Elliot

A few months back I had the opportunity to chat with Mona Ghadiri about what it takes to run modern SecOps programs, and we landed on what some would call a spicy take on the definition of resilience.

I tend to agree, but would love to know how others see it.

Developer-targeting campaign using malicious Next.js repositories | Microsoft Security Blog A developer-targeting campaign leveraged malicious Next.js repositories to trigger a covert RCE-to-C2 chain through standard build workflows. The activity demonstrates how staged command-and-control c...

New from Microsoft Threat Intelligence: Developer-targeting campaign using malicious Next.js repositories www.microsoft.com/en-us/securi...

Manipulating AI memory for profit: The rise of AI Recommendation Poisoning | Microsoft Security Blog That helpful “Summarize with AI” button? It might be secretly manipulating what your AI recommends.  Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used ...

Because most of these systems are designed to be confidently wrong unless you adjust the guardrails, it will be rather convincing and argue in bad faith. Read more and mitigation steps here www.microsoft.com/en-us/securi...

Part of the tactic involves dropping misleading or even malicious information into the thread, which sets a new rule in place to turn fiction into facts. Example: it could hide a rule that suggests vaccines cause autism and refuse to budge on that stance, confusing the user.

Yesterday we released a new report tied to what we are calling AI Recommendation Poisoning. It’s a novel tactic that is actively being abused to poison the memory of multiple AI platforms, contained within individual chat threads/instances.

Analysis of active exploitation of SolarWinds Web Help Desk | Microsoft Security Blog We are seeing exploitation of SolarWinds Web Help Desk via CVE‑2025‑40551 and CVE‑2025‑40536 that can lead to domain compromise; here is how to patch, hunt, and mitigate now.

Fresh IOCs and intel - Our team has identified an active campaign exploiting items associated with two CVEs tied to SolarWinds Web Help Desk (CVE‑2025‑40551 and CVE‑2025‑40536). www.microsoft.com/en-us/securi...

The Jekyll and Hyde code in openclaw

Just so you know, #openclaw contains a schedule-sensitive prompt injection hook called “soul-evil.ts” During “purge time,” it may randomly replace the system prompt with the contents of a “SOUL_EVIL.md” file

Turning threat reports into detection insights with AI | Microsoft Security Blog Security teams often spend days manually turning long incident reports and threat writeups into actionable detections by extracting TTPs. This blog post shows an AI-assisted workflow that does the sam...

And here is a solid piece for security engineers on using AI to turn threat reports into detections www.microsoft.com/en-us/securi...

Infostealers without borders: macOS, Python stealers, and platform abuse | Microsoft Security Blog How modern infostealers target macOS systems, leverage Python‑based stealers, and abuse trusted platforms and utilities to distribute credential‑stealing payloads.

Latest from our team on infostealers www.microsoft.com/en-us/securi...

Well, it is once again snowing in Charleston, a place it’s not really supposed to snow. Chicks don’t seem to mind.

Parent status:
Bluey 👍
Bebe Finn 👎🏻

Fact vs Hype: How Threat Actors Are Really Using AI Right Now In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠⁠Sherrod DeGrippo⁠ is joined by security researcher Crane Hassold and Digital Defense Report lead Chloe Mesdaghi for a grounded, practitioner-led discussion on where artificial intelligence actually stands today. Moving beyond hype and fear-driven narratives, the conversation examines how AI is realistically being used by threat actors, where its impact is often overstated, and why defenders currently stand to gain the most from AI-driven tooling. The episode explores AI’s strengths in detection, triage, and workflow acceleration, the psychology and incentives that shape attacker behavior, and emerging risks such as prompt injection and AI systems becoming direct attack targets.

This special “AI hot takes” episode of the Microsoft Threat Intelligence Podcast explores where AI truly stands today, how it’s shaping cyber operations, and what security practitioners and threat intelligence analysts need to know and consider: msft.it/63324QGWWy

A new era of agents, a new era of posture  | Microsoft Security Blog AI agents are transforming how organizations operate, but their autonomy also expands the attack surface.

And unfortunately I take full responsibility for these terrible stock images until I can find something more suitable. www.microsoft.com/en-us/securi...

From runtime risk to real‑time defense: Securing AI agents  | Microsoft Security Blog Why securing AI agents at runtime is essential as attackers find new ways to exploit generative orchestration.

In addition to active campaigns we are sharing guidance on how to secure everything from emerging technology like AI, agents, and impact from quantum www.microsoft.com/en-us/securi...

Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint  | Microsoft Security Blog Microsoft Defender Researchers uncovered a multi‑stage AiTM phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector.

This week Microsoft Threat Intelligence launched a new hub for threat insights and to research. Our goal is to ensure active campaigns get the necessary attention and mitigation steps out as broadly as possible.

www.microsoft.com/en-us/securi...

Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint  | Microsoft Security Blog Microsoft Defender Researchers uncovered a multi‑stage AiTM phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector.

Just published from Microsoft Security - newly observed campaign and detections aka.ms/aitm-bec

Searching for breakfast

Pretty sure this means the copilot mascot, Mico, is actually Clippy.

Just tap it a few times on the consumer version of the app and you’ll find him.

Beyond immediate containment, Microsoft IR supports recovery, future planning, and building long-term resilience. According to Adrian Hill, lead investigator for Microsoft IR, “The customer needs to be successful. The only way to do that is to ensure that everyone is successful.”

By leading with empathy and collaboration, Microsoft IR unites vendors and internal teams to stabilize crises and uncover hidden threats, ensuring unified action. This approach means that every engagement restores the customer and simultaneously strengthens the broader security ecosystem.

The nature of incident response is its chaos, and the second chapter of our four-part Inside Microsoft Threat Intelligence miniseries displays how Microsoft’s IR team thrives amid disorder, stepping in when environments are compromised and confidence is shaken: msft.it/63322svfky

"Microsoft Threat Intelligence is fully focused on disrupting threat actor activity."

The first of a four-part Inside Microsoft Threat Intelligence miniseries gives behind-the-scenes look at how Microsoft's Digital Crimes Unit disrupted Storm-1152: msft.it/63327sWnGF

Full episode here www.microsoft.com/en-us/securi...

Each episode will offer an inside look at Microsoft Security's threat intelligence capability that is designed to reduce risk, improve resilience, and empower security teams across the globe.

This week we are releasing episode one of Inside Microsoft Threat Intelligence, a new series highlighting the power of our 10,000-strong security team.

The world of cybercrime is becoming commercialized, mercenaries for hire if you will, but Microsoft Threat Intelligence and our Digital Crimes Unit use intel to disrupt their actions.

The Rise of AI-Powered Interview Cheating From astroturfing Reddit to evading anti-cheating tools, InterviewHammer exposes a darker side of AI in hiring

Spidey senses ever go off during a remote interview with a candidate that they may be getting some AI assistance? Unfortunately there are new tools that make this even easier www.adoptingzerotrust.com/p/the-rise-o...

Yesterday at Black Hat we had an awesome lineup of experts ranging from Tom Gallagher, Travis Schack, Kendra Cooley, and Sherrod DeGrippo.

Going for round two, and having MSRC’s podcast takeover, Blain Hailemariam running KC7, and I’ll be moderating a few chats in between.

Kicked off our series of podcasts and interviews here at Black Hat. Come on by booth 2246.

Customers should apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance in the blog. The latest updates include additional TTPs of the new activity, additional IOCs, and expanded mitigation, protection, and hunting guidance.