Token theft News and Insights | Microsoft Security Blog (original) (raw)

• Defending against evolving identity attack techniques

Threat actors continue to develop and leverage various techniques that aim to compromise cloud identities.

• File hosting services misused for identity phishing

Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox.

• Threat actors misuse OAuth applications to automate financially driven attacks

Microsoft Threat Intelligence presents cases of threat actors misusing OAuth applications as automation tools in financially motivated attacks.

• Microsoft Incident Response lessons on preventing cloud identity compromise

In real-world customer engagements, Microsoft IR sees combinations of issues and misconfigurations that could lead to attacker access to customers’ Microsoft Entra ID tenants.

• Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement

Microsoft security researchers recently identified an attack where attackers attempted to move laterally to a cloud environment through a SQL Server instance.

• Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).

• Analysis of Storm-0558 techniques for unauthorized email access

Analysis of the techniques used by the threat actor tracked as Storm-0558 (now tracked as Antique Typhoon) for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.

• Detecting and mitigating a multi-stage AiTM phishing and BEC campaign

Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days.

• Token tactics: How to prevent, detect, and respond to cloud token theft

As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA.

• Exposing POLONIUM activity and infrastructure targeting Israeli organizations

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.

• Tarrask malware uses scheduled tasks for defense evasion

Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique.

• NOBELIUM targeting delegated administrative privileges to facilitate broader attacks

The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations.