Microsoft Malware Protection Center

Expert coverage of cybersecurity topics

URL: https://www.microsoft.com/en-us/security/blog/

Updated: 34 min 24 sec ago

Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

Wed, 04/09/2025 - 1:00pm

Exchange Server and SharePoint Server are business-critical assets and considered crown jewels for many organizations, making them attractive targets for attacks. To help customers protect their environments and respond to these attacks, Exchange Server and SharePoint Server now integrate with the Windows Antimalware Scan Interface (AMSI), a versatile standard that enables applications and services to work seamlessly with any AMSI-compatible antimalware product. The integration of AMSI with SharePoint and Exchange Server provides an essential layer of protection by preventing harmful web requests from reaching backend endpoints.

Threat actors have consistently relied on outdated or misconfigured assets, exploiting vulnerabilities that enable them to gain a persistent foothold inside the target. For instance, in the case of Exchange Server, ProxyShell and ProxyNotShell vulnerabilities were widely exploited in attacks long after they were fixed by security updates in 2021 and 2022, respectively. In these attacks, threat actors abused a combination of server-side request forgery (SSRF) and privilege escalation flaws, allowing remote code execution. Successful compromise enabled threat actors to drop web shells, conduct lateral movement, and exfiltrate sensitive data, often evading detection for extended periods. More recently, attackers have shifted to NTLM relay and credential leakage techniques. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Attackers exploit NTLM authentication by relaying credentials to a vulnerable server, potentially resulting in target account compromise. Microsoft has released mitigation guidance against NTLM relay attacks.

SharePoint Server has also been a consistent target for attackers exploiting critical vulnerabilities to gain persistent and privileged access inside the target. In recent attacks, stealthy persistence tactics, such as replacing or appending web shell code into existing files like signout.aspx, installing remote monitoring and management (RMM) tools for broader access, and other malicious activities were observed.

While cloud-based software offers some inherent security advantages in software updates and high availability, some organizations’ requirements mean they need to run on-premises Exchange and SharePoint implementations. As cyber threats continue to grow in sophistication, it has never been more important to ensure that the on-premises infrastructure remains secure. This AMSI integration on SharePoint Server and Exchange Server becomes especially important when attackers attempt to exploit security vulnerabilities, particularly zero-days. With AMSI integrated, these malicious attempts are detected and blocked in real-time, offering a critical defense mechanism while organizations work on installing official patches and updates. AMSI detections are surfaced on the Microsoft Defender portal, enabling SecOps teams to investigate, correlate with other malicious activity in the environment, and remediate.

In this blog post, we discuss different types of attacks targeting Exchange and SharePoint, and demonstrate how AMSI is helping organizations protect against these attacks. We also share mitigation and protection guidance, as well as detection details and hunting queries.

AMSI integration

In both SharePoint Server and Exchange Server, AMSI is integrated as a security filter module within the IIS pipeline to inspect incoming HTTP requests before they are processed by the application. The filter is triggered at the onBeginRequest stage through the SPRequesterFilteringModule for SharePoint Server and HttpRequestFilteringModule for Exchange Server, allowing it to analyze incoming requests before they reach authentication and authorization phases. This integration ensures that potential threats are identified before they interact with internal processing, mitigating the risk of exploitation. On detecting a malicious request, the application returns a HTTP 400 Bad Request response.

Figure 1. Overview of AMSI Integration in SharePoint and Exchange Server Figure 2. AMSI protecting against mailbox exfiltration using public tool MailSniper Extending AMSI with request body scan

When AMSI was first integrated, it provided an important layer of defense by scanning incoming request headers. This was crucial for identifying malicious activity, particularly SSRF attempts. However, many modern attacks are now embedded within request bodies, rather than just in the headers. This meant that header-only scans were no longer enough to catch the full range of sophisticated threats.

To address this emerging risk, we added newer improvements in both products. The Exchange Server November release extended capabilities to include scanning of request bodies, ensuring broader protection. A similar improvement is added to SharePoint Server currently in public preview. These enhanced security controls are not enabled by default, making it crucial for organizations to assess for stronger protection.

Microsoft recommends evaluating and enabling these extended options for better protection and visibility. These enhancements are especially important for detecting and mitigating remote code execution vulnerabilities and particularly post-authentication vulnerabilities where SSRF may not be needed. The introduction of request body scanning is a critical step in our commitment to protect these crown jewels against more sophisticated, evasive threats. With the ability to inspect the full content of incoming requests, AMSI now detects a wider range of malicious activities.

Attacks targeting Exchange and SharePoint servers SSRF exploitation

Server-side request forgery (SSRF) can allow attackers to make unauthorized requests on behalf of the server, potentially accessing internal services, metadata endpoints, or even escalating privileges. Attackers can exploit SSRF to bypass authentication mechanisms by leveraging internal API calls. Additionally, by chaining SSRF with additional flaws, attackers could gain unauthorized access to the backend and perform arbitrary remote code execution within the environment.

One example is CVE-2023-29357, a critical authentication bypass vulnerability in SharePoint Server. This flaw allowed attackers to bypass authentication and gain elevated privileges by exploiting improper validation of security tokens. In attacks, this was combined with another vulnerability, CVE-2023-24955, to achieve unauthenticated remote code execution on vulnerable SharePoint servers.

Figure 3. AMSI logs for CVE-2023-29357 with spoofed X-PROOF_TOKEN and Authorization headers

Another example is CVE-2022-41040, an AutoDiscover SSRF vulnerability in Exchange Server. By targeting AutoDiscover, attackers exploited the trust relationships within Exchange to impersonate users and trigger backend functionality that normally requires authentication, laying the groundwork for remote code execution.

Figure 4. AMSI logs for CVE-2022-41040 with malformed Autodiscover Request

AMSI acted as first layer of defense against these incidents, protecting customers against thousands of SSRF attempts observed on a daily basis, thereby breaking the exploitation chain.

Suspicious access indicative of web shell interaction

In many intrusions, attackers drop web shells into public-facing directories. In one such Exchange server compromise, AMSI logged a suspicious .aspx file interaction. This was highlighted by Microsoft Defender for Endpoint simply because there is no .aspx file by that name in the said folder path:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\.

Attackers often rename web shells to legitimate filenames seen in different folder to avoid suspicion. In this case, the filename getidtoken is a default shipped file but with .htm extension.

Figure 5. suspicious POST request logged in AMSI hinting at web shell interaction

Similar stealthy activities have also been observed for SharePoint. In one case, the attackers modified the legitimate signout.aspx file by appending web shell code. This allowed attackers to create a stealthy backdoor and maintain persistence without raising suspicion.

Figure 6. Modified signout.aspx with web shell code appended at the end

AMSI acts as a real-time inspection and defense layer similar to a web application firewall (WAF) and plays a critical role in detecting and responding to active compromises. AMSI inspects incoming requests, captures malicious web shell interactions, and logs them for analysis. This level of visibility enables Microsoft Defender for Endpoint to pinpoint the exact location of malicious files on disk, such as within Exchange’s Outlook Web Application (OWA), where attackers commonly stage web shells. By correlating AMSI network logs with suspicious activity, Microsoft Defender for Endpoint can locate and remove previously undetected files, effectively cleaning the infected server and mitigating further damage. Importantly, this capability provides durable protection, allowing defenders to monitor and react to threats even in post-compromise scenarios.

Figure 7. Legitimate signout.aspx with hijacked ’username’ parameter supplied with command Suspicious mailbox access through Exchange Web Services (EWS) abuse

Exchange Web Services (EWS) is a core component of Microsoft Exchange that allows programmatic access to mailboxes through SOAP-based APIs. While this is critical for legitimate operations such as Outlook integration, mobile sync, and third-party app, the service is also widely abused by threat actors. Notably, in incidents like CVE-2023-23397, EWS was used post-compromise to search mailboxes for sensitive content and exfiltrate emails over HTTPS, blending in with legitimate traffic.

Attackers leverage EWS’s deep access to perform mailbox searches, download entire inboxes, and set up hidden forwarding rules, often using stolen credentials or after gaining a foothold via another Exchange vulnerability. Attackers commonly abuse EWS APIs — GetFolder, FindItem, and GetItem — to stealthily search and exfiltrate sensitive emails from compromised mailboxes. GetFolder API maps the mailbox structure, which can be used to identify key folders like Inbox and Sent Items. FindItem API allows searching for emails containing specific keywords or supplied datetime filter to retrieve relevant results. Finally, GetItem API is used to view full email contents and attachments.

This API-driven abuse technique blends in with legitimate EWS traffic, making detection challenging without deep content inspection. AMSI addresses this with request body scanning, which enables real-time detection of suspicious search patterns, abnormal access, and targeted email theft. Below is a sequence of suspicious SOAP calls logged by AMSI when attackers attempt to exfiltrate emails.

Figure 8. AMSI logs showing suspicious sequence of SOAP operations seen during remote mailbox access Insecure deserialization leading to RCE

The PowerShell application pool is a privileged component that handles remote PowerShell sessions in Exchange, typically invoked by Exchange Control Panel (ECP) or Exchange Management Shell (EMS). It runs under SYSTEM or high-privileged service accounts, making it a prime target for misuse. After gaining access to backend PowerShell endpoints, attackers can pass crafted cmdlets and arguments that trigger operations such as arbitrary file writes and command execution. This method has been observed in major incidents like ProxyShell and ProxyNotShell, where attackers execute system-level commands via crafted PowerShell requests.

A common pattern seen in these attacks is the use of legitimate management cmdlets like Get-Mailbox, New-MailboxExportRequest, or Set- commands, but with crafted arguments or malicious serialization payloads that trigger code execution in the backend. AMSI now has complete visibility into all the backend PowerShell commands along with the passed arguments to inspect the request buffer for any suspicious API calls such as Process.Start, various file write APIs and Assembly.load.

Figure 9. AMSI logs showing the malicious argument to Get-Mailbox cmdlet. Web control abuse

Exploitation of vulnerabilities like CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023 exemplify attacks that abuse Site owner privileges to execute arbitrary code on the SharePoint server. The exploitation leverages the Business Data Connectivity (BDC) feature and malicious use of the BDCMetadata.bdcm file. This XML-based file defines connections to external data sources but could be abused to reference dangerous .NET classes and methods. Once the malicious .bdcm file is uploaded and registered in SharePoint’s BDC service (using site owner permissions), the attacker can trigger execution by creating an External List or web part that interacts with the BDC model. SharePoint processes this model and reflectively loads and executes the specified method, leading to RCE as the SharePoint service account, which typically has high privileges. With body scan enabled, the complete payload is available for inspection and surfaces LobSystem type as DotNetAssembly hinting at code execution. AMSI’s deep integration enables visibility into the malicious Base64 buffer, which Microsoft Defender for Endpoint leverages to detect and block code execution attempts.

Figure 10. AMSI logs showing upload of malicious .bdcm file with the package content Mitigation and protection guidance

As these attacks show, SharePoint and Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive techniques. Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take:

Activate AMSI on Exchange Server and SharePoint Server. AMSI is a versatile standard that allows applications and services to integrate with any AMSI-capable anti-malware product present on a device. Starting with SharePoint Server Subscription Edition Version 25H1, AMSI extends its scanning capabilities to include the bodies of HTTP requests. The Exchange AMSI body scanning feature was introduced with the Exchange Server November 2024 Security Update (SU). Microsoft recommends updating Exchange Server and SharePoint Server to these versions or later to take advantage of the new improved body scanning feature. This request body scan feature is critical for detecting and mitigating threats that may be embedded in request payloads, providing a more comprehensive security solution. Check prerequisites and learn how to configure AMSI in the following resources:
- AMSI integration with Exchange Server
- Configure AMSI integration with SharePoint Server
Apply the latest security updates. Identify and remediate vulnerabilities or misconfigurations in Exchange and SharePoint Server. Deploy the latest security updates as soon as they become available. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.
Keep antivirus and other protections enabled. It’s critical to protect SharePoint and Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services. If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.
Review sensitive roles and groups. Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange/SharePoint -specific anomalies, review the list of users in sensitive roles.
Restrict access. Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and Enable MFA. Use tools like LAPS.
Prioritize alerts. The distinctive patterns of SharePoint and Exchange server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Public facing application pools are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and powershell.exe originating from these pools or w3wp.exe in general.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats on SharePoint Server as the following malware:

Exploit:Script/SPLobSystemRCE.A
Exploit:Script/SPLobSystemRCE.B
Exploit:Script/SPAuthBypass.A

Microsoft Defender Antivirus detects threats on Exchange Server as the following malware:

Exploit:Script/SuspMailboxSearchEWS.A
Exploit:Script/SuspExchgSession.D
Exploit:Script/ExchgProxyRequest

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might indicate activity related to this threats discussed in this blog. Note, however, that these alerts can be also triggered by unrelated threat activity.

Possible web shell installation
Possible IIS web shell
Suspicious processes indicative of a web shell
Possible IIS compromise
Suspicious Exchange Process Execution
Possible exploitation of Exchange Server vulnerabilities

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used by the threats discussed in this blog:

CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2022-41040, CVE-2022-41082, CVE-2019-0604, CVE-2024-21413, CVE-2023-23397, CVE-2023-36563, CVE-2023-29357, CVE-2023-24955, CVE-2024-38094, CVE-2024-38024, CVE-2024-38023

Microsoft Security Exposure Management

Microsoft Security Exposure Management (MSEM) provides enhanced visibility for important assets by offering customers predefined classification logics for high-value assets. This includes both managed (Microsoft Defender for Endpoint-onboarded) and unmanaged Exchange servers.

Customers can review the device inventory and the critical classification library to identify Exchange servers and consider applying the new security settings on them.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Processes run by the IIS worker process

Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance.

DeviceProcessEvents | where InitiatingProcessFileName == 'w3wp.exe' | where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "SharePoint" | where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe") | project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Chopper web shell command line

Chopper is one of the most widespread web shells targeting SharePoint and Exchange servers. Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents | where InitiatingProcessFileName =~ "w3wp.exe" and FileName == "cmd.exe" | where ProcessCommandLine has "&cd&echo"

Suspicious files in SharePoint or Exchange directories

DeviceFileEvents | where Timestamp >= ago(7d) | where InitiatingProcessFileName == "w3wp.exe" | where FolderPath has "\\FrontEnd\\HttpProxy\\" or FolderPath has "\\TEMPLATE\\LAYOUTS\\ " or FolderPath has "\\aspnet_client\\" | where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "Sharepoint" | project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI appeared first on Microsoft Security Blog.

Categories: Microsoft

How cyberattackers exploit domain controllers using ransomware

Wed, 04/09/2025 - 12:00pm

In recent years, human-operated cyberattacks have undergone a dramatic transformation. These attacks, once characterized by sporadic and opportunistic attacks, have evolved into highly sophisticated, targeted campaigns aimed at causing maximum damage to organizations, with the average cost of a ransomware attack reaching $9.36 million in 2024.1 A key catalyst to this evolution is the rise of ransomware as a primary tool for financial extortion—an approach that hinges on crippling an organization’s operations by encrypting critical data and demanding a ransom for its release. Microsoft Defender for Endpoint disrupts ransomware attacks in an average of three minutes, only kicking in when more than 99.99% confident in the presence of a cyberattack.

Disrupt ransomware with Microsoft Defender for Endpoint The evolution of ransomware attacks

What is ransomware?

Learn more

Modern ransomware campaigns are meticulously planned. Cyberattackers understand that their chances of securing a ransom increase significantly if they can inflict widespread damage across a victim’s environment. The rationale is simple: paying the ransom becomes the most viable option when the alternative—restoring the environment and recovering data—is technically unfeasible, time-consuming, and costly.

This level of damage happens in minutes and even seconds, where bad actors embed themselves within an organization’s environment, laying the groundwork for a coordinated cyberattack that can encrypt dozens, hundreds, or even thousands of devices within minutes. To execute such a campaign, threat actors must overcome several challenges such as evading protection, mapping the network, maintaining their code execution ability, and preserving persistency in the environment, building their way to securing two major prerequisites necessary to execute ransomware on multiple devices simultaneously:

High-privilege accounts: Whether cyberattackers choose to drop files and encrypt the devices locally or perform remote operations over the network, they must obtain the ability to authenticate to a device. In an on-premises environment, cyberattackers usually target domain admin accounts or other high-privilege accounts, as those can authenticate to the most critical resources in the environment.
Access to central network assets: To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints. Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.

The role of domain controllers in ransomware campaigns

Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD). They play a pivotal role in enabling cyberattackers to achieve their goals by fulfilling two critical requirements:

1. Compromising highly privileged accounts

Domain controllers house the AD database, which contains sensitive information about all user accounts, including highly privileged accounts like domain admins. By compromising a domain controller, threat actors can:

Extract password hashes: Dumping the NTDS.dit file allows cyberattackers to obtain password hashes for every user account.
Create and elevate privileged accounts: Cyberattackers can generate new accounts or manipulate existing ones, assigning them elevated permissions, ensuring continued control over the environment.

With these capabilities, cyberattackers can authenticate as highly privileged users, facilitating lateral movement across the network. This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack.

2. Exploiting centralized network access

Domain controllers handle crucial tasks like authenticating users and devices, managing user accounts and policies, and keeping the AD database consistent across the network. Because of these important roles, many devices need to interact with domain controllers regularly to ensure security, efficient resource management, and operational continuity. That’s why domain controllers need to be central in the network and accessible to many endpoints, making them a prime target for cyberattackers looking to cause maximum damage with ransomware attacks.

Given these factors, it’s no surprise that domain controllers are frequently at the center of ransomware operations. Cyberattackers consistently target them to gain privileged access, move laterally, and rapidly deploy ransomware across an environment. We’ve seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader device—the system responsible for distributing ransomware at scale—is a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption.

Case study: Ransomware attack using a compromised domain controller

In one notable case, a small-medium manufacturer fell victim to a well-known, highly skilled threat actor, commonly identified as Storm-0300, attempting to execute a widespread ransomware attack:

Pre domain-compromise activity

After gaining initial access, presumably through leveraging the customer’s VPN infrastructure, and prior to obtaining domain admin privileges, the cyberattackers initiated a series of actions focused on mapping potential assets and escalating privileges. A wide, remote execution of secrets dump is detected on Microsoft Defender for Endpoint-onboarded devices and User 1 (domain user) is contained by attack disruption.

Post domain-compromise activity

Once securing domain admin (User 2) credentials, potentially through leveraging the victim’s non-onboarded estate, the attacker immediately attempts to connect to the victim’s domain controller (DC1) using Remote Desktop Protocol (RDP) from the cyberattacker’s controlled device. When gaining access to DC1, the cyberattacker leverages the device to perform the following set of actions:

Reconnaissance—The cyberattacker leverages the domain controller’s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.
Defense evasion—Leveraging the domain controller’s native group policy functionality, the cyberattacker attempts to tamper with the victim’s antivirus by modifying security-related group policy settings.
Persistence—The cyberattacker leverages the direct access to Active Directory, creating new domain users (User 3 and User 4) and adding them to the domain admin group, thus establishing a set of highly privileged users that would later on be used to execute the ransomware attack.

Encryption over the network

Once the cyberattacker takes control over a set of highly privileged users, this provides them access to any domain-joined resource, including comprehensive network access and visibility. It will also allow them to set up tools for the encryption phase of the cyberattack.

Assuming they’re able to validate a domain controller’s effectiveness, they begin by running the payload locally on the domain controller. Attack disruption detects the threat actor’s attempt to run the payload and contains User 2, User 3, and the cyberattacker-controlled device used to RDP to the domain controller.

After successfully containing Users 2 and 3, the cyberattacker proceeded to log in to the domain controller using User 4, who had not yet been utilized. After logging into the device, the cyberattacker attempted to encrypt numerous devices over the network from the domain controller, leveraging the access provided by User 4.

Attack disruption detects the initiation of encryption over the network and automatically granularly contains device DC1 and User 4, blocking the attempted remote encryption on all Microsoft Defender for Endpoint-onboarded and targeted devices.

Help secure endpoints with Microsoft Defender for Endpoint Protecting your domain controllers

Given the central role of domain controllers in ransomware attacks, protecting them is critical to preventing large-scale damage. However, securing domain controllers is particularly challenging due to their fundamental role in network operations. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment. This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality.

To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint’s capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device. The ability of the domain controller to distinguish between malicious and benign behavior helps keep essential authentication and directory services up and running. This approach provides rapid, automated cyberattack containment without sacrificing business continuity, allowing organizations to stay resilient against sophisticated human-operated cyberthreats.

Now your organization’s domain controllers can leverage automatic attack disruption as an extra line of defense against malicious actors trying to overtake high value assets and exert costly ransomware attacks.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities:

Learn more about Microsoft Defender for Endpoint.
Read about the new containment features.
Learn how attack disruption safeguards your domain controllers in this video.
Check out our latest infographic.
Read about automatic attack disruption.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Average cost per data breach in the United States 2006-2024, Ani Petrosyan. October 10, 2024.

The post How cyberattackers exploit domain controllers using ransomware appeared first on Microsoft Security Blog.

Categories: Microsoft

Exploitation of CLFS zero-day leads to ransomware activity

Tue, 04/08/2025 - 2:00pm

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824, on April 8, 2025.

In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware. Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment. Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.

This blog details Microsoft’s analysis of the observed CLFS exploit and related activity targeting our customers. This information is shared with our customers and industry partners to improve detection of these attacks and encourage rapid patching or other mitigations, as appropriate. A more comprehensive recommendations section, with indicators of compromise and detection details can be found at the end of the blog post.

CVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)

The exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel driver. Successful exploitation allows an attacker running as a standard user account to escalate privileges. The vulnerability is tracked as CVE-2025-29824 and was fixed on April 8, 2025.

Pre-exploitation activity

While Microsoft hasn’t determined the initial access vectors that led to the devices being compromised, there are some notable pre-exploitation behaviors by Storm-2460. In multiple cases, the threat actor used the certutil utility to download a file from a legitimate third-party website that was previously compromised to host the threat actor’s malware.

The downloaded file was a malicious MSBuild file, a technique described here, that carried an encrypted malware payload. Once the payload was decrypted and executed via the EnumCalendarInfoA API callback, the malware was found to be PipeMagic, which Kaspersky documented in October 2024. Researchers at ESET have also observed the use of PipeMagic in 2023 in connection with the deployment of a zero-day exploit for a Win32k vulnerability assigned CVE-2025-24983. A domain used by the PipeMagic sample was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled by Microsoft.

CLFS exploit activity

Following PipeMagic deployment, the attackers launched the CLFS exploit in memory from a dllhost.exe process.

The exploit targets a vulnerability in the CLFS kernel driver. It’s notable that the exploit first uses the NtQuerySystemInformation API to leak kernel addresses to user mode. However, beginning in Windows 11, version 24H2, access to certain System Information Classes within NtQuerySystemInformation became available only to users with SeDebugPrivilege, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows 11, version 24H2, even if the vulnerability was present.

The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.

As part of the exploitation, a CLFS BLF file with the following path is created by the exploit’s dllhost.exe process: C:\ProgramData\SkyPDF\PDUDrv.blf.

Post-exploitation activity leads to ransomware activity

Upon successful exploitation, a payload is injected into winlogon.exe. This payload then injected the Sysinternals procdump.exe tool into another dllhost.exe and ran it with the following command line:

C:\Windows\system32\dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\[random letters].

Having done this, the actor was able to dump the memory of LSASS and parse it to obtain user credentials.

Then, Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a ransom note with the name !_READ_ME_REXX2_!.txt was dropped. Microsoft is tracking activity associated with this ransomware as Storm-2460.

Although we weren’t able to obtain a sample of ransomware for analysis, we’re including some notable events surrounding the activity to better help defenders:

Two .onion domains have been seen in the !_READ_ME_REXX2_!.txt ransom notes
- jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion which has been tied to the RansomEXX ransomware family
- uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion
The ransomware is launched from dllhost.exe with the command line:

--do [path_to_ransom] (for example, C:\Windows\system32\dllhost.exe --do C:\foobar)

The file extension on the encrypted files is random per device, but the same for every file
Some typical ransomware commands that make recovery or analysis harder are executed, including:
- bcdedit /set {default} recoveryenabled no
- wbadmin delete catalog -quiet
- wevtutil cl Application
In one observed case the actor spawned notepad.exe as SYSTEM

Mitigation and protection guidance

Microsoft released security updates to address CVE 2025-29824 on April 8, 2025. Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even if the vulnerability was present. Microsoft urges customers to apply these updates as soon as possible.

Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:

Refer to our blog Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself for robust measures to defend against ransomware.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. Ransomware attackers often identify unmanaged or legacy systems and use these blind spots to stage attacks.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
Use advanced protection against ransomware

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats associated with this activity as the following malware:

SilverBasket (Win64/Windows)
MSBuildInlineTaskLoader.C (Script/Windows)

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

A process was injected with potentially malicious code
Potential Windows DLL process injection
Suspicious access to LSASS service
Sensitive credential memory read
Suspicious process injection observed
File backups were deleted
Ransomware behavior detected in the file system

Microsoft Security Copilot

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries Microsoft Sentinel

Search for devices having CVE-2025-29814 exposure

DeviceTvmSoftwareVulnerabilities | where CveId in ("CVE-2025-29814") | project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion, CveId,VulnerabilitySeverityLevel | join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId | project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion, CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Detect CLFS BLF file creation after exploitation of CVE 2025-29824

DeviceFileEvents | where FolderPath has "C:\\ProgramData\\SkyPDF\\" and FileName endswith ".blf"

LSSASS process dumping activity

SecurityEvent | where EventID == 4688 | where CommandLine has("dllhost.exe -accepteula -r -ma lsass.exe") | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer

Ransomware process activity

let cmdlines = dynamic(["C:\\Windows\\system32\\dllhost.exe --do","bcdedit /set {default} recoveryenabled no","wbadmin delete catalog -quiet","wevtutil cl Application"]); DeviceProcessEvents | where ProcessCommandLine has_any (cmdlines) | project TimeGenerated, DeviceName, ProcessCommandLine, AccountDomain, AccountName

PipeMagic and RansomEXX fansomware domains

let domains = dynamic(["aaaaabbbbbbb.eastus.cloudapp.azure.com","jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion","uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion"]); DeviceNetworkEvents | where RemoteUrl has_any (domains) | project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl Indicators of compromise IndicatorTypeDescriptionC:\ProgramData\SkyPDF\PDUDrv.blfPathDropped during CLFS exploitC:\Windows\system32\dllhost.exe –doCommand lineInjected dllhostbcdedit /set {default} recoveryenabled noCommand lineRansomware commandwbadmin delete catalog -quietCommand lineRansomware commandwevtutil cl ApplicationCommand lineRansomware commandaaaaabbbbbbb.eastus.cloudapp.azure[.]comDomainUsed by PipeMagic References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Exploitation of CLFS zero-day leads to ransomware activity appeared first on Microsoft Security Blog.

Categories: Microsoft

Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity

Tue, 04/08/2025 - 12:00pm

Microsoft launched its Cybersecurity Governance Council in 2024, and with it, named a group of deputy chief information security officers that ensure comprehensive oversight of the company’s cybersecurity risk, defense, and compliance. These leaders work in tandem with product and engineering leaders across the company to create accountability and advance cybersecurity protection for Microsoft, our customers, and the industry.

In this series, we will introduce these leaders and share more about their background, their role, and their priorities.

Q: Tell us about your current role and responsibilities.

Igor Sakhnov: “As Microsoft’s Corporate Vice President of Engineering for Identity, I lead data and platform engineering along with business-facing initiatives. Since April 2024, I’ve also served as Deputy Chief Information Security Officer (CISO) focusing on identity-related security risks.”

Mark Russinovich: “In my role, I work with a large team to identify and resolve the security risks that come up and evolve under the Microsoft Azure umbrella, the core operating system itself, and the groups that make up the core engineering systems that the entire company depends on. In all these cases, we want the risk mitigations to be durable so once they’re done, the system stays secure and doesn’t have to be revisited every year.”

Yonatan Zunger: “My job is to try and think about all the different ways in which things involving AI can go wrong, make sure that we have good, thoughtful plans for each of those things, and develop the right tools so we can design and run the right incident response for AI issues.”

Q: How did you get your start in cybersecurity?

Igor Sakhnov: “It didn’t really start in cybersecurity. My journey began with a deep interest in understanding how systems work and how they interact and perform at scale. Inevitably, the hard question of security surfaces and the interesting aspects of detection and prevention become top of mind.”

Mark Russinovich: “I’ve always been interested in the way computers and operating systems work. In junior high I started working with computers and figuring out the internals, then went to college and graduate school in it. There was a natural intersection with cybersecurity and operating systems design since both involve understanding complex systems, and I started doing more with cybersecurity.”

Yonatan Zunger: “I started my career as a theoretical physicist. I joined Google, spent years building search and infrastructure, and in 2011 I became the Chief Technology Officer of social. This was a few months before the launch of Google Plus, and I discovered that the hard parts of the job had nothing to do with technology. Instead, all the hard parts were security and privacy, and those were interesting problems to me. It quickly became clear that using these technologies in the right or wrong way can have a huge impact on people’s lives. That stuck with me, and it caused me to genuinely fall in love with the field.”

Q: What does your team do, and how do you work with others across the company?

Igor Sakhnov: “My team is responsible for the work and innovation in the Identity space, building a large-scale enterprise identity system. Over the past year, the point about larger systems being identity-driven has really come to fruition, with the new efforts that leverage identity in the network flows.”

Mark Russinovich: “My team focuses on technical strategy, architecture, and security risk management for the Azure platform, engineering systems, and core operating systems. We work closely with teams across Microsoft to implement durable security measures. I collaborate with emerging technology teams to understand customer requirements and guide Azure’s development while ensuring security remains a priority in all decisions and implementations.”

Yonatan Zunger: “We’re a very horizontal team and our work has six core pillars: AI research, infrastructure, empowerment, evaluation and review, incident response, and policy and engagement. Within those pillars are a lot of people working on a lot of things, from doing safety and teaching it to people, to thoroughly testing and vetting every piece of generative AI software that goes out the door at Microsoft, to bringing AI expertise into incident responses, to engaging with all sorts of stakeholders across the world, and talking and sharing with them but also listening and learning.”

Learn more about Microsoft Incident Response Q: How do you balance the need for security with the need for innovation in your team?

Igor Sakhnov: “Balancing is important and hard. We strive to integrate security into the development process from the outset, shifting left and avoiding interruptions. No matter how innovative the product is, it will not get adapted if it is not secure or not reliable.”

Mark Russinovich: “I don’t think it’s an either or, but it is a balance. The second something may turn into a widget or service that people will depend on, you need security, but if you create such a hardened system that no one can use it, you’ve wasted time. We have a commitment to our customers that security is always in the driver’s seat, but innovation is holding the road map, and we’re delivering on that.”

Yonatan Zunger: “Engineering is the art of building systems to solve problems. If you’re building a system that isn’t safe and secure, you aren’t solving the customer’s problem, you’re building a system that will give them more problems.”

Q: What are some of the biggest cybersecurity misconceptions that you encounter?

Igor Sakhnov: “The desire to make the perfect solution. This is why ‘assume breach’ is the mindset I cultivated with my team. Yes, we must focus on the protection at all costs, and we should expect that any protection will be circumvented. How we detect, reduce the impact, and mitigate in the shortest time is top of mind.”

Mark Russinovich: “The assumption that unless you can prove to me something is not secure, it’s secure. You of course must invest in prevention, but Microsoft has said for close to a decade now that you have to assume any system can and will be breached, so you have to minimize the impact and increase how you detect and mitigate those breaches.”

Yonatan Zunger: “The idea that security, privacy, and safety are three distinct things. They’re not. If you’ve ever seen a security team, say, ‘That sounds like a privacy problem,’ and a privacy team say, ‘That sounds like a security problem,’ and nobody fixes it, you know where this story ends. Artificial boundaries like these are a factory of nasty incidents.”

Assume breach and verify each request with the Zero Trust model Q: What’s one piece of advice you would give to your younger self?

Igor Sakhnov: “Shift focus from the local improvements and invest heavily into the influence to shift larger organization for all to move in the needed direction. Microsoft’s Secure Future Initiative is a notable example where a central push supersedes all the local innovation we have done over the years.”

Mark Russinovich: “I don’t look back and think about things that I’ve done wrong, but for those that are just starting out in a career or in life, I’d say this: When you find an area that you’re passionate about, learn that area and the areas around it, and learn one level deeper than you think necessary to be effective. My father gave me that advice and it’s what inspired me to pursue computers.”

Yonatan Zunger: “If you ever find yourself in a relationship where you can’t fully be yourself…leave.”

Microsoft Secure

To see these innovations in action, join us on April 9, 2025 for Microsoft Secure, a digital event focused on security in the age of AI.

Across identity, cloud ecosystems, and privacy, these leaders have independently arrived at similar conclusions: security enables rather than restricts, perfect protection is impossible, but resilience is achievable, and everyone—from engineers to customers—plays a role in defense.

Microsoft’s security transformation isn’t just about technology. It’s about people like Igor Sakhnov, Mark Russinovich, and Yonatan Zunger who demonstrate the diverse leadership needed to strengthen Microsoft’s security posture for our customers and the industry.

Watch for more profiles in this series as we highlight additional deputy chief information security officers, including leaders overseeing cloud infrastructure, customer security, threat intelligence, and more.

RSAC 2025

Learn more about AI-first, end-to-end security at The Microsoft at RSAC Experience. From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI.

The post Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity appeared first on Microsoft Security Blog.

Categories: Microsoft

Tech Accelerator: Azure security and AI adoption

Mon, 04/07/2025 - 12:00pm

Are you looking for guidance on how to effectively integrate security best practices within your Azure and AI projects? We know the pace of technological innovation offers as many opportunities as it does challenges. However, security cannot be an afterthought as you create Azure deployments and accelerate AI solutions.

That’s why we’re inviting you to attend Tech Accelerator: Azure Security and AI Adoption on April 22. Designed for developers and cloud architects, this one-day virtual event will equip you with the essential guidance and resources you need to securely plan, build, manage, and optimize your Azure deployments and AI projects.

Why should you attend?

During this event, you will learn how to leverage Microsoft security guidance, products, and tooling throughout your cloud journey – from the time you consider Azure to the point that you’re regularly managing and optimizing workloads. Discover how Microsoft protects its platform, how to identify security risks in your Azure environments, protect your infrastructure from security threats, design secure AI environments, and build and protect your AI applications.

What can you expect?

During this event, you’ll have the opportunity to:

Learn from the experts: Get in-depth technical guidance from Microsoft experts to secure your Azure deployments and AI applications.
Engage with the community: Connect with fellow developers, cloud architects, and IT professionals.

Event details

Dates: April 22, 2025
Duration: 8:00-11:30 AM Pacific Time
Format: One keynote + six 25-minute sessions with technical guidance and demos

April 22, 2025: Session Time Security: An essential part of your Azure and AI journey (keynote) 8:00 AM PT Secure by design: Azure datacenter and hardware security 8:30 AM PT Azure platform security: Embedded features and use cases 9:00 AM PT Enhancing security for cloud migration 9:30 AM PT How to secure your AI environment 10:00 AM PT How to design and build secure AI projects 10:30 AM PT Safeguard AI applications with Microsoft Defender for Cloud 11:00 AM PT

All sessions will be streamed live on the Microsoft Tech Community platform with live Q&A during the event with the speakers and subject experts. Q&A will close at 12:00 PM PT on Friday, April 25, 2025. Sessions will be available on demand immediately, so you can watch at your convenience.

Registration is not required. On each session page, you can find an Add to calendar link. Click the Attend button on the page to receive reminders. Please post questions early and often; we’re here to help!

Please save the date and join us: https://aka.ms/AzureEssentialsEvent

The post Tech Accelerator: Azure security and AI adoption appeared first on Microsoft Security Blog.

Categories: Microsoft

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Thu, 04/03/2025 - 12:00pm

As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Every year, threat actors use various social engineering techniques during tax season to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training.

In this blog, we share details on the different campaigns observed by Microsoft in the past several months leveraging the tax season for social engineering. This also includes additional recommendations to help users and organizations defend against tax-centric threats. Microsoft Defender for Office 365 blocks and identifies the malicious emails and attachments used in the observed campaigns. Microsoft Defender for Endpoint also detects and blocks a variety of threats and malicious activities related but not limited to the tax threat landscape. Additionally, the United States Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages or social media to request personal or financial information.

BruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails

On February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails used in the campaign:

Example email subjects:

Notice: IRS Has Flagged Issues with Your Tax Filing
Unusual Activity Detected in Your IRS Filing
Important Action Required: IRS Audit

Example PDF attachment names:

lrs_Verification_Form_1773.pdf
lrs_Verification_Form_2182.pdf
lrs_Verification_Form_222.pdf

The emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign. When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor:

If access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.
If access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to evade detection by security systems.

Figure 1. Sample phishing email that claims to be from the IRS Figure 2. PDF attachment masquerading as a DocuSign document

Latrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2) configurations, anti-analysis features such as minimum process count and network adapter check, C2 check-in behavior that splits POST data between the Cookie header and POST data. Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the command prompt.

BRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it has also been exploited by threat actors for post-exploitation activities and C2 operations.

Phishing email with QR code in a PDF links to RaccoonO365 infrastructure

Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United States in the engineering, IT, and consulting sectors. The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a hyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com. The URL included the recipient email as a query string parameter, so the PDF attachments were all unique. RaccoonO365 is a PhaaS platform that provides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used to collect the targeted user’s credentials.

The emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the emails appear as if they came from an official source. The following display names were observed in these campaigns:

EMPLOYEE TAX REFUND REPORT
Project Funding Request Budget Allocation
Insurance Payment Schedule Invoice Processing
Client Contract Negotiation Service Agreement
Adjustment Review Employee Compensation
Tax Strategy Update Campaign Goals
Team Bonus Distribution Performance Review
proposal request
HR|Employee Handbooks

Figure 3. Screenshot of the opened PDF with the QR code AHKBot delivered in IRS-themed phishing emails

On February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States. The email’s subject was IRS Refund Eligibility Notification and the sender was jessicalee@eboxsystems[.]com.

The email contained a hyperlink that directed users to download a malicious Excel file. The link (hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm) abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com, which was likely compromised to host the malicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros, a malicious MSI file was downloaded and run.

The MSI file contained two files. The first file, AutoNotify.exe, is a legitimate copy of the executable used to run AutoHotKey script files. The second file, AutoNotify.ahk, is an AHKBot Looper script which is a simple infinite loop that receives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter module, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59 to receive commands and upload screenshots.

Figure 4. Screenshot of the email showing the link to download a malicious Excel file Figure 5. Macro code to install the malicious MSI file from hxxps://acusense[.]ae/umbrella/ GuLoader and Remcos delivered in tax-themed phishing emails

On March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United States, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of less than 100 emails, began with a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA. If the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click rates on the malicious payloads due to the established rapport between attacker and recipient.

The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox. The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file. The .bat file in turn downloaded the GuLoader executable, which then installed Remcos.

Figure 6. Sample phishing email shows the original benign request for tax filing services, followed by another email containing a malicious PDF attachment if the target replies. Figure 7. The PDF attachment contains a prominent blue “Download” button that links to download of the malicious payload. The button is overlaid over a blurred background mimicking a “W-2” tax form, which further contributes to the illusion of the attachment being a legitimate tax file.

GuLoader is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques, such as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.

Remcos is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing, and process manipulation while employing stealth techniques to evade detection.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
Pilot and deploy phishing-resistant authentication methods for users.
Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.
Educate users about using the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.
Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Possible Latrodectus activity
Brute Ratel toolkit related behavior
A file or network connection related to ransomware-linked actor Storm-0249 detected
Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts, however, can be triggered by unrelated threat activity.

A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
Email reported by user as malware or phish

Defender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.

Microsoft Security Copilot

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries Microsoft Sentinel

Furthermore, listed below are some sample queries utilizing Sentinel ASIM Functions for threat hunting across both Microsoft first-party and third-party data sources.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 7d; let ioc_ip_addr = dynamic(["181.49.105.59 "]); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now()) | where DstIpAddr in (ioc_ip_addr) | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes=dynamic(["fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422","bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a","9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc", "3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960","165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5","a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7", "a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727","0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a","4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec","9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e"]); imFileEvent | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes) | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0]) | extend AlgorithmType = "SHA256"

Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 7d; let ioc_domains = dynamic(["slgndocline.onlxtg.com ", "cronoze.com ", "muuxxu.com ", "proliforetka.com ", "porelinofigoventa.com ", "shareddocumentso365cloudauthstorage.com", "newsbloger1.duckdns.org"]); _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains) | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

In addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this blog.

Indicators of compromise

BruteRatel C4 and Lactrodectus infection chain

IndicatorTypeDescription9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1eSHA-256lrs_Verification_Form_1730.pdf0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36aSHA-256Irs_verif_form_2025_214859.js4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222becSHA-256bars.msia1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727SHA-256BRc4, filename: nvidiamast.dllhxxp://rebrand[.]ly/243eaaDomain nameURL shortener to load fake DocuSign pageslgndocline.onlxtg[.]comDomain nameDomain used to host fake DocuSign pagecronoze[.]comDomain nameBRc4 C2muuxxu[.]comDomain nameBRc4 C2proliforetka[.]comDomain nameLatrodectus C2porelinofigoventa[.]comDomain nameLatrodectus C2hxxp://slgndocline.onlxtg[.]com/87300038978/URLFake DocuSign URLhxxps://rosenbaum[.]live/bars.phpURLJavaScript downloading MSI

RaccoonO365

IndicatorTypeDescriptionshareddocumentso365cloudauthstorage[.]comDomain nameRaccoonO365 domain

AHKBot

IndicatorTypeDescriptiona31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7SHA-256Tax_Refund_Eligibility_Document.xlsm165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5SHA-256umbrella.msi3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960SHA-256AutoNotify.ahk9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fcSHA-256AHKBot Screenshotter modulehxxps://business.google[.]com/website_shared/launch_bw.html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsmURLURL redirecting to URL hosting malicious Excel filehxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsmURLURL hosting malicious Excel filehxxps://acusense[.]ae/umbrella/URLURL in macro that hosted the malicious MSI file181.49.105[.]59IP addressAHKBot C2

Remcos

IndicatorTypeDescriptionbb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6aSHA-2562024 Tax Document_Copy (1).pdffe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422SHA-2562024 Tax Document.ziphxxps://www.dropbox[.]com/scl/fi/ox2fv884k4mhzv05lf4g1/2024-Tax-Document.zip?rlkey=fjtynsx5c5ow59l4zc1nsslfi&st=gvfamzw3&dl=1URLURL in PDFnewsbloger1.duckdns[.]orgDomain nameRemcos C2 References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Threat actors leverage tax season to deploy tax-themed phishing campaigns appeared first on Microsoft Security Blog.

Categories: Microsoft

Transforming public sector security operations in the AI era

Tue, 04/01/2025 - 12:00pm

The cyberthreat landscape is evolving at an unprecedented pace, becoming increasingly dangerous and complex. Nation-state threat actors and cybercriminals are employing advanced tactics and generative AI to execute highly sophisticated attacks. This situation is further compounded by outdated technology and systems, shortage of cybersecurity talent, and antiquated processes, which are inefficient in handling the scale, complexity, and ever-evolving nature of these cyberattacks. With 62% of all cyberattacks targeting public sector organizations, it is crucial for these sectors to leverage state-of-the-art technology, powered by generative AI, to transform their cyber defense and stay ahead of these evolving threats.1

Microsoft’s Unified Security Operations for Public Sector

Discover how Microsoft helps public sectors modernize security operations to enhance cyber defense and streamline processes.

Read the datasheet Microsoft’s unified security operations for public sector

Embracing modern security technology, processes, and continuous skill development is vital for protecting public sector organizations. By leveraging innovations powered by generative AI, unparalleled threat intelligence, and best practices, public sectors can transform their security operations to effectively defend against emerging cyberthreats.

AI-powered security operations: Microsoft delivers innovations to effectively protect against today’s complex threat landscape. The AI-powered unified security operations platform offers an enhanced and streamlined approach to security operations by integrating security information and event management (SIEM), security orchestration, automation, and response (SOAR), extended detection and response (XDR), posture and exposure management, cloud security, threat intelligence, and AI into a single, cohesive experience, eliminating silos and providing end-to-end security operations (SecOps). The unified platform boosts analyst efficiency, reduces context switching, and delivers quicker time to value with less integration work.

Microsoft is committed to helping public sector customers accelerate threat detection and response through improved security posture across organizations with richer insights, multi-tenant management, early warnings, and increased efficiency through automation and generative AI. Through automatic attack disruption, Microsoft Defender XDR utilizes robust threat intelligence, advanced AI and machine learning to detect and contain sophisticated cyberattacks in real time, significantly reducing their impact. This high-fidelity detection and protection capability disrupts more than 40,000 incidents each month, like identity threats and human-operated cyberattacks, while maintaining a false positive rate below 1%.

“Speed is an important factor against adversaries, and gaining situational awareness across a complex landscape of threats is therefore key.”

—Customer in the healthcare industry

People and process modernization: Public-private partnerships play a vital role in fostering the exchange of best practices and developing standardized processes that drive efficiency in incident response and threat intelligence sharing. For example, adapting the threat triage process to leverage generative AI agents can enable teams to scale significantly with agents autonomously analyzing and triaging vast volumes of alerts in real time, prioritize critical cyberthreats, and recommend specific remediation steps based on historical patterns. These collaborations also empower organizations to build teams equipped with cutting-edge skills and a comprehensive understanding of generative AI capabilities, helping them stay ahead of emerging cyberthreats.

Collective cyber defense and threat intelligence: Using Microsoft’s global threat intelligence insights, public sector organizations can collaborate with each other and across other sectors to share deeper cyberthreat insights efficiently. This partnership enables public sector organizations to exchange threat intelligence in a standardized manner within a region or country.

“Collective defense collaborations are driven by mutual interests with industry peers and cybersecurity alliances on improving security postures and responding more effectively to emerging threats.”

—Customer in the transport industry

The power of generative AI in cyber operations

Generative AI brings several transformative benefits to cybersecurity, making it a cornerstone for public sector security operations center (SOC) modernization.

Enhanced threat detection and response: Generative AI has the potential to sift through data from firewalls, endpoints, and cloud workloads, surfacing actionable cyberthreats that might go unnoticed in manual reviews. Unlike traditional rule-based detection methods, generative AI can identify attack patterns, adapt to emerging cyberthreats, and prioritize incidents based on risk severity, helping security teams focus on the most critical issues. Generative AI can go beyond simply surfacing cyberthreats; it can contextualize attack signals, predict potential breaches, and recommend guided responses for remediation strategies, reducing the burden on security analysts. Microsoft Security Copilot is already covering a range of use cases and is expanding rapidly to seize the full potential of generative AI. By providing guided incident investigation and response, Security Copilot helps security operations center (SOC) teams to detect and respond to cyberthreats more effectively. It can help teams to learn about malicious actors and campaigns, provide rapid summaries, and even contact the user to check for suspicious behavior. Adoption is associated with 30% reduction in security incident mean time to resolution (MTTR).2

Reduced operational overheads: By automating routine tasks, generative AI can free analysts from repetitive processes like alert triage or patch validation, enabling them to focus on advanced threat hunting. Security teams can already leverage Security Copilot to translate complex scripts into natural language, highlighting and explaining key parts to enhance team skills and reduce investigation time for advanced investigations as much as by 85%, helping security teams operate at scale.3

“Increased support from AI is critical given the significant capacity challenge in the public sector: a shortage of talent, an influx of threats, and an ever-increasing volume of data, assets, and organizations.”

—National SOC customer

Building a resilient digital future together

As nation-state threat actors and cybercriminals increasingly employ generative AI in their cyberattacks, public sector organizations can no longer rely on fragmented, manual defenses. The path forward lies in public-private collaboration, centered on co-designing and innovating solutions tailored to the public sector’s unique needs.

By adopting Microsoft Security solutions, public sector organizations can leverage combined resources, expertise, and cutting-edge technology to fortify critical infrastructure, safeguard citizen data, and strengthen public trust.

Now is the time to act: Modernize your cyber defense in the AI era to collectively forge a more secure and resilient digital future for government and public sector operations.

Learn more

Learn more about the AI-Powered Security Operations Platform for more details on the unified Security Operations platform.

Learn more about Microsoft Sentinel.

1Microsoft Digital Defense Report 2024

2Generative AI and Security Operations Center Productivity: Evidence from Live Operations, Microsoft study. James Bono, Alec Xu, Justin Grana. November 24, 2024.

3Forrester Total Economic Impact™ of Microsoft Sentinel. The Total Economic Impact(TM) Of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting, March 2024. Results are based on a composite organization representative of interviewed customers.

The post Transforming public sector security operations in the AI era appeared first on Microsoft Security Blog.

Categories: Microsoft

Analyzing open-source bootloaders: Finding vulnerabilities faster with AI

Mon, 03/31/2025 - 12:00pm

By leveraging Microsoft Security Copilot to expedite the vulnerability discovery process, Microsoft Threat Intelligence uncovered several vulnerabilities in multiple open-source bootloaders, impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot as well as IoT devices. The vulnerabilities found in the GRUB2 bootloader (commonly used as a Linux bootloader) and U-boot and Barebox bootloaders (commonly used for embedded systems), could allow threat actors to gain and execute arbitrary code.

Using Security Copilot, we were able to identify potential security issues in bootloader functionalities, focusing on filesystems due to their high vulnerability potential. This approach saved our team approximately a week’s worth of time that would have otherwise been spent manually reviewing the content. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings. This efficient process allowed us to confirm several additional vulnerabilities and extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2. We’re sharing this research as an example of the increased efficiency, streamlined workflows, and improved capabilities that AI solutions like Security Copilot can deliver for defenders, security researchers, and SOC analysts. As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI’s advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors’ attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker. The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities. Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement.

We disclosed these vulnerabilities with the GRUB2, U-boot, and Barebox maintainers and worked with the GRUB2 maintainers to contribute fixes for the discovered vulnerabilities. To address the issues, the GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025. We thank the GRUB2, U-boot, and Barebox maintainers as well as the open-source community for their quick response and collaborative efforts in addressing these issues, and we advise users to ensure their instances are up to date. We would also like to thank the RedHat support team for their assistance in disclosing these issues to manufacturers. The respective vulnerabilities are summarized in the following table:

BootloaderVulnerabilityGRUB2CVE-2024-56737GRUB2CVE-2024-56738GRUB2CVE-2025-0677GRUB2CVE-2025-0678GRUB2CVE-2025-0684GRUB2CVE-2025-0685GRUB2CVE-2025-0686GRUB2CVE-2025-0689GRUB2CVE-2025-0690GRUB2CVE-2025-1118GRUB2CVE-2025-1125U-bootCVE-2025-26726U-bootCVE-2025-26727U-bootCVE-2025-26728U-bootCVE-2025-26729BareboxCVE-2025-26721BareboxCVE-2025-26722BareboxCVE-2025-26723BareboxCVE-2025-26724BareboxCVE-2025-26725

In this blog, we detail how Secure Boot and GRUB2 function, explain how the GRUB2 vulnerabilities could have been exploited, and provide information on the vulnerabilities found in other open-source bootloaders to highlight the risks associated with unknowingly sharing vulnerable code among different open-source projects. As the boot process involves multiple components spanning different manufacturers and vendors, updates and fixes to the Secure Boot process can be particularly complex and run the risk of rendering a device unusable. As such, we are also sharing these findings with the security community to emphasize the importance of responsible disclosure and collaboration in the effort to enhance protection technologies and security across different devices and platforms.

Secure Boot and GRUB2

Before 2006, Intel-based computers booted into startup firmware code commonly known as the BIOS (Basic Input/Output System), which was responsible for hardware initialization and setup of common services to later be used by a bootloader. Ultimately, the BIOS would transfer control to a bootloader coded in real mode, which would commonly load an operating system (OS).

With time, attackers realized there is no root-of-trust verification of bootloaders by the firmware, thus began the era of bootkits, which are bootloader-based rootkits. To standardize the boot process, a unified firmware schema to replace BIOS was introduced in 2006, which is currently known as the Unified Extensible Firmware Interface (UEFI).

UEFI also helped combat bootkits, as it offers services that validate bootloaders and its own extensible modules by means of digital signatures. That protocol is known as Secure Boot and is essential to establishing a root of trust for the boot process, in which the firmware verifies UEFI drivers and OS modules with a platform key or a Key Exchange Key, and bootloaders verify the loaded operating system.

Trust is then achieved with the help of equipment manufacturers, which can sign code trusted by Secure Boot, by means of Certificate Authorities (CA). Essentially, manufacturers sign code with their private key, and their public key is signed with a root CA, commonly Microsoft’s UEFI CA. This is also essential to supporting non-Windows bootloaders such as GRUB2 (which commonly boots Linux) and allowing third party operating systems to benefit from Secure Boot. Since GRUB2 is fully open-sourced, vendors install a small program called a shim, which is signed by Microsoft’s UEFI CA and is responsible for validating the integrity of GRUB2. The shim can further consult a mechanism called Secure Boot Advanced Targeting (SBAT) for further revocation and management options as SBAT is used by the shim to provide a way to track and revoke individual software components based on metadata rather than cryptographic signatures alone.

Figure 1. GRUB2 loading schema The dangers of a GRUB2

Since bootloaders run before operating systems run, they mostly have UEFI-provided services as APIs to rely on. Therefore, bootloaders do not benefit from modern operating system security features, such as:

No-Execute (NX): Known in Windows as Data Execution Prevention (DEP), and enforces memory page execute protections. Before the introduction of NX, attackers could override return addresses (which are maintained in-memory) and jump to arbitrary code (commonly a shellcode) that could be placed using the provided input.
Address Space Layout Randomization (ASLR): This feature randomizes the base address of modules, which makes return address overrides and function pointer overrides highly unreliable since attackers do not know where usable code might be found.
Safe dynamic allocators: Dynamic allocations are a favorite target for attackers, and modern operating systems harden their heap allocators with various techniques, including Safe Unlinking, type-safety, Pointer Authentication, and others.
Stack cookies / Canaries: These are randomly generated values pushed between the return address and local variables on the stack, with the intent of detecting changes in their values before using the return address (commonly in a RET instruction).

Additionally, GRUB2 offers complex logic to implement various features, including:

Image file parsers (PNG, TGA, and JPEG)
Font parsing and support (PF2 file format)
Network support (HTTP, FTP, DNS, ICMP, etc.)
Various filesystem supportability (FAT, NTFS, EXT, JFS, HFS, ReiserFS, etc.)
Bash-like command-line utility
Extensible dynamic module loading capabilities

Furthermore, GRUB2 is coded in C, which is considered a memory-unsafe language, and as mentioned, does not benefit from any modern security mitigation. Considering the implication of defeating Secure Boot and strategically assessing the project (such as with Google’s Rule of 2), it is evident why GRUB2 may be of interest to vulnerability researchers.

Several memory corruption vulnerabilities have been uncovered in the past and are evident of the risks that we have mentioned. Noteworthy examples include:

VulnerabilitySubsystem(s)DescriptionCVE-2020-10713Configuration fileThe vulnerability was published under the name “Boot Hole”, consisted of a buffer overflow in the parsing of the GRUB2 configuration file (grub.cfg).CVE-2021-3695
CVE-2021-3696
CVE-2021-3697Image parsingSeveral buffer overflow vulnerabilities were discovered when parsing images.CVE-2022-28733
CVE-2022-28734NetworkVarious buffer overflow vulnerabilities when parsing IP or HTTP packets.CVE-2022-28735ShimIt was discovered that non-kernel files could be loaded and execute arbitrary code.CVE-2023-4692NTFS (filesystem)A heap out-of-bounds was discovered in the NTFS filesystem implementation for GRUB2. Findings

Through a combination of static code analysis tools (such as CodeQL), fuzzing the GRUB2 emulator (grub-emu) with AFL++, manual code analysis, and using Microsoft Security Copilot, we have uncovered several vulnerabilities.

Using Security Copilot, we initially explored which functionalities in a bootloader have the most potential for vulnerabilities, with Copilot identifying network, filesystems, and cryptographic signatures as key areas of interest. Given our ongoing analysis of network vulnerabilities and the fact that cryptography is largely handled by UEFI, we decided to focus on filesystems.

Using the JFFS2 filesystem code as an example, we prompted Copilot to find all potential security issues, including exploitability analysis. Copilot identified multiple security issues, which we refined further by requesting Copilot to identify and provide the five most pressing of these issues. In our manual review of the five identified issues, we found three were false positives, one was not exploitable, and the remaining issue, which warranted our attention and further investigation, was an integer overflow vulnerability.

Figure 2. Security Copilot spotting an integer overflow vulnerability and suggesting a fix

We used Security Copilot to successfully identify similar patterns in other GRUB2 files. Assuming the possibility of false negatives, we performed thorough validation and review of GRUB2 to avoid overlooking any issues, allowing us to confirm several additional vulnerabilities were present relating to the integer overflow.

Through this research, we have disclosed the following vulnerabilities:

ModuleVulnerabilityCVEUFS (filesystem)Buffer overflow in symbolic link handling due to an integer overflow in allocation.CVE-2025-0677Squash4 (filesystem)Buffer overflow in file reads due to an integer overflow in allocation.CVE-2025-0678ReiserFS (filesystem)Buffer overflow in symbolic link handling due to an integer overflow in allocation.CVE-2025-0684JFS (filesystem)Buffer overflow in symbolic link handling due to an integer overflow in allocation.CVE-2025-0685RomFS (filesystem)Buffer overflow in symbolic link handling due to an integer overflow in allocation.CVE-2025-0686UDF (filesystem)Buffer overflow in block reads of UDF due to an out-of-bounds operation.CVE-2025-0689HFS (filesystem)Buffer overflow in filesystem mounting due to wild strcpy function on a non-NUL-terminated string.CVE-2024-56737HFS (filesystem) compressionBuffer overflow in file opens due to an integer overflow in allocation.CVE-2025-1125Crypto (cryptography)Cryptographic side-channel attack due to non-constant time memory comparison.CVE-2024-56738Read (commands)The read command is intended to read a line from the keyboard and assign its text to a variable and is susceptible to a signed integer overflow and an out-of-bounds write.CVE-2025-0690Dump (commands)While the memory reading commands (such as read_byte) are disabled in production, the dump command was left enabled and can be used to read arbitrary memory addresses.CVE-2025-1118

Most of those vulnerabilities are simple memory corruption vulnerabilities. As an example, let us examine the JFS symbolic link resolution function:

Figure 3. Vulnerable symbolic link resolution code in JFS

The vulnerability is an overflow of the size variable:

The size variable is declared as grub_size_t, which is ultimately defined as a 64-bit unsigned integer (uint64_t).
The function grub_le_to_cpu64 converts a Little-Endian 64-bit value to the CPU’s native Endianess. Since x86-64 is already Little-Endian, it does nothing (on Big-Endian systems it reverses the byte-order of the 64-bit input value).
Note the input data and its inode are fully attacker-controlled, since they supply the filesystem image. Therefore, size can get an arbitrary value, including the very large value 0xFFFFFFFFFFFFFFFF (which is the maximum value an unsigned 64-bit integer can get).
The linknest checks are irrelevant for the vulnerability, but they assure the number of nested symbolic links to not exceed a limit (defined as 8).
The size+1 calculation is an integer overflow—if size is 0xFFFFFFFFFFFFFFFF then size+1 is now 0. Note grub_malloc happily allocates a 0-byte chunk and returns it to the variable symlink.
At this point, symlink is being written to by the function grub_jfs_read_file. The contents are arbitrarily set by the attacker, and while this function will never be able to read 0xFFFFFFFFFFFFFFFF bytes, an attacker would still be able to override important data beyond the limit of the symlink variable with an arbitrary payload.

It seems GRUB2 maintainers were aware of other types of integer overflow issues in the past and therefore introduced functions such as grub_add and grub_mul to handle addition and multiplication overflows safely. However, it seems there are quite a few places where those functions have not been considered.

Figure 4. Proper symbolic link resolution in EXT2 filesystem—note how grub_add is used to check for overflows

The other vulnerabilities we’ve reported had similar out-of-bounds or integer overflow issues. In addition, we have reported a cryptographic side-channel attack issue, in which the function grub_crypto_memcmp does not perform its memory comparison in constant-time. The vulnerability is quite similar to one we disclosed on Netgear routers in the past.

Variant analysis and extensions to other bootloaders

After the discovery of the GRUB2 filesystem vulnerabilities and validating their exploitability, we concluded it is very likely other bootloaders might be affected by similar vulnerabilities, potentially as a result of the practice of copy-pasting filesystem parsing code between different open-source projects.

To test this hypothesis, we asked Security Copilot to find similar code in GitHub based on GRUB2’s filesystem implementations. This approach initially found many GRUB2 forks, so we continued to refine the search and manually review the results. Within those results, the U-boot and Barebox bootloaders, which are both commonly used for embedded systems, were identified as having shared code with GRUB2. Further investigation led us to identify similar vulnerabilities in both bootloaders, as detailed in the table below.

BootloaderVulnerabilityDescriptionU-bootCVE-2025-26726SquashFS directory table parsing buffer overflowU-bootCVE-2025-26727SquashFS inode parsing buffer overflowU-bootCVE-2025-26728SquashFS nested file reading buffer overflowU-bootCVE-2025-26729EroFS symlink resolution buffer overflowBareboxCVE-2025-26721Buffer overflow in the persistent storage for file creationBareboxCVE-2025-26722Buffer overflow in SquashFS symlink resolutionBareboxCVE-2025-26723Buffer overflow in EXT4 symlink resolutionBareboxCVE-2025-26724Buffer overflow in CramFS symlink resolutionBareboxCVE-2025-26725Buffer overflow in JFFS2 dirent parsing

To exploit those in an embedded system context, attackers would most likely require physical access to those devices.

Enhancing security beyond Microsoft with research and threat intelligence sharing

As our research demonstrates, the discovered vulnerabilities can impact a wide range of systems and devices with varying impact. The vulnerabilities in GRUB2 can be exploited to bypass Secure Boot and allow threat actors to gain arbitrary code execution in the context of GRUB2, install stealthy bootkits and persistent malware, and compromise additional devices on the network. Additionally, there are further consequences to bypassing Secure Boot as it undermines the security mechanism designed to protect the boot process. Secure Boot bypasses can lead to threat actors loading untrusted software and malicious code during the boot process, evading detection by security solutions, and gaining full control of the system for potential widespread impact across operating systems relying on UEFI Secure Boot. While the vulnerabilities impacting U-boot and Barebox may be more difficult to exploit for threat actors by requiring physical device access, the issues still underscore the dangers of sharing susceptible code across multiple open-source projects.

This research also demonstrates the necessity of responsible vulnerability disclosure, threat intelligence sharing, and partner collaboration in addressing these issues to safeguard users against current and future threats. Given the complexity of the boot process, which involves multiple components from different manufacturers, coupled with the fact that updates to Secure Boot can run the risk of rendering a device unusable, responsible disclosure of these vulnerabilities is necessary to prevent threat actor exploitation and give teams time to effectively coordinate and collaborate on mitigation measures.

To address the discovered issues, the GRUB2 maintainers updated the vulnerable versions in SBAT while working with manufacturers to update DBX database entries as well as their shims to improve Secure Boot revocation management, particularly for bootloaders like shim that act as an intermediary between firmware Secure Boot verification and Linux distributions boot processes. In addition to deploying patches to address the vulnerabilities, the GRUB2 maintainers disabled some of the OS modules when Secure Boot is enabled to help ensure only trusted and verified code executes during the boot process, further reducing the attack surface. We would like to again thank the GRUB2 team and open-source community for their efforts in addressing these issues, as well as the U-boot and Barebox maintainers for quickly releasing fixes.

Leveraging AI like Security Copilot was invaluable in our research, saving us approximately a week’s worth of time by efficiently identifying and refining security issues in bootloader functionalities, ultimately allowing us to uncover several vulnerabilities. Identifying, disclosing, and contributing fixes for vulnerabilities, such as those mentioned in this blog post, is part of our ongoing commitment to enhance security at Microsoft and beyond. Microsoft is dedicated to improving security through research-driven protections and collaboration with customers, partners, and industry experts. Microsoft security researchers discover vulnerabilities and threats, translating this knowledge into enhanced solutions that protect users daily, and by expanding our research, we also contribute to the security of devices worldwide across all platforms.

Jonathan Bar Or

Microsoft 365 Defender Research Team

References

Learn more

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Analyzing open-source bootloaders: Finding vulnerabilities faster with AI appeared first on Microsoft Security Blog.

Categories: Microsoft

New innovations in Microsoft Purview for protected, AI-ready data

Mon, 03/31/2025 - 11:00am

The Microsoft Fabric and Microsoft Purview teams are excited to be in Las Vegas from March 31 to April 2, 2025, for the second annual and highly anticipated Microsoft Fabric Community Conference. With more than 200 sessions, 13 focused tracks, 21 hands-on workshops, and two keynotes, attendees can expect an engaging and informative experience. The conference offers a unique opportunity for the community to connect and exchange insights on key topics such as data and AI.

Microsoft Purview: Built to safeguard your AI innovation

AI innovation is impacting every industry, business process, and individual. About 75% of knowledge workers today are currently using some sort of AI in their day to day.1 At the same time, the regulatory landscape is evolving at an unprecedented pace. Around the world, at least 69 countries have proposed more than 1,000 AI-related policy initiatives and legal frameworks to address public concerns around AI safety and governance.2 With the need to adhere to regulations and policy frameworks for AI transformation, a comprehensive solution is needed to address security, governance, and privacy concerns. Additionally, with the convergence of the responsibilities of cybersecurity and data teams, customers are asking for a solution that turns data security and data governance into a team sport to address issues such data discovery, data classification, data loss prevention, and data quality in a unified way. Microsoft Purview delivers a comprehensive set of solutions that address these needs, helping customers seamlessly secure and confidently activate their data in the era of AI.

We are excited to announce new innovations that help security and data teams accelerate their organization’s AI transformation:

Enhancing Microsoft Purview Data Loss Prevention (Purview DLP) support for lakehouse in Microsoft Fabric to help prevent sensitive data loss by restricting access.
Expanding Purview DLP policy support for additional Fabric items such as KQL databases and Mirrored databases to send users notification through policy tips when they are working with sensitive data.
Microsoft Purview integration with Copilot in Fabric, specifically for Power BI.
Data Observability within the Microsoft Purview Unified Catalog.

Seamlessly secure data

Microsoft Purview is extending its proven data security value delivered to millions of Microsoft 365 users worldwide, to the Microsoft data platform. This helps users drive consistency across their multicloud and multiplatform data estate and simplify risks related to data leaks, oversharing, and risky user behavior as more users are managing and handling data in the era of AI.

1. Enhancing Microsoft Purview Data Loss Prevention (DLP) support for lakehouse in Fabric to help prevent sensitive data loss by restricting access

Microsoft Purview Data Security capabilities are used by hundreds of thousands of customers for their integration with Microsoft 365 data. Since last year’s Microsoft Fabric Community Conference, Microsoft Purview has extended Microsoft Purview Information Protection and Purview DLP policy tip value across the data estate, including Fabric. Currently, Purview DLP supports the ability to show users notifications for when they are working with sensitive data in lakehouse. We are excited to share that we are enhancing the DLP value in lakehouse to prevent sensitive data leakage to guest users by restricting access. Data Security admins can configure policies and limit access to only internal users or data owners based on the sensitive data found. This control is valuable for when a Fabric tenant includes guest users and domain owners want to limit access to internal proprietary data in their lakehouses.

Figure 1. DLP policy restricting access for guest users into lakehouse due to personally identifiable information (PII) data discovered

Learn more about Microsoft Purview Data Loss Prevention 2. Expanding DLP policy support for additional Fabric items such as KQL databases and Mirrored databases to show users notification through policy tips when they are working with sensitive data

A key part of securing sensitive data is to provide visibility to your users on where and how they are interacting with sensitive data. Purview DLP policies can help notify users when they are working with sensitive data through policy tips in lakehouse in Fabric. We are excited to announce that we are extending policy tips support for additional Fabric items—KQL databases and Mirrored databases in preview. (Mirrored Database sources include Azure Cosmos DB, Azure SQL Database, Azure SQL Managed Instance, Azure Databricks Unity Catalog, and Snowflake, with more sources available soon). KQL databases are the only databases used for real-time analytics so detecting sensitive data that comes through real-time analytics is huge for Fabric customers. Purview DLP for Mirrored databases reduces the security risk of sensitive data leakage when data is transferred in Fabric. We are happy to extend Purview DLP value to more data sources, providing end-to-end protection for customers within their Fabric environments, all to prepare for the safe deployment of AI.

Figure 2. Policy tip triggered by Purview DLP due to PII being discovered in KQL databases.

Figure 3. Policy tip triggered by Purview DLP due to PII being discovered in Mirrored databases.

3. Microsoft Purview for Copilot in Fabric

As organizations adopt AI, implementing data controls and a Zero Trust approach is crucial to mitigate risks like data oversharing and leakage, and potential non-compliant usage in AI. We are excited to announce Microsoft Purview capabilities in preview for Copilot in Fabric, starting with Copilot for Power BI. By combining Microsoft Purview and Copilot for Power BI, users can:

Discover data risks such as sensitive data in user prompts and responses and receive recommended actions in their Microsoft Purview Data Security Posture Management (DSPM) dashboard to reduce these risks.
Identify risky AI usage with Microsoft Purview Insider Risk Management to investigate risky AI usage, such as an inadvertent user who has neglected security best practices and shared sensitive data in AI or a departing employee using AI to find sensitive data and exfiltrating the data through a USB device.
Govern AI usage with Microsoft Purview Audit, Microsoft Purview eDiscovery, retention policies, and non-compliant usage detection.

Figure 4. Purview DSPM for AI provides admins with comprehensive reports on Copilot in Fabric’s user activities, as well as data entered and shared within the copilot.

Confidently activate data 4. Data observability, now in preview, within Microsoft Purview Unified Catalog

Within the Unified Catalog in Microsoft Purview, users can easily identify the root cause of data quality issues by visually investigating the relationship between governance domains, data products, glossary terms, and data assets associated with them through its lineage. Data assets and their respective data quality are visible across your multicloud, hybrid data estate. Maintaining high data quality is core to driving trustworthy AI innovation forward, and with the new data observability capabilities in Microsoft Purview, users can now improve how fast they can investigate and resolve root cause issues to improve data quality and respond to regulatory reporting requirements.

Figure 5. Lineage view of data assets that showcases data quality within a Data Product.

Microsoft Purview and Microsoft Fabric can help secure and activate data

As your organization continues to implement AI, Microsoft Fabric and Microsoft Purview will serve as key solutions to safely activate your data for AI. Stay tuned for even more exciting innovations to come and check out the Fabric blog to read more about the innovations in Fabric.

Learn more about Microsoft Purview Learn more

Explore these resources to stay updated on our product innovations in security and governance for your data:

Learn how to secure and govern your entire data estate with Microsoft Purview.
Learn more about Microsoft Purview Data Governance.
Get started with Microsoft Fabric.

1Work Trends Index

2AI Regulations around the World – 2025

The post New innovations in Microsoft Purview for protected, AI-ready data appeared first on Microsoft Security Blog.

Categories: Microsoft

Biographical Information Summary - This is Just a Summary Joe Pearce
About Joe Pearce joeintenn
Links Joe Pearce
Flounder's Keylime Pie is the Best in the World, At Least I Think So... Joe Pearce
Harley Ride Joe Pearce
Cobra with New Cover Joe Pearce
Mustang Cobra After Ceramic Coating Joe Pearce
Carter County Cruise In Joe Pearce
2003 Ford Mustang SVT Cobra Convertible NAPA Auto Car Show Top 10 Joe Pearce
Ponies in the Smokies - Mustang Trophy Joe Pearce

Microsoft Malware Protection Center

Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

How cyberattackers exploit domain controllers using ransomware

Exploitation of CLFS zero-day leads to ransomware activity

Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity

Tech Accelerator: Azure security and AI adoption

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Transforming public sector security operations in the AI era

Analyzing open-source bootloaders: Finding vulnerabilities faster with AI

New innovations in Microsoft Purview for protected, AI-ready data

Welcome to Joe Pearce's Home Page.

Web page offered by Joe Pearce © 2004 - 2025 - All rights reserved.

Thanks to the ETSU Computer and Information Sciences Department.

Thanks to the NSTCC Computer and Information Sciences and Computer Engineering Technologies Department.

This is my Favicon.

You are here

Microsoft Malware Protection Center

Welcome to Joe Pearce's Home Page.

Web page offered by Joe Pearce © 2004 - 2025 - All rights reserved.

Thanks to the ETSU Computer and Information Sciences Department.

Thanks to the NSTCC Computer and Information Sciences and Computer Engineering Technologies Department.

This is my Favicon.