Content by Microsoft Defender Security Research Team (29)

The Microsoft Defender Security Research Team reports on “Dirty Frag,” an actively exploited Linux local privilege escalation technique targeting kernel networking components, and shares practical interim mitigations plus Microsoft Defender detection coverage to help teams reduce post-compromise risk.

Microsoft Defender Security Research Team breaks down updated ClickFix-style macOS social engineering that tricks users into running Terminal commands, leading to multi-stage infostealers. The post covers three campaign variants, what they steal, how they persist, and how to detect and mitigate the activity with Microsoft Defender and hunting queries.

The Microsoft Defender Security Research Team breaks down CVE-2026-31431 (“Copy Fail”), a high-severity Linux kernel local privilege escalation that can lead to root access and container escape in cloud and Kubernetes environments, and provides mitigation steps plus Microsoft Defender XDR detection and hunting guidance.

Microsoft Defender Security Research Team explains how Microsoft Sentinel UEBA enriches AWS CloudTrail logs with simple true/false behavioral signals and built-in anomalies, helping detection engineers write simpler KQL, reduce false positives, and triage suspicious AWS activity faster.

The Microsoft Defender Security Research Team breaks down a cross-tenant Microsoft Teams helpdesk-impersonation intrusion chain, from Quick Assist remote access through WinRM lateral movement to Rclone-based data exfiltration, with concrete mitigations and Defender XDR hunting queries.

The Microsoft Defender Security Research Team walks through a real-world Active Directory domain compromise and shows how Microsoft Defender XDR’s predictive shielding (automatic attack disruption) used exposure-based containment to slow credential abuse and limit lateral movement until the attacker lost momentum.

The Microsoft Defender Security Research Team analyzes a severe Android intent-redirection flaw in the EngageSDK that could let a malicious app abuse another app’s identity to reach protected components and data, and explains what developers should update and review to avoid similar SDK-driven risks.

The Microsoft Defender Security Research Team breaks down an AI-enabled device code phishing campaign abusing the OAuth device code flow to steal tokens at scale, then using Microsoft Graph for reconnaissance and inbox rules for persistence. It includes a phase-by-phase attack chain plus concrete mitigations across Entra ID, Defender, and Sentinel.

The Microsoft Defender Security Research Team breaks down a stealthy PHP webshell technique where HTTP cookies act as the control channel, enabling dormant execution and cron-based persistence in Linux hosting environments, and maps practical hunting and mitigation guidance to Microsoft Defender capabilities.

The Microsoft Defender Security Research Team breaks down a WhatsApp-delivered VBScript campaign that renames legitimate Windows tools, pulls next-stage payloads from cloud storage, tampers with UAC for persistence, and finishes by deploying unsigned MSI installers; the post includes mitigations, Defender detections, and hunting queries.

The Microsoft Defender Security Research Team explains how Microsoft Defender uses high-value asset (HVA) context and Microsoft Security Exposure Management to improve detection and prevention, illustrated with real-world scenarios like domain controller credential theft and Exchange/IIS webshell remediation.

The Microsoft Defender Security Research Team breaks down the Trivy supply-chain compromise affecting GitHub Actions and official binaries, explains how credentials were harvested from CI/CD runners, and provides concrete Microsoft Defender detections plus hardening steps (like pinning actions to commit SHAs) to reduce repeat incidents.

The Microsoft Defender Security Research Team walks through a real human-operated ransomware case where attackers abused Group Policy Objects (GPOs) to disable defenses and distribute payloads, and shows how Defender predictive shielding (GPO hardening + attack disruption) proactively blocked the GPO-based encryption path across ~700 devices.

The Microsoft Defender Security Research Team analyzes how malicious AI-themed browser extensions harvest LLM chat histories and enterprise data, highlighting significant security risks.

Microsoft Defender Security Research Team explores how attackers are abusing stolen EV certificates and trusted workplace app branding to deliver RMM backdoors via phishing. The article details infection chains, hunting, mitigations, and provides practical security guidance.

Authored by the Microsoft Defender Security Research Team, this article explores how OAuth redirection mechanisms are exploited to deliver phishing and malware, offering technical insight and actionable defense strategies.

The Microsoft Defender Security Research Team examines the unique security risks of self-hosted agents like OpenClaw, detailing how identity, isolation, and runtime controls are critical for safe deployment.

Microsoft Defender Security Research Team provides a detailed overview of the top 10 security risks in Copilot Studio agent deployments, offering practical detection and mitigation strategies for secure use of AI-powered business workflows.

Microsoft Defender Security Research Team explores how AI systems, including Microsoft 365 Copilot, are vulnerable to AI memory poisoning attacks—where malicious prompts manipulate AI recommendations. The article details attack vectors, detection methods, and defenses against this growing threat.

Microsoft Defender Security Research Team presents a technical walkthrough of a multi-stage attack exploiting SolarWinds Web Help Desk, with actionable defensive guidance and hunting tips.

The Microsoft Defender Security Research Team dissects the CrashFix variant of ClickFix, revealing how it combines malicious browser extensions, PowerShell obfuscation, and a portable Python-based RAT to compromise and persist on high-value Windows systems.

The Microsoft Defender Security Research Team analyzes how modern infostealer malware campaigns, including those targeting macOS and Python-based attacks, are evolving. This piece provides actionable security insights and is essential reading for security professionals.

The Microsoft Defender Security Research Team details the LangGrinch (CVE-2025-68664) vulnerability affecting AI supply chains, with actionable guidance for enterprise security using Microsoft Defender tools.

The Microsoft Defender Security Research Team explains how security analysts can use AI to extract and validate TTPs from threat reports. Authored by the Defender Research Team, this workflow streamlines detection analysis while keeping experts in the loop.

The Microsoft Defender Security Research Team shares in-depth guidance on securing Microsoft Copilot Studio AI agents at runtime, demonstrating how Defender’s real-time protection thwarts malicious prompt injections and data exfiltration attempts.

Microsoft Defender Security Research Team investigates a sophisticated AiTM phishing and BEC attack campaign leveraging SharePoint, providing in-depth insights, detection analytics, and actionable defense strategies for security practitioners.

The Microsoft Defender Security Research Team examines security challenges arising from autonomous AI agents and demonstrates how Microsoft Defender helps secure these systems. Key strategies and posture management capabilities for multi-cloud environments are highlighted.

Microsoft Defender Security Research Team delivers expert analysis of the React2Shell vulnerability (CVE-2025-55182) in React Server Components, providing mitigation strategies and Defender integration guidance for securing enterprise systems.

Microsoft Defender Security Research Team presents an in-depth analysis of the Shai-Hulud 2.0 attack, offering actionable detection, investigation, and defense guidance for developers and security professionals in cloud-native environments.