In identity-based attack campaigns, any initial access activity can turn an already serious intrusion into a critical incident once it allows a threat actor to obtain domain-administration rights. At that point, the attacker effectively controls the Active Directory domain: they can change group memberships and Access Control Lists (ACLs), mint Kerberos tickets, replicate directory secrets, and push policy through mechanisms like Group Policy Objects (GPOs), among others.

What makes domain compromise especially challenging is how quickly it could happen: in many real-world cases, domain-level credentials are compromised immediately following the very first access, and once these credentials are exposed, they’re often abused immediately, well before defenders can fully scope what happened. Apart from this speed gap, responding to this type of compromise could also prove difficult. For one, incident responders can’t just simply “turn off” domain controllers, service accounts, or identity infrastructure and core services without risking business continuity. In addition, because compromised credential artifacts can spread fast and be replayed to expand access, restoring the identity infrastructure back to a trusted state usually means taking steps (for example, krbtgt rotation, GPO cleanup, and ACL validation) that could take additional time and effort in an already high-pressure situation.

These challenges highlight the need for a more proactive approach in disrupting and containing credential-based attacks as they happen. Microsoft Defender’s predictive shielding capability in automatic attack disruption helps address this need. Its ability to predict where attacks will pivot next and apply just in time hardening actions to  block credential abuse—including those targeting high-privilege accounts like domain admins—and lateral movement at near-real-time speed, shifting the advantageto the defenders.

Previously, we discussed how predictive shielding was able to disrupt a human-operated ransomware incident. In this blog post, we take a look at a real-world Active Directory domain compromise that illustrates the critical inflection point when a threat actor achieves domain -level control. We walk through the technical details of the incident to highlight attacker tradecraft, the operational challenges defenders face after domain compromise, and the value of proactive, exposure-based containment that predictive shielding provides.

Predictive shielding overview

Predictive shielding is a capability in Microsoft Defender’s automatic attack disruption that helps stop the spread of identity-based attacks, before an attacker fully operationalizes stolen credentials. Instead of waiting for an account to be observed doing something malicious, predictive shielding focuses on moments when credentials are likely exposed: when Defender sees high-confidence signals of credential theft activity on a device, it can proactively restrict the accounts that might have been exposed there.

Essentially, predictive shielding works as follows:

• Defender detects post-breach activity strongly associated with credential exposure on a device.
• It evaluates which high-privilege identities were likely exposed in that context.
• It applies containment to those identities to reduce the attacker’s ability to pivot, limiting lateral movement paths and high-impact identity operations while the incident is being investigated and remediated. The intent is to close the “speed gap” where attackers can reuse newly exposed credentials faster than responders can scope, reset, and clean up.

This capability is available as an out-of-the-box enhancement for Microsoft Defender for Endpoint P2 customers who meet the Microsoft Defender prerequisites.

The following section revisits a real-world domain compromise that showcases how attack disruption and predictive shielding changed the outcome by acting on exposure, rather than just observed abuse. Interestingly, this case happened just as we’re rolling out the predictive shielding, so you can see the changes in both attacker tradecraft and the detection and response actions before and after this capability was deployed.

Attack chain overview

In June 2025, a public sector organization was targeted by a threat actor. This threat actor progressed methodically: initial exploitation, local escalation, directory reconnaissance, credential access, and expansion into Microsoft Exchange and identity infrastructure.  

Initial entry: Pre-domain compromise

The campaign began at the edge: a file-upload flaw in an internet-facing Internet Information Services (IIS) server was abused to plant and launch a web shell. The attacker then simultaneously performed various reconnaissance activities using the compromised account through the web shell and escalated their privileges to NT AUTHORITY\SYSTEM by abusing a Potato-class token impersonation primitive (for example, BadPotato).

The discovery commands observed in the attack include the following example:

Using the compromised IIS service account, the attacker attempted to reset the passwords of high-impact identities, a common technique used to gain control over accounts without performing credential dumping. The attacker also deployed Mimikatz to dump logon secrets (for example, MSV, LSASS, and SAM), harvesting credentials that are exposed on the device.

Had predictive shielding been released at this point, automated restrictions on exposed accounts could have stopped the intrusion before it expanded beyond the single-host foothold. However, at the time of the incident, this capability hasn’t been deployed to customers yet.

Key takeaway: At this stage of an attack, it’s important to keep the containment host‑scoped. Defenders should prioritize blocking credential theft and stopping escalation before it reaches the identity infrastructure.

First pivot: Directory credential materialization and Exchange delegation

Within 24 hours, the attacker abused privileged accounts and remotely created a scheduled task on a domain controller. The task initiated NTDS snapshot activity and packaged the output using makecab.exe, enabling offline access to directory credential material that’s suitable for abusing credentials at scale:

Because the first malicious action by the abused account already surfaced the entire Active Directory credentials, stopping its path for total domain compromise was no longer feasible.

The threat actor then planted a Godzilla web shell on Exchange Server, used a privileged context to enumerate accounts with ApplicationImpersonation role assignments, and granted full access to a delegated principal across mailboxes using Add‑MailboxPermission. This access allowed the threat actor to read and manipulate all mailbox contents.

The attack also used Impacket’s atexec.py to enumerate the role assignments remotely. Its use triggered the attack disruption capability in Defender, revoking the account sessions of an admin account and blocking it from further use.

Following the abused account’s disruption, the attacker attempted several additional actions, such as resetting the disrupted account’s and other accounts’ passwords. They also attempted to dump credentials of a Veeam backup device.

Key takeaway: This pivot is a turning point. Once directory credentials and privileged delegation are in play, the scope and impact of an incident expand fast. Defenders should prioritize protecting domain controllers, privileged identities, and authentication paths.

Scale and speed: Tool return, spraying, and lateral movement

Weeks later, the threat actor returned with an Impacket tooling (for example, secretsdump and PsExec) that resulted in repeated disruptions by Defender against the abused accounts that they used. These disruptions forced the attacker to pivot to other compromised accounts and exhaust their resources.

Following Defender’s disruptions, the threat actor then launched a broad password spray from the initially compromised IIS server, unlocking access to at least 14 servers through password reuse. They also attempted remote credential dumping against a couple of domain controllers and an additional IIS server using multiple domain and service principals.

Key takeaway: Even though automatic attack disruption acted right away, the attacker already possessed multiple credentials due to the previous large-scale credential dumping. This scenario showcases the race to detect and disrupt credential abuse and is the reason we’re introducing predictive shielding to preemptively disrupt exposed accounts at risk.

Predictive shielding breaks the chain: Exposure-centric containment

In the second phase of the attack, we activated predictive shielding. When exposure signals surfaced (for example, credential dumping attempts and replay from compromised hosts), automated containment blocked new sign-in attempts and interactive pivots not only for the abused accounts, but also for context-linked identities that are active on the same compromised surfaces.

Attack disruption contained high-privileged principals to prevent these accounts from being abused. Crucially, when a high-tier Enterprise or Schema Admin credential was exposed, predictive shielding contained it pre-abuse, preventing what would normally become a catastrophic escalation.

Second pivot: Alternative paths to new credentials

With high-value identities pre-contained, the threat actor pivoted to exploiting Apache Tomcat servers. They compromised three Tomcat servers, dropped the Godzilla web shell, and launched the PowerShell-based Invoke-Mimikatz command to harvest additional credentials. At one point, the attacker operated under Schema Admin:

They then used Impacket WmiExec to access Microsoft Entra Connect servers and attempt to extract Entra Connect synchronization credentials. The account used for this pivot was later contained, limiting further lateral movement.

Last attempts and shutdown

In the final phase of the attack, the threat actor attempted a full LSASS dump on a file sharing server using comsvcs.dll MiniDump under a domain user account, followed by additional NTDS activity:

Attack disruption in Defender repeatedly severed sessions and blocked new sign-ins made by the threat actor. On July 28, 2025, the attack campaign lost momentum and stopped.

How predictive shielding changed the outcome

Before compromising a domain, attackers are mostly constrained by the hosts they control. However, even a small set of exposed credentials could remove their constraints and give them broad access through privileged authentication and delegated pathways. The blast radius spreads fast, time pressure spikes, and containment decisions become riskier because identity infrastructure and high-privilege accounts are production dependencies.

The incident we revisited earlier almost followed a similar pattern. It unfolded while predictive shielding was still being launched, so the automated predictive containment capability only became active at the midway of the attack campaign. During the attack’s first stages, the threat actor had room to scale—they returned with new tooling, launched a broad password spray attack, and expanded access across multiple servers. They also attempted remote credential dumping against domain controllers and servers.

When predictive shielding went live, it helped shift the story and we then saw the change of pace—instead of reacting to each newly abused account, the capability allowed Defender to act preemptively and turn credential theft attempts into blocked pivots. Defender was able to block new sign-ins and interactive pivots, not just for the single abused account, but also for context-linked identities that were active on the same compromised surfaces.

With high-value identities pre-contained, the adversary shifted tradecraft and chased other credential sources, but each of their subsequent attempts triggered targeted containment that limited their lateral reach until they lost momentum and stopped. How this incident concluded is the operational “tell” that containment is working, in that once privileged pivots get blocked, threat actors often hunt for alternate credential sources, and defenses must continue following the moving blast radius.

As predictive shielding matures, it will continue to expand its prediction logic and context-linked identities.

MITRE ATT&CK® techniques observed

The following table maps observed behaviors to ATT&CK®.

Tactics shown are per technique definition.

Tactic(s)	Technique ID	Technique name	Observed details
Initial Access	T1190	Exploit Public-Facing Application	Exploited a file-upload vulnerability in an IIS server to drop a web shell.
Persistence	T1505.003	Server Software Component: Web Shell	Deployed web shells for persistent access.
Execution	T1059.001	Command and Scripting Interpreter: PowerShell	Used PowerShell for Exchange role queries, mailbox permission changes, and Invoke-Mimikatz.
Privilege Escalation	T1068	Exploitation for Privilege Escalation	Used BadPotato to escalate to SYSTEM on an IIS server.
Credential Access	T1003.001	OS Credential Dumping: LSASS Memory	Dumped LSASS using Mimikatz and comsvcs.dll MiniDump.
Credential Access	T1003.003	OS Credential Dumping: NTDS	Performed NTDS-related activity using ntdsutil snapshot/IFM workflows on a domain controller.
Execution; Persistence; Privilege Escalation	T1053.005	Scheduled Task/Job: Scheduled Task	Created remote scheduled tasks to execute under SYSTEM on a domain controller.
Discovery	T1087.002	Account Discovery: Domain Account	Enumerated domain groups and accounts using net group and AD Explorer.
Lateral Movement	T1021.002	Remote Services: SMB/Windows Admin Shares	Used admin shares/SMB-backed tooling (for example, PsExec) for lateral movement.
Lateral Movement	T1021.003	Remote Services: Windows Remote Management	Used WmiExec against Microsoft Entra Connect servers.
Credential Access	T1110.003	Brute Force: Password Spraying	Performed password spraying leading to access across at least 14 servers.
Collection	T1114.002	Email Collection: Remote Email Collection	Expanded mailbox access broadly through impersonation or permission changes.
Command and Control	T1071.001	Application Layer Protocol: Web Protocols	Web shells communicated over HTTP/S.
Defense Evasion	T1070.004	Indicator Removal on Host: File Deletion	Used cleanup scripts (for example, del.bat) to remove dump artifacts.
Persistence; Privilege Escalation	T1098	Account Manipulation	Manipulated permissions and roles to expand access and sustain control.
Credential Access	T1078	Valid Accounts	Reused compromised service and domain accounts for access and lateral movement.

Learn more

For more information about automatic attack disruption and predictive shielding, see the following Microsoft Learn articles:

• Check out our latest Ninja show showcasing how predictive shielding expands to identity centric attacks
• Automatic attack disruption in Microsoft Defender XDR
• Predictive shielding in Microsoft Defender (Preview)

The post Containing a domain compromise: How predictive shielding shut down lateral movement appeared first on Microsoft Security Blog.

Microsoft announced Wednesday that it worked with international law enforcement to seize infrastructure used to run cybercrime subscription service RedVDS and organized civil actions in the United States and United Kingdom to disrupt its further use. 

RedVDS has enabled at least $40 million in fraud losses in the U.S. since March 2025, according to Microsoft. Victims that are joining Microsoft as co-plaintiffs in the civil action include Alabama-based H2 Pharma, a pharmaceutical company that lost more than $7.3 million, and Florida-based Gatehouse Dock Condominium Association, which was tricked out of nearly $500,000. 

“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable and difficult to trace,” Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said in a blog post. “It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously and across borders.”

Microsoft said a joint operation with Europol and authorities in Germany allowed it to seize RedVDS’s infrastructure and take the marketplace offline. Cybercriminals used the site, which included a loyalty program and referral bonuses for customers, to send high-volume phishing attacks, host infrastructure for scams and facilitate fraud such as business email compromise.

Microsoft customers were among those impacted by RedVDS’s tools and services. 

“Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide,” Masada said in the blog post. “These figures represent only a subset of the impacted accounts across all technology providers, illustrating how quickly this infrastructure increases the scale of cyberattacks.”

Over the course of a month, more than 2,600 RedVDS virtual machines sent Microsoft customers an average of one million phishing messages per day, Masada added. 

RedVDS facilitated payment diversion fraud against organizations like H2 Pharma and the Gatehouse Dock Condominium Association through business email compromise. The marketplace was also used to compromise the accounts of realtors, escrow agents and title companies to divert payments, according to Microsoft.

More than 9,000 customers, many in Canada and Australia, were directly impacted by real estate-related fraud aided by RedVDS. Microsoft Threat Intelligence said other scams enabled by RedVDS hit organizations in construction, manufacturing, healthcare, logistics, education and legal services.

Researchers said the marketplace’s user interface was loaded with features that allowed eager cybercriminals to purchase unlicensed and inexpensive Windows-based remote desktop protocol servers with full administrator control. RedVDS reused a single, cloned Windows host image across the service, which allowed researchers to find unique technical fingerprints.

The group that develops and operates RedVDS is tracked by Microsoft as Storm-2470. At least five additional cybercrime groups and cybercriminals who used the Racoon0365 phishing service prior to its takedown in October were also using RedVDS infrastructure, according to Microsoft Threat Intelligence.

RedVDS’s site first launched in 2019 and has remained in operation since providing servers in the U.S., U.K., Canada, France, the Netherlands and Germany. The marketplace “has become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks, including credential theft, account takeovers and mass phishing,” researchers said in a report.

RedVDS rented servers from third-party hosting providers, including at least five hosting companies in the U.S., Canada, U.K., France and the Netherlands. This allowed RedVDS to provision IP addresses in geolocations close to targets, allowing cybercriminals to evade location-based security filters and blend in with normal data center traffic, researchers added. 

“Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough,” Masada said. “Through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them.”

The post Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace appeared first on CyberScoop.

Authorities arrested 34 alleged cybercriminals in Spain, including some leaders of Black Axe, a transnational criminal organization responsible for adversary-in-the-middle scams such as business email compromise, money laundering and vehicle trafficking, the Spanish National Police said Friday.

A coordinated law enforcement operation that fanned out to Seville, Madrid, Malaga and Barcelona significantly disrupted the group’s activities, according to Europol, which supported the takedown alongside officers from Germany.

Officials targeted the organized crime network’s leadership and froze $139,000 in bank accounts. Police also seized $77,000 in cash, five vehicles and devices allegedly used for criminal activity.

Europol described Black Axe as a highly structured, hierarchical group that generates billions of dollars in criminal proceeds annually from many small-scale operations spanning dozens of countries. The group’s leaders, including 10 people arrested last week, are Nigerian nationals, authorities said. 

The Spanish National Police began investigating the group, which specializes in corporate fraud through business email compromise, in September 2023. Black Axe used an extensive network to conceal their money and recruited money mules throughout Europe to receive, transfer and withdraw funds from the scams, officials said. 

The group also allegedly established shell companies to acquire vehicles and then deliberately defaulted on payments before renting or selling the vehicles. Europol investigators estimate Black Axe is responsible for more than $6.9 million in fraud. 

Black Axe was involved in other criminal activities, including drug trafficking, human trafficking and prostitution, kidnapping and armed robbery, officials said. 

The Spanish National Police said four of Black Axe’s main leaders remain in custody and face charges for aggravated fraud, membership in a criminal organization, money laundering, document forgery and obstruction of justice.

The post Spanish police disrupt Black Axe, arrest alleged leaders in action spanning four cities appeared first on CyberScoop.

This blog will be referencing the ICS/OT Backdoors & Breaches expansion deck created by BHIS and Dragos. We will be reviewing the ICS-focused Initial Compromise cards that are used to simulate a cyber incident and suggest potential mitigations to what is presented.

The post ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches appeared first on Black Hills Information Security, Inc..

Patterson Cake // In PART 1 of “Wrangling the M365 UAL,” we talked about the value of the Unified Audit Log (UAL), some of the challenges associated with acquisition, parsing, […]

The post Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3) appeared first on Black Hills Information Security, Inc..

Patterson Cake // When it comes to M365 audit and investigation, the “Unified Audit Log” (UAL) is your friend. It can be surly, obstinate, and wholly inadequate, but your friend […]

The post Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3) appeared first on Black Hills Information Security, Inc..

Jordan Drysdale//* In this blog, we are assuming that we have obtained an access key, a secret key and maybe a .pem key from a network user who left these […]

The post AWS: Assuming Access Key Compromise appeared first on Black Hills Information Security, Inc..