{
	"id": "b5b3693d-490d-4e1c-90d5-11cbff29ffcf",
	"created_at": "2026-04-06T00:08:31.186493Z",
	"updated_at": "2026-04-10T03:36:17.210262Z",
	"deleted_at": null,
	"sha1_hash": "a0fa9121cfd733b53cb0b79b22882334707ced0a",
	"title": "Microsoft Defender for Cloud Apps Archives | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50528,
	"plain_text": "Microsoft Defender for Cloud Apps Archives | Microsoft Security\r\nBlog\r\nPublished: 2026-03-04 · Archived: 2026-04-05 18:11:33 UTC\r\nInside Tycoon2FA: How a leading AiTM phishing kit operated at scale\r\nTycoon2FA has become a leading phishing-as-a-service (PhaaS) platforms, enabling campaigns that reach over\r\n500,000 organizations monthly, prompting Microsoft’s Digital Crimes Unit (DCU) to work with Europol and\r\nindustry partners to facilitate a disruption of Tycoon2FA’s infrastructure and operations.\r\nNew Microsoft Data Security Index report explores secure AI adoption to protect sensitive data\r\nThe 2026 Microsoft Data Security Index explores one of the most pressing questions facing organizations today:\r\nHow can we harness the power of generative while safeguarding sensitive data?\r\nPhishing actors exploit complex routing and misconfigurations to spoof domains\r\nThreat actors are exploiting complex routing scenarios and misconfigured spoof protections to send spoofed\r\nphishing emails, crafted to appear as internally sent messages.\r\nInvestigating targeted “payroll pirate” attacks affecting US universities\r\nMicrosoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657\r\ncompromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to\r\nattacker-controlled accounts, attacks that have been dubbed “payroll pirate”.\r\nDisrupting threats targeting Microsoft Teams\r\nThreat actors seek to abuse Microsoft Teams features and capabilities across the attack chain, underscoring the\r\nimportance for defenders to proactively monitor, detect, and respond effectively.\r\nStorm-0501’s evolving techniques lead to cloud-based ransomware\r\nFinancially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened\r\nfocus on cloud-based tactics, techniques, and procedures (TTPs).\r\nJasper Sleet: North Korean remote 
IT workers’ evolving tactics to infiltrate organizations\r\nSince 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging\r\nAI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North\r\nKorean government.\r\nNew Russia-affiliated actor Void Blizzard targets critical sectors for espionage\r\nMicrosoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat\r\nactor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since\r\nat least April 2024.\r\nSilk Typhoon targeting IT supply chain\r\nSilk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the\r\nUS and throughout the world.\r\nSecuring DeepSeek and other AI systems with Microsoft Security\r\nMicrosoft Security provides cyberthreat protection, posture management, data security, compliance and\r\ngovernance, and AI safety, to secure AI applications that you build and use.\r\nWhy security teams rely on Microsoft Defender Experts for XDR for managed detection and\r\nresponse\r\nMicrosoft Defender Experts for XDR is a mature and proven service that triages, investigates, and responds to\r\nincidents and hunts for threats on a customer’s behalf around the clock.\r\nChinese threat actor Storm-0940 uses credentials from password spray attacks from a covert\r\nnetwork\r\nSince August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from\r\nmultiple Microsoft customers that is enabled by highly evasive password spray attacks.\r\nSource: 
https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/"
	],
	"report_names": [
		"analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f05374d-f103-4882-8f74-0c3081de112e",
			"created_at": "2025-06-29T02:01:57.226883Z",
			"updated_at": "2026-04-10T02:00:04.968464Z",
			"deleted_at": null,
			"main_name": "Void Blizzard",
			"aliases": [
				"Laundry Bear"
			],
			"source_name": "ETDA:Void Blizzard",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c2f84ab8-e990-4fa8-97db-81eb3166b207",
			"created_at": "2025-10-29T02:00:51.915334Z",
			"updated_at": "2026-04-10T02:00:05.318636Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [
				"Storm-0501"
			],
			"source_name": "MITRE:Storm-0501",
			"tools": [
				"Impacket",
				"Tasklist",
				"Cobalt Strike",
				"Rclone",
				"Nltest",
				"AADInternals"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "046ca688-af96-46ec-8782-88350c635b4c",
			"created_at": "2024-12-21T02:00:02.852393Z",
			"updated_at": "2026-04-10T02:00:03.785762Z",
			"deleted_at": null,
			"main_name": "Storm-0940",
			"aliases": [
				"CovertNetwork-1658",
				"ORB07"
			],
			"source_name": "MISPGALAXY:Storm-0940",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dcb6e92a-83be-408c-bc06-80652883a996",
			"created_at": "2025-06-05T02:00:04.420438Z",
			"updated_at": "2026-04-10T02:00:03.88532Z",
			"deleted_at": null,
			"main_name": "Void Blizzard",
			"aliases": [
				"LAUNDRY BEAR",
				"UAC-0190"
			],
			"source_name": "MISPGALAXY:Void Blizzard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0c148e-64fe-40fa-a35a-4d9a6ddd7fb0",
			"created_at": "2024-10-04T02:00:04.769179Z",
			"updated_at": "2026-04-10T02:00:03.716865Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0501",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d9069339-ff51-49f4-a04a-90def2a03d20",
			"created_at": "2026-01-23T02:00:03.280976Z",
			"updated_at": "2026-04-10T02:00:03.926956Z",
			"deleted_at": null,
			"main_name": "Storm-2657",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2657",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0fa9121cfd733b53cb0b79b22882334707ced0a.pdf",
		"text": "https://archive.orkl.eu/a0fa9121cfd733b53cb0b79b22882334707ced0a.txt",
		"img": "https://archive.orkl.eu/a0fa9121cfd733b53cb0b79b22882334707ced0a.jpg"
	}
}