A report on NOBELIUM’s unprecedented nation-state attack
In the final post of a four-part series on the NOBELIUM nation-state attack, we explore key findings from the after-action report on the attack.
Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack
In the third of a four-part series on the NOBELIUM nation-state attack, we share how Microsoft product teams built new detections into products to better protect customers.
How to investigate service provider trust chains in the cloud
This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor.
Protect your business from password sprays with Microsoft DART recommendations
This blog discusses DART’s investigation techniques and approach to responding to password spray attacks while outlining recommendations for protecting against them.
A guide to combatting human-operated ransomware: Part 2
In this post, we will tackle the risks of human-operated ransomware and detail DART’s security recommendations for tactical containment actions and post-incident activities in the event of an attack.
A guide to combatting human-operated ransomware: Part 1
As human-operated ransomware is on the rise, Microsoft’s Detection and Response Team (DART) shares how they investigate these attacks and what to consider when faced with a similar event in your organization.
Microsoft open sources CodeQL queries used to hunt for Solorigate activity
We are sharing the CodeQL queries that we used to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate so that other organizations may perform a similar analysis.
Web shell attacks continue to rise
A year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated. Read our investigation into the escalating prevalence of web shells.
Advice for incident responders on recovery from systemic identity compromises
Customers across the globe are asking for guidance on recovering their infrastructure after being impacted by Solorigate. DART walks you through remediation steps as well as some longer term mitigations.
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intel to understand the scope and impact, remediation guidance, and detections and protections we have built as a result.