Latest news and updates about Security.
Microsoft has detailed a financially motivated Storm-2755 campaign targeting Canadian employees with payroll diversion attacks. The threat actor used SEO poisoning, malvertising, and adversary-in-the-middle techniques to steal sessions, bypass legacy MFA, and alter direct deposit details, making phishing-resistant MFA and session monitoring critical defenses.
Microsoft disclosed a severe intent redirection flaw in the third-party EngageSDK for Android, putting millions of crypto wallet users at potential risk of data exposure and privilege escalation. The issue was fixed in EngageSDK version 5.2.1, and the case highlights the growing security risk of opaque mobile app supply-chain dependencies.
Microsoft Threat Intelligence says Forest Blizzard has been compromising vulnerable home and small-office routers to hijack DNS traffic and, in some cases, enable adversary-in-the-middle attacks against targeted connections. The campaign matters to IT teams because unmanaged SOHO devices used by remote and hybrid workers can expose cloud access and sensitive data even when corporate environments remain secure.
Microsoft Threat Intelligence warns that Storm-1175 is rapidly exploiting vulnerable internet-facing systems to deploy Medusa ransomware, sometimes within 24 hours of initial access. The group’s focus on newly disclosed flaws, web shells, RMM tools, and fast lateral movement makes patch speed, exposure management, and post-compromise detection critical for defenders.
Microsoft Defender Security Research detailed a large-scale phishing campaign that abuses the OAuth device code flow using AI-generated lures, dynamic code generation, and automated backend infrastructure. The campaign raises the risk for organizations because it improves attacker success rates, bypasses traditional detection patterns, and enables token theft, inbox rule persistence, and Microsoft Graph reconnaissance.
Microsoft warns that threat actors are now embedding AI across the full cyberattack lifecycle, from reconnaissance and phishing to malware development and post-compromise operations. For defenders, this means faster, more precise attacks, higher phishing success rates, and a growing need to strengthen identity, MFA protections, and visibility into AI-driven attack surfaces.
Microsoft warns that threat actors are using HTTP cookies to control PHP webshells on Linux hosting environments, helping malicious code stay dormant unless specific cookie values are present. The technique reduces visibility in routine logs, supports persistence through cron jobs, and highlights the need for stronger monitoring, web protection, and endpoint detection on hosted Linux workloads.
Microsoft warned that malicious Axios npm versions 1.14.1 and 0.30.4 were used in a supply chain attack attributed to Sapphire Sleet. Organizations using the affected packages should immediately rotate secrets, downgrade to safe versions, and review developer endpoints and CI/CD systems for compromise.
Microsoft says the threat model for critical infrastructure has shifted from opportunistic attacks to persistent, identity-driven access designed for future disruption. For IT and security leaders, the message is clear: reduce exposure, harden identity, and validate operational readiness now as regulations and nation-state activity intensify.
Microsoft is advising CISOs to secure AI systems using the same core controls they already apply to software, identities, and data access. The guidance highlights least privilege, prompt injection defenses, and using AI itself to uncover permissioning issues before attackers or users do.
Microsoft Defender Experts uncovered a late-February 2026 campaign that uses WhatsApp messages to deliver malicious VBS files, then installs unsigned MSI packages for persistence and remote access. The attack blends social engineering, renamed Windows utilities, and trusted cloud services to evade detection, making endpoint controls and user awareness critical.
Microsoft outlines how Copilot Studio and the upcoming general availability of Agent 365 can help organizations address the OWASP Top 10 for Agentic Applications. The guidance matters because agentic AI systems can use real identities, data, and tools, creating security risks that go far beyond inaccurate outputs.