Latest news and updates about Security.
Microsoft Threat Intelligence warns that Storm-1175 is rapidly exploiting vulnerable internet-facing systems to deploy Medusa ransomware, sometimes within 24 hours of initial access. The group’s focus on newly disclosed flaws, web shells, RMM tools, and fast lateral movement makes patch speed, exposure management, and post-compromise detection critical for defenders.
Microsoft Defender Security Research detailed a large-scale phishing campaign that abuses the OAuth device code flow using AI-generated lures, dynamic code generation, and automated backend infrastructure. The campaign raises the risk for organizations because it improves attacker success rates, bypasses traditional detection patterns, and enables token theft, inbox rule persistence, and Microsoft Graph reconnaissance.
Microsoft warns that threat actors are now embedding AI across the full cyberattack lifecycle, from reconnaissance and phishing to malware development and post-compromise operations. For defenders, this means faster, more precise attacks, higher phishing success rates, and a growing need to strengthen identity, MFA protections, and visibility into AI-driven attack surfaces.
Microsoft warns that threat actors are using HTTP cookies to control PHP webshells on Linux hosting environments, helping malicious code stay dormant unless specific cookie values are present. The technique reduces visibility in routine logs, supports persistence through cron jobs, and highlights the need for stronger monitoring, web protection, and endpoint detection on hosted Linux workloads.
Microsoft warned that malicious Axios npm versions 1.14.1 and 0.30.4 were used in a supply chain attack attributed to Sapphire Sleet. Organizations using the affected packages should immediately rotate secrets, downgrade to safe versions, and review developer endpoints and CI/CD systems for compromise.
Microsoft says the threat model for critical infrastructure has shifted from opportunistic attacks to persistent, identity-driven access designed for future disruption. For IT and security leaders, the message is clear: reduce exposure, harden identity, and validate operational readiness now as regulations and nation-state activity intensify.
Microsoft is advising CISOs to secure AI systems using the same core controls they already apply to software, identities, and data access. The guidance highlights least privilege, prompt injection defenses, and using AI itself to uncover permissioning issues before attackers or users do.
Microsoft Defender Experts uncovered a late-February 2026 campaign that uses WhatsApp messages to deliver malicious VBS files, then installs unsigned MSI packages for persistence and remote access. The attack blends social engineering, renamed Windows utilities, and trusted cloud services to evade detection, making endpoint controls and user awareness critical.
Microsoft outlines how Copilot Studio and the upcoming general availability of Agent 365 can help organizations address the OWASP Top 10 for Agentic Applications. The guidance matters because agentic AI systems can use real identities, data, and tools, creating security risks that go far beyond inaccurate outputs.
Microsoft detailed how Microsoft Defender uses high-value asset awareness to detect and stop attacks targeting domain controllers, web servers, and identity infrastructure. By combining Security Exposure Management context with differentiated detections and automated disruption, Defender can raise protection levels on Tier-0 assets and reduce the blast radius of sophisticated intrusions.
Microsoft is positioning identity security as a unified control plane that combines identity infrastructure, access decisions, and threat protection in real time. At RSAC 2026, the company announced new Microsoft Entra and Defender capabilities, including an identity security dashboard, unified identity risk scoring, and adaptive risk remediation to help organizations reduce fragmentation and respond faster to identity-based attacks.
Microsoft has published detection, investigation, and mitigation guidance for the March 2026 Trivy supply chain compromise that affected the Trivy binary and related GitHub Actions. The incident matters because it weaponized trusted CI/CD security tooling to steal credentials from build pipelines, cloud environments, and developer systems while appearing to run normally.