Latest news and updates about Security.
Microsoft says AI is accelerating how vulnerabilities are found and exploited, shrinking the time defenders have to respond. In response, the company is expanding AI-driven vulnerability discovery, exposure management, and Defender-based protections, while also previewing a new multi-model scanning solution for customers in June 2026.
Microsoft has outlined detection strategies for identifying North Korea-aligned threat actors posing as remote IT hires to infiltrate organizations. The guidance focuses on correlating HR SaaS, identity, email, conferencing, and Microsoft 365 signals so security and HR teams can spot suspicious candidates before and after onboarding.
Microsoft is urging organizations to make opportunistic cyberattacks harder by removing credentials, shrinking public attack surfaces, and standardizing secure platform patterns. The guidance is especially relevant for teams running Azure, Dynamics 365, and Power Platform workloads at scale, where inconsistent architectures and exposed secrets can make lateral movement easier for attackers.
Microsoft has detailed a human-operated intrusion chain where attackers use cross-tenant Microsoft Teams chats to impersonate helpdesk staff and trick users into granting remote access through tools like Quick Assist. The campaign matters because it blends legitimate collaboration, remote support, and admin tools to enable lateral movement, persistence, and data exfiltration while appearing like normal IT activity.
Microsoft detailed how Defender’s predictive shielding can contain Active Directory domain compromise by restricting exposed high-privilege accounts before attackers can reuse stolen credentials. The capability helps security teams reduce lateral movement and close the response gap during fast-moving identity attacks.
Microsoft Threat Intelligence detailed a macOS-focused campaign by Sapphire Sleet that uses social engineering and fake software updates instead of exploiting vulnerabilities. The attack chain relies on user-initiated AppleScript and Terminal execution to bypass native macOS protections, making layered defenses, user awareness, and endpoint detection especially important.
Microsoft is urging organizations to treat cryptographic inventory as the first practical step toward post-quantum readiness. The company outlines a continuous cryptography posture management lifecycle to help security teams discover, assess, prioritize, and remediate cryptographic risks across code, networks, runtime, and storage.
Microsoft says traditional incident response principles still apply to AI systems, but teams must adapt to non-deterministic behavior, faster harm at scale, and new categories of risk. The company highlights the need for better AI telemetry, cross-functional response plans, and staged remediation to contain issues quickly while longer-term fixes are developed.
Microsoft is outlining an "agentic SOC" model that combines autonomous threat disruption with AI agents to accelerate investigations and reduce alert fatigue. The approach aims to shift security operations from reactive incident response to faster, more adaptive defense, giving SOC teams more time for strategic risk reduction and governance.
Microsoft has detailed a financially motivated Storm-2755 campaign targeting Canadian employees with payroll diversion attacks. The threat actor used SEO poisoning, malvertising, and adversary-in-the-middle techniques to steal sessions, bypass legacy MFA, and alter direct deposit details, making phishing-resistant MFA and session monitoring critical defenses.
Microsoft disclosed a severe intent redirection flaw in the third-party EngageSDK for Android, putting millions of crypto wallet users at potential risk of data exposure and privilege escalation. The issue was fixed in EngageSDK version 5.2.1, and the case highlights the growing security risk of opaque mobile app supply-chain dependencies.
Microsoft Threat Intelligence says Forest Blizzard has been compromising vulnerable home and small-office routers to hijack DNS traffic and, in some cases, enable adversary-in-the-middle attacks against targeted connections. The campaign matters to IT teams because unmanaged SOHO devices used by remote and hybrid workers can expose cloud access and sensitive data even when corporate environments remain secure.