Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack By Zophar Published: 2024-10-15 · Archived: 2026-04-05 15:05:07 UTC "}},"componentScriptGroups({\"componentId\":\"custom.widget.SocialSharing\"})": {"__typename":"ComponentScriptGroups","scriptGroups": {"__typename":"ComponentScriptGroupsDefinition","afterInteractive": {"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad": {"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts": []},"component({\"componentId\":\"custom.widget.MicrosoftFooter\"})": {"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\": [\"message:4267916\"],\"name\":\"BlogMessagePage\",\"props\": {},\"url\":\"https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916\"}}})":{"__typename":"ComponentRenderResult","html":" "}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})": {"__typename":"ComponentScriptGroups","scriptGroups": {"__typename":"ComponentScriptGroupsDefinition","afterInteractive": {"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad": {"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts": []},"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageCoverImage\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeTitle\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageTimeToRead\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/tags/TagList\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagList-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 1 of 44 shared/client/components/users/UserAvatar-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111750899"}],"cachedText({\"lastModified\":\"1775111750899\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111750899"}]},"Theme:customTheme1": {"__typename":"Theme","id":"customTheme1"},"User:user:-1": {"__typename":"User","id":"user:-1","entityType":"USER","eventPath":"community:gxcuf89792/user:-1","uid":-1,"login":"Deleted","email":"","avatar": {"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ss []},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle": {"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues" ["true","false"]},"dateDisplayFormat": {"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US","es-ES"]},"repliesSortOrder": {"__typename":"InheritableStringSettingWithPossibleValues","key":"config.user_replies_sort_order","value":"DEFAULT","localValue":"DEFAULT","po ["DEFAULT","LIKES","PUBLISH_TIME","REVERSE_PUBLISH_TIME"]}},"deleted":false},"CachedAsset:pages-1775111737667":{"__typename":"CachedAsset","id":"pages-1775111737667","value": [{"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename" {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"WorkstreamsPage","type":"COMMUNITY","urlPath":"/workstreams","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageRes {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1730819800000,"localOverride":null,"page": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 2 of 44 {"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CreateUserGroup.Page","type":"COMMUNITY","urlPath":"/c/create-user-group/page","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"Pag {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResourc {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"} {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescripto {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename": {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"Pag {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResou {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"} {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource" {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"Pa {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageRes {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource" {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 3 of 44 {"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__t {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"}," {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou {"lastUpdatedTime":1730819800000,"localOverride":null,"page": {"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typen {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typena {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"Pa {"lastUpdatedTime":1730819800000,"localOverride":null,"page": {"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"Page {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageRes {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageD {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"P {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"P {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor" {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737667,"localOverride":null,"page": {"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"Pa components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this site.","userBannedReason":"You have been banned for the following reason: {reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 4 of 44 {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value": {"title":"Loading..."},"localOverride":false},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc","height":512,"width":512," {"__typename":"Rank","id":"rank:4","position":2,"name":"Microsoft","color":"333333","icon":{"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}"},"rankStyle":"OUTLINE"},"User:user:2592816": {"__typename":"User","id":"user:2592816","uid":2592816,"login":"Zophar","deleted":false,"avatar": {"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0yNTkyODE2LTYwNDYyM2k1QTM2MDU5ODB {"__ref":"Rank:rank:4"},"email":"","messagesCount":9,"biography":null,"topicsCount":9,"kudosReceivedCount":9,"kudosGivenCount":0,"kudosWeight" {"__typename":"RegistrationData","status":null,"registrationTime":"2024-07-24T11:02:51.653- 07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"Category:category:microsoft-security-product":{"__typename":"Category","id":"category:microsoft-security-product","entityType":"CATEGORY","displayId":"microsoft-security-product","nodeType":"category","depth":4,"title":"Microsoft Security","shortTitle":"Microsoft Security","parent": {"__ref":"Category:category:microsoft-security"}},"Category:category:top": {"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle" {"__typename":"Category","id":"category:communities","entityType":"CATEGORY","displayId":"communities","nodeType":"category","depth":1,"paren {"__ref":"Category:category:top"},"title":"Communities","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","entityType":"CATEGORY","displayId":"products-services","nodeType":"category","depth":2,"parent": {"__ref":"Category:category:communities"},"title":"Products","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","entityType":"CATEGORY","displayId":"microsoft-security","nodeType":"category","depth":3,"parent": {"__ref":"Category:category:products-services"},"title":"Microsoft Security","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSecurityExperts": {"__typename":"Blog","id":"board:MicrosoftSecurityExperts","entityType":"BLOG","displayId":"MicrosoftSecurityExperts","nodeType":"board","depth {"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties": {"__typename":"TagNodeProperties","tagsEnabled": {"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"PRESET_ONLY","description":"","title":"Microsoft Security Experts Blog","shortTitle":"Microsoft Security Experts Blog","parent":{"__ref":"Category:category:microsoft-security-product"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node": {"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:microsoft-security-product"}}]},"userContext": {"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme": {"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard": {"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key" []}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium []}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lit []}}},"linkProperties": {"__typename":"LinkProperties","isExternalLinkWarningEnabled":false}},"BlogTopicMessage:message:4267916": {"__typename":"BlogTopicMessage","uid":4267916,"subject":"Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack","id":"message:4267916","entityType":"BLOG_ARTICLE","eventPath":"category:microsoft-security-product/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:MicrosoftSecurityExperts/message:4267916","revisionNum":16,"repliesCount":0,"author": {"__ref":"User:user:2592816"},"depth":0,"hasGivenKudo":false,"board": {"__ref":"Blog:board:MicrosoftSecurityExperts"},"conversation": {"__ref":"Conversation:conversation:4267916"},"messagePolicies": {"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithi []}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.li []}},"canReply":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.action.message.reply_to_entity.allow.accessDenied","key":"error.lithium.polici []}},"canAcceptSolution":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.mark_as_accepted_solution.accessDenied","k []}},"canRejectSolution":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.unmark_as_accepted_solution.accessDenied" https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 5 of 44 []}},"canTag":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.labels.action.labelableentity.set_labels.allow.accessDenied","key":"error.lithium.policie []}},"canEdit":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.action_allow.edit_message.accessDenied","key":"error.lithium.policies.forums. []}},"canKudo":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.kudos.action.entity.give_kudos.allow.accessDenied","key":"error.lithium.policies.kudo []}}},"contentWorkflow": {"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext": {"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnTo {"__ref":"ModerationData:moderation_data:4267916"},"teaser":"\n Threat actors make problems for users and then offer to fix them.  With an RMM tool and user clicks, they are in.   ","body":" Authors: \n -Gourav Khandelwal (@Gourav_Khandelwal) \n -Akash Chaudhuri (@AkashChaudhuri) \n -Matthew Mesa (@matthewmesa) \n -Sagar Patil (@Sagar256)  \n -Uri Oren (@orenuri) \n -Krithika Ramakrishnan (@krithikar) \n\n\n\n Since April 2024, we have observed a significant increase in Teams phishing attacks, which have led to endpoint-related incidents, particularly through the abuse of Remote Monitoring and Management (RMM) tools such as Quick Assist (Ref : Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog), and other tools such as Any Desk, and Team Viewer. \n\n Initially, the attack began with a spam flood, followed by the attacker impersonating the Help Desk on Teams. The attacker would contact the user via Teams, send a malicious link to start the RMM session, and deliver the harmful payload during the session. This would lead to hands-on keyboard activity, data exfiltration, and ultimately result in ransomware attacks. \n\n Over time, the attack method evolved. The attackers now directly reach out to users on Teams, impersonating the service desk. Once the user accepts the Teams invite, the attacker provides a SharePoint link containing malicious payloads, which could lead to critical security breaches. Recent trends in social engineering attacks highlight this adaptability, with attackers varying their tactics based on the target. For instance, they might use a SharePoint link for one victim while opting for a different hosting platform for another on the same day. Moreover, attackers are moving beyond traditional link-based strategies by persuading users to install remote access software like AnyDesk and TeamViewer or convincing them to initiate connections via Microsoft's Quick Assist, which is installed by default in the Windows Operating System. \n\n Microsoft continues to aggressively combat threats, such as halting notorious DarkGate, which is a very capable malware. Since December 2023, Microsoft Threat Intelligence has been tracking Storm-1674 attacker group misusing App Installers with Teams Phishing as the initial access vector (Ref : Intel Article - Microsoft Defender). In this scenario, the attacker convinces the user that they are interacting with the service desk, allowing the attacker to perform malicious activities on the device through Remote Monitoring and Management (RMM) tools. What makes this attack unique is that each attack kill chain is different, as every payload varies. https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 6 of 44 \n\n The activity is attributed to Storm-1811 and Storm-1674 by Microsoft Threat Intelligence. \n In this blog, we will walk through one of the observed scenarios and discuss hunting approaches for detecting such attacks. \n\n\n\n\n\n\n In the majority of the attacks observed, impersonation of the IT desk in a one-on-one Teams conversation from attacker owned tenants. Attackers also call the users on Teams, create meetings and send chat messages that contain malicious URLs or attachments to through the meeting's chat feature. \n The tenants were usually newly created in a span of less than 7 days. In a few scenarios, the Teams Phishing was preceded by a spam flood with more than 1000+ emails every hour. This was used to set the context for the attacker to call the user impersonating the help desk under the pretext of fixing the spam flood. \n The attacks were highly targeted, with attackers focusing on at least three users per tenant through Teams phishing. By aggregating the number of users targeted by an external user from a tenant every hour, we can identify these attacks more effectively. \n\n\n\n\n\n EmailEvents  \n | where Timestamp > ago(1d) \n | where EmailDirection == \"Inbound\"  \n | make-series Emailcount = count()  \n               on Timestamp step 1h by RecipientObjectId  \n | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)  \n | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp  \n | where Anomalies != 0  \n | where AnomalyScore >= 10  \n\n Hunt for Suspicious External Teams messages \n\n CloudAppEvents \n  where Timestamp > ago(1d) \n |where  ApplicationId == 28375 https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 7 of 44 \n // This action type is recorded when a new chat is created with the user \n | where ActionType == \"ChatCreated\" \n // This field records the sender’s Account Object ID, since the sender is a third party, the field is expected to be empty \n | where isempty(AccountObjectId) \n // Validation for the message being sent from a Foreign tenant \n | where tobool(RawEventData.ParticipantInfo.HasForeignTenantUsers) == true  \n | where RawEventData.CommunicationType == \"OneOnOne\" \n // Validation that the conversation is not initiated from a guest tenant \n | where tobool(RawEventData.ParticipantInfo.HasGuestUsers) == false \n | where tobool(RawEventData.ParticipantInfo.HasOtherGuestUsers) == false \n // Validation that the sender is not recognized. If the sender is not recognized, only the email address is populated here \n | where AccountId has \"@\" \n\n This query can also be appended with aggregation by sender tenant to identify targeted attempts: \n\n | extend TargetUserUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | extend  TargetTenant = tostring(RawEventData.OrganizationId) \n | extend  AttackerTenant = tostring(RawEventData.Members[0].OrganizationId) \n | extend  AttackerUPN = tostring(RawEventData.Members[0].UPN) \n | extend  AttackerName = tostring(RawEventData.Members[0].DisplayName) \n |summarize summarize UsersTargeted = dcount(TargetUserUPN ) by AttackerTenant, AttackerUPN, bin(Timestamp, 1h) \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 8 of 44 |where  UsersTargeted >= 2 \n\n\n\n\n In cases involving spam floods, the attacker will often call the user via Teams and persuade them to open the Quick Assist application (one of the most targeted RMM applications) and provide the access code. Once the user shares the code, the attacker gains access to the device. If the user also approves the \"Request control\" prompt, the attacker gains full control over the device. \n\n\n\n\n\n let interestingUsers = DeviceProcessEvents \n | where Timestamp > ago(1h) \n | where isnotempty(InitiatingProcessAccountObjectId) \n |where FileName has_any (“quickassist.exe”, “anydesk.exe”, “teamviewer_service.exe”)    // Multiple RMM tools can be abused here \n  | project InitiatingProcessAccountUpn; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where Application == \"Microsoft Teams\"  \n | where ActionType == \"ChatCreated\"  \n | where isempty(AccountObjectId) \n | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true  \n | where RawEventData.CommunicationType == \"OneOnOne\"  \n | where RawEventData.ParticipantInfo.HasGuestUsers == false  \n | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false  \n | where AccountId has \"@\" \n | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | where TargetUPN  in (interestingUsers ) https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 9 of 44 \n | extend VictimTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = RawEventData.Members[0].OrganizationId \n | extend AttackerUPN = RawEventData.Members[0].UPN \n | extend AttackerName = RawEventData.Members[0].DisplayName \n\n\n\n The Storm-1811 actor calls users on Teams, then abuses RMM tools to deploy payloads and initiate credential theft for initial access. And, the Storm-1674 actor either calls users or uses Teams chat to deliver malicious payloads via phishing links hosted on file-sharing services usually like SharePoint. \n\n\n\n In addition to the Teams phishing activities recorded in CloudAppEvents telemetry, clicks on SharePoint URLs are logged in the UrlClickEvents table. Correlating suspicious signals on devices with UrlClickEvents table can help identify and highlight this activity. \n\n Correlating URL click events on alerted devices \n\n let alertedDevices = AlertEvidence \n  | where Timestamp > ago(1h) \n  | where isnotempty(DeviceId) \n |distinct DeviceId; \n let interestedUsers = DeviceProcessEvents \n | where Timestamp > ago(1h) \n | where DeviceId in (alertedDevices) \n | where isnotempty(InitiatingProcessAccountUpn) \n | distinct InitiatingProcessAccountUpn; \n UrlClickEvents \n | where Timestamp > ago(1d) \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 10 of 44 | where ActionType == \"ClickAllowed\" or IsClickedThrough !=\"0\" \n | where Workload has “Teams” \n | where AccountUpn in (interestedUsers) \n\n\n\n After taking control of the target user’s device through RMM, the attacker executes a script under the pretext of fixing the spam flood activity. The name of the script also justifies the intent to convince the user for the next steps (Eg : Spam Filter Update). When the script is executed, it prompts the target user to provide the credentials, persuaded by the attacker. \n\n In a few other scenarios, the attacker also redirects the user to an AiTM phishing page to complete the sign-in with MFA to compromise the session token. \n\n\n\n These compromises can be identified by correlating risky sign-in attempts with Teams phishing from external tenants. The below query can be used to identify identity compromises (Adversary-in-the-middle attack) through Teams messages with malicious links/attachments as well: \n\n let usersWithRiskySignIn = AADSignInEventsBeta \n  |where Timestamp > ago(1h) \n  |where RiskLevelDuringSignIn == 100 \n |project AccountUpn; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where Application == \"Microsoft Teams\"  \n | where ActionType == \"ChatCreated\"  \n | where isempty(AccountObjectId) \n | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true  \n | where RawEventData.CommunicationType == \"OneOnOne\"  \n | where RawEventData.ParticipantInfo.HasGuestUsers == false  \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 11 of 44 | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false  \n | where AccountId has \"@\" \n | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | where TargetUPN  in (interestingUsers ) \n | extend TargetTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = RawEventData.Members[0].OrganizationId \n |where TargetTenant != AttackerTenant \n | extend AttackerUPN = RawEventData.Members[0].UPN \n | extend AttackerName = RawEventData.Members[0].DisplayName \n |project project-reorder Timestamp, AttackerTenant, AttackerUPN, AttackerName, TargetUPN  \n\n\n\n Using a scripted cURL command, the attacker downloads additional payloads in an RMM session, or shares a SharePoint link on Microsoft Teams with payloads and tools (like NetSupport RAT). In a few scenarios, an SSH connection was also setup with the attacker’s machine. \n\n\n\n\n In conjunction with RMM tools, attackers use various command-line utilities to manipulate Active Directory (AD) environments. One such utility is Csvde, a command-line tool that imports and exports data from Active Directory Domain Services (AD DS). Csvde can be exploited by threat actors to extract sensitive AD information or to introduce malicious entries into the directory, further compromising the security of the environment. \n\n Detect suspicious file downloads \n\n DeviceNetworkEvents \n | where InitiatingProcessFileName in~ (\"curl.exe\", \"powershell.exe\", \"certutil.exe\", \"bitsadmin.exe\") \n | where RemoteIPType == \"Public\" \n | where RemoteUrl endswith \".exe\" or RemoteUrl endswith \".dll\" or RemoteUrl endswith \".zip\" \n | project Timestamp, DeviceId, InitiatingProcessFileName, RemoteIP, RemoteUrl \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 12 of 44 | extend AlertType = \"Suspicious file download from unknown IP address\" \n\n\n Detection of csvde.exe Download and AD Enumeration \n\n // Detect curl downloading csvde.exe \n let csvde_download =   DeviceProcessEvents \n     | where InitiatingProcessFileName =~\"cmd.exe\" \n     | where ProcessCommandLine has_all (\"curl\",\"-o\",\"csvde.exe\",\"http:\") \n     |  project DeviceId,Timestamp,CurlCommandLine=ProcessCommandLine, CurlProcessId = ProcessId; \n // Detect execution of csvde.exe with specific parameters \n let csvde_execution = \n     DeviceProcessEvents \n     | where FileName =~ \"csvde.exe\" \n     | where ProcessCommandLine has_all  (\"-r\",\"objectClass=Computer\") \n         and ProcessCommandLine has_all (\"-l\",\"samAccountName\",\"description\",\"info\",\"operatingSystem\") \n         and ProcessCommandLine contains \"-f\" \n    |  project DeviceId,Timestamp, CsvdeCommandLine= ProcessCommandLine,CsvdeProcessId = ProcessId; \n Join the two events and look for them occurring within 5 minutes \n csvde_download \n | join kind=inner ( \n     csvde_execution \n ) on DeviceId https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 13 of 44 \n | where Timestamp  between (Timestamp1 .. Timestamp1 + 5m) \n | extend   AlertType = \"Potential Active Directory Enumeration\",  Details = strcat(\"curl.exe was used to download csvde.exe, which was then executed to enumerate AD computers. \") \n\n\n // Detect potential data compression and exfiltration \n let compress_exfil = DeviceProcessEvents \n | where FileName =~ \"7z.exe\" \n | where ProcessCommandLine contains \"x -p\" \n | project Timestamp, DeviceId, FileName, ProcessCommandLine, ProcessId \n | join kind=inner ( \n     DeviceNetworkEvents \n     | where InitiatingProcessId != 0 \n ) on $left.ProcessId == $right.InitiatingProcessId \n | project Timestamp, DeviceId, FileName, ProcessCommandLine, RemoteIP, RemotePort \n | extend AlertType = \"Potential data compression and exfiltration\"; \n\n\n\n\n This attack specifically involved high number of reconnaissance commands including ipconfig, systeminfo, geo location scans, user recons, EDR protection status. In a typical attack, this information is exfiltrated to an external C2 server. However, in these attacks, the attacker could have probably taken a screenshot through the RMM. \n\n\n\n The payloads downloaded by the attacker was used to create persistence either using scheduled tasks or by being added to the startup folder. \n\n // Persistence through Startup operations let regKeys = pack_array(@\"CurrentVersion\\Run\", @\"CurrentVersion\\RunOnce\", @\"CurrentVersion\\RunOnceEx\", @\"Programs\\Startup\", @\"CurrentVersion\\RunServicesOnce\", @\"CurrentVersion\\RunServices\", @\"CurrentVersion\\Policies\\Explorer\\Run\", @\"Windows NT\\CurrentVersion\\Windows\", https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 14 of 44 @\"System\\CurrentControlSet\\Control\\Session Manager\"); let startUpOperations = DeviceFileEvents | where FolderPath has @\"Start Menu\\Programs\\Startup\\\" | where ActionType in (\"FileCreated\", \"FileModified\", \"FileRenamed\"); // Persistence through Registry Tampering let regOperations = DeviceRegistryEvents | where hasAlertDevices | where Timestamp between (startTime .. endTime) | where DeviceId in (alertedDevices) | where RegistryKey has_any (regKeys) | where ActionType in (\"SetValue\" ,\"CreateKey\" , \"RenameKey\"); // Persistence through Scheduled task creation let scheduledOperations = DeviceProcessEvents | where Timestamp between (startTime .. endTime) | where DeviceId in (alertedDevices) | where (InitiatingProcessCommandLine has \"schtasks\" and InitiatingProcessCommandLine has_any (\"run\", \"create\" , \"change\")); union startUpOperations, regOperations, scheduledOperations | summarize arg_min(Timestamp, *) by DeviceId \n\n\n\n \n Suspicious activity using Quick Assist \n Possible remote access tool activity \n Suspicious usage of remote management software \n Suspicious location of remote management software \n Possible NetSupport Manager activity \n \n\n\n\n NOTE: The following references are available for Microsoft Defender customers. \n \n Qakbot distributor Storm-0464 shifts to DarkGate and IcedID : Intel Article - Microsoft Defender - Shift to DarkGate and IcedID \n Financially motivated threat actors misusing App Installer : Intel Article - Microsoft Defender - App Installer misuse \n Threat actors misusing Quick Assist in social engineering attacks leading to ransomware : Intel Article - Microsoft Defender - Quick Assist misuse \n \n\n\n\n \n Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.  \n Administrators have an option to manage chats/Teams meetings with external users not managed by the Organization \n Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.  \n Educate users about diligent use of RMM tools \n Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.  \n Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.  https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 15 of 44 \n \n NOTE: The following is available for Microsoft Defender customers. \n \n Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.  \n ","body@stringLength":"27298","rawBody":" Authors: \n -Gourav Khandelwal (@Gourav_Khandelwal) \n -Akash Chaudhuri (@AkashChaudhuri) \n -Matthew Mesa (@matthewmesa) \n -Sagar Patil (@Sagar256)  \n -Uri Oren (@orenuri) \n -Krithika Ramakrishnan (@krithikar) \n\n Introduction \n\n Since April 2024, we have observed a significant increase in Teams phishing attacks, which have led to endpoint-related incidents, particularly through the abuse of Remote Monitoring and Management (RMM) tools such as Quick Assist (Ref : Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog), and other tools such as Any Desk, and Team Viewer. \n\n Initially, the attack began with a spam flood, followed by the attacker impersonating the Help Desk on Teams. The attacker would contact the user via Teams, send a malicious link to start the RMM session, and deliver the harmful payload during the session. This would lead to hands-on keyboard activity, data exfiltration, and ultimately result in ransomware attacks. \n\n Over time, the attack method evolved. The attackers now directly reach out to users on Teams, impersonating the service desk. Once the user accepts the Teams invite, the attacker provides a SharePoint link containing malicious payloads, which could lead to critical security breaches. Recent trends in social engineering attacks highlight this adaptability, with attackers varying their tactics based on the target. For instance, they might use a SharePoint link for one victim while opting for a different hosting platform for another on the same day. Moreover, attackers are moving beyond traditional link-based strategies by persuading users to install remote access software like AnyDesk and TeamViewer or convincing them to initiate connections via Microsoft's Quick Assist, which is installed by default in the Windows Operating System. \n\n Microsoft continues to aggressively combat threats, such as halting notorious DarkGate, which is a very capable malware. Since December 2023, Microsoft Threat Intelligence has been tracking Storm-1674 attacker group misusing App Installers with Teams Phishing as the initial access vector (Ref : Intel Article - Microsoft Defender). In this scenario, the attacker convinces the user that they are interacting with the service desk, allowing the attacker to perform malicious activities on the https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 16 of 44 device through Remote Monitoring and Management (RMM) tools. What makes this attack unique is that each attack kill chain is different, as every payload varies. \n\n The activity is attributed to Storm-1811 and Storm-1674 by Microsoft Threat Intelligence. \n In this blog, we will walk through one of the observed scenarios and discuss hunting approaches for detecting such attacks. \n\n Attack Flow \n\n\n Teams Phishing \n\n In the majority of the attacks observed, impersonation of the IT desk in a one-on-one Teams conversation from attacker owned tenants. Attackers also call the users on Teams, create meetings and send chat messages that contain malicious URLs or attachments to through the meeting's chat feature. \n The tenants were usually newly created in a span of less than 7 days. In a few scenarios, the Teams Phishing was preceded by a spam flood with more than 1000+ emails every hour. This was used to set the context for the attacker to call the user impersonating the help desk under the pretext of fixing the spam flood. \n The attacks were highly targeted, with attackers focusing on at least three users per tenant through Teams phishing. By aggregating the number of users targeted by an external user from a tenant every hour, we can identify these attacks more effectively. \n\n Hunting for Compromises \n\n Hunt for spam flood attack \n\n EmailEvents  \n | where Timestamp > ago(1d) \n | where EmailDirection == \"Inbound\"  \n | make-series Emailcount = count()  \n               on Timestamp step 1h by RecipientObjectId  \n | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)  \n | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp  \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 17 of 44 | where Anomalies != 0  \n | where AnomalyScore >= 10  \n\n Hunt for Suspicious External Teams messages \n\n CloudAppEvents \n  where Timestamp > ago(1d) \n |where  ApplicationId == 28375 \n // This action type is recorded when a new chat is created with the user \n | where ActionType == \"ChatCreated\" \n // This field records the sender’s Account Object ID, since the sender is a third party, the field is expected to be empty \n | where isempty(AccountObjectId) \n // Validation for the message being sent from a Foreign tenant \n | where tobool(RawEventData.ParticipantInfo.HasForeignTenantUsers) == true  \n | where RawEventData.CommunicationType == \"OneOnOne\" \n // Validation that the conversation is not initiated from a guest tenant \n | where tobool(RawEventData.ParticipantInfo.HasGuestUsers) == false \n | where tobool(RawEventData.ParticipantInfo.HasOtherGuestUsers) == false \n // Validation that the sender is not recognized. If the sender is not recognized, only the email address is populated here \n | where AccountId has \"@\" \n\n This query can also be appended with aggregation by sender tenant to identify targeted attempts: \n\n | extend TargetUserUPN = tolower(tostring(RawEventData.Members[1].UPN)) https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 18 of 44 \n | extend  TargetTenant = tostring(RawEventData.OrganizationId) \n | extend  AttackerTenant = tostring(RawEventData.Members[0].OrganizationId) \n | extend  AttackerUPN = tostring(RawEventData.Members[0].UPN) \n | extend  AttackerName = tostring(RawEventData.Members[0].DisplayName) \n |summarize summarize UsersTargeted = dcount(TargetUserUPN ) by AttackerTenant, AttackerUPN, bin(Timestamp, 1h) \n |where  UsersTargeted >= 2 \n\n\n RMM Tools Abuse \n\n In cases involving spam floods, the attacker will often call the user via Teams and persuade them to open the Quick Assist application (one of the most targeted RMM applications) and provide the access code. Once the user shares the code, the attacker gains access to the device. If the user also approves the \"Request control\" prompt, the attacker gains full control over the device. \n\n Hunting for Compromises \n\n Hunt for Teams Activity followed by suspicious RMM: \n\n let interestingUsers = DeviceProcessEvents \n | where Timestamp > ago(1h) \n | where isnotempty(InitiatingProcessAccountObjectId) \n |where FileName has_any (“quickassist.exe”, “anydesk.exe”, “teamviewer_service.exe”)    // Multiple RMM tools can be abused here \n  | project InitiatingProcessAccountUpn; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where Application == \"Microsoft Teams\"  https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 19 of 44 \n | where ActionType == \"ChatCreated\"  \n | where isempty(AccountObjectId) \n | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true  \n | where RawEventData.CommunicationType == \"OneOnOne\"  \n | where RawEventData.ParticipantInfo.HasGuestUsers == false  \n | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false  \n | where AccountId has \"@\" \n | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | where TargetUPN  in (interestingUsers ) \n | extend VictimTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = RawEventData.Members[0].OrganizationId \n | extend AttackerUPN = RawEventData.Members[0].UPN \n | extend AttackerName = RawEventData.Members[0].DisplayName \n\n Initial Access \n\n The Storm-1811 actor calls users on Teams, then abuses RMM tools to deploy payloads and initiate credential theft for initial access. And, the Storm-1674 actor either calls users or uses Teams chat to deliver malicious payloads via phishing links hosted on file-sharing services usually like SharePoint. \n\n Hunting for Compromises \n\n In addition to the Teams phishing activities recorded in CloudAppEvents telemetry, clicks on SharePoint URLs are logged in the UrlClickEvents table. Correlating suspicious signals on devices with UrlClickEvents table can help identify and highlight this activity. \n\n Correlating URL click events on alerted devices https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 20 of 44 \n\n let alertedDevices = AlertEvidence \n  | where Timestamp > ago(1h) \n  | where isnotempty(DeviceId) \n |distinct DeviceId; \n let interestedUsers = DeviceProcessEvents \n | where Timestamp > ago(1h) \n | where DeviceId in (alertedDevices) \n | where isnotempty(InitiatingProcessAccountUpn) \n | distinct InitiatingProcessAccountUpn; \n UrlClickEvents \n | where Timestamp > ago(1d) \n | where ActionType == \"ClickAllowed\" or IsClickedThrough !=\"0\" \n | where Workload has “Teams” \n | where AccountUpn in (interestedUsers) \n\n Credential Access \n\n After taking control of the target user’s device through RMM, the attacker executes a script under the pretext of fixing the spam flood activity. The name of the script also justifies the intent to convince the user for the next steps (Eg : Spam Filter Update). When the script is executed, it prompts the target user to provide the credentials, persuaded by the attacker. \n\n In a few other scenarios, the attacker also redirects the user to an AiTM phishing page to complete the sign-in with MFA to compromise the session token. \n\n Hunting for Compromises \n\n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 21 of 44 These compromises can be identified by correlating risky sign-in attempts with Teams phishing from external tenants. The below query can be used to identify identity compromises (Adversary-in-the-middle attack) through Teams messages with malicious links/attachments as well: \n\n let usersWithRiskySignIn = AADSignInEventsBeta \n  |where Timestamp > ago(1h) \n  |where RiskLevelDuringSignIn == 100 \n |project AccountUpn; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where Application == \"Microsoft Teams\"  \n | where ActionType == \"ChatCreated\"  \n | where isempty(AccountObjectId) \n | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true  \n | where RawEventData.CommunicationType == \"OneOnOne\"  \n | where RawEventData.ParticipantInfo.HasGuestUsers == false  \n | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false  \n | where AccountId has \"@\" \n | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | where TargetUPN  in (interestingUsers ) \n | extend TargetTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = RawEventData.Members[0].OrganizationId \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 22 of 44 |where TargetTenant != AttackerTenant \n | extend AttackerUPN = RawEventData.Members[0].UPN \n | extend AttackerName = RawEventData.Members[0].DisplayName \n |project project-reorder Timestamp, AttackerTenant, AttackerUPN, AttackerName, TargetUPN  \n\n Execution \n\n Using a scripted cURL command, the attacker downloads additional payloads in an RMM session, or shares a SharePoint link on Microsoft Teams with payloads and tools (like NetSupport RAT). In a few scenarios, an SSH connection was also setup with the attacker’s machine. \n\n\n\n\n In conjunction with RMM tools, attackers use various command-line utilities to manipulate Active Directory (AD) environments. One such utility is Csvde, a command-line tool that imports and exports data from Active Directory Domain Services (AD DS). Csvde can be exploited by threat actors to extract sensitive AD information or to introduce malicious entries into the directory, further compromising the security of the environment. \n\n Detect suspicious file downloads \n\n DeviceNetworkEvents \n | where InitiatingProcessFileName in~ (\"curl.exe\", \"powershell.exe\", \"certutil.exe\", \"bitsadmin.exe\") \n | where RemoteIPType == \"Public\" \n | where RemoteUrl endswith \".exe\" or RemoteUrl endswith \".dll\" or RemoteUrl endswith \".zip\" \n | project Timestamp, DeviceId, InitiatingProcessFileName, RemoteIP, RemoteUrl \n | extend AlertType = \"Suspicious file download from unknown IP address\" \n\n\n Detection of csvde.exe Download and AD Enumeration \n\n // Detect curl downloading csvde.exe \n let csvde_download =   DeviceProcessEvents \n     | where InitiatingProcessFileName =~\"cmd.exe\" \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 23 of 44 | where ProcessCommandLine has_all (\"curl\",\"-o\",\"csvde.exe\",\"http:\") \n     |  project DeviceId,Timestamp,CurlCommandLine=ProcessCommandLine, CurlProcessId = ProcessId; \n // Detect execution of csvde.exe with specific parameters \n let csvde_execution = \n     DeviceProcessEvents \n     | where FileName =~ \"csvde.exe\" \n     | where ProcessCommandLine has_all  (\"-r\",\"objectClass=Computer\") \n         and ProcessCommandLine has_all (\"-l\",\"samAccountName\",\"description\",\"info\",\"operatingSystem\") \n         and ProcessCommandLine contains \"-f\" \n    |  project DeviceId,Timestamp, CsvdeCommandLine= ProcessCommandLine,CsvdeProcessId = ProcessId; \n Join the two events and look for them occurring within 5 minutes \n csvde_download \n | join kind=inner ( \n     csvde_execution \n ) on DeviceId \n | where Timestamp  between (Timestamp1 .. Timestamp1 + 5m) \n | extend   AlertType = \"Potential Active Directory Enumeration\",  Details = strcat(\"curl.exe was used to download csvde.exe, which was then executed to enumerate AD computers. \") \n\n\n // Detect potential data compression and exfiltration \n let compress_exfil = DeviceProcessEvents \n | where FileName =~ \"7z.exe\" https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 24 of 44 \n | where ProcessCommandLine contains \"x -p\" \n | project Timestamp, DeviceId, FileName, ProcessCommandLine, ProcessId \n | join kind=inner ( \n     DeviceNetworkEvents \n     | where InitiatingProcessId != 0 \n ) on $left.ProcessId == $right.InitiatingProcessId \n | project Timestamp, DeviceId, FileName, ProcessCommandLine, RemoteIP, RemotePort \n | extend AlertType = \"Potential data compression and exfiltration\"; \n\n\n Reconnaissance \n\n This attack specifically involved high number of reconnaissance commands including ipconfig, systeminfo, geo location scans, user recons, EDR protection status. In a typical attack, this information is exfiltrated to an external C2 server. However, in these attacks, the attacker could have probably taken a screenshot through the RMM. \n\n Persistence \n\n The payloads downloaded by the attacker was used to create persistence either using scheduled tasks or by being added to the startup folder. \n\n // Persistence through Startup operations let regKeys = pack_array(@\"CurrentVersion\\Run\", @\"CurrentVersion\\RunOnce\", @\"CurrentVersion\\RunOnceEx\", @\"Programs\\Startup\", @\"CurrentVersion\\RunServicesOnce\", @\"CurrentVersion\\RunServices\", @\"CurrentVersion\\Policies\\Explorer\\Run\", @\"Windows NT\\CurrentVersion\\Windows\", @\"System\\CurrentControlSet\\Control\\Session Manager\"); let startUpOperations = DeviceFileEvents | where FolderPath has @\"Start Menu\\Programs\\Startup\\\" | where ActionType in (\"FileCreated\", \"FileModified\", \"FileRenamed\"); // Persistence through Registry Tampering let regOperations = DeviceRegistryEvents | where hasAlertDevices | where Timestamp between (startTime .. endTime) | where DeviceId in (alertedDevices) | where RegistryKey has_any (regKeys) https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 25 of 44 | where ActionType in (\"SetValue\" ,\"CreateKey\" , \"RenameKey\"); // Persistence through Scheduled task creation let scheduledOperations = DeviceProcessEvents | where Timestamp between (startTime .. endTime) | where DeviceId in (alertedDevices) | where (InitiatingProcessCommandLine has \"schtasks\" and InitiatingProcessCommandLine has_any (\"run\", \"create\" , \"change\")); union startUpOperations, regOperations, scheduledOperations | summarize arg_min(Timestamp, *) by DeviceId \n\n Detections \n\n \n Suspicious activity using Quick Assist \n Possible remote access tool activity \n Suspicious usage of remote management software \n Suspicious location of remote management software \n Possible NetSupport Manager activity \n \n\n References \n\n NOTE: The following references are available for Microsoft Defender customers. \n \n Qakbot distributor Storm-0464 shifts to DarkGate and IcedID : Intel Article - Microsoft Defender - Shift to DarkGate and IcedID \n Financially motivated threat actors misusing App Installer : Intel Article - Microsoft Defender - App Installer misuse \n Threat actors misusing Quick Assist in social engineering attacks leading to ransomware : Intel Article - Microsoft Defender - Quick Assist misuse \n \n\n Recommendations \n\n \n Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.  \n Administrators have an option to manage chats/Teams meetings with external users not managed by the Organization \n Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.  \n Educate users about diligent use of RMM tools \n Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.  \n https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 26 of 44 Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.  \n \n NOTE: The following is available for Microsoft Defender customers. \n \n Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.  \n ","kudosSumWeight":6,"postTime":"2024-10-15T05:00:00.029-07:00","images": {"__typename":"AssociatedImageConnection","edges": [{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDE","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyOTAwNmk5OTE3RUI4ODM3NzkwM0M3? revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDI","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyM2kzQzk5OUEyNUU1QkE1NzhB? revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDM","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyNGlENTVGRDQ5RDc0MkMyN0E0? revision=16\"}"}}],"totalCount":3,"pageInfo": {"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments": {"__typename":"AttachmentConnection","pageInfo": {"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges": []},"tags":{"__typename":"TagConnection","pageInfo": {"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges": [{"__typename":"TagEdge","cursor":"MjYuMXwyLjF8b3wxMHxfTlZffDE","node": {"__typename":"Tag","id":"tag:defender experts for hunting","text":"defender experts for hunting","time":"2023-03- 14T16:33:24.891-07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}, {"__typename":"TagEdge","cursor":"MjYuMXwyLjF8b3wxMHxfTlZffDI","node":{"__typename":"Tag","id":"tag:defender experts for xdr","text":"defender experts for xdr","time":"2022-11-22T08:22:46.355- 08:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}, {"__typename":"TagEdge","cursor":"MjYuMXwyLjF8b3wxMHxfTlZffDM","node": {"__typename":"Tag","id":"tag:microsoft security enterprise services","text":"microsoft security enterprise services","time":"2024-06-12T14:10:16.501- 07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":9,"rawTeaser":"\n Threat actors make problems for users and then offer to fix them.  With an RMM tool and user clicks, they are in.   ","introduction":"","coverImage":null,"coverImageProperties": {"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""},"currentRevision": {"__ref":"Revision:revision:4267916_16"},"latestVersion": {"__typename":"FriendlyVersion","major":"6","minor":"0"},"metrics": {"__typename":"MessageMetrics","views":8248},"read":false,"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"pla {"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges": []},"coAuthors":{"__typename":"UserConnection","edges":[]},"blogMessagePolicies": {"__typename":"BlogMessagePolicies","canDoAuthoringActionsOnBlog":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","key":"error.lithium.policies.blog []}}},"archivalData":null,"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}}})": {"__typename":"RevisionConnection","totalCount":16}},"Conversation:conversation:4267916": {"__typename":"Conversation","id":"conversation:4267916","solved":false,"topic": {"__ref":"BlogTopicMessage:message:4267916"},"lastPostingActivityTime":"2024-10-22T07:56:53.028- 07:00","lastPostTime":"2024-10-15T05:00:00.029- 07:00","unreadReplyCount":0,"isSubscribed":false},"ModerationData:moderation_data:4267916": {"__typename":"ModerationData","id":"moderation_data:4267916","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":nu {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyOTAwNmk5OTE3RUI4ODM3NzkwM0M3? revision=16\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyOTAwNmk5OTE3RUI4O revision=16","title":"China SOC.png","associationType":"TEASER","width":993,"height":664,"altText":null},"AssociatedImage: https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 27 of 44 {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyM2kzQzk5OUEyNUU1QkE1NzhB? revision=16\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyM2kzQzk5OUEyNU revision=16","title":"Zophar_0- 1728599612072.png","associationType":"BODY","width":1836,"height":453,"altText":null},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyNGlENTVGRDQ5RDc0MkMyN0E0? revision=16\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyNGlENTVGRDQ5R revision=16","title":"Zophar_1- 1728599612081.png","associationType":"BODY","width":1249,"height":897,"altText":null},"Revision:revision:4267916_16": {"__typename":"Revision","id":"revision:4267916_16","lastEditTime":"2024-10-22T07:55:47.002- 07:00"},"CachedAsset:theme:customTheme1-1775107807370":{"__typename":"CachedAsset","id":"theme:customTheme1- 1775107807370","value":{"id":"customTheme1","animation": {"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections": ["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo": {"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnN {"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(- -lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabled -lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900- s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderT {"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(-- lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 28 of 44 {"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes": {"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageF -lia-bs-font-family-base)","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(-- lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(-- lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#bc341b","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesT {"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCC -lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider": {"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(-- lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link": {"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border": {"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons": {"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#fffff solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel": {"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji": {"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"# {"color":"var(--lia-bs-body-color)","fontFamily":"Segoe UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20 -lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons": {"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","s {"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input": {"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(- -lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 29 of 44 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup": {"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background": {"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typ solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(- -lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxS -lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collap -lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager": {"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover": {"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":" 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte": {"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","custo 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageIt -lia-bs-gray-700)","tableBorderStyle":"solid","tableCellPaddingX":"5px","tableCellPaddingY":"5px","tableTextColor":"var(--lia-bs-body-color)","tableVerticalAlign":"middle","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts": {"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography": {"fontFamilyBase":"Segoe UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold [{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}, {"style":"NORMAL","weight":"300","__typename":"FontStyleData"}, {"style":"NORMAL","weight":"600","__typename":"FontStyleData"}, {"style":"NORMAL","weight":"700","__typename":"FontStyleData"}, {"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 30 of 44 400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles": [{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem": {"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename" {"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness": {"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLighte shared/client/components/common/Loading/LoadingDot-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1775111750899","value": {"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSecurityExperts-1775111749122": {"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSecurityExperts-1775111749122","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps": {"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents": ["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps": {"community.widget.breadcrumbWidget": {"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOC {"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var -lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"Ma {"main":[],"side":[{"id":"custom.widget.UnregisteredCTAWidget","className":null,"props": {"widgetVisibility":"anonymousOnly","useTitle":true,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.UnregisteredCT components/common/EmailVerification-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1775111750899","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1775111750899","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1775111735077" {"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1775111735077","value": {"id":"Common","header":{"backgroundImageProps": {"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null," [{"id":"community.widget.navbarWidget","props": {"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"style": {"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"400","controllerHighlightColor":"hsla(30, 100%, 50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"14px","linkBoxShadowHover":"none","backgroundO -lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"30px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"flex-start","linkColor":"var(--lia-bs-body-color)","collapseMenuDividerBg":"var(--lia-nav-link-color)","dropdownPaddingTop":"10px","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(- -lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-primary)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","controllerTextHoverColor": -lia-nav-controller-icon-hover-color)","paddingTop":"15px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(-- lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 31 of 44 color)"},"links":{"sideLinks":[],"logoLinks":[],"mainLinks":[{"children": [],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children": [],"linkType":"EXTERNAL","id":"community-hub-link","url":"/Directory","target":"SELF"},{"children": [{"linkType":"INTERNAL","id":"Common-microsoft365-link","params": {"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-link","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft-security-link","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-teams-link","params": {"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-azure-link","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-content_management-link","params":{"categoryId":"Content_Management"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoftintune-link","params": {"categoryId":"microsoftintune"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-exchange-link","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-server-link","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-outlook-link","params": {"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft365-copilot-link","params":{"categoryId":"Microsoft365Copilot"},"routeName":"CategoryPage"}, {"linkType":"EXTERNAL","id":"Common_Enntvz-view-all-products-link","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"products-link","url":"/","target":"SELF"}, {"children":[{"linkType":"INTERNAL","id":"Common-education-sector-link","params": {"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-partner-community-link","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-healthcare-and-life-sciences-link","params": {"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-i-t-ops-talk-link","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-public-sector-link","params": {"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoftfor-nonprofits-link","params":{"categoryId":"MicrosoftforNonprofits"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-io-t-link","params":{"categoryId":"IoT"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-mvp-link","params":{"categoryId":"mvp"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-mechanics-link","params": {"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-driving-adoption-link","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-learn-for-educators-link","params":{"categoryId":"microsoft-learn-for-educators"},"routeName":"CategoryPage"}],"linkType":"EXTERNAL","id":"topics-link","url":"/","target":"SELF"}, {"children":[],"linkType":"EXTERNAL","id":"all-blogs-link","url":"/Blogs","target":"SELF"},{"children": [],"linkType":"EXTERNAL","id":"all-events-link","url":"/Events","target":"SELF"},{"children": [{"linkType":"INTERNAL","id":"Skills-Hub-link","params":{"categoryId":"skills-hub"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Skills-Hub-Blog","params":{"boardId":"skills-hub-blog","categoryId":"skills-hub"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"ms-learn-ext-LD","url":"/category/skills-hub? tab=grouphub","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-dynamics","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-m365","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"}, {"linkType":"EXTERNAL","id":"ms-learn-ext-security","url":"https://docs.microsoft.com/learn/topics/sci/? wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-pp","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-github","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"}, {"linkType":"EXTERNAL","id":"ms-learn-ext-teams","url":"https://docs.microsoft.com/learn/teams/? wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-net","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"}, {"linkType":"EXTERNAL","id":"ms-learn-ext-azure","url":"https://docs.microsoft.com/learn/azure/? WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"Skills-Hub","params": {"categoryId":"skills-hub"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"Common-community-info-center-link","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-usergroups-link","params": {"categoryId":"usergroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-community-news-desk-link","params":{"categoryId":"CommunityNewsDesk"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-global-community-initiative-link","params":{"categoryId":"microsoft-global-community-initiative"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"Common-gxcuf89792- community","params": {},"routeName":"CommunityPage"}]},"showSearchIcon":true,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"}, https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 32 of 44 {"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.CommunityBanner","props": {"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"Qu {"id":"custom.widget.ChatbotWidget","props": {"customComponentId":"custom.widget.ChatbotWidget","cDisplay_form":true,"useBackground":false},"__typename":"QuiltComponent"}, {"id":"custom.widget.HeroBanner","props": {"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"w {"backgroundImageProps": {"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null," [{"id":"custom.widget.SocialSharing","props": {"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}, {"id":"custom.widget.MicrosoftFooter","props": {"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__ty components/common/ActionFeedback-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1775111750899","value": {"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:component:custom.widget.CommunityBanner-en-us-1775107888865": {"__typename":"CachedAsset","id":"component:custom.widget.CommunityBanner-en-us-1775107888865","value": {"component":{"id":"custom.widget.CommunityBanner","template": {"id":"CommunityBanner","markupLanguage":"REACT","style":null,"texts":null,"defaults":{"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.CommunityBanner","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride": en-us-1775107888865":{"__typename":"CachedAsset","id":"component:custom.widget.ChatbotWidget-en-us-1775107888865","value":{"component":{"id":"custom.widget.ChatbotWidget","template": {"id":"ChatbotWidget","markupLanguage":"REACT","style":null,"texts":{"chatbot.references.title":"Related Articles","chatbot.welcome.title":"Welcome!","chatbot.welcome.description":"I'm here to help you explore and discover great content.","chatbot.welcome.prompt":"Ask me a question or choose a suggestion below to get started:","chatbot.welcome.cta":"Let's dive in—what would you like to discover today?","chatbot.status.typing":"Assistant is typing…","chatbot.status.error":"error","chatbot.error.response":"Failed to get response. Please try again.","chatbot.error.processing":"There was an error processing your message.","chatbot.error.configuration":"API URL not configured","chatbot.error.network":"Network error occurred. Please check your connection and try again.","chatbot.error.timeout":"Request timed out. Please try again.","chatbot.error.emptyResponse":"I couldn't generate a https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 33 of 44 response. Please try rephrasing your question.","chatbot.buttons.send":"Send","chatbot.buttons.close":"Close chat","chatbot.buttons.newChat":"Start new chat","chatbot.buttons.collapse":"Collapse chat panel","chatbot.buttons.expand":"Expand chat panel","chatbot.buttons.fullscreen":"Enter fullscreen","chatbot.buttons.exitFullscreen":"Exit fullscreen","chatbot.buttons.like":"Like this response","chatbot.buttons.dislike":"Dislike this response","chatbot.buttons.removeLike":"Remove like","chatbot.buttons.removeDislike":"Remove dislike","chatbot.aria.chatInput":"Chat input","chatbot.aria.sendMessage":"Send message","chatbot.aria.openChat":"Open chat assistant","chatbot.aria.closeChat":"Close chat assistant","chatbot.defaults.title":"Ask Tech Community","chatbot.defaults.subtitle":"Ask questions – get answers","chatbot.defaults.entryHeading":"Find answers","chatbot.defaults.entrySubtext":"Ask the agent","chatbot.defaults.placeholder":"Type your message…","chatbot.defaults.initialMessage":"Hi! I'm your assistant. Ask me something or pick a suggestion above to begin.","chatbot.suggestions.findBlogs":"Find insightful blogs","chatbot.suggestions.exploreEvents":"Explore upcoming events","chatbot.suggestions.startJourney":"Start your journey with something new","chatbot.dialog.endConversation":"End conversation","chatbot.dialog.confirmEndConversation":"Do you want to end this conversation and start over?","chatbot.dialog.endConversationButton":"End conversation","chatbot.dialog.cancel":"Cancel","chatbot.error.genericServiceUnavailable":"The service is currently unavailable. Please try again later.","chatbot.error.noResults":"We could not find any information related to your query. Try rephrasing your query."},"defaults":{"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.ChatbotWidget","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride": en-us-1775107888865":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-us-1775107888865","value":{"component":{"id":"custom.widget.HeroBanner","template": {"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your search term(s) and then press return key to complete a search.","blogs.sidebar.pagetitle":"Latest Blogs | Microsoft Tech Community","followThisNode":"Follow this node","unfollowThisNode":"Unfollow this node","customField.teamsLink.title":"Microsoft teams link","customField.teamsLink.label":"Teams meeting url"},"defaults":{"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.HeroBanner","form":{"fields": [{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi {"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul {"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti {"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n {"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows": [{"id":"widgetChooserGroup","type":"fieldset","as":null,"items": [{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant": {"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"}, {"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to {"id":"useBackground","type":"fieldset","as":null,"items": [{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"widgetVisibility","type":"fieldset","as":null,"items": [{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"moreOptionsGroup","type":"fieldset","as":null,"items": [{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"id":"componentPropsGroup","type":"fieldset","as":null,"items": [{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form": {"fields": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 34 of 44 [{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi {"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul {"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti {"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n {"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows": [{"id":"widgetChooserGroup","type":"fieldset","as":null,"items": [{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant": {"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"}, {"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to {"id":"useBackground","type":"fieldset","as":null,"items": [{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"widgetVisibility","type":"fieldset","as":null,"items": [{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"moreOptionsGroup","type":"fieldset","as":null,"items": [{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"id":"componentPropsGroup","type":"fieldset","as":null,"items": [{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"fields": [{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi {"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul {"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti {"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n {"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows": [{"id":"widgetChooserGroup","type":"fieldset","as":null,"items": [{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant": {"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"}, {"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to {"id":"useBackground","type":"fieldset","as":null,"items": [{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"widgetVisibility","type":"fieldset","as":null,"items": [{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"moreOptionsGroup","type":"fieldset","as":null,"items": [{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"id":"componentPropsGroup","type":"fieldset","as":null,"items": [{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu en-us-1775107888865":{"__typename":"CachedAsset","id":"component:custom.widget.UnregisteredCTAWidget-en-us-1775107888865","value":{"component":{"id":"custom.widget.UnregisteredCTAWidget","template": {"id":"UnregisteredCTAWidget","markupLanguage":"REACT","style":null,"texts":{"register.communityHub":"Welcome to the {name} Community Hub. Sign in to like, participate, or start a conversation.","register.category":"Welcome to the {name} Community Hub. Sign in to like, participate, or start a conversation.","register.discussionBoard":"Welcome to the {name} space. Sign in to like, reply, or start a discussion.","register.blogSpace":"Welcome to the {name} space. Sign in to like or comment on articles in this space.","register.eventSpace":"Welcome to the {name} space. Sign in to RSVP, add events to your calendar, and join the conversation.","register.ideaSpace":"Welcome to the {name} space. Sign in to vote, comment, or submit your own feedback.","buttonRegister":"Sign in","register.discussionBoardArticle":"Have a question or insight to share? Sign in to join the discussion.","register.blogSpaceArticle":"Enjoying the article? Sign in to share your thoughts.","register.eventSpaceArticle":"Don’t just watch - take part. Sign in to RSVP, ask questions, and join the discussion.","register.ideaSpaceArticle":"Sign in to submit ideas, upvote ideas, and join the conversation."},"defaults": {"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.UnregisteredCTAWidget","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride": en-us-1775107888865":{"__typename":"CachedAsset","id":"component:custom.widget.SocialSharing-en-us-1775107888865","value":{"component":{"id":"custom.widget.SocialSharing","template": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 35 of 44 {"id":"SocialSharing","markupLanguage":"HANDLEBARS","style":".sharePage {\n display: flex;\n justify-content: center;\n background: #d7d7d7;\n padding: 0px;\n height: 60px;\n}\n.singleSocialIcons {\n display: flex;\n gap: 12px;\n list-style-type: none;\n padding: 0px;\n margin: 0;\n}\n.containers {\n display: flex;\n gap: 30px;\n}\n\n.listIcon {\n align-content: center;\n}\n.headingShare {\n display: inline;\n margin-right: 25px;\n margin-bottom: 0px;\n font-size: 20px;\n font-weight: 550;\n align-content: center;\n}\n\n@media (max-width: 990px) {\n .sharePage {\n display: flex;\n justify-content: center;\n }\n\n .containers {\n display: inline-block;\n justify-content: center;\n align-content: center;\n align-items: center;\n }\n .headingShare {\n display: flex;\n justify-content: center;\n }\n .singleSocialIcons {\n }\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.SocialSharing","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss": {"css":".custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n background: #d7d7d7;\n padding: 0;\n height: 3.75rem;\n}\n.custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n display: flex;\n gap: 0.75rem;\n list-style-type: none;\n padding: 0;\n margin: 0;\n}\n.custom_widget_SocialSharing_containers_6x3n8_15 {\n display: flex;\n gap: 1.875rem;\n}\n.custom_widget_SocialSharing_listIcon_6x3n8_20 {\n align-content: center;\n}\n.custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: inline;\n margin-right: 1.5625rem;\n margin-bottom: 0;\n font-size: 1.25rem;\n font-weight: 550;\n align-content: center;\n}\n@media (max-width: 990px) {\n .custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n }\n\n .custom_widget_SocialSharing_containers_6x3n8_15 {\n display: inline-block;\n justify-content: center;\n align-content: center;\n align-items: center;\n }\n .custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: flex;\n justify-content: center;\n }\n .custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n }\n}\n","tokens": {"sharePage":"custom_widget_SocialSharing_sharePage_6x3n8_1","singleSocialIcons":"custom_widget_SocialSharing_singleSocialIcons_6x3n8_8","co en-us-1775107888865":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-us-1775107888865","value":{"component":{"id":"custom.widget.MicrosoftFooter","template": {"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\r\n min-width: 280px;\r\n font-size: 15px;\r\n box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n & *:before,\r\n & *:after {\r\n box-sizing: inherit;\r\n }\r\n a.c-uhff-link {\r\n color: #616161;\r\n word-break: break-word;\r\n text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n &a:visited {\r\n text-decoration: none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.c-uhff {\r\n background: #f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.c-uhff-nav {\r\n margin: 0 auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 12px;\r\n }\r\n .c-heading-4 {\r\n color: #616161;\r\n word-break: break-word;\r\n font-size: 15px;\r\n line-height: 20px;\r\n padding: 36px 0 4px;\r\n font-weight: 600;\r\n }\r\n .c-uhff-nav-row {\r\n .c-uhff-nav-group {\r\n display: block;\r\n float: left;\r\n min-height: 1px;\r\n vertical-align: text-top;\r\n padding: 0 12px;\r\n width: 100%;\r\n zoom: 1;\r\n &:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 12px;\r\n }\r\n }\r\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only screen and (min-width: 1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.c-list.f-bare {\r\n font-size: 11px;\r\n line-height: 16px;\r\n margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n padding: 8px 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.c-uhff-base {\r\n background: #f2f2f2;\r\n margin: 0 auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 30px 5% 16px;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n a.c-uhff-ccpa,\r\n a.c-uhff-consumer {\r\n display: flex;\r\n float: left;\r\n font-size: 11px;\r\n line-height: 16px;\r\n padding: 4px 24px 0 0;\r\n }\r\n a.c-uhff-ccpa:hover,\r\n a.c-uhff-consumer:hover {\r\n text-decoration: underline;\r\n }\r\n ul.c-list {\r\n font-size: 11px;\r\n line-height: 16px;\r\n float: right;\r\n margin: 3px 0;\r\n color: #616161;\r\n li {\r\n padding: 0 24px 4px 0;\r\n display: inline-block;\r\n }\r\n }\r\n .c-list.f-bare {\r\n padding-left: 0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n display: flex;\r\n flex-wrap: wrap;\r\n padding: 30px 24px 16px;\r\n }\r\n}\r\n\r\n.social-share {\r\n position: fixed;\r\n top: 60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index: 1000;\r\n}\r\n\r\n.sharing-options {\r\n list-style: none;\r\n padding: 0;\r\n margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 50px;\r\n border-radius: 0px 7px 7px 0px;\r\n}\r\n.linkedin-icon {\r\n border-top-right-radius: 7px;\r\n}\r\n.linkedin-icon:hover {\r\n border-radius: 0;\r\n}\r\n\r\n.social-share-email-image:hover {\r\n border-radius: 0;\r\n}\r\n\r\n.social-link-footer:hover .linkedin-icon {\r\n border-radius: 0;\r\n}\r\n.social-link-footer:hover .social-share-email-image {\r\n border-radius: 0;\r\n}\r\n\r\n.social-link-footer img {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n\r\n.social-share-list {\r\n width: 50px;\r\n}\r\n.social-share-rss-image {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.sharing-options li {\r\n width: 50px;\r\n height: 50px;\r\n padding: 8px;\r\n box-sizing: border-box;\r\n border: 2px solid white;\r\n display: inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border 0.3s ease; /* Smooth transition effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last item */\r\n}\r\n\r\n.social-share-list-linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.social-share-list-facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.social-share-list-https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 36 of 44 xicon {\r\n background-color: #000;\r\n}\r\n.social-share-list-reddit {\r\n background-color: #fc4404;\r\n}\r\n.social-share-list-bluesky {\r\n background-color: #f0f2f5;\r\n}\r\n.social-share-list-rss {\r\n background-color: #ec7b1c;\r\n}\r\n.social-share-list-mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.sharing-options li.social-share-list-mail {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n height: 52px; /* Increase last child height to make in align with the hover label */\r\n}\r\n.x-icon {\r\n filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 20px !important;\r\n height: auto;\r\n padding-top: 5px !important;\r\n}\r\n.bluesky-icon {\r\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition: filter 0.3s ease;\r\n padding-top: 5px !important;\r\n width: 25px !important;\r\n}\r\n\r\n.share-icon {\r\n border: 2px solid transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n\r\n.sharing-options li:hover {\r\n border: 2px solid white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius: 0px;\r\n}\r\n.sharing-options li.social-share-list-mail:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n}\r\n\r\n.sharing-options li:hover .label {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n box-sizing: border-box;\r\n border-left: none;\r\n}\r\n\r\n.label {\r\n position: absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility: hidden;\r\n transition: all 0.2s ease;\r\n color: white;\r\n border-radius: 0 10 0 10px;\r\n top: 50%;\r\n transform: translateY(-50%);\r\n height: 52px;\r\n display: flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 10px 12px 15px 8px;\r\n border: 2px solid white;\r\n}\r\n.linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.twitter {\r\n background-color: black;\r\n color: white;\r\n}\r\n.reddit {\r\n background-color: #fc4404;\r\n}\r\n.mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.bluesky {\r\n background-color: #f0f2f5;\r\n color: black;\r\n}\r\n.rss {\r\n background-color: #ec7b1c;\r\n}\r\n\r\n@media (max-width: 991px) {\r\n .social-share {\r\n display: none;\r\n }\r\n}\r\n","texts":{"heading.whatsNew":"What's new","heading.store":"Microsoft Store","heading.education":"Education","heading.business":"Business","heading.developer":"Developer & IT","heading.company":"Company","link.whatsNew.surfacePro":"Surface Pro","aria.whatsNew.surfacePro":"Surface Pro What's new","link.whatsNew.surfaceLaptop":"Surface Laptop","aria.whatsNew.surfaceLaptop":"Surface Laptop What's new","link.whatsNew.surfaceLaptopStudio2":"Surface Laptop Studio 2","aria.whatsNew.surfaceLaptopStudio2":"Surface Laptop Studio 2 What's new","link.whatsNew.copilotOrganizations":"Copilot for organizations","aria.whatsNew.copilotOrganizations":"Copilot for organizations What's new","link.whatsNew.copilotPersonal":"Copilot for personal use","aria.whatsNew.copilotPersonal":"Copilot for personal use What's new","link.whatsNew.aiInWindows":"AI in Windows","aria.whatsNew.aiInWindows":"AI in Windows What's new","link.whatsNew.exploreProducts":"Explore Microsoft products","aria.whatsNew.exploreProducts":"Explore Microsoft products What's new","link.whatsNew.windows11Apps":"Windows 11 apps","aria.whatsNew.windows11Apps":"Windows 11 apps What's new","link.store.accountProfile":"Account profile","aria.store.accountProfile":"Account profile Microsoft Store","link.store.downloadCenter":"Download Center","aria.store.downloadCenter":"Download Center Microsoft Store","link.store.support":"Microsoft Store support","aria.store.support":"Microsoft Store support Microsoft Store","link.store.returns":"Returns","aria.store.returns":"Returns Microsoft Store","link.store.orderTracking":"Order tracking","aria.store.orderTracking":"Order tracking Microsoft Store","link.store.certifiedRefurbished":"Certified Refurbished","aria.store.certifiedRefurbished":"Certified Refurbished Microsoft Store","link.store.promise":"Microsoft Store Promise","aria.store.promise":"Microsoft Store Promise Microsoft Store","link.store.flexiblePayments":"Flexible Payments","aria.store.flexiblePayments":"Flexible Payments Microsoft Store","link.education.microsoftInEducation":"Microsoft in education","aria.education.microsoftInEducation":"Microsoft in education Education","link.education.devices":"Devices for education","aria.education.devices":"Devices for education Education","link.education.teams":"Microsoft Teams for Education","aria.education.teams":"Microsoft Teams for Education Education","link.education.m365":"Microsoft 365 Education","aria.education.m365":"Microsoft 365 Education Education","link.education.howToBuy":"How to buy for your school","aria.education.howToBuy":"How to buy for your school Education","link.education.training":"Educator training and development","aria.education.training":"Educator training and development Education","link.education.deals":"Deals for students and parents","aria.education.deals":"Deals for students and parents Education","link.education.ai":"AI for education","aria.education.ai":"AI for education Education","link.business.microsoftAi":"Microsoft AI","aria.business.microsoftAi":"Microsoft AI Business","link.business.security":"Microsoft Security","aria.business.security":"Microsoft Security Business","link.business.dynamics":"Dynamics 365","aria.business.dynamics":"Dynamics 365 Business","link.business.m365":"Microsoft 365","aria.business.m365":"Microsoft 365 Business","link.business.powerPlatform":"Microsoft Power Platform","aria.business.powerPlatform":"Microsoft Power Platform Business","link.business.teams":"Microsoft Teams","aria.business.teams":"Microsoft Teams Business","link.business.m365Copilot":"Microsoft 365 Copilot","aria.business.m365Copilot":"Microsoft 365 Copilot Business","link.business.smallBusiness":"Small Business","aria.business.smallBusiness":"Small Business Business","link.developer.azure":"Azure","aria.developer.azure":"Azure Developer & IT","link.developer.developerCenter":"Microsoft Developer","aria.developer.developerCenter":"Microsoft Developer Developer & IT","link.developer.learn":"Microsoft Learn","aria.developer.learn":"Microsoft Learn Developer & IT","link.developer.aiMarketplace":"Support for AI marketplace apps","aria.developer.aiMarketplace":"Support for AI marketplace apps Developer & IT","link.developer.techCommunity":"Microsoft Tech Community","aria.developer.techCommunity":"Microsoft Tech Community Developer & IT","link.developer.marketplace":"Microsoft Marketplace","aria.developer.marketplace":"Microsoft Marketplace Developer & IT","link.developer.marketplaceRewards":"Marketplace Rewards","aria.developer.marketplaceRewards":"Marketplace https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 37 of 44 Rewards Developer & IT","link.developer.visualStudio":"Visual Studio","aria.developer.visualStudio":"Visual Studio Developer & IT","link.company.careers":"Careers","aria.company.careers":"Careers Company","link.company.about":"About Microsoft","aria.company.about":"About Microsoft Company","link.company.news":"Company news","aria.company.news":"Company news Company","link.company.privacy":"Privacy at Microsoft","aria.company.privacy":"Privacy at Microsoft Company","link.company.investors":"Investors","aria.company.investors":"Investors Company","link.company.diversity":"Diversity and inclusion","aria.company.diversity":"Diversity and inclusion Company","link.company.accessibility":"Accessibility","aria.company.accessibility":"Accessibility Company","link.company.sustainability":"Sustainability","aria.company.sustainability":"Sustainability Company","ccpa.label":"Your Privacy Choices","consumerhealthprivacy.label":"Consumer Health Privacy","corp.sitemap":"Sitemap","corp.contact":"Contact Microsoft","corp.privacy":"Privacy","corp.manageCookies":"Manage cookies","corp.terms":"Terms of use","corp.trademarks":"Trademarks","corp.safetyEco":"Safety & eco","corp.recycling":"Recycling","corp.aboutAds":"About our ads","corp.microsoft":"Microsoft","social.linkedin.alt":"Share to LinkedIn","social.linkedin.label":"Share on LinkedIn","social.facebook.alt":"Share to Facebook","social.facebook.label":"Share on Facebook","social.x.alt":"Share to X","social.x.label":"Share on X","social.reddit.alt":"Share to Reddit","social.reddit.label":"Share on Reddit","social.bluesky.alt":"Share to Blue Sky","social.bluesky.label":"Share on Bluesky","social.rss.alt":"Subscribe to RSS","social.rss.label":"Share on RSS","social.email.alt":"Share to Email","social.email.label":"Share on Email"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss": {"css":".custom_widget_MicrosoftFooter_context-uhf_qp4x5_1 {\r\n min-width: 17.5rem;\r\n font-size: 0.9375rem;\r\n box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n & *:before,\r\n & *:after {\r\n box-sizing: inherit;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23 {\r\n color: #616161;\r\n word-break: break-word;\r\n text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n &a:visited {\r\n text-decoration: none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff_qp4x5_23 {\r\n background: #f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69 {\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n .custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97 {\r\n color: #616161;\r\n word-break: break-word;\r\n font-size: 0.9375rem;\r\n line-height: 1.25rem;\r\n padding: 2.25rem 0 0.25rem;\r\n font-weight: 600;\r\n }\r\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113 {\r\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115 {\r\n display: block;\r\n float: left;\r\n min-height: 0.0625rem;\r\n vertical-align: text-top;\r\n padding: 0 0.75rem;\r\n width: 100%;\r\n zoom: 1;\r\n &:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n }\r\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only screen and (min-width: 1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n padding: 0.5rem 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187 {\r\n background: #f2f2f2;\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 1.875rem 5% 1rem;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213,\r\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215 {\r\n display: flex;\r\n float: left;\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n padding: 0.25rem 1.5rem 0 0;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213:hover,\r\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215:hover {\r\n text-decoration: underline;\r\n }\r\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n float: right;\r\n margin: 0.1875rem 0;\r\n color: #616161;\r\n li {\r\n padding: 0 1.5rem 0.25rem 0;\r\n display: inline-block;\r\n }\r\n }\r\n .custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n padding-left: 0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n display: flex;\r\n flex-wrap: wrap;\r\n padding: 1.875rem 1.5rem 1rem;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n position: fixed;\r\n top: 60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index: 1000;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 {\r\n list-style: none;\r\n padding: 0;\r\n margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 3.125rem;\r\n border-radius: 0 0.4375rem 0.4375rem 0;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-top-right-radius: 7px;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317:hover {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331:hover {\r\n border-radius: https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 38 of 44 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover .custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover .custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331 {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339 img {\r\n width: 1.875rem;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list_qp4x5_365 {\r\n width: 3.125rem;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371 {\r\n width: 1.875rem;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li {\r\n width: 3.125rem;\r\n height: 3.125rem;\r\n padding: 0.5rem;\r\n box-sizing: border-box;\r\n border: 2px solid white;\r\n display: inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border 0.3s ease; /* Smooth transition effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last item */\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411 {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419 {\r\n background-color: #3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425 {\r\n background-color: #000;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431 {\r\n background-color: #fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437 {\r\n background-color: #f0f2f5;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443 {\r\n background-color: #ec7b1c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n height: 3.25rem; /* Increase last child height to make in align with the hover label */\r\n}\r\n.custom_widget_MicrosoftFooter_x-icon_qp4x5_465 {\r\n filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 1.25rem !important;\r\n height: auto;\r\n padding-top: 0.3125rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479 {\r\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition: filter 0.3s ease;\r\n padding-top: 0.3125rem !important;\r\n width: 1.5625rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_share-icon_qp4x5_493 {\r\n border: 2px solid transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover {\r\n border: 2px solid white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover .custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n box-sizing: border-box;\r\n border-left: none;\r\n}\r\n.custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n position: absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility: hidden;\r\n transition: all 0.2s ease;\r\n color: white;\r\n border-radius: 0 10 0 0.625rem;\r\n top: 50%;\r\n transform: translateY(-50%);\r\n height: 3.25rem;\r\n display: flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 0.625rem 0.75rem 0.9375rem 0.5rem;\r\n border: 2px solid white;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin_qp4x5_317 {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.custom_widget_MicrosoftFooter_facebook_qp4x5_585 {\r\n background-color: #3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_twitter_qp4x5_591 {\r\n background-color: black;\r\n color: white;\r\n}\r\n.custom_widget_MicrosoftFooter_reddit_qp4x5_599 {\r\n background-color: #fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_mail_qp4x5_605 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky_qp4x5_479 {\r\n background-color: #f0f2f5;\r\n color: black;\r\n}\r\n.custom_widget_MicrosoftFooter_rss_qp4x5_621 {\r\n background-color: #ec7b1c;\r\n}\r\n@media (max-width: 991px) {\r\n .custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n display: none;\r\n }\r\n}\r\n","tokens": {"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_qp4x5_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_qp4x5_23","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115","c-list":"custom_widget_MicrosoftFooter_c-list_qp4x5_155","f-bare":"custom_widget_MicrosoftFooter_f-bare_qp4x5_155","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213","c-uhff-consumer":"custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215","social-share":"custom_widget_MicrosoftFooter_social-share_qp4x5_281","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_qp4x5_297","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317","social-share-email-image":"custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_qp4x5_365","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371","social-share-list-linkedin":"custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411","social-share-list-facebook":"custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419","social-share-list-xicon":"custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425","social-share-list-https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 39 of 44 reddit":"custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431","social-share-list-bluesky":"custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437","social-share-list-rss":"custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443","social-share-list-mail":"custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449","x-icon":"custom_widget_MicrosoftFooter_x-icon_qp4x5_465","bluesky-icon":"custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479","share-icon":"custom_widget_MicrosoftFooter_share-icon_qp4x5_493","label":"custom_widget_MicrosoftFooter_label_qp4x5_525","linkedin":"custom_widget_MicrosoftFooter_linkedin_qp4x5_317","faceb components/community/Breadcrumb-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1775111750899","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1775111750899","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived Content"},"localOverride":false},"Category:category:Exchange": {"__typename":"Category","id":"category:Exchange","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook": {"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center": {"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector": {"__typename":"Category","id":"category:EducationSector","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption": {"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure": {"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server": {"__typename":"Category","id":"category:Windows-Server","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams": {"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector": {"__typename":"Category","id":"category:PublicSector","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365": {"__typename":"Category","id":"category:microsoft365","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT": {"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences": {"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 40 of 44 {"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk": {"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics": {"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftforNonprofits": {"__typename":"Category","id":"category:MicrosoftforNonprofits","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity": {"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Microsoft365Copilot": {"__typename":"Category","id":"category:Microsoft365Copilot","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows": {"__typename":"Category","id":"category:Windows","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Content_Management": {"__typename":"Category","id":"category:Content_Management","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityNewsDesk": {"__typename":"Category","id":"category:CommunityNewsDesk","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-learn-for-educators": {"__typename":"Category","id":"category:microsoft-learn-for-educators","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:mvp": {"__typename":"Category","id":"category:mvp","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoftintune": {"__typename":"Category","id":"category:microsoftintune","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-global-community-initiative": {"__typename":"Category","id":"category:microsoft-global-community-initiative","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:usergroups": {"__typename":"Category","id":"category:usergroups","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:skills-hub": {"__typename":"Category","id":"category:skills-hub","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Blog:board:skills-hub-blog": {"__typename":"Blog","id":"board:skills-hub-blog","blogPolicies":{"__typename":"BlogPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"CachedAsset:text:en_US-components/community/Navbar-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1775111750899","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","windows-server":"Windows Server","ms-learn-ext-security":"Microsoft Security","Common_Enntvz-i-t-ops-talk-link":"ITOps Talk","education-sector":"Education Sector","Common-external-link-9":"Microsoft 365","Common-external-link-8":"Dynamics 365","Common-external-link-7":"Skilling Room Directory","Common-external-link-6":"Events","Common-external-link-5":"Blogs","Common-external-link-4":"View All","Common-gxcuf89792-community":"Community","Common-external-link-3":"Topics","microsoft365":"Microsoft 365","Common_Enntvz-community-news-desk-link":"Community News Desk","Common_Enntvz-azure-link":"Azure","Common-community-info-center-link":"Lounge","azure":"Azure","Common_Enntvz-windows-link":"Windows","Common_Enntvz-education-sector-link":"Education Sector","Common-windows-server-link":"Windows Server","products-link":"Products","Common_Enntvz-partner-community-link":"Microsoft Partner Community","microsoft-learn-blog":"Blog","Common-external-link-2":"View All","community-hub-link":"Community Hubs","Common-mvp-link":"Microsoft MVP Program","community-info-center":"Lounge","microsoft-endpoint-manager":"Microsoft Intune","startupsat-microsoft":"Startups at Microsoft","ms-learn-ext-azure":"Azure","Common_Enntvz-content_management-link":"Content Management","ms-learn-ext-github":"Github","Common-microsoft365- link":"Microsoft 365","Common-i-t-ops-talk-link":"ITOps Talk","Common_Enntvz-view-all-products-link":"View All","Common-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative (MGCI)","all-events-https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 41 of 44 link":"Events","Common_Enntvz-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common-external-link":"Community Hubs","Common-partner-community-link":"Microsoft Partner Community","Common-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common_Enntvz-microsoft-teams-link":"Microsoft Teams","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","Common-healthcare-and-life-sciences-link":"Healthcare and Life Sciences","planner":"Outlook","Common_Enntvz-exchange-link":"Exchange","healthcare-and-life-sciences":"Healthcare and Life Sciences","Common-external-link-10":"View All","Common-driving-adoption-link":"Driving Adoption","ms-learn-ext-pp":"Power Platform","Common_Enntvz-windows-server-link":"Windows Server","Common-io-t-link":"Internet of Things (IoT)","Skills-Hub":"Skills Hub","microsoft-teams":"Microsoft Teams","Common-outlook-link":"Outlook","Common_Enntvz-public-sector-link":"Public Sector","Common-windows-link":"Windows","all-blogs-link":"Blogs","communities":"Products","Common_Enntvz-usergroups-link":"User Groups","Common_Enntvz-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative (MGCI)","Skills-Hub-link":"Community","Common_Enntvz-io-t-link":"Internet of Things (IoT)","ms-learn-ext-m365":"Microsoft 365","Common_Enntvz-microsoft-mechanics-link":"Microsoft Mechanics","microsoft-learn-community":"Community","partner-community":"Microsoft Partner Community","Common-microsoft-mechanics-link":"Microsoft Mechanics","Common_Enntvz-healthcare-and-life-sciences-link":"Healthcare and Life Sciences","microsoft-mechanics":"Microsoft Mechanics","Common-microsoft-security-link":"Microsoft Security","Common-education-sector-link":"Education Sector","Skills-Hub-Blog":"Blog","i-t-ops-talk":"ITOps Talk","microsoft-securityand-compliance":"Microsoft Security","Common_Enntvz-microsoftintune-link":"Microsoft Intune","Common-azure-link":"Azure","Common-microsoftintune-link":"Microsoft Intune","Common_Enntvz-view-all-topics-link":"View All","Common-usergroups-link":"User Groups","Common-public-sector-link":"Public Sector","Common_Enntvz-microsoft-security-link":"Microsoft Security","Common_Enntvz-outlook-link":"Outlook","Common_Enntvz-mvp-link":"Microsoft MVP Program","exchange":"Exchange","topics-link":"Topics","io-t":"Internet of Things (IoT)","Common-microsoft365-copilot-link":"Microsoft 365 Copilot","Common-microsoft-teams-link":"Microsoft Teams","s-m-b":"Nonprofit Community","Common_Enntvz-community-info-center-link":"Lounge","Common_Enntvz-microsoft365-copilot-link":"Microsoft 365 Copilot","Common_Enntvz-microsoftfor-nonprofits-link":"Nonprofit Community","Common_Enntvz-microsoft365-link":"Microsoft 365","Common-content_management-link":"Content Management","ms-learn-ext-teams":"Teams","s-q-l-server":"Content Management","products-services":"Products","Common-community-news-desk-link":"Community News Desk","ms-learn-ext-LD":"Skilling Room Directory","Common-exchange-link":"Exchange","Common-gxcuf89792-link":"Tech Community","windows":"Windows","public-sector":"Public Sector","Common_Enntvz-driving-adoption-link":"Driving Adoption","Common-microsoftfor-nonprofits-link":"Nonprofit Community","ms-learn-ext-net":".NET","ms-learn-ext-dynamics":"Dynamics 365","a-i":"AI and Machine Learning","outlook":"Microsoft 365 Copilot"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1775111750899","value":{"hamburgerLabelOpen":"Open Side Menu","hamburgerLabelClose":"Close Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1775111750899","value": {"logoAlt":"Khoros","themeLogoAlt":"Brand Logo","linkAriaLabel":"Go to community home page"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1775111750899","value": {"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/search/SpotlightSearchIcon-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/search/SpotlightSearchIcon-1775111750899","value":{"search":"Search"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1775111750899","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1775111750899","value":{"place":"Go back to {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1775111750899","value": {"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":" {messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solution","messageStatus":"Status: ","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added: {status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1775111750899","value":{"leaveReply":"Leave a reply...","leaveReply@board:BLOG@message:root":"Leave a comment...","leaveReply@board:TKB@message:root":"Leave a comment...","leaveReply@board:IDEA@message:root":"Leave a https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 42 of 44 comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking me!"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1775111750899","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCoverImage-1775111750899","value": {"coverImageTitle":"Cover Image"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeTitle-1775111750899","value":{"nodeTitle":"{nodeTitle, select, community {Community} other {{nodeTitle}}} "},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTimeToRead-1775111750899","value":{"minReadText":"{min} MIN READ"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1775111750899","value": {"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1775111750899","value": {"authorName":"View Profile: {author}","anonymous":"Anonymous","ariaLabel.rank":"Rank: {rankName}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1775111750899","value":{"rankName":"{rankName}","userRank":"Author rank {rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1775111750899","value": {"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1775111750899","value": {"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1775111750899","value":{"CustomField.default.label":"Value of {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1775111750899","value": {"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}} {date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}. {minor}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1775111750899","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagList-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagList-1775111750899","value":{"showMoreFor":"Show more for {title}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1775111750899","value":{"repliesCount":" {count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message: components/messages/MessageAuthorBio-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1775111750899","value":{"sendMessage":"Send Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name} {type}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1775111750899","value": {"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1775111750899","value":{"altTitle":"Icon for {rankName} rank"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1775111750899","value": {"tagLabelName":"Tag name {tagName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1775111750899","value":{"noPrefix":"{date}","withPrefix":"Joined {date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111750899": {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1775111750899","value": https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 43 of 44 {"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1775111750899","value":{"description":" {description}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111750899":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1775111750899","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query": {"boardId":"microsoftsecurityexperts","messageSubject":"phish-click-breach-hunting-for-a-sophisticated-cyber-attack","messageId":"4267916"},"buildId":"VXuOn2D5MfObWEiRanLQ9","runtimeConfig": {"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","surveysEnabled":true,"openTelemetry": {"clientEnabled":false,"configName":"o365","serviceVersion":"26.1.0","universe":"prod","collector":"http://localhost:4318","logLevel":"error","routeCha ["components_community_Navbar_NavbarWidget","components_community_Breadcrumb_BreadcrumbWidget","components_customComponent_Custo [{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1751476272000/analytics.js? page.id=BlogMessagePage&entity.id=board%3Amicrosoftsecurityexperts&entity.id=message%3A4267916","strategy":"afterInteractive"}]} Source: https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916 Page 44 of 44