE-2025-7328, CVSS 10.0) enabling unauthenticated takeovers. SAP zero-days and health app risks also surfaced, pointing to broader IoT and remote desktop threats like brute-force attacks and credential theft. These vulnerabilities show how attackers are innovating faster than ever. Defenders should leverage threat intelligence, adopt multi-factor authentication beyond SMS, and scan for known exploits regularly. Staying informed on these emerging risks is your first line of defense in this cat-and-mouse game.
Windows 10’s End of Life: A Ticking Time Bomb for Security
As Windows 10 reaches its end-of-life (EOL) on October 14, 2025, the cybersecurity community is sounding alarms over unpatched systems becoming prime targets. Microsoft’s final security updates for the OS coincide with this month’s Patch Tuesday, leaving millions of devices vulnerable to new exploits without extended support. This shift amplifies risks like ransomware and zero-day attacks, especially for organizations slow to migrate to Windows 11 or beyond. Legacy systems could see a surge in breaches, similar to past EOL events. To navigate this, plan upgrades now, consider virtual patching solutions, or invest in extended security updates if feasible. The EOL isn’t just a tech milestone—it’s a wake-up call for proactive migration to avoid becoming low-hanging fruit for cybercriminals.
In the fast-paced world of professional life, where deadlines, ambitions, and pressures often dominate, it’s easy to lose sight of a higher purpose. Yet, for those who seek to integrate faith into their work, 1 Corinthians 10:31 offers a timeless anchor: “So whether you eat or drink or whatever you do, do it all for the glory of God.” This verse challenges professionals to view every task, decision, and interaction as an opportunity to honor God. But what does this look like in practice? Let’s explore how this principle can transform your approach to work.
A Call to Intentionality in All Things
At its core, 1 Corinthians 10:31 is a call to intentionality. Paul, writing to the Corinthian church, urges believers to approach even the most mundane activities—like eating or drinking—with a mindset that glorifies God. For professionals, this means every email sent, every meeting conducted, and every project completed can be an act of worship when done with purpose and integrity.
Consider a software developer debugging code late into the evening. The task may feel tedious, but approaching it with diligence and a commitment to excellence reflects a desire to honor God through stewardship of their skills. Similarly, a manager resolving a team conflict with patience and fairness demonstrates God’s love in action. No task is too small to carry eternal significance when done with this mindset.
Practical Ways to Glorify God in Your Work
1. Pursue Excellence as an Act of Worship
Excellence in your work isn’t just about personal achievement; it’s a reflection of God’s character. Colossians 3:23 reinforces this: “Whatever you do, work at it with all your heart, as working for the Lord, not for human masters.” Whether you’re crafting a presentation, analyzing data, or serving a client, strive for quality that points to the Creator’s perfection. This doesn’t mean perfectionism but rather giving your best effort in every responsibility entrusted to you.
2. Act with Integrity
In a world where cutting corners or bending ethics can seem tempting, 1 Corinthians 10:31 reminds us that our actions matter. Honesty in reporting, transparency in communication, and fairness in decision-making glorify God by aligning with His truth and justice. For instance, choosing to acknowledge a mistake rather than covering it up not only builds trust but also reflects a heart submitted to God’s standards.
3. Serve Others Through Your Role
Your workplace is a mission field. Whether you’re leading a team or supporting one, your interactions with colleagues, clients, or customers are opportunities to demonstrate Christ-like love. Listening attentively, offering encouragement, or going the extra mile to help a coworker can reflect God’s grace. As Jesus said in Matthew 5:16, “Let your light shine before others, that they may see your good deeds and glorify your Father in heaven.”
4. Maintain a Heart of Gratitude
Gratitude transforms our perspective. Instead of viewing work as a burden, 1 Corinthians 10:31 invites us to see it as a gift—an opportunity to use our God-given talents. Expressing thanks, whether through prayer or acknowledging others’ contributions, fosters a culture of appreciation that honors God and uplifts those around you.
Balancing Ambition and Humility
For professionals, ambition often drives success. Yet, 1 Corinthians 10:31 challenges us to align our ambitions with God’s glory rather than personal gain. This means pursuing goals with humility, recognizing that our abilities and opportunities come from God. It also means celebrating others’ successes and trusting God with the outcomes of our efforts, knowing that our ultimate reward is His approval.
A Daily Commitment
Living out 1 Corinthians 10:31 in professional life isn’t a one-time decision but a daily commitment. Start each day by asking, “How can I honor God in my work today?” Reflect on your motives, seek wisdom through prayer, and trust God to guide your decisions. Over time, this mindset transforms not only your work but also your influence, as others see the difference faith makes.
Conclusion
1 Corinthians 10:31 reminds us that no aspect of life—including our professional endeavors—is separate from our faith. By pursuing excellence, acting with integrity, serving others, and maintaining gratitude, we can make our work a living testimony to God’s glory. As professionals, let’s embrace this call to do whatever we do with purpose, knowing that even the smallest tasks can reflect the greatness of our Creator.
Data is the lifeblood of modern organizations, but without proper governance, it can quickly become a liability. Implementing a robust data governance framework ensures accuracy, compliance, and trust—while enabling innovation and AI readiness. Microsoft Purview offers a unified platform to make this possible. Let’s explore how to move from strategy to execution.
Why Data Governance Matters
Data governance is more than a compliance checkbox—it’s a strategic enabler. It ensures:
Accuracy and Integrity: Reliable data for decision-making.
Privacy and Compliance: Adherence to regulations like GDPR and HIPAA.
Operational Efficiency: Standardized processes that reduce silos and manual workarounds.
Without governance, organizations risk regulatory penalties, security breaches, and poor business decisions. In an AI-driven world, governance is essential for safe adoption of advanced technologies.
Microsoft Purview: The Governance Hub
Microsoft Purview consolidates compliance and governance capabilities across Azure and Microsoft 365 into a single interface. It provides:
Unified Data Map and Catalog: Technical and business layers for asset discovery and curation.
Automated Classification and Labeling: Reduce manual effort and enforce policies.
Integration with Existing Tools: Seamless experience across Microsoft ecosystems.
Purview is designed to simplify governance workflows, improve visibility, and centralize policy management—critical for organizations managing hybrid or multi-cloud environments.
From Strategy to Execution: Key Steps
1. Assess Your Data Landscape
Start by mapping your data estate. Identify sources, classify assets, and understand vulnerabilities. You can’t govern what you don’t know exists.
2. Define Governance Framework
Establish policies, standards, and roles:
Data Governance Council for oversight.
Data Owners and Stewards for operational execution.
Clear RACI Matrix to avoid ambiguity.
3. Build Your Data Map and Unified Catalog
Use Purview to scan data sources, register assets, and create a business-friendly catalog. This enables discoverability and responsible usage.
4. Implement Data Quality and Compliance Controls
Set up rules for profiling, cleansing, and monitoring. Integrate master data management to create golden records and maintain consistency.
5. Start Small and Iterate
Avoid onboarding everything at once. Begin with critical domains, validate processes, and expand gradually. This reduces complexity and improves adoption.
6. Engage Stakeholders Early
Governance is a team sport. Involve IT, business users, and compliance officers from the start to ensure alignment and collaboration.
7. Monitor, Optimize, and Scale
Use Purview’s observability and reporting features to track health, compliance, and performance. Continuously refine roles, policies, and processes.
Common Pitfalls and Lessons Learned
Overloading the Catalog: Too many assets without proper documentation create noise.
Neglecting Change Management: Without clear communication and training, adoption suffers.
TLDR
Implementing data governance with Microsoft Purview is a journey, not a one-time project. By starting with a clear strategy, engaging stakeholders, and leveraging Purview’s capabilities, organizations can transform governance from a compliance necessity into a competitive advantage.
Strengthening cyber defense in the age of agentic AI with Microsoft Sentinel
Microsoft Sentinel has now evolved beyond a cloud-native SIEM into a unified, AI-powered security platform, connecting analytics and context across ecosystems at scale. With a centralized, purpose-built security data lake and graph capabilities, organizations gain deeper insights and richer context for more effective cyberthreat detection and investigation. The Model Context Protocol (MCP) server and agentic tools make data agent-ready, paving the way for seamless integration with autonomous security agents and unlocking new possibilities for proactive defense.
We realized that we needed to uplift our capability in the security operations center. We wanted a platform that could help us face the challenges of offensive use of AI so we could defend at machine speed.
—David Boda, Chief Security and Resilience Officer, Nationwide
Optimizing costs and coverage
Now generally available, the Microsoft Sentinel data lake serves as the foundation for modern, AI-powered security operations. Purpose-built for security, it features a cloud-native architecture that centralizes all security data from more than 350 sources across platforms and clouds. The Microsoft Sentinel data lake simplifies data management, eliminating silos, and enables cost-effective long-term retention, empowering organizations to maintain strong security postures while optimizing budget. By unifying historical and real-time security data, the data lake helps AI agents and automation perform advanced analytics, detect anomalies, and execute autonomous cyberthreat responses with precision and speed.
To further help organizations optimize their security operations, Microsoft Sentinel has native features like:
SOC optimization helps security teams improve coverage, reduce costs, and streamline operations by providing AI-powered recommendations on data usage, cyberthreat detection gaps, and analytics efficiency. These insights empower defenders to make smarter decisions and maximize return on investment.
New cost management features in preview help customers with cost predictability, billing transparency, and operational efficiency.
Accelerating the SOC with advanced analytics and AI
Microsoft Sentinel is transforming security operations with advanced analytics, agentic AI, and an MCP server. The Microsoft Sentinel data lake centralizes security data from hundreds of sources, enabling real-time detection, contextual analysis, and autonomous response. The integration of agentic AI and Microsoft Security Copilot allows defenders to automate investigations, correlate complex signals, and respond to cyberthreats at machine speed. The MCP server further enhances these capabilities by making security data agent-ready. Support for tools like Kusto Query Language (KQL) queries, Spark notebooks, and machine learning models within the Microsoft Sentinel data lake empowers agentic systems to continuously learn, adapt, and act on emerging cyberthreats, driving smarter, faster, and more contextual security operations across the SOC. This AI-powered approach reduces alert fatigue and accelerates decision-making, strengthening security posture across the SOC.
Together, these capabilities empower SOC teams to operate at the speed of AI, reduce noise, and focus on high-impact investigations, driving clarity, efficiency, and resilience across the security lifecycle.
Empowering defenders with industry-leading SIEM
Microsoft Sentinel enhances security operations by unifying SIEM, security orchestration, automation, and response (SOAR), user and entity behavior analytics (UEBA), and threat intelligence into a single, integrated experience. With full integration into the Microsoft Defender portal, Microsoft Sentinel delivers a consolidated view for detection, investigation, and response across endpoints, identities, cloud, and network—streamlining workflows and enhancing efficiency for SOC teams.
Advanced correlation algorithms combine behavioral analytics, machine learning, and threat intelligence to connect events and deliver comprehensive security insights.
Custom rules and MITRE ATT&CK® mapping allow defenders to tailor detection strategies for their specific needs.
Built-in orchestration and automation capabilities reduce manual effort, accelerate incident response, and free analysts to focus on high-value tasks.
UEBA powered by AI provides deep behavioral insights to detect anomalies and insider threats.
Integrated threat intelligence enriches investigations with real-time insights, enabling faster detection, deeper context, and more accurate response across the SOC.
Embedded AI and machine learning accelerate threat detection, reduce false positives, and enable advanced hunting and automated investigations—helping SOC teams respond faster and with precision.
Microsoft Sentinel has comprehensive machine learning threat analytics models that allow us to hunt and detect any security threat, no matter how sophisticated or hidden they are. Microsoft Sentinel has intelligent security event management features which help us to accurately investigate security threats to understand the origin, making it easy to identify the most appropriate way to handle them.
—Software Development Project Manager, Software Industry (Source: Gartner Peer Insights™)
Download the report
To learn more about why Microsoft was named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM, download the full report.
Looking forward
As cyberthreats grow in sophistication, the need for intelligent, adaptive, and end-to-end AI security platforms becomes more urgent. Microsoft is committed to leading this transformation by:
Investing in agentic AI to empower defenders with autonomous capabilities.
Empowering defenders with a cost-effective data lake for deeper insights and scalable analytics.
Enhancing cross-platform integrations for holistic protection.
Driving community collaboration through open content hubs and shared analytics.
We’re not just building tools; we’re shaping the future of cybersecurity. Our roadmap is guided by the real-world challenges faced by SOCs and the outcomes they strive for: faster detection, smarter response, and stronger resilience.
We’re honored by the Gartner recognition and deeply grateful to our customers, partners, and the analyst community for their continued trust and collaboration.
Are you a regular user of Microsoft Sentinel? Share your insights and get rewarded with a $25 gift card on Gartner Peer Insights™.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1. Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, Eric Ahlm, Angel Berrios, Darren Livingstone, 8 October 2025
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. Magic Quadrant and Peer Insights are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.
In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering. According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%. Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.
Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals—even those with limited technical expertise—to expand their operations significantly. The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone — big or small — making cybercrime a universal, ever-present threat that spills into our daily lives.
In this environment, organizational leaders must treat cybersecurity as a core strategic priority—not just an IT issue—and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat. For individuals, simple steps like using strong security tools—especially phishing-resistant multifactor authentication (MFA)—make a big difference, as MFA can block over 99% of identity-based attacks. Below are some of the key findings.
Critical services are prime targets with a real-world impact.
Malicious actors remain focused on attacking critical public services, targets that, when compromised, can have a direct and immediate impact on people’s lives. Hospitals and local governments, for example, are targets because they store sensitive data or have tight cybersecurity budgets with limited incident response capabilities, which often leaves them running outdated software. In the past year, cyberattacks on these sectors had real-world consequences, including delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.
Ransomware actors in particular focus on these critical sectors because of the targets’ limited options. For example, a hospital must quickly resolve its encrypted systems, or patients could die, potentially leaving no other recourse but to pay. Additionally, governments, hospitals, and research institutions store sensitive data that criminals can steal and monetize through illicit marketplaces on the dark web, fueling downstream criminal activity. Government and industry can collaborate to strengthen cybersecurity in these sectors—particularly for the most vulnerable. These efforts are critical to protecting communities and ensuring continuity of care, education, and emergency response.
Nation-state actors are expanding operations.
While cybercriminals are the biggest cyber threat by volume, nation-state actors still target key industries and regions, expanding their focus on espionage and, in some cases, on financial gain. Geopolitical objectives continue to drive a surge in state-sponsored cyber activity, with a notable expansion in targeting communications, research, and academia.
Key insights:
China is continuing its broad push across industries to conduct espionage and steal sensitive data. State-affiliated actors are increasingly attacking non-governmental organizations (NGOs) to expand their insights and are using covert networks and vulnerable internet-facing devices to gain entry and avoid detection. They have also become faster at operationalizing newly disclosed vulnerabilities.
Iran is going after a wider range of targets than ever before, from the Middle East to North America, as part of broadening espionage operations. Recently, three Iranian state-affiliated actors attacked shipping and logistics firms in Europe and the Persian Gulf to gain ongoing access to sensitive commercial data, raising the possibility that Iran may be pre-positioning to have the ability to interfere with commercial shipping operations.
Russia, while still focused on the war in Ukraine, has expanded its targets. For example, Microsoft has observed Russian state-affiliated actors targeting small businesses in countries supporting Ukraine. In fact, outside of Ukraine, the top ten countries most affected by Russian cyber activity all belong to the North Atlantic Treaty Organization (NATO) —a 25% increase compared to last year. Russian actors may view these smaller companies as possibly less resource-intensive pivot points they can use to access larger organizations. These actors are also increasingly leveraging the cybercriminal ecosystem for their attacks.
North Korea remains focused on revenue generation and espionage. In a trend that has gained significant attention, thousands of state-affiliated North Korean remote IT workers have applied for jobs with companies around the world, sending their salaries back to the government as remittances. When discovered, some of these workers have turned to extortion as another approach to bringing in money for the regime.
The cyber threats posed by nation-states are becoming more expansive and unpredictable. In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated. This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors.
2025 saw an escalation in the use of AI by both attackers and defenders.
Over the past year, both attackers and defenders harnessed the power of generative AI. Threat actors are using AI to boost their attacks by automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and creating malware that can adapt itself. Nation-state actors, too, have continued to incorporate AI into their cyber influence operations. This activity has picked up in the past six months as actors use the technology to make their efforts more advanced, scalable, and targeted.
For defenders, AI is also proving to be a valuable tool. Microsoft, for example, uses AI to spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users. As both the risks and opportunities of AI rapidly evolve, organizations must prioritize securing their AI tools and training their teams. Everyone, from industry to government, must be proactive to keep pace with increasingly sophisticated attackers and to ensure that defenders stay ahead of adversaries.
Adversaries aren’t breaking in; they’re signing in.
Amid the growing sophistication of cyber threats, one statistic stands out: more than 97% of identity attacks are password attacks. In the first half of 2025 alone, identity-based attacks surged by 32%. That means the vast majority of malicious sign-in attempts an organization might receive are large-scale password guessing attempts. Attackers get the usernames and passwords (“credentials”) for these bulk attacks largely from credential leaks.
However, credential leaks aren’t the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cybercriminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale. Cybercriminals can then buy this stolen information on cybercrime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware.
Luckily, the solution to identity compromise is simple. The implementation of phishing-resistant multifactor authentication (MFA) can stop over 99% of this type of attack even if the attacker has the correct username and password combination. To target the malicious supply chain, Microsoft’s Digital Crimes Unit (DCU) is fighting back against the cybercriminal use of infostealers. In May, the DCU disrupted the most popular infostealer, Lumma Stealer, alongside the US Department of Justice and Europol.
Moving forward: Cybersecurity is a shared defensive priority.
As threat actors grow more sophisticated, persistent, and opportunistic, organizations must stay vigilant, continually updating their defenses, and sharing intelligence. Microsoft remains committed to doing its part to strengthen our products and services via our Secure Future Initiative. We also continue to collaborate with others to track threats, alert targeted customers, and share insights with the broader public when appropriate.
However, security is not only a technical challenge, but a governance imperative. Defensive measures alone are not enough to deter nation-state adversaries. Governments must build frameworks that signal credible and proportionate consequences for malicious activity that violates international rules. Encouragingly, governments are increasingly attributing cyberattacks to foreign actors and imposing consequences such as indictments and sanctions. This growing transparency and accountability are important steps toward building collective deterrence. As digital transformation accelerates—amplified by the rise of AI—cyber threats pose risks to economic stability, governance, and personal safety. Addressing these challenges requires not only technical innovation but coordinated societal action.
The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Raji Dani, Vice President and Deputy CISO for Microsoft business functions, finance, and marketing, dives into the importance of securing customer service solutions.
In my role as Deputy CISO for Microsoft’s business operations, I focus on the unique risks within our customer support operations. The tools and processes that empower our customer support agents are essential for helping customers, but if architected with excessive privilege or trusted too broadly between services, they can introduce significant risk to Microsoft and our customers. Understanding and mitigating these risks is a core part of my job, and this post shares the key lessons we apply in this space.
Customer support: What could go wrong?
Customer support agents require powerful tools to resolve customer issues—unlocking accounts, troubleshooting complex environments, and more. Given how powerful they can be, the tools used by customer support agents, if not properly architected or protected, can be harmful if they fall into the wrong hands. Cyberattackers know that customer support operations can require privileged access, and that organizations sometimes treat customer support as an auxiliary function—resulting in a lower security bar. As a result, cyberattackers see customer support as an attractive target that can potentially serve as a vector to gain access to sensitive data and environments. In common security parlance, a major reason cyberattackers focus on customer support infrastructure is that it can give them an opportunity to move laterally into the core services that host customer data.
These risks are not theoretical. Recent cyberattacks, including those by nation-state actors like Midnight Blizzard, have targeted customer support operations at Microsoft and across the industry. Cyberattackers have targeted resources across customer support ecosystems—spanning support agent identities, case management systems, and diagnostic tools—in an attempt to steal valuable data and gain access to other environments.
Securing customer support: What can we do?
Given the risks described above, a comprehensive security strategy is needed that spans the identities used for customer support and the tools used by those identities, specifically focusing on mitigating the risk that these identities and tools can be exploited in an attempt to access other environments or data. With that in mind, we are implementing (and will continually refine) the following approaches to mitigate risk in the customer support space.
1. Curated and secured support identities
At Microsoft, we create dedicated identities curated and secured for the customer support function. These identities are separate from the accounts employees use to perform the parts of their job not related to customer support. Standardizing and strengthening these customer support identities—with phishing-resistant multifactor authentication (PRMFA) and identity isolation—is foundational, as this helps mitigate the risk of lateral movement. Cyberattackers often target support agent accounts using phishing and password spray techniques, knowing that identity security can vary, especially when third parties are involved.
2. Least privilege and case-based access control
Even with hardened identities, we adopt an assume-breach mindset. We implement least privilege and enforce device protection so that no agent has standing access to support tools or data. Access is granted only for active cases, and permissions are tightly scoped—this is known as case-based role-based access control (RBAC), based on strong just-in-time (JIT) and just-enough-access (JEA) implementations that are informed by active cases. Additionally, when an agent does need to work on a case, they operate from restricted, managed virtual desktops that prevent downloading unauthorized software, further reducing breach risk by reducing the likelihood that a malware-infected device is able to operate against customer support tools or data.
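The case-based pattern described above, as an added illustration rather than Microsoft’s implementation: every allow decision is tied to exactly one open case that names the agent, the customer scope and the actions the case needs, and the grant expires on its own. Case IDs, agent names, customer names and action names are constructed for the example.

```python
"""Illustrative case-based access check for support tooling (added example,
not Microsoft's code). Deny by default; an allow must be justified by an
open, unexpired case that covers this agent, this customer and this action.
All identifiers below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CaseGrant:
    case_id: str
    agent: str
    customer: str                # the only customer scope this grant reaches
    actions: frozenset           # just-enough-access: actions the case needs
    expires_at: datetime         # just-in-time: grant ends even if the case stays open
    open: bool = True


@dataclass
class SupportAccessPolicy:
    grants: list = field(default_factory=list)

    def authorize(self, agent: str, customer: str, action: str,
                  now: datetime, device_managed: bool = True):
        """Return (allowed, reason). Reasons from non-qualifying grants are kept for audit."""
        if not device_managed:
            return False, "device is not a managed support workstation"
        reasons = []
        for g in self.grants:
            if g.agent != agent or g.customer != customer:
                continue                               # grant is for someone/something else
            if not g.open:
                reasons.append(f"case {g.case_id} is closed"); continue
            if now >= g.expires_at:
                reasons.append(f"grant for case {g.case_id} expired"); continue
            if action not in g.actions:
                reasons.append(f"{action!r} is not needed for case {g.case_id}"); continue
            return True, f"allowed by active case {g.case_id}"
        return False, "; ".join(reasons) or "no case links this agent to this customer"


# Fixed "now" so the example is reproducible.
NOW = datetime(2025, 10, 15, 12, 0, tzinfo=timezone.utc)


def build_demo_policy() -> SupportAccessPolicy:
    """Constructed case assignments: one live, one closed, one whose grant has lapsed."""
    return SupportAccessPolicy(grants=[
        CaseGrant("CASE-1001", "agent-a", "contoso",
                  frozenset({"read_vm_metrics", "restart_vm"}), NOW + timedelta(hours=4)),
        CaseGrant("CASE-0990", "agent-a", "fabrikam",
                  frozenset({"read_mailbox_diagnostics"}), NOW + timedelta(hours=4), open=False),
        CaseGrant("CASE-0875", "agent-b", "contoso",
                  frozenset({"reset_user_password"}), NOW - timedelta(minutes=1)),
    ])


def demo() -> dict:
    """Exercise the policy; only the in-scope request should be allowed."""
    p = build_demo_policy()
    return {
        "in_scope": p.authorize("agent-a", "contoso", "restart_vm", NOW),
        "wrong_action": p.authorize("agent-a", "contoso", "export_tenant_data", NOW),
        "closed_case": p.authorize("agent-a", "fabrikam", "read_mailbox_diagnostics", NOW),
        "expired": p.authorize("agent-b", "contoso", "reset_user_password", NOW),
        "no_case": p.authorize("agent-b", "fabrikam", "reset_user_password", NOW),
        "unmanaged_device": p.authorize("agent-a", "contoso", "restart_vm", NOW, device_managed=False),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:17} allowed={allowed!s:5} {reason}")
```

The point of returning the reason with every denial is that the same record can feed the telemetry discussed later: a burst of "no case links this agent to this customer" denials for one identity is exactly the anomaly an assume-breach posture wants surfaced.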
3. Architecting secure tools and managing service-to-service trust and high privileged access
Support tools often require access to production environments like Microsoft 365 or Microsoft Azure—for example, an agent may need to troubleshoot a performance issue on a customer’s Azure Virtual Machine. We ensure the tools used for these scenarios operate with scoped privileges and avoid unsafe high privileged access (HPA) patterns. Critically, we minimize service-to-service (S2S) trust. Support tools are designed to perform only specific support functions, with tightly scoped permissions against downstream resources that they may need to access. By limiting S2S trust, we prevent cyberattackers from using compromised support tools to access or damage production environments.
4. Monitoring and response
Continuing with the theme of assume breach, we implement strong telemetry across all the previously mentioned scenarios—we have to assume that cyberattackers will exploit our tools and operations, no matter how much we harden them. Strong telemetry gives our incident response teams visibility into any possible anomalies or attempts to exploit customer support agents or the tools they use, which enables us to stop potential cyberattacks faster. The fact that agents use a dedicated, isolated identity for customer support also enables us to more effectively respond if compromise is suspected since we can target our response operations precisely within the dedicated identity boundary.
Takeaways
Customer support tooling and operations can be exploited by cyberattackers to harm Microsoft and our customers. We cannot treat customer support as an auxiliary function with a low security bar. Given its relationship to core infrastructure, maintaining a high security posture is essential to prevent lateral movement by cyberattackers. We achieve this through identity isolation and protection, case-based RBAC, removal of unsafe access patterns, minimizing S2S trust, and strong telemetry at all layers to detect and mitigate anomalies.
These lessons extend beyond customer support—any business function historically considered auxiliary should be deeply understood for lateral movement risk and secured to a higher standard if needed. Security is not just a technical imperative. It’s a shared responsibility that must extend to every corner of the digital ecosystem, including customer support infrastructure and other business functions. Whether your organization manages its own support center or relies on a third-party provider, it’s important not to treat customer support as an afterthought in terms of security.
Approaches like ours—anchored in identity segmentation, JIT and JEA, case-based RBAC, task-specific controls, and enhanced telemetry—don’t have to be exclusive to large enterprises. They can be realistically adapted by organizations of all sizes. For those with in-house customer support teams, it’s a good idea to invest in security training and align performance metrics with secure outcomes. If you’re using third-party providers, require transparency, enforce contractual security obligations, and ensure that access controls are tightly scoped and monitored. All organizations, whether small businesses or large enterprises, should be mindful of the applications they use for customer support—how they’re designed, how they’re configured, and how they interact with other systems and data. Any customer support applications that can access sensitive resources or data need to have the strongest controls. Finally, having an assume breach mindset is critical. All organizations should implement strong telemetry that provides visibility into potential anomalies at both the identity and tooling layers, so potential cyberattacks can be quickly spotted and remediated.
Final thoughts on strengthening support operations and security
Security isn’t just a technical concern—it’s a shared responsibility that reaches every part of your digital ecosystem, including customer support infrastructure. Whether you manage your own support center or work with a third-party provider, don’t treat customer support as an afterthought when it comes to security.
Approaches like JIT and JEA, case-based RBAC, task-specific controls, and enhanced telemetry aren’t just for large enterprises. Organizations of all sizes can adapt them. If you have an in-house support team, invest in security training and align performance metrics with secure outcomes. If you work with third-party providers, require transparency, enforce contractual security obligations, and make sure access controls are tightly scoped and monitored. Even the smallest organizations should be mindful of the customer support applications they use—how they’re designed and configured matters.
The goal is to close gaps in your security. Treat customer support infrastructure as critical and apply layered, context-aware controls to reduce exposure to session hijacking and lateral movement across your network. Security must be holistic—it’s about protecting not just what you build, but also what supports it. These lessons apply to other business functions too, like sales, consulting, and reseller relationships. Each of these areas may use tools or systems that could allow lateral movement into core infrastructure. That’s why it’s important to prioritize these tools and make sure they meet the highest security standards.
Microsoft Deputy CISOs
To hear more from Microsoft Deputy CISOs, check out the OCISO blog series:
To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.
Navigating the End of Windows 10: A Cybersecurity Wake-Up Call
As of October 14, 2025, Windows 10 has officially reached its end-of-life (EoL), marking the cessation of all security updates, feature improvements, and technical support from Microsoft. This milestone, long anticipated since its announcement years ago, leaves a staggering number of systems vulnerable in an increasingly hostile digital landscape.
Analysis from TeamViewer, based on 250 million anonymized connections between July and September 2025, reveals that over 40% of global endpoints still rely on Windows 10. A separate survey by Cloudhouse of 135 finance IT leaders found that 60% of organizations are running unsupported Windows versions on servers and desktops, with 90% grappling with “Windows technical debt” that diverts resources from innovation to mere maintenance. While no high-severity zero-days are currently known for Windows 10, the absence of future patches opens the door to threats like device takeovers and data exfiltration.
Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
The implications are particularly acute for sectors like finance, where legacy systems drain budgets and stall digital transformation. Organizations must prioritize migration strategies now—95% of surveyed leaders want to shift focus to strategic projects, and nearly 90% plan infrastructure modernization within 24 months. Low-risk pathways, such as upgrading to Windows 11 or leveraging compatibility tools, are essential to mitigate these risks. In a world where cyber threats evolve daily, clinging to unsupported software isn’t just outdated—it’s dangerous.
A critical zero-day vulnerability in Oracle’s E-Business Suite (EBS), tracked as CVE-2025-61882, has been actively exploited by the Clop ransomware gang, leading to widespread data theft campaigns. This flaw allows unauthorized access to sensitive data, with exploits dating back to early August 2025. Clop, infamous for targeting zero-days in software like MOVEit and GoAnywhere, has used this bug to steal data and extort victims, demanding ransoms to avoid public leaks.
Harvard University emerged as a high-profile victim when added to Clop’s data leak site, with the breach linked to a small administrative unit affecting a limited number of parties. Oracle swiftly issued an emergency patch, and Harvard applied it upon notification, stating the issue impacts many EBS customers and isn’t isolated to them. No evidence of broader compromise at Harvard was found, but the university continues monitoring.
This incident underscores the perils of unpatched enterprise software, where a single flaw can cascade into mass extortion. With Clop listing more victims and sending extortion emails, organizations must emphasize rapid patching and vulnerability management to prevent similar fates. In 2025’s threat landscape, proactive defense isn’t optional—it’s survival.
Salesforce Data Leaks: Hackers Dump Billions of Records After Extortion Fails
The Scattered LAPSUS$ Hunters hacking group has escalated a major data breach campaign targeting Salesforce customers, leaking millions—potentially up to 1 billion—records after failed ransom demands. The breach, linked to extortion via the recently disrupted BreachForums, involves personal data like names and phone numbers from around 40 customers.
Following the FBI’s seizure of BreachForums domains in collaboration with French authorities, the group launched a new leak site and released stolen data, including from major British retailers. Salesforce investigated with experts and authorities, acknowledging extortion attempts but not specifying breach details. The leaks accelerated after Salesforce refused to pay, highlighting the group’s aggressive tactics.
This wave of leaks exposes the fragility of cloud-based CRM systems and the risks of inadequate access controls. Affected organizations should monitor for identity theft, enforce multi-factor authentication, and audit third-party integrations. As ransomware evolves into pure extortion, robust data governance is key to weathering these storms.
RondoDox Botnet: Exploiting Dozens of Flaws in a Global Assault
The RondoDox botnet, active since June 2025, is weaponizing over 50 vulnerabilities across more than 30 vendors, targeting IoT devices like routers, DVRs, CCTV systems, and web servers in a “shotgun” approach to infections. Operators rapidly incorporate newly disclosed flaws, such as those from Pwn2Own contests, into their arsenal, leading to widespread compromises.
This hit-and-run strategy has fueled a large-scale campaign, with upticks in activity noted by researchers from Trend Micro and Broadcom. The botnet’s exploits include CVE-2023-series flaws, enabling quick leveraging of edge vulnerabilities in consumer and enterprise devices.
With global reach, RondoDox amplifies DDoS and other attacks, stressing the need for timely patching and network segmentation. Device owners should update firmware immediately and monitor for unusual traffic. As botnets like this proliferate, vigilance against unpatched IoT remains a frontline defense.
Aisuru DDoS Botnet: Blanketing US Networks in Unprecedented Floods
The Aisuru botnet, the largest IoT-based DDoS network with over 300,000 compromised devices, has unleashed record-breaking attacks, peaking at 29.6 Tbps in early October 2025. Built on Mirai code, it infects vulnerable routers, cameras, and DVRs via zero-days and default credentials, growing rapidly after absorbing nodes from the dismantled Rapper Bot.
Primarily targeting Minecraft servers and gaming hosts like TCPShield and Cosmic, Aisuru causes collateral outages through network congestion. Attacks hit 22 Tbps in September and 15 Tbps on October 8, overwhelming US ISPs like AT&T, Comcast, and Verizon, whose subscriber networks host the bulk of the attacking devices.
Operators rent it out for proxies and cybercrimes, exacerbating impacts. US ISPs must now suppress outbound attack traffic from infected subscribers, and mitigation costs are soaring. To counter it, secure IoT devices, enable auto-updates, and deploy DDoS protections; re-infection is swift without these measures.
SonicWall VPN Widespread Compromises: A Surge in Credential-Based Attacks
Over 100 SonicWall SSL VPN accounts across 16 customers have been compromised in a spike starting October 4, 2025, with attackers using valid credentials for rapid access. Originating from IP 202.155.8[.]73, intrusions involve network scanning and Windows account probes, separate from a recent MySonicWall backup file exposure containing sensitive configs.
This aligns with ransomware groups such as Akira exploiting flaws like CVE-2024-40766 for initial access, then escalating privileges and exfiltrating data. There is no confirmed link to the backup file exposure, but the configuration data it exposed could aid such attacks.
Users should reset credentials, restrict WAN access, revoke API keys, monitor logs, and enforce MFA. Patching promptly is crucial amid rising threats—ignoring these steps invites deeper breaches.
In today’s data-driven world, protecting sensitive information is not just a compliance requirement—it’s a business imperative. Microsoft Purview offers a robust suite of tools to help organizations discover, classify, and protect sensitive data across their digital estate. This post walks through a practical approach to implementing data classification with Purview.
Why Classification Matters
Classification is the foundation of any data protection strategy. It enables organizations to identify what data is sensitive, where it resides, and how it should be handled. Without proper classification, enforcing security policies like encryption or access control becomes guesswork.
Purview’s Dual Approach: Classification vs. Sensitivity Labels
One common point of confusion is the difference between classification and sensitivity labels in Purview:
Classification automatically detects sensitive content (e.g., credit card numbers, Social Security Numbers) using built-in or custom classifiers. It provides visibility into risk but does not enforce protection.
Sensitivity Labels apply protection policies such as encryption, dynamic watermarking, and access restrictions. Labels can be applied manually by users or automatically based on policies.
Together, these capabilities enable scalable, automated data security across Microsoft 365.
Step 1: Define What’s Sensitive
Start by identifying the types of information your organization considers sensitive. Purview provides Sensitive Information Types (SITs) out of the box—covering PII, financial data, and more. You can also create custom SITs tailored to your business needs.
Step 2: Locate and Classify
Use Purview’s data classification service to scan your environment. This includes documents, emails, and even structured data like databases. Built-in classifiers automatically tag sensitive content, while custom classifiers allow for advanced logic (e.g., checksum validation for IDs).
Step 3: Apply Sensitivity Labels
Once data is classified, apply sensitivity labels to enforce protection. Labels can:
Encrypt files and emails
Restrict access based on roles
Trigger Data Loss Prevention (DLP) policies
Enable Insider Risk Management
Step 4: Monitor and Optimize
Purview’s Data Security Posture Management (DSPM) provides continuous visibility into data risks and recommends controls to mitigate them. Combine this with analytics from Insider Risk Management and DLP to refine your policies over time.
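To make the classification-versus-labeling split in Steps 1 through 3 concrete, here is an added example that is not Purview code: a small model of how a Sensitive Information Type evaluates content, built from the elements Purview’s SIT rule packages use (a primary pattern, an optional checksum validator, supporting keywords within a character window, and a confidence level that rises with corroborating evidence), followed by a constructed auto-labeling rule set that decides which label applies. The SIT definitions, label names, rule thresholds and sample documents are all constructed for the example.

```python
"""Added example, not Microsoft Purview code: a model of SIT matching
(pattern + checksum + supporting evidence -> confidence) and of the
separate auto-labeling decision. Sample documents and rules are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random 16-digit strings that merely look like card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def ssn_ok(digits: str) -> bool:
    """SSA format rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


@dataclass(frozen=True)
class SensitiveInfoType:
    name: str
    pattern: str                                        # primary element
    keywords: tuple                                     # supporting evidence
    validator: Optional[Callable[[str], bool]] = None   # checksum / format check
    window: int = 300                                   # proximity window in characters

    def matches(self, text: str) -> list:
        """Return (sit_name, matched_text, confidence) for each validated hit."""
        findings = []
        for m in re.finditer(self.pattern, text):
            raw = m.group(0)
            digits = re.sub(r"[ -]", "", raw)
            if self.validator and not self.validator(digits):
                continue                                # pattern hit, checksum failed: not a match
            lo, hi = max(0, m.start() - self.window), m.end() + self.window
            nearby = text[lo:hi].lower()
            evidence = [k for k in self.keywords if k in nearby]
            confidence = "high" if evidence else "medium"
            findings.append((self.name, raw, confidence))
        return findings


SITS = [
    SensitiveInfoType("Credit Card Number", r"\b(?:\d{4}[ -]?){3}\d{4}\b",
                      ("card", "visa", "mastercard", "expiration", "cvv"), validator=luhn_ok),
    SensitiveInfoType("U.S. Social Security Number", r"\b\d{3}-\d{2}-\d{4}\b",
                      ("ssn", "social security"), validator=ssn_ok),
]

# Constructed auto-labeling rules: (label, SITs that trigger it, confidence levels accepted).
AUTO_LABEL_RULES = [
    ("Confidential - Financial", {"Credit Card Number"}, {"high"}),
    ("Confidential - PII", {"U.S. Social Security Number"}, {"high", "medium"}),
]


def classify(text: str) -> list:
    """Classification step: visibility only, nothing is protected yet."""
    findings = []
    for sit in SITS:
        findings.extend(sit.matches(text))
    return findings


def choose_label(findings: list) -> Optional[str]:
    """Labeling step: first rule satisfied by a finding wins; None means no auto-label."""
    for label, sits, levels in AUTO_LABEL_RULES:
        if any(name in sits and conf in levels for name, _, conf in findings):
            return label
    return None


SAMPLE_DOCS = {  # constructed content
    "invoice": "Customer card number 4111 1111 1111 1111, expiration 12/27.",
    "order": "Order ref 1234 5678 9012 3456 shipped yesterday.",
    "hr_note": "Employee SSN: 123-45-6789 verified for onboarding.",
    "log": "Reference 4111 1111 1111 1111 seen in batch 7.",
}


def demo() -> dict:
    """Classify each sample and decide its label; returns {doc: (findings, label)}."""
    out = {}
    for name, text in SAMPLE_DOCS.items():
        findings = classify(text)
        out[name] = (findings, choose_label(findings))
    return out


if __name__ == "__main__":
    for name, (findings, label) in demo().items():
        print(f"{name}: findings={findings} label={label}")
```

Two behaviours worth noticing when you tune real SITs: the order reference that looks like a card number is dropped by the checksum rather than surfacing as a false positive, and the bare card number with no supporting keyword classifies at medium confidence, which the financial label rule deliberately does not act on. That is the same knob (confidence threshold per rule) you adjust in auto-labeling and DLP policies to trade coverage against noise.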
Pro Tips for Success
Educate your users: Awareness is key. Provide training on how classification and labeling work.
Start small: Begin with high-risk data types and expand gradually.
Leverage automation: Use auto-labeling policies to reduce manual effort.
Integrate with AI workflows: If you’re building AI apps, Purview APIs can help govern prompts and responses to prevent oversharing.
ExCyTIn-Bench is Microsoft’s newest open-source benchmarking tool designed to evaluate how well AI systems perform real-world cybersecurity investigations.1 It helps business leaders assess language models by simulating realistic cyberthreat scenarios and providing clear, actionable insights into how those tools reason through complex problems. In contrast to previous benchmarks that concentrated on threat intelligence trivia or static knowledge, this benchmark evaluates AI agents in multistep, data-rich scenarios that model multistage cyberattacks within a simulated security operations center (SOC) in Microsoft Azure. It incorporates 57 log tables from Microsoft Sentinel and related services to reflect the scale, noise, and complexity of real incidents and SOC operations.2
For chief information security officers (CISOs), IT leaders, and buyers, ExCyTIn-Bench offers a clear, objective way to assess AI capabilities for security. It’s not just about accuracy in cyberthreat reports, trivia, or toy simulations, but about how well AI can investigate, adapt, and explain its findings in the face of real-world cyberthreats. As cyberattacks grow in sophistication, tools like ExCyTIn-Bench help organizations select solutions that truly enhance detection, response, and resilience.
Microsoft uses this framework internally to strengthen its AI-powered security features and test their ability to withstand real-world cyberattacks. Our security-focused in-house models rely on feedback from ExCyTIn to uncover weaknesses in detection logic, tool capabilities, and data navigation. For broader integration, we are also collaborating with security products such as Microsoft Security Copilot, Microsoft Sentinel, and Microsoft Defender to evaluate and provide feedback on their AI features. Additionally, Microsoft Security product owners can monitor how different models perform and what they cost, allowing them to choose appropriate models for specific features.
How ExCyTIn-Bench improves upon traditional benchmarks
Unlike traditional benchmarks3,4 that rely on multiple choice questions—which are often susceptible to guesswork—ExCyTIn-Bench adopts an innovative, principled methodology for generating questions and answers from threat investigation graphs. Human analysts conceptualize threat investigations using incident graphs, specifically bipartite alert-entity graphs.5 These serve as ground truth, supporting the creation of explainable question-answer pairs grounded in authentic security data. This enables rigorous analysis of strategy quality, not just final answers. Even recent industry publications, such as CyberSOCEval,3 focus on packaging realistic SOC scenarios and evaluating how models investigate static evidence in them. ExCyTIn adopts a different approach in both design and technical implementation by positioning the agent within a controlled Azure SOC environment: where the agent queries live log tables, transitions across data sources, and plans multistep investigations.
As a result, ExCyTIn evaluates comprehensive reasoning processes, including goal decomposition, tool usage, and evidence synthesis, under constraints that simulate an analyst’s workflow. By defining rigorous ground truths and extensible frameworks, ExCyTIn-Bench enables realistic, multiturn, agent-based experimentation, collaboration, and continuous self-improvement, all reinforced by verifiable, fine-grained reward mechanisms for AI-powered cyber defense.6
ExCyTIn-Bench innovations that deliver strategic value
Realistic security evaluation. Unlike most open-source benchmarks,3,4 ExCyTIn-Bench captures the complexity and ambiguity of actual cyber investigations. AI agents are challenged to analyze noisy, multitable security data, construct advanced queries, and uncover indicators of compromise (IoCs)—mirroring the work of human SOC analysts.
Transparent, actionable metrics. The benchmark provides fine-grained, step-by-step reward signals for each investigative action, rather than the binary success/failure metric found in current benchmarks. This transparency helps organizations understand not just what a model can do, but how it arrives at its conclusions—critical for actionability, trust, and compliance.
Accelerating innovation. ExCyTIn-Bench is open-source and designed for collaboration. Researchers and vendors worldwide can use it to test, compare, and improve new models, driving rapid progress in automated cyber defense.
Personalized benchmarks (coming soon). Create tailored cyberthreat investigation benchmarks specific to the threats occurring in each customer tenant.
Latest results—language models are getting smarter
Recent evaluations show that the newest models are making significant strides:
GPT-5 (High Reasoning) leads with a 56.2% average reward, outperforming previous models and demonstrating the value of advanced reasoning for security tasks.
Smaller models with effective chain-of-thought (CoT) reasoning—like GPT-5-mini—are now rivaling larger models, offering strong performance at lower cost.
Explicit reasoning matters—Lower reasoning settings in GPT-5 drop performance by nearly 19%, highlighting that deep, step-by-step reasoning is essential for complex investigations.
Open-source models are closing the gap with proprietary solutions, making high-quality security automation more accessible.
New models come close to the best CoT techniques (ReAct, reflection and best-of-N (BoN), at 56.3%) but don’t surpass them, suggesting comparable reasoning at inference time.
Get involved
ExCyTIn-Bench is open-source and free to access. Model developers and security teams are invited to contribute, benchmark, and share results through the official GitHub repository. For questions or partnership opportunities, reach out to the team at msecaimrbenchmarking@microsoft.com.
Thank you to the MSECAI Benchmarking team for helping this become reality.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
5. Incident or threat investigation graphs portray multi-stage attacks by linking alerts, events, and indicators of compromise (IoCs) into a unified view. Nodes denote alerts (e.g., suspicious file downloads) or entities (e.g., user accounts), while edges capture their relationships (e.g., a phishing email that triggers a malicious download).
I've been hired as a junior security analyst by a company a few weeks ago.
I work with Microsoft Defender XDR and the whole suite.
It's been a slow introduction to the environment and it's been going well and today I was finally assigned my first 2 clients/tenants.
My job description says that my duty is to respond in case of alerts/incidents, to harden the environment, patch whatever might need patching and look at the overall security.
But truth be told I'm a bit lost on what to do. I've been given some pretty messy tenants (one of them especially) and I've been trying to implement security measures, but my hands are a bit tied since some of the clients don't really care about security, and whenever I try suggesting something to them (e.g. enabling email scanning) they reply after days and sometimes don't even care much about what I have to say.
As for alerts and incidents, I haven't really gotten one so far, but I've been trying to investigate one that happened some time ago and I'm honestly a bit dumbfounded.
I don't have access to the endpoints and even if I did, my boss said my only job is to gather as much information as possible, write a report on what happened and recommend security remediations. Sounds easy enough right? But Defender XDR doesn't give much info to begin with. I can only do some simple triage.
Another thing I've been having a hard time with is what to actually do in these tenants and how to build a program of things to do everyday.
I know I might sound like I have no idea what I'm even using, but I did study a lot about Defender XDR and Sentinel (which we don't have) using labs and so on, but now that I'm actually here the UI looks so messy and I swear I feel like I've forgotten everything.
I feel like I'm not doing anything worth being hired for
My boss said that I can take it easy these first few weeks to get used to it but I don't know if this can change. The senior that was supposed to help me is always busy and always tells me to look stuff up on copilot.
I'm genuinely wondering how to handle this.
Any tips regarding:
- how to handle alerts/incidents with the info Defender XDR provides (methods on how to investigate or features I might not know)
- a sort of schedule or checklist to follow to ensure these tenants are secured
- any advice from people with experience with this technology/field
Anyone had any success querying the ExposureGraphNodes/Edges tables using a logic app?
I know they haven't exposed the direct API yet for Exposure Management, but it would be nice to be able to automate the search results and send them to developers (attributing CVEs to source repos for remediation).
I need to create a Sentinel analytics rule which checks whether any TI IP from the last 30 days matches any CommonSecurityLog IP from today, as the query is scheduled to run every 24 hours. What should the lookback period be set to? Also, if the lookback period is set to 30 days, will it check both the TI logs and CommonSecurityLog for the last 30 days?
I created a test alert where TimeGenerated was the last 7 days but the lookback period was 1h. The alerts showed results of only 1 hour.
How can I create an alert which matches the TimeGenerated results of the actual query?
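One way to express the two windows this question asks about, added here as an example and not part of the original post. It assumes the Az.Accounts and Az.SecurityInsights (2.x) PowerShell modules (check Get-Help New-AzSentinelAlertRule if your module version names parameters differently), Microsoft Sentinel Contributor on the workspace, the legacy ThreatIntelligenceIndicator table and its column names, and hypothetical resource group and workspace names. The point it shows: the rule's lookback (query period) is an outer bound applied to every table the query reads, and scheduled rules cap it at 14 days, so the TI window and the CommonSecurityLog window have to be narrowed separately inside the KQL.

```powershell
# Added example, not from the original post. Assumes Az.Accounts and
# Az.SecurityInsights 2.x; resource group and workspace names are hypothetical.
Connect-AzAccount
$rg = 'rg-sentinel'
$ws = 'law-sentinel-prod'

# Two windows inside one query. QueryPeriod (below) is the outer bound for EVERY
# table the query touches; the ago() filters narrow each table independently.
# A single-quoted here-string keeps $left/$right from being expanded by PowerShell.
$kql = @'
let ioc_lookBack = 14d;   // TI indicators: as far back as a scheduled rule allows
let dt_lookBack  = 1d;    // CommonSecurityLog: only the last day (the rule runs daily)
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
// keep only the latest version of each indicator, then drop expired/inactive ones
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
| join kind=inner (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CSL_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.DestinationIP
| project LatestIndicatorTime, Description, ThreatType, ConfidenceScore,
          TI_ipEntity, CSL_TimeGenerated, DeviceVendor, DeviceProduct,
          SourceIP, DestinationIP, DestinationPort, DeviceAction
'@

# QueryFrequency = how often it runs; QueryPeriod = lookback, 14 days maximum for
# scheduled rules. Asking for 30 days here is rejected, hence ioc_lookBack = 14d.
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws `
    -Kind Scheduled `
    -DisplayName 'TI IP match - CommonSecurityLog (daily)' `
    -Query $kql `
    -QueryFrequency (New-TimeSpan -Days 1) `
    -QueryPeriod    (New-TimeSpan -Days 14) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -Severity Medium `
    -Enabled
```

This also explains the 7-day test: with a 1h lookback the rule only ever sees the last hour of any table, regardless of what the query's own `where TimeGenerated` clause asks for, so the query window can be narrower than the lookback but never wider. If you need to match against indicators older than 14 days, the match has to be done outside a scheduled rule (for example an ad hoc hunting query, which has no lookback cap), because the rule cannot read data outside its query period. Replace DestinationIP with SourceIP, or union both, depending on which direction you care about.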
Turbulence in the Skies: Qantas Faces Major Data Breach Aftermath
In a concerning development for air travelers, Qantas Airways has confirmed that customer personal data, stolen in a cyber breach earlier this year, has now been released on the dark web by cybercriminals. The incident, which occurred months ago, involved sensitive information from the airline’s frequent flyer program, including names, flight details, and possibly passport numbers. Affected customers are expressing mounting frustration, with calls for the Australian government to impose hefty penalties on the company for inadequate cybersecurity measures. Qantas has attributed the breach to issues with its outsourcing partners and internal protocols, but this has done little to assuage public anger. Experts warn that such leaks can lead to identity theft and phishing scams, highlighting the ongoing vulnerabilities in the aviation sector’s data handling practices. As investigations continue, this serves as a stark reminder for companies to prioritize robust encryption and third-party vendor audits to prevent future exposures.
Discord’s Data Dilemma: Age Verification IDs Exposed in Hack
Popular communication platform Discord is under scrutiny following a data breach that leaked proof-of-age identification documents submitted by users. The hack targeted a third-party age verification service integrated with Discord, compromising photos of IDs and potentially exposing minors to risks. This incident underscores the challenges of implementing age gates for online content, especially in light of platforms like Pornhub pulling out of states requiring similar verifications due to privacy concerns. Privacy advocates are raising alarms about the dangers of centralized data storage for sensitive personal information, which could lead to identity fraud or targeted harassment. Discord has yet to release full details on the scope, but users are advised to monitor their accounts and consider enabling two-factor authentication. This breach adds to the growing list of incidents in the gaming and social media space, prompting calls for stricter regulations on data collection for compliance purposes.
Identity Crisis in Healthcare: Interior Health Data Breach Leads to Wrongful Arrest
A massive data breach at Interior Health in British Columbia has resulted in real-world harm, with an innocent nurse arrested and fingerprinted due to identity theft stemming from the stolen information. The health authority has been accused of downplaying the incident, which exposed personal details of employees and patients, leading to fraudulent activities. This case illustrates the severe consequences of healthcare data vulnerabilities, where compromised records can disrupt lives beyond financial loss, including legal entanglements. Canadian authorities are investigating, but the event highlights systemic issues in protecting sensitive health data against cyber threats. Organizations in the sector must invest in advanced threat detection and employee training to mitigate such risks, as breaches like this erode public trust in essential services.
Escalating Shadows: China’s Cyber Hacking Capabilities Target U.S. Infrastructure
A former NSA head has warned that China’s ability to infiltrate U.S. systems is rapidly expanding, with a focus on critical infrastructure like power grids, transportation, and communications. These state-sponsored intrusions aim to gather intelligence, disrupt operations, and potentially prepare for future conflicts, posing a significant national security threat. Recent reports detail how Chinese actors exploit vulnerabilities in software and supply chains to maintain persistent access. The U.S. government is urged to bolster defenses through international alliances and domestic cybersecurity investments. This ongoing cyber rivalry emphasizes the need for proactive measures, including regular vulnerability assessments and information sharing between public and private sectors, to counter the sophisticated tactics employed by adversarial nations.
Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
Microsoft Purview is at the heart of modern data governance and compliance strategies. A well-designed Purview policy ensures sensitive data is protected, regulatory requirements are met, and organizational risk is minimized. However, creating effective policies requires more than just enabling features—it demands strategic thinking and awareness of common pitfalls.
Core Components of a Purview Policy
Scope Definition
Clearly identify which users, groups, and data sources fall under the policy.
Avoid overly broad scopes that can lead to unnecessary restrictions or performance issues.
Conditions and Triggers
Use content-based conditions (e.g., sensitivity labels, keywords) for precision.
Ensure compatibility with other controls, such as Microsoft Defender for Cloud Apps (MDA) session and file policies, to prevent conflicts.
Actions and Enforcement
Define what happens when conditions are met: block, monitor, or allow with restrictions.
Leverage real-time content inspection for high-risk scenarios, but understand limitations across platforms.
Best Practices
Start with Risk Assessment
Analyze insights and classify data before creating policies. This prevents misaligned controls.
Leverage Sensitivity Labels
Apply labels consistently across Microsoft 365 and integrated services like Fabric for seamless governance.
Iterative Monitoring
Regularly review audit logs and insider risk alerts to refine policies over time.
Align with Compliance Frameworks
Map policies to GDPR, HIPAA, CCPA, or industry-specific standards for regulatory assurance.
Common Pitfalls
Overlapping Policies
Conflicts between Purview and other solutions (e.g., MDA) can cause unexpected behavior. Always validate precedence rules.
Neglecting AI Risks
With generative AI adoption, failing to include AI-specific controls in Purview policies exposes organizations to new threats.
Static Configurations
Policies that remain unchanged despite evolving data landscapes lead to compliance gaps. Continuous improvement is key.
TLDR
A robust Purview policy is not a “set and forget” mechanism—it’s a living framework that evolves with your organization’s data strategy. By following best practices and avoiding common pitfalls, you can ensure that your policies deliver security, compliance, and operational efficiency.
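As an added example of the components above (scope, conditions, actions, and the iterative monitoring that keeps a policy from becoming static), here is a DLP policy built in PowerShell; it is not code from the original post. It assumes Security & Compliance PowerShell from the ExchangeOnlineManagement module, Compliance Administrator rights, a built-in SIT whose name you should confirm in your tenant, and hypothetical group, site, mailbox and policy names. It starts in test mode with user notifications, and ends with the precedence check the "Overlapping Policies" pitfall calls for.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module (Security & Compliance PowerShell) and Compliance Administrator rights.
# Group, site, mailbox and policy names are hypothetical.
Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'

# Scope: HR senders in Exchange plus one SharePoint site, not the whole tenant.
# A narrow scope keeps the blast radius of a mistaken rule small.
New-DlpCompliancePolicy -Name 'HR PII egress' `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf 'hr-staff@contoso.example' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/HR' `
    -Mode TestWithNotifications

# Condition + action, low volume: audit and notify the owner, do not block.
New-DlpComplianceRule -Name 'HR PII egress - low volume' `
    -Policy 'HR PII egress' `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; maxCount = '9' }
    ) `
    -NotifyUser Owner `
    -ReportSeverityLevel Low

# Condition + action, bulk egress: block, allow an override with a written
# justification (so the audit log records why), and page the SOC mailbox.
New-DlpComplianceRule -Name 'HR PII egress - bulk' `
    -Policy 'HR PII egress' `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '10' }
    ) `
    -BlockAccess $true `
    -NotifyUser Owner, 'secops@contoso.example' `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel High `
    -GenerateIncidentReport 'secops@contoso.example' `
    -IncidentReportContent Detections, Title, Sender, Recipients, Severity

# Pitfall check: precedence. Lower Priority wins, and a broad tenant-wide rule
# with a lower number silently takes effect before the narrow one above.
Get-DlpComplianceRule |
    Sort-Object Priority |
    Format-Table Name, ParentPolicyName, Priority, BlockAccess, NotifyAllowOverride

# Iterative monitoring: leave the policy in test mode, review the DLP reports and
# the override justifications, tune minCount, then enforce.
# Set-DlpCompliancePolicy -Identity 'HR PII egress' -Mode Enable
```

The two-rule split is the practical form of "allow with restrictions": a single SSN in an outbound email is usually legitimate HR business and only needs a nudge, while ten or more is either a bulk export or an error, and that is where a block with a recorded justification earns its friction. Overlap with Defender for Cloud Apps file policies is not visible in this table, so check those in the MDA portal separately.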
At Microsoft, building a lasting security culture is more than a strategic priority—it is a call to action. Security begins and ends with people, which is why every employee plays a critical role in protecting both Microsoft and our customers. When secure practices are woven into how we think, work, and collaborate, individual actions come together to form a unified, proactive, and resilient defense.
Over the past year, we’ve made significant strides through the Secure Future Initiative (SFI), embedding security into every layer of our engineering practices. But just as critical has been our transformation in how we educate and engage our employees. We revamped our employee security training program to tackle advanced cyberthreats like AI-enabled attacks and deepfakes. We launched the Microsoft Security Academy to empower our employees with personalized learning paths that create a relevant experience. We’ve made security culture a company-wide imperative, reinforcing vigilance, embedding secure habits into everyday work, and achieving what technology alone cannot. It is more than a mindset shift; it’s a company-wide movement, led from the top and setting a new standard for the industry.
To help other organizations take similar steps, we are introducing two new guides—focused on identity protection and defending against AI-enabled attacks—that offer actionable insights and practical tools. These resources are designed to help organizations rethink their approach in order to move beyond 101-level content and build a culture of security that is resilient, adaptive, and people-powered. Because in cybersecurity, culture is more than a defense—it is the difference between reacting to cyberthreats and staying ahead of them.
Training for proactive security: Empowering employees in a new era of advanced threats
Security is the responsibility of every Microsoft employee, and we’ve taken deliberate steps to make that responsibility tangible and actionable. Over the past year, we’ve worked hard to reinforce a security-first mindset throughout every part of the company—from engineering and operations to customer support—ensuring that security is a shared responsibility at every level. Through redesigned training, personalized guidance, regular feedback loops, and role-specific expectations, we are fostering a culture where security awareness is both instinctive and mandatory.
As cyberattackers become increasingly sophisticated, using AI, deepfakes, and social engineering, so must the way we educate and empower employees. The security training team at Microsoft has overhauled its annual learning program to reflect this urgency. Our training is thoughtfully designed to be even more accessible and inclusive, built from empathy for all job roles and the work they do. This helps ensure that all employees, regardless of background or technical expertise, can fully engage with the content and apply it in meaningful ways. The result is a lasting security culture that employees not only embrace in their work but also carry into their personal lives.
To ensure our lasting security culture is rooted in real-world cyberthreats and tactics, we’ve continued to push our Security Foundations series to feature dynamic, threat-informed content and real-world scenarios. We’ve also updated training content in traditional topics like phishing, identity spoofing, and AI-enabled cyberattacks like deepfakes. All full-time employees and interns are required to complete three sessions annually (90 minutes total), with newly created content every year.
Security training must resonate both in the workplace and at home to create a lasting impact. That is why we equip employees with a self-assessment tool that delivers personalized, risk-based feedback on identity protection, along with tailored guidance to help safeguard their identities—both on the job and in their personal lives.
The ingredients for successful security training
At Microsoft, the success of our security training programs hinges on several crucial ingredients: fresh, risk-based content; collaboration with internal experts; and a relentless focus on relevance and employee satisfaction. Rather than recycling old material, we rebuild our training from the ground up each year, driven by the changing cyberthreat landscape—not just compliance requirements. Each annual program begins with a risk-based approach informed by an extensive listening network that includes internal experts in threat intelligence, incident response, enterprise risk, security risk, and more. Together, we identify the top cyberthreats where employee judgment and decision-making are essential to keeping Microsoft secure—and how those cyberthreats are evolving.
Take social engineering, for instance. This topic is a consistent inclusion in our training because around 80% of security incidents start with a phishing incident or identity compromise. But we are not teaching phishing 101, as we expect our employees already have foundational awareness of this cyberthreat. Instead, we dive into emerging identity threats, real-world cyberattack scenarios, and examples of how cyberattackers are becoming more sophisticated and scaling faster than ever.
The impact we are making on the security culture at Microsoft is not by chance, nor is it anecdotal. The Education and Awareness team within the Office of the Chief Information Security Office (OCISO) applies behavioral science, adult learning theory, and human-centered design to the development of every Security Foundations course. This ensures that training resonates, sticks, and empowers behavioral change. We also continually measure learner satisfaction and content relevancy, both of which have climbed significantly in recent years. We attribute this positive change to the continual innovation and evolution of our content and the increased attention we pay to the learning and cultural needs of our employees.
For example, the Security Foundations training series is consistently one of the highest-rated required employee training courses at Microsoft. Our post-training surveys tell a clear story: employees see themselves as active participants in keeping Microsoft secure. They feel confident identifying threats, know how to escalate issues, and consistently reinforce that security is a top priority across roles, regions, and teams.
This was one of the best Security Foundations that I’ve taken, well done! The emphasis on deepfake possible attacks was enlightening and surprising, I thought it was a great choice to actually deepfake [our actor] to show how real it sounds and show in real time what is possible to get that emphasis. The self-assessment was also great in terms of showing the areas that I need to work on and use more caution.
—Microsoft employee
Today, engagement with the Security Foundations training is strong, with 99% of employees completing each course. Learner satisfaction continues to climb, with the net satisfaction score rising from 144 in fiscal year (FY) 2023 to 170 today. Relevancy scores have followed a similar trend, increasing from 144 in FY 2023 to 169 today.1 These scores reflect that our employees view the security training content as timely, applicable, and actionable.
Microsoft leadership sets the tone
Our security culture change started at the top, with Chief Executive Officer (CEO) Satya Nadella mandating that security be the company’s top priority. His directive to employees is clear: when security and other priorities conflict, security must always take precedence. Chief People Officer (CPO) Kathleen Hogan reinforced this commitment in a company-wide memo, stating, “Everyone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else.”
The Security Core Priority continues to enhance employee training around security at Microsoft. As of December 2024, every employee had a defined Security Core Priority and discussed their individual impact during performance check-ins with their manager. Hogan explains that this isn’t a one-time pledge, but a non-negotiable, ongoing responsibility shared by every employee. “The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to—and be accountable for—prioritizing security, and a way for us to codify your contributions and to recognize you for your impact,” she said. “We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.”
This commitment is embedded in how Microsoft governs and operates at the highest levels. Over the past year, the senior leadership team at Microsoft has focused on evaluating the state of our security culture and identifying ways to strengthen it. Security performance is reviewed at weekly executive meetings with deep dives into each of the six pillars of our Secure Future Initiative. The Board of Directors receives regular updates, reinforcing the message that security is a board-level concern. We’ve also reinforced our commitment to security by directly linking leadership compensation to security outcomes—elevating security to the same level of importance as growth, innovation, and financial performance. By using executive compensation as an accountability mechanism tied to specific security performance metrics, we’ve driven measurable improvements, especially in areas like secret hygiene across our code repositories.
Reinforcing security culture through engagement and hiring
Security culture is not built in a single training session; it is sustained through continuous engagement and visible reinforcement. To keep security top-of-mind, Microsoft runs regular awareness campaigns that revisit core training concepts and share timely updates across the company. These campaigns span internal platforms like Microsoft SharePoint, Teams, Viva Engage, and global digital signage in offices. This creates a consistent drumbeat that embeds security into daily workflows through reminders that reinforce key behaviors.
Launching fall 2025, the global security ambassador program will activate a grassroots network of trusted advocates within teams and departments across organizations and geographies. With a goal of reaching at least 5% employee participation, these ambassadors will serve as local champions, helping amplify initiatives, offering peer-to-peer guidance, and offering valuable feedback from the front lines. This approach not only sustains engagement but ensures Microsoft’s security strategy is informed by real-world insights from across the organization. As cyberattackers continue to grow more advanced, our employees must constantly learn and adapt. For this reason, security is a continuous journey that requires a culture of continuous improvement, where lessons from incidents are used to update policies and standards, and where employee feedback helps shape future training and engagement strategies.
Security culture is only as strong as the people who live it. That is why Microsoft is investing heavily in talent to scale its defenses through upskilling and hiring. Through the resulting increase in security engineers, we are making sure that every team, product, and customer benefits from the latest in security thinking and expertise.
Embedding security into engineering
The company leadership sets the vision, but real transformation happens when security is woven into our engineering. We are moving beyond simply applying security frameworks—reengineering how we design, test, and operate technology at scale. To drive this shift, we’ve aligned our engineering practices with the Protect Engineering Systems pillar of SFI, embedding security into every layer of development, from identity protection to threat detection. Our Microsoft Security Development Lifecycle (SDL), once published as a standalone methodology, is now deeply integrated into the Secure by Design pillar of SFI, ensuring security is part of the process, from the first line of code to final deployment.
We’ve embedded DevSecOps and shift-left strategies throughout our development lifecycle, backed by new governance models and accountability structures. Every engineering division now has a Deputy Chief Information Security Officer (CISO) responsible for embedding security into its workflows. These practices reduce costs, minimize disruption, and ultimately lead to more resilient products.
Under SFI, security is treated as a core attribute of product quality, innovation, and trust. And as Microsoft redefines how security is built into engineering, we are also transforming how it is lived. This means providing every employee with the awareness and agility needed to counter the most advanced cyberthreats.
Security culture as a matter of business trust
For Microsoft, a strong security culture helps us protect internal systems and uphold customer and partner trust. With a global presence, broad product footprint, and a customer base that spans nearly all industries, even a single security lapse can have wide-reaching implications. Embedding security into every layer of the company is both complex and essential—and involves more than just cutting-edge tools or isolated policies. Our security-first employee mindset views security not as a discrete function, but as something that informs every role, decision, and workflow. And while tools are indispensable in addressing technical cyberthreats, it is culture that ensures those tools are consistently applied, refined, and scaled across the organization.
Paving the road ahead for lasting security culture
The famous quote attributed to renowned management consultant Peter Drucker that “culture eats strategy for breakfast” holds especially true in cybersecurity. No matter how well-designed a security strategy may be, it can’t succeed without a culture that supports and sustains it. Ultimately, the formula for proactive security at Microsoft is built on three connected elements: people, process, and culture. And although we’ve made meaningful progress on all three fronts, the work is never finished. The cybersecurity landscape is constantly shifting, and with each new challenge comes an opportunity to adapt, improve, and lead.
The decision by Microsoft to treat security not as an isolated discipline, but as a foundational value—something that informs how products are built, how leaders are evaluated, and how employees across the company show up every day—is a core aspect of SFI. This initiative has already led to measurable improvements, including the appointment of Deputy CISOs across engineering divisions, the redesign of employee training to reflect AI-enabled threats, and the coming launch of grassroots programs like the global Security Ambassador program.
The Microsoft Secure Future Initiative is our commitment to building a lasting culture that embeds security into every decision, every product, and every employee mindset. We invite others to join us and transform how security is lived. Because in the current threat landscape, culture is not just a defense—it makes the difference.
Culture in practice: Tools to build a security-first mindset
To reinforce a security-first mindset across work and home, we’ve developed the following resources for our internal employees. We are also making them available for you to help drive the same commitment in your organization.
Identity Protection Guide: Critical identity protection practices to reduce your risk of a cyberattack, at work and at home.
To hear more from Microsoft Deputy CISOs, check out the OCISO blog series.
To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.
To learn more about Microsoft Security solutions, go to our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Crimson Collective Claims Nintendo Breach: A New Target in Their Growing Campaign
In the ever-evolving landscape of cybersecurity threats, the hacking group known as Crimson Collective has once again made headlines. Fresh off their high-profile breach of Red Hat’s consulting GitLab instance, where they allegedly exfiltrated 570GB of compressed data from over 28,000 repositories, the group is now claiming to have infiltrated Nintendo. This announcement surfaced on October 11, 2025, via cybersecurity tracking platforms, stirring concerns across the gaming and tech industries.
Crimson Collective first gained notoriety with the Red Hat incident earlier this month, compromising sensitive customer engagement data affecting more than 800 organizations. The group accessed private GitHub repositories, highlighting vulnerabilities in cloud-based development environments. Now, turning their sights on Nintendo—a Japanese gaming giant—the implications could be vast, potentially exposing proprietary game development code, user data, or internal strategies.
Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
While details remain scarce and unconfirmed by Nintendo as of this writing, this claim underscores a pattern of targeting high-value tech firms. Cybersecurity experts are urging organizations to review authentication tokens and cloud access controls, as similar tactics were used in the Red Hat attack. For Nintendo fans and stakeholders, this serves as a reminder of the persistent risks in digital entertainment. Stay tuned for updates as investigations unfold—proactive patching and monitoring could be key to mitigating such threats.
Cl0p Ransomware Group Targets Harvard University Amid Oracle Zero-Day Exploits
The Cl0p ransomware group, infamous for large-scale extortion campaigns, has claimed a breach against Harvard University, leveraging a critical zero-day vulnerability in Oracle’s E-Business Suite (EBS). This incident, reported on October 11, 2025, ties into a broader wave of attacks exploiting CVE-2025-61882, a flaw with a CVSS score of 9.8 that allows unauthenticated remote code execution.
Oracle issued an emergency patch for CVE-2025-61882 on October 4, 2025, after Cl0p began mass-exploiting it for data theft and extortion. The vulnerability affects the BI Publisher Integration component, enabling attackers to compromise systems without credentials. Google and cybersecurity firms like CrowdStrike have warned that dozens—potentially over 100—organizations have been impacted, with Cl0p sending extortion emails claiming data theft.
Harvard’s inclusion in this list raises alarms for academic institutions reliant on enterprise software. While specifics on what data was accessed remain undisclosed, past Cl0p operations, like the MOVEit breach affecting nearly 2,800 companies, suggest risks to sensitive research, student records, or financial information. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by October 27, 2025.
This attack highlights the dangers of supply chain vulnerabilities. Organizations using Oracle EBS should apply patches immediately and monitor for unusual activity. For Harvard and similar entities, enhancing multi-factor authentication and regular audits could prevent future incursions.
Discord Support Breach: Over 70,000 Government IDs Exposed in Vendor Hack
A significant data breach has rocked Discord, with hackers exposing images of government-issued IDs from at least 70,000 users through a compromised third-party support system. The incident, confirmed on October 11, 2025, stems from a 58-hour unauthorized access starting September 20, 2025, via a support agent’s account at an outsourced vendor using Zendesk.
Attackers stole 1.6TB of data, including 1.5TB of ticket attachments and transcripts from 8.4 million support tickets. This encompassed personal info on 5.5 million unique users and payment details for 580,000 others. The leak heavily involves age-verification tickets, where users submitted IDs—hackers claim over 520,000 such tickets were affected, suggesting the ID exposure is far greater than reported.
Discord maintains the breach was isolated to the vendor and not its core systems, refusing to pay the ransom demanded by hackers who accuse the company of downplaying the scope. The platform has not explained why IDs were retained post-verification, raising privacy concerns amid growing scrutiny on data handling practices.
This event amplifies risks in third-party vendor ecosystems and mandatory ID verifications. Users should monitor for identity theft, enable two-factor authentication, and consider credit freezes. For Discord, transparency and improved vendor oversight are crucial to rebuilding trust in an era of escalating cyber threats.