Microsoft Threat Intelligence
@threatintel.microsoft.com
We are Microsoft's global network of security experts. Follow for security research and threat intelligence. https://aka.ms/threatintelblog
Read about Microsoft and OpenAI’s joint investigation into API misuse and get guidance to defend against threats like SesameOp: msft.it/6014tCBfA.
SesameOp: Novel backdoor uses OpenAI Assistants API for command and control | Microsoft Security Blog
Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API)...
January 15, 2026 at 7:08 PM
Learn more about Storm-0501’s continuous evolution to using cloud-based ransomware tactics: msft.it/6016tCB24.
Storm-0501’s evolving techniques lead to cloud-based ransomware | Microsoft Security Blog
Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs). While the threat actor has ...
January 15, 2026 at 7:08 PM
Together, these cases highlight how modern attackers adapt faster by borrowing trust instead of breaking it. Hear more from Anna Seitz and Jonathan Checchi on this Microsoft Threat Intelligence Podcast episode, hosted by Sherrod DeGrippo.
January 15, 2026 at 7:08 PM
A similar tactic appears in SesameOp, a backdoor that uses an AI platform as its C2 infrastructure. By operating within legitimate API usage, SesameOp maintains long-term persistence through policy-compliant abuse, making malicious activity difficult to distinguish from normal behavior.
January 15, 2026 at 7:08 PM
Storm‑0501 illustrates how ransomware has evolved beyond on‑premises operations into hybrid and cloud environments, leveraging identity systems, federation, and control planes to destroy data, wipe backups, and lock victims out—often without deploying traditional malware.
January 15, 2026 at 7:08 PM
Microsoft tracks the operator of RedVDS as Storm‑2470. The scale of operations supported by RedVDS demonstrates how invisible, scalable infrastructure can significantly amplify cybercrime, and why coordinated disruptions and technical defenses are critical.
January 14, 2026 at 3:32 PM
Today, Microsoft announced a coordinated legal action to disrupt RedVDS, part of a broader joint operation with international law enforcement that allowed Microsoft and partners to seize key malicious infrastructure and take the RedVDS marketplace offline. msft.it/6017t7J5W
Microsoft disrupts global cybercrime subscription service responsible for millions in fraud losses
Today, Microsoft is announcing a coordinated legal action in the United States and, for the first time, the United Kingdom to disrupt RedVDS, a global cybercrime subscription service fueling millions ...
January 14, 2026 at 3:32 PM
Microsoft has also observed this technique leveraged in financial scams. Tenants with Microsoft Exchange mail exchanger (MX) records pointing directly to Office 365 aren’t affected due to built‑in spoofing detections. Learn more in our latest Microsoft Threat Intelligence blog post.
January 6, 2026 at 6:09 PM
This vector—which has seen increased visibility and use since May 2025—has enabled credential phishing campaigns tied to phishing-as-a-service (PhaaS) platforms like Tycoon2FA, using lures such as voicemails, shared documents, HR updates, and password resets.
January 6, 2026 at 6:08 PM
By analyzing packet sizes and timing patterns, their simulations found that attackers can identify conversations about certain topics. The more data an actor collects, the more accurate their inferences become, and these attacks could be performed offline on previously captured traffic.
December 19, 2025 at 6:29 PM
They share that their investigation began with the question of how side-channel attacks might apply in the context of generative AI. Their findings demonstrate that streaming responses, in which LLMs send replies token-by-token to make chatbots feel more conversational, create an attack surface.
December 19, 2025 at 6:17 PM
In this episode of the Microsoft Threat Intelligence Podcast, security researchers Geoff McDonald and Jonathan Bar Or talk to Sherrod DeGrippo about their discovery and research into WhisperLeak: msft.it/63320tUG2n
December 19, 2025 at 6:06 PM
In this blog, Microsoft Defender researchers share insights and detailed analysis of observed exploitation, mitigation, detection, and hunting guidance. Further investigation into providing stronger protections is in progress, and the blog will be updated when more information is available.
December 15, 2025 at 7:47 PM
This pre-authentication remote code execution (RCE) vulnerability (also referred to as React2Shell, and including CVE-2025-66478, which was merged into it) could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request.
December 15, 2025 at 7:46 PM
Sherrod and Matt also discuss how AI is lowering the barrier for OT-focused attacks, the importance of foundational security, collaboration, and large-scale grid exercises, and the need for continuous information sharing among utilities and government partners.
December 3, 2025 at 5:47 PM
In the latest Microsoft Threat Intelligence Podcast episode, Sherrod DeGrippo speaks to Matt Duncan about threats facing the North American power grid. They discuss the grid’s resilience against attacks from nation-state threat actors, cybercriminals, and hacktivists.
December 3, 2025 at 5:47 PM