Security

Sapphire Sleet macOS Intrusion: Key Defender Insights

3 min read

Summary

Microsoft Threat Intelligence detailed a macOS-focused campaign by Sapphire Sleet that uses social engineering and fake software updates instead of exploiting vulnerabilities. The attack chain relies on user-initiated AppleScript and Terminal execution to bypass native macOS protections, making layered defenses, user awareness, and endpoint detection especially important.

Need help with Security?Talk to an Expert

Introduction

Microsoft has published new research on a macOS intrusion campaign tied to Sapphire Sleet, a North Korean threat actor known for targeting cryptocurrency and finance organizations. The report matters because it shows how attackers can compromise Macs without using a software exploit—simply by convincing users to run what appears to be a legitimate update.

What’s new in this campaign

Microsoft observed Sapphire Sleet using a fake Zoom SDK Update.scpt file to start a multi-stage infection chain on macOS.

Key techniques highlighted

  • Social engineering over exploits: The campaign depends on users manually opening and running a malicious AppleScript file.
  • Trusted app abuse: The lure opens in macOS Script Editor, a legitimate Apple application, which helps the activity appear benign.
  • Multi-stage payload delivery: The script uses curl and osascript to fetch and run additional AppleScript payloads from attacker-controlled infrastructure.
  • Credential theft and persistence: Later stages harvest passwords, target cryptocurrency assets, manipulate TCC-related behavior, establish persistence, and exfiltrate sensitive data.
  • Decoy update workflow: The malicious script includes fake update instructions and launches trusted system tools to reinforce legitimacy.

Microsoft noted this attack chain can operate outside normal macOS security enforcement boundaries when execution is user-initiated, reducing the effectiveness of controls such as Gatekeeper, notarization checks, quarantine enforcement, and parts of the Transparency, Consent, and Control framework.

Why this matters for defenders

For IT and security teams, the main takeaway is that macOS users remain highly vulnerable to convincing lures, especially in high-value sectors like cryptocurrency, venture capital, finance, and blockchain. The campaign also shows that attackers are increasingly combining legitimate macOS utilities with staged payload delivery to avoid raising suspicion.

Organizations using Microsoft Defender should review Microsoft’s newly published detections, hunting guidance, and indicators of compromise for this activity. Cross-platform visibility is essential, particularly for environments that have historically treated Macs as lower-risk endpoints.

  • Educate users to avoid running unexpected update files, especially .scpt files or scripts delivered outside official channels.
  • Keep macOS up to date with Apple’s latest protections and security updates.
  • Review endpoint detections for suspicious use of Script Editor, osascript, and curl in sequence.
  • Hunt for fake update activity and abnormal AppleScript execution tied to external downloads.
  • Prioritize high-risk users in finance, crypto, and executive roles for stronger monitoring and phishing-resistant controls.

This research is a reminder that modern macOS attacks often succeed through persuasion, not exploitation. Security teams should combine user awareness, endpoint monitoring, and layered defense controls to reduce exposure.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Sapphire SleetmacOS securityMicrosoft Defendersocial engineeringcredential theft

Related Posts

Security

ACR Stealer Campaigns: ClickFix Threats Rise

Microsoft reports increased ACR Stealer activity targeting enterprises through ClickFix social engineering, with two intrusion chains using WebDAV, Python loaders, MSHTA, obfuscated PowerShell, and steganography. The campaigns focus on stealing browser credentials, session tokens, and sensitive documents, making early detection and user awareness critical for defenders.

Security

AI Agent Least Privilege: Identity and RBAC Guide

Microsoft is urging organizations to treat AI agents as first-class identities with tightly scoped access, explicit role assignments, and controlled tool bindings. The guidance matters because agentic workflows can span multiple systems, increasing the blast radius of misconfigured permissions, weak audit trails, and unclear accountability.

Security

AsyncAPI npm Supply Chain Attack: Import-Time Malware

Microsoft Threat Intelligence uncovered a coordinated compromise of the AsyncAPI npm organization that republished five package versions with malicious code that runs when packages are imported, not just installed. The incident matters because common mitigations like npm install --ignore-scripts do not stop this technique, putting developer workstations, CI/CD pipelines, and production services at risk if they resolved the affected versions.

Security

Defender Experts Adds Threat Intelligence and MDR

Microsoft has launched Defender Experts Threat Intelligence and expanded Defender Experts MDR with third-party and multi-cloud coverage powered by Microsoft Sentinel. The update helps security teams turn threat intelligence into action faster by combining expert-led guidance, unified Defender portal workflows, and broader cross-platform incident response.

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.