Announcing a new Security Insider: Find more analysis, insights, and perspectives for CISOs coming later this month.
Security Insider
Threat intelligence and actionable insights to stay ahead
AI
Microsoft Guide for Securing the AI-Powered Enterprise: Getting Started
The first in a new series of guides that explore potential risks to AI applications—data leakage, emerging threats, and compliance challenges—along with unique risks of agentic AI. Get practical advice on building a secure foundation for AI with a phased approach.
Latest News
Microsoft Digital Defense Report
10 essential insights from the Microsoft Digital Defense Report 2024
Join Microsoft Security experts at Black Hat USA 2025
Threat actor insights
Microsoft Threat Intelligence is actively tracking threat actors across observed nation-state, ransomware, and criminal activities. These insights reflect activity publicly reported by Microsoft threat researchers and provide a centralized catalog of actor profiles drawn from the referenced blogs.
Mint Sandstorm
Mint Sandstorm (formerly PHOSPHORUS) is an Iran-affiliated activity group, active since at least 2013.
Manatee Tempest (formerly DEV-0243) is a threat actor in the ransomware-as-a-service (RaaS) economy, partnering with other threat actors to provide custom Cobalt Strike loaders.
Wine Tempest (formerly PARINACOTA) typically uses human-operated ransomware for attacks, mostly deploying the Wadhrama ransomware. They are resourceful, changing tactics to match their needs and have used compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks.
Smoke Sandstorm (formerly BOHRIUM/DEV-0056) compromised email accounts at a Bahrain-based IT integration company in September 2021. This company works on IT integration with Bahrain Government clients, who were likely Smoke Sandstorm’s ultimate target.
A group of actors originating from North Korea that Microsoft tracks as Storm-0530 (formerly DEV-0530) has been developing and using ransomware in attacks since June 2021.
Forest Blizzard (formerly STRONTIUM) uses a variety of initial access techniques, including exploiting vulnerable web-facing applications and, to obtain credentials, spear phishing and an automated password spray/brute-force tool operated through Tor.
The actor that Microsoft tracks as Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments to the Foreign Intelligence Service of the Russian Federation, also known as the SVR.
The actor that Microsoft tracks as Volt Typhoon is a nation-state activity group based out of China. Volt Typhoon focuses on espionage, data theft, and credential access.
Since February 2022, Plaid Rain (formerly POLONIUM) has been observed primarily targeting organizations in Israel with a focus on critical manufacturing, IT, and Israel’s defense industry.
Hazel Sandstorm (formerly EUROPIUM) has been publicly linked to Iran’s Ministry of Intelligence and Security (MOIS). Microsoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services.
Microsoft tracks Cadet Blizzard (formerly DEV-0586) as a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022.
Pistachio Tempest (formerly DEV-0237) is a group associated with impactful ransomware distribution. Microsoft has observed Pistachio Tempest use varied ransomware payloads over time as the group experiments with new ransomware as a service (RaaS) offerings, from Ryuk and Conti to Hive, Nokoyawa, and, most recently, Agenda and Mindware.
Periwinkle Tempest (formerly DEV-0193) is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS.
Caramel Tsunami (formerly SOURGUM) generally sells cyberweapons, usually malware and zero-day exploits, as a part of a hacking-as-a-service package sold to government agencies and other malicious actors.
Aqua Blizzard (formerly ACTINIUM) is a nation-state activity group based out of Russia. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).
Nylon Typhoon (formerly NICKEL) uses exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they then used to access victim accounts and move to higher-value systems.
Crimson Sandstorm (formerly CURIUM) actors have been observed leveraging a network of fictitious social media accounts to build trust with targets and deliver malware to ultimately exfiltrate data.
The actor Microsoft tracks as Diamond Sleet is a North Korea-based activity group known to target media, defense, and information technology (IT) industries globally. Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction.
Gray Sandstorm (formerly DEV-0343) conducts extensive password spraying while emulating a Firefox browser and using IPs hosted on a Tor proxy network. They typically target dozens to hundreds of accounts within an organization, depending on its size, and enumerate each account from dozens to thousands of times.
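Two of the profiles above, Forest Blizzard and Gray Sandstorm, describe the same credential-access technique: password spraying, where one source tries a few passwords against many accounts so that per-account lockout thresholds never trip. The following is an added example, not Microsoft's code or any of its products' detection logic, of how a defender can detect that pattern by pivoting on the source rather than the account. The log format, field names, thresholds and the Tor exit-node list are assumptions for this example; the sample sign-in records are constructed, not real telemetry.

```python
"""Source-centric password-spray detection over sign-in logs (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tuning knobs. These values are assumptions for the example; calibrate them
# against your own tenant (a 50-user org and a 50,000-user org differ).
WINDOW = timedelta(minutes=60)   # sliding window per source IP
MIN_DISTINCT_USERS = 5           # distinct accounts failing from one source

# Constructed stand-in for a Tor exit-node feed (not a real exit address).
TOR_EXIT_IPS = {"203.0.113.7"}


@dataclass
class SprayAlert:
    src_ip: str
    distinct_users: int
    failures: int
    mean_attempts_per_user: float
    window_start: datetime
    window_end: datetime
    tor_exit: bool
    user_agents: list
    compromised: list  # accounts that later succeeded from the same source


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited sign-in record (format assumed for the example):
    timestamp|user|src_ip|result|error|user_agent"""
    ts, user, src_ip, result, error, ua = line.rstrip("\n").split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": src_ip,
            "result": result, "error": error, "ua": ua}


def detect_spray(lines) -> list:
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for src_ip, evs in by_ip.items():
        # Only wrong-password failures count: an unknown-user error is account
        # enumeration, which is a different detection's job.
        fails = [e for e in evs
                 if e["result"] == "failure" and e["error"] == "bad_password"]
        in_window = Counter()   # user -> failures inside the current window
        start, best = 0, None
        for end, e in enumerate(fails):
            in_window[e["user"]] += 1
            # Slide the left edge until the window is at most WINDOW long.
            while e["ts"] - fails[start]["ts"] > WINDOW:
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            # Keep the widest window that reaches the distinct-account bar.
            if distinct >= MIN_DISTINCT_USERS and (best is None or distinct >= best[0]):
                best = (distinct, start, end)
        if best is None:
            continue
        distinct, s, t = best
        w_start, w_end = fails[s]["ts"], fails[t]["ts"]
        n_fail = t - s + 1
        # A success from a spraying source after the spray began is the signal
        # that matters most: that account is probably compromised.
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "success" and e["ts"] >= w_start})
        alerts.append(SprayAlert(
            src_ip=src_ip, distinct_users=distinct, failures=n_fail,
            mean_attempts_per_user=round(n_fail / distinct, 2),
            window_start=w_start, window_end=w_end,
            tor_exit=src_ip in TOR_EXIT_IPS,
            user_agents=sorted({e["ua"] for e in fails[s:t + 1]}),
            compromised=compromised))
    return alerts


# Constructed sample sign-in events, not real telemetry. One source sprays six
# accounts with one or two passwords each from a Tor exit, using a Firefox
# user-agent, then logs in as "erin"; a legitimate user at another address
# mistypes a password twice and then succeeds.
FF = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
EDGE = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/124.0 Edg/124.0"
SAMPLE_LOG = [
    f"2024-05-01T09:00:00|alice|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:01:00|bob|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:02:00|carol|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:03:00|dave|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:04:00|erin|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:05:00|frank|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:20:00|alice|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:21:00|bob|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:22:00|erin|203.0.113.7|failure|bad_password|{FF}",
    f"2024-05-01T09:40:00|erin|203.0.113.7|success||{FF}",
    f"2024-05-01T10:00:00|alice|198.51.100.20|failure|bad_password|{EDGE}",
    f"2024-05-01T10:00:30|alice|198.51.100.20|failure|bad_password|{EDGE}",
    f"2024-05-01T10:01:00|alice|198.51.100.20|success||{EDGE}",
]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises one alert, for 203.0.113.7: six distinct accounts, nine failures (1.5 attempts per account), a Tor exit source, a single Firefox user-agent, and "erin" as the account that later succeeded. The legitimate user's two typos from 198.51.100.20 stay below the distinct-account bar and produce nothing. The distinct-account count is the load-bearing check: a per-account failure threshold, which is what lockout policies implement, is exactly what a spray is built to stay under. The user-agent and exit-node fields are context for triage, not the trigger, since both are trivially changed by the operator.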
Security is only as good as your threat intelligence
Business email compromise
Breaking down business email compromise
Ransomware
Protect your organization from ransomware
Meet the Experts
The Microsoft Threat Intelligence Podcast
Hear stories from the Microsoft Threat Intelligence community as they navigate the ever-evolving threat landscape - uncovering APTs, cybercrime gangs, malware, vulnerabilities, and more in the world of cyber threats.
The latest edition of the Microsoft Digital Defense Report explores the evolving threat landscape and walks through opportunities and challenges as we become cyber resilient.
Follow Microsoft Security