
Posts by Elliot

Video

Young red tailed hawk going for the kill… on a garden hose.

2 weeks ago 0 0 0 0

Our latest blog has our analysis of the attack, additional mitigation recommendations, and Microsoft Defender detection and hunting guidance.

2 weeks ago 3 1 0 0

Organizations affected by this attack are urged to roll back to safe versions (1.14.0 or 0.30.3 or earlier), rotate secrets and credentials that are exposed to compromised systems, and disable auto-updates.

2 weeks ago 3 1 1 0
Mitigating the Axios npm supply chain compromise | Microsoft Security Blog On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm packages for version updates (1.14.1 and 0.30.4) to download from command and contro...

Microsoft Threat Intelligence has attributed the Axios npm supply chain attack to North Korean state actor Sapphire Sleet. Malicious npm packages for updated versions of Axios (1.14.1 and 0.30.4) downloaded payloads from command and control attributed to Sapphire Sleet. msft.it/6018QLPF6

2 weeks ago 11 7 1 0
Elliot V. posted on LinkedIn Elliot V. posted a video on LinkedIn

Psst, streaming live from Microsoft Security’s hub at RSAC www.linkedin.com/posts/elliot...

3 weeks ago 0 0 0 0

Microsoft Security’s annual RSAC pre-day had landed.

4 weeks ago 1 0 0 0
Video

A few months back I had the opportunity to chat with Mona Ghadiri about what it takes to run modern SecOps programs, and we landed on what some would call a spicy take on the definition of resilience.

I tend to agree, but would love to know how others see it.

1 month ago 0 0 0 0
Developer-targeting campaign using malicious Next.js repositories | Microsoft Security Blog A developer-targeting campaign leveraged malicious Next.js repositories to trigger a covert RCE-to-C2 chain through standard build workflows. The activity demonstrates how staged command-and-control c...

New from Microsoft Threat Intelligence: Developer-targeting campaign using malicious Next.js repositories www.microsoft.com/en-us/securi...

1 month ago 0 0 0 0
Manipulating AI memory for profit: The rise of AI Recommendation Poisoning | Microsoft Security Blog That helpful “Summarize with AI” button? It might be secretly manipulating what your AI recommends.  Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used ...

Because most of these systems are designed to be confidently wrong unless you adjust the guardrails, it will be rather convincing and argue in bad faith. Read more and mitigation steps here www.microsoft.com/en-us/securi...

2 months ago 0 0 0 0

Part of the tactic involves dropping misleading or even malicious information into the thread, which sets a new rule in place to turn fiction into facts. Example: it could hide a rule that suggests vaccines cause autism and refuse to budge on that stance, confusing the user.

2 months ago 0 0 1 0

Yesterday we released a new report tied to what we are calling AI Recommendation Poisoning. It’s a novel tactic that is actively being abused to poison the memory of multiple AI platforms, contained within individual chat threads/instances.

2 months ago 0 0 1 0
Analysis of active exploitation of SolarWinds Web Help Desk | Microsoft Security Blog We are seeing exploitation of SolarWinds Web Help Desk via CVE‑2025‑40551 and CVE‑2025‑40536 that can lead to domain compromise; here is how to patch, hunt, and mitigate now.

Fresh IOCs and intel - Our team has identified an active campaign exploiting items associated with two CVEs tied to SolarWinds Web Help Desk (CVE‑2025‑40551 and CVE‑2025‑40536). www.microsoft.com/en-us/securi...

2 months ago 0 0 0 0
The Jekyll and Hyde code in openclaw


Just so you know, #openclaw contains a schedule-sensitive prompt injection hook called “soul-evil.ts”. During “purge time,” it may randomly replace the system prompt with the contents of a “SOUL_EVIL.md” file.

2 months ago 138 47 19 26
Turning threat reports into detection insights with AI | Microsoft Security Blog Security teams often spend days manually turning long incident reports and threat writeups into actionable detections by extracting TTPs. This blog post shows an AI-assisted workflow that does the sam...

And here is a solid piece for security engineers on using AI to turn threat reports into detections www.microsoft.com/en-us/securi...

2 months ago 0 0 0 0
Infostealers without borders: macOS, Python stealers, and platform abuse | Microsoft Security Blog How modern infostealers target macOS systems, leverage Python‑based stealers, and abuse trusted platforms and utilities to distribute credential‑stealing payloads.

Latest from our team on infostealers www.microsoft.com/en-us/securi...

2 months ago 0 0 1 0

Well, it is once again snowing in Charleston, a place it’s not really supposed to snow. Chicks don’t seem to mind.

2 months ago 0 0 0 0

Parent status:
Bluey 👍
Bebe Finn 👎🏻

2 months ago 0 0 0 0
Fact vs Hype: How Threat Actors Are Really Using AI Right Now In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researcher Crane Hassold and Digital Defense Report lead Chloe Mesdaghi for a grounded, practitioner-led discussion on where artificial intelligence actually stands today. Moving beyond hype and fear-driven narratives, the conversation examines how AI is realistically being used by threat actors, where its impact is often overstated, and why defenders currently stand to gain the most from AI-driven tooling. The episode explores AI’s strengths in detection, triage, and workflow acceleration, the psychology and incentives that shape attacker behavior, and emerging risks such as prompt injection and AI systems becoming direct attack targets.

This special “AI hot takes” episode of the Microsoft Threat Intelligence Podcast explores where AI truly stands today, how it’s shaping cyber operations, and what security practitioners and threat intelligence analysts need to know and consider: msft.it/63324QGWWy

2 months ago 6 3 1 0
A new era of agents, a new era of posture | Microsoft Security Blog AI agents are transforming how organizations operate, but their autonomy also expands the attack surface.

And unfortunately I take full responsibility for these terrible stock images until I can find something more suitable. www.microsoft.com/en-us/securi...

2 months ago 2 0 0 0
From runtime risk to real‑time defense: Securing AI agents | Microsoft Security Blog Why securing AI agents at runtime is essential as attackers find new ways to exploit generative orchestration.

In addition to active campaigns we are sharing guidance on how to secure everything from emerging technology like AI, agents, and impact from quantum www.microsoft.com/en-us/securi...

2 months ago 2 0 1 0
Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint | Microsoft Security Blog Microsoft Defender Researchers uncovered a multi‑stage AiTM phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector.

This week Microsoft Threat Intelligence launched a new hub for threat insights and research. Our goal is to ensure active campaigns get the necessary attention and mitigation steps out as broadly as possible.

www.microsoft.com/en-us/securi...

2 months ago 1 0 1 0
Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint | Microsoft Security Blog Microsoft Defender Researchers uncovered a multi‑stage AiTM phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector.

Just published from Microsoft Security - newly observed campaign and detections aka.ms/aitm-bec

2 months ago 2 0 0 0

Searching for breakfast

4 months ago 1 0 0 0
Video

Pretty sure this means the copilot mascot, Mico, is actually Clippy.

Just tap it a few times on the consumer version of the app and you’ll find him.

4 months ago 1 0 0 0

Beyond immediate containment, Microsoft IR supports recovery, future planning, and building long-term resilience. According to Adrian Hill, lead investigator for Microsoft IR, “The customer needs to be successful. The only way to do that is to ensure that everyone is successful.”

6 months ago 0 1 0 0

By leading with empathy and collaboration, Microsoft IR unites vendors and internal teams to stabilize crises and uncover hidden threats, ensuring unified action. This approach means that every engagement restores the customer and simultaneously strengthens the broader security ecosystem.

6 months ago 0 1 1 0
Video

The nature of incident response is its chaos, and the second chapter of our four-part Inside Microsoft Threat Intelligence miniseries displays how Microsoft’s IR team thrives amid disorder, stepping in when environments are compromised and confidence is shaken: msft.it/63322svfky

6 months ago 5 2 2 0
Video

"Microsoft Threat Intelligence is fully focused on disrupting threat actor activity."

The first of a four-part Inside Microsoft Threat Intelligence miniseries gives a behind-the-scenes look at how Microsoft's Digital Crimes Unit disrupted Storm-1152: msft.it/63327sWnGF

7 months ago 4 1 1 0
From Insight to Disruption | Security Insider How Microsoft disrupted Storm-1152’s 750 million fake accounts. See how threat intelligence becomes action, disruption, and protection.

Full episode here www.microsoft.com/en-us/securi...

7 months ago 0 0 0 0

Each episode will offer an inside look at Microsoft Security's threat intelligence capability that is designed to reduce risk, improve resilience, and empower security teams across the globe.

7 months ago 0 0 1 0