Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft. Show all posts
Microsoft account breach
AI Driven Cyber Attacks AI phishing campaign Cloud Accounts Cyber Phishing Data Breach Microsoft Microsoft 365 phishing Microsoft account breach

AI-Driven Phishing Campaign Exploits Railway to Breach Microsoft Cloud Accounts at Scale

 

Security experts at Huntress report a fast-changing phishing operation using AI tools and cloud systems to breach Microsoft accounts in hundreds of companies. This activity ties back to improper use of Railway, a service that helps people launch apps and websites swiftly. Running on automated workflows, the attack adapts quickly, slipping past common defenses. Instead of relying on old methods, it shifts tactics constantly, making detection harder. Through compromised credentials, access spreads quietly within corporate networks. Investigators found backend processes hosted remotely, fueling repeated login attempts. 

Unlike typical scams, this one uses synthetic voices and generated text to mimic real communication. Some messages appear personalized, increasing their chances of success. Early warnings came from irregular traffic patterns tied to authentication requests. Organizations affected span multiple industries without geographic concentration. Researchers stress monitoring unusual API behavior as a sign of intrusion. Detection now depends more on behavioral anomalies than known threat signatures. 

Starting in early 2026, the attack started quietly before rapidly growing in intensity. Come March, signs showed a sharp rise - dozens of groups breached each day. Though linked to an obscure group using few internet addresses, its impact spread fast. Hundreds of confirmed victims fell within weeks, likely many more worldwide.  

Something different here? The integration of AI to craft phishing bait. Typical assaults lean on reused message formats; by contrast, this one generates unique, tailored texts - some with QR symbols, others embedding shared-file URLs or fake alerts mimicking real platforms. Because each message looks unlike the last, standard filters struggle. Pattern-based defenses fail when there is no clear pattern to catch. 

Not every login attempt follows the usual path. Some intruders step in through a backdoor built for gadgets like printers or streaming boxes. A fake prompt appears, nudging users to approve what seems like a routine connection. Once granted, digital keys are handed out - no password cracking needed. With those credentials, unauthorized entry lasts nearly three months. Security checks such as two-step verification simply do not apply.  

Across sectors like finance, healthcare, and government, effects are widespread. Though Huntress says it stopped further attacks for some customers, the company notes its data probably captures just a small portion of those impacted. Huntress moved quickly, rolling out urgent fixes to about 60,000 Microsoft cloud customers after spotting risky traffic linked to Railway domains. Although unintended, misuse of the platform did occur - Railway admitted this, then paused harmful user profiles while cutting off connected web addresses. Security adjustments limited entry points before further harm could unfold. 

The way bad actors craft digital traps now involves artificial intelligence, running through vast online computing resources. With such technology at hand, launching widespread fake message attacks happens faster than before. Experts observing these shifts note a troubling trend: simpler methods achieving stronger results. What once required skill can now be managed by nearly anyone willing to try. Speed grows. Scale expands. Risk rises accordingly.
Read more »
Scams
Alert Cyber Security Fake Login Google Microsoft Scams

Security Alerts or Scams? How to Spot Fake Login Warnings and Protect Your Accounts

 

Your phone buzzes with a notification: “Unusual login activity detected on your account.” It’s enough to make anyone uneasy. But is it a genuine alert about a hacking attempt, or could the message itself be a trap?

Notifications from major platforms like Google, Microsoft, Amazon, or even your bank can be both helpful and risky. While they act as an early warning system against unauthorized access, cybercriminals often exploit this sense of urgency. Fake alerts are designed to trick users into clicking on malicious links and entering sensitive information on fraudulent login pages. Acting impulsively in such moments can unintentionally give attackers access to your accounts.

Understanding Security Alerts

Not every alert signals a compromised account. Many platforms rely on advanced monitoring systems that flag unusual behaviour before any real damage occurs.

These systems may detect:
  • Multiple failed login attempts from different locations
  • Automated attacks using leaked credentials
  • Logins from unfamiliar devices or IP addresses
In many cases, a blocked login attempt simply means the system is working as intended—not that your account has already been breached.

The 3-Second Test: Spotting Real vs Fake Messages

Before clicking on any alert, pause and verify. Even AI-generated phishing emails often fail basic checks:

1. The Sender Check
Always look beyond the display name. Verify the actual email address and domain. Fraudsters often use slight variations like “amazon-support.co.uk” or “service@paypal-hilfe.com
” to appear legitimate.

2. The Hover Trick
On a computer, hover your cursor over any link without clicking. The true destination URL will appear. If it doesn’t match the official website, delete the email immediately.

3. Watch for Panic Tactics
Be cautious of urgent messages such as:
“Act within 10 minutes or your account will be irrevocably deleted!”
Legitimate companies don’t pressure users this way—urgency is a common scam tactic.

Golden Rule: Never click directly from the email. Instead, open your browser, manually type the official website, and log in. If there’s a real issue, it will be visible in your account dashboard.

Using the same password across multiple platforms increases risk. A breach on one website can trigger a domino effect, allowing attackers to access other accounts using the same credentials

The Role of Password Managers

Password managers offer a simple yet powerful solution:

  1. Unique Passwords: They generate strong, complex passwords for each account, ensuring one breach doesn’t compromise everything.
  2. Built-in Phishing Protection: These tools only autofill credentials on legitimate websites, helping you avoid fake login pages.

Tools like Dashlane provide a comprehensive password management experience with seamless autofill and secure password generation. Meanwhile, Bitwarden stands out as a reliable open-source option with robust free features.

Security alerts aren’t always bad news, they often indicate that protective systems are doing their job. The real risk lies in reacting without verification.

By using a password manager and enabling two-factor authentication, you can significantly strengthen your defenses and keep your digital identity secure
Read more »
Xbox One
Cyber Security glitch Hacking Hardware Microsoft Operating system ROM Xbox One

“Unhackable” No More: Researcher Demonstrates Hardware-Level Exploit on Xbox One







For years, the Xbox One was widely viewed as one of the few gaming systems that had resisted successful hacking. That perception has now changed after a new hardware-based attack method was publicly demonstrated.

At the RE//verse 2026 event, security researcher Markus Gaasedelen introduced a technique called the “Bliss” double glitch. This method relies on manipulating electrical voltage at precise moments to interfere with the console’s startup process, effectively bypassing its built-in protections.

This marks the first known instance where the Xbox One’s hardware defenses have been broken in a way that others can replicate. The achievement is being compared to the Reset Glitch Hack that affected the Xbox 360, although this newer approach operates at a deeper level. Instead of targeting software vulnerabilities, it directly interferes with the boot ROM, a core component embedded in the console’s chip. By doing so, the exploit grants complete control over the system, including its most secure layers such as the hypervisor.

When the Xbox One was introduced in 2013, Microsoft designed it with an unusually strong security model. The system relied on multiple layers of encryption and authentication, linking firmware, the operating system, and game files into a tightly controlled verification chain. Within the company, it was even described as one of the most secure products Microsoft had ever built.

A substantial part of this design was its secure boot process. Unlike the Xbox 360, which was compromised through reset-line manipulation, the Xbox One removed such external entry points. It also incorporated a dedicated ARM-based security processor responsible for verifying every stage of the startup sequence. Without valid cryptographic signatures, no code was allowed to run. For many years, this approach appeared highly effective.

Rather than attacking these higher-level protections, the researcher focused on the physical behavior of the hardware itself. Traditional glitching techniques rely on disrupting timing signals, but the Xbox One’s architecture left little opportunity for that. Instead, the method used here involves voltage glitching, where the power supplied to the processor is briefly disrupted.

These momentary drops in voltage can cause the processor to behave unpredictably, such as skipping instructions or misreading operations. However, the timing must be extremely precise, as even a tiny variation can result in failure or system crashes.

To achieve this level of accuracy, specialized hardware tools were developed to monitor and control electrical signals within the system. This allowed the researcher to closely observe how the console behaves at the silicon level and identify the exact points where interference would be effective.

The resulting “Bliss” technique uses two carefully timed voltage disruptions during the startup process. The first interferes with memory protection mechanisms managed by the ARM Cortex subsystem. The second targets a memory-copy operation that occurs while the system is loading initial data. If both steps are executed correctly, the system is redirected to run code chosen by the attacker, effectively taking control of the boot process.

Unlike many modern exploits, this method does not depend on software flaws that can be corrected through updates. Instead, it targets the boot ROM, which is permanently embedded in the chip during manufacturing. Because this code cannot be modified, the vulnerability cannot be patched. As a result, the exploit allows unauthorized code execution across all system layers, including protected components.

With this level of access, it becomes possible to run alternative operating systems, extract encrypted firmware, and analyze internal system data. This has implications for both security research and digital preservation, as it enables deeper understanding of the console’s architecture and may support efforts to emulate its environment in the future.

Beyond research applications, the findings may also lead to practical tools. There is speculation that the technique could be adapted into hardware modifications similar to modchips, which automate the precise electrical conditions needed for the exploit. Such developments could revive longstanding debates around console modification and software control.

From a security perspective, the immediate impact on Microsoft may be limited, as the Xbox One is no longer the company’s latest platform. Newer systems have adopted updated security designs based on similar principles. However, the discovery serves a lesson for the industry: no system can be considered permanently secure, especially when attacks target the underlying hardware itself.

Read more »
Trojan
coding GitHub JavaScript macOS malware Microsoft Node.js North Korean Hackers Trojan

North Korean Hackers Turn VS Code Projects Into Silent Malware Triggers

 


Opening a project in a code editor is supposed to be routine. In this case, it is enough to trigger a full malware infection.

Security researchers have linked an ongoing campaign associated with North Korean actors, tracked as Contagious Interview or WaterPlum, to a malware family known as StoatWaffle. Instead of relying on software vulnerabilities, the group is embedding malicious logic directly into Microsoft Visual Studio Code (VS Code) projects, turning a trusted development tool into the starting point of an attack.

The entire mechanism is hidden inside a file developers rarely question: tasks.json. This file is typically used to automate workflows. In these attacks, it has been configured with a setting that forces execution the moment a project folder is opened. No manual action is required beyond opening the workspace.

Research from NTT Security shows that the embedded task connects to an external web application, previously hosted on Vercel, to retrieve additional data. The same task operates consistently regardless of the operating system, meaning the behavior does not change between environments even though most observed cases involve Windows systems.

Once triggered, the malware checks whether Node.js is installed. If it is not present, it downloads and installs it from official sources. This ensures the system can execute the rest of the attack chain without interruption.

What follows is a staged infection process. A downloader repeatedly contacts a remote server to fetch additional payloads. Each stage behaves in the same way, reaching out to new endpoints and executing the returned code as Node.js scripts. This creates a recursive chain where one payload continuously pulls in the next.

StoatWaffle is built as a modular framework. One component is designed for data theft, extracting saved credentials and browser extension data from Chromium-based browsers and Mozilla Firefox. On macOS systems, it also targets the iCloud Keychain database. The collected information is then sent to a command-and-control server.

A second module functions as a remote access trojan, allowing attackers to operate the infected system. It supports commands to navigate directories, list and search files, execute scripts, upload data, run shell commands, and terminate itself when required.

Researchers note that the malware is not static. The operators are actively refining it, introducing new variants and updating existing functionality.

The VS Code-based delivery method is only one part of a broader campaign aimed at developers and the open-source ecosystem. In one instance, attackers distributed malicious npm packages carrying a Python-based backdoor called PylangGhost, marking its first known propagation through npm.

Another campaign, known as PolinRider, involved injecting obfuscated JavaScript into hundreds of public GitHub repositories. That code ultimately led to the deployment of an updated version of BeaverTail, a malware strain already linked to the same threat activity.

A more targeted compromise affected four repositories within the Neutralinojs GitHub organization. Attackers gained access by hijacking a contributor account with elevated permissions and force-pushed malicious code. This code retrieved encrypted payloads hidden within blockchain transactions across networks such as Tron, Aptos, and Binance Smart Chain, which were then used to download and execute BeaverTail. Victims are believed to have been exposed through malicious VS Code extensions or compromised npm packages.

According to analysis from Microsoft, the initial compromise often begins with social engineering rather than technical exploitation. Attackers stage convincing recruitment processes that closely resemble legitimate technical interviews. Targets are instructed to run code hosted on platforms such as GitHub, GitLab, or Bitbucket, unknowingly executing malicious components as part of the assessment.

The individuals targeted are typically experienced professionals, including founders, CTOs, and senior engineers in cryptocurrency and Web3 sectors. Their level of access to infrastructure and digital assets makes them especially valuable. In one recent case, attackers unsuccessfully attempted to compromise the founder of AllSecure.io using this approach.

Multiple malware families are used across these attack chains, including OtterCookie, InvisibleFerret, and FlexibleFerret. InvisibleFerret is commonly delivered through BeaverTail, although recent intrusions show it being deployed after initial access is established through OtterCookie. FlexibleFerret, also known as WeaselStore, exists in both Go and Python variants, referred to as GolangGhost and PylangGhost.

The attackers continue to adjust their techniques. Newer versions of the malicious VS Code projects have moved away from earlier infrastructure and now rely on scripts hosted on GitHub Gist to retrieve additional payloads. These ultimately lead to the deployment of FlexibleFerret. The infected projects themselves are distributed through GitHub repositories.

Security analysts warn that placing malware inside tools developers already trust significantly lowers suspicion. When the code is presented as part of a hiring task or technical assessment, it is more likely to be executed, especially under time pressure.

Microsoft has responded to the misuse of VS Code tasks with security updates. In the January 2026 release (version 1.109), a new setting disables automatic task execution by default, preventing tasks defined in tasks.json from running without user awareness. This setting cannot be overridden at the workspace level, limiting the ability of malicious repositories to bypass protections.

Additional safeguards were introduced in February 2026 (version 1.110), including a second prompt that alerts users when an auto-run task is detected after workspace trust is granted.

Beyond development environments, North Korean-linked operations have expanded into broader social engineering campaigns targeting cryptocurrency professionals. These include outreach through LinkedIn, impersonation of venture capital firms, and fake video conferencing links. Some attacks lead to deceptive CAPTCHA pages that trick victims into executing hidden commands in their terminal, enabling cross-platform infections on macOS and Windows. These activities overlap with clusters tracked as GhostCall and UNC1069.

Separately, the U.S. Department of Justice has taken action against individuals involved in supporting North Korea’s fraudulent IT worker operations. Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis were sentenced after pleading guilty in November 2025. Two received probation and fines, while one was sentenced to prison and ordered to forfeit more than $193,000 obtained through identity misuse.

Officials stated that such schemes enable North Korean operatives to generate revenue, access corporate systems, steal proprietary data, and support broader cyber operations. Separate research from Flare and IBM X-Force indicates that individuals involved in these programs undergo rigorous training and are considered highly skilled, forming a key part of the country’s strategic cyber efforts.


What this means

This attack does not depend on exploiting a flaw in software. It depends on exploiting trust.

By embedding malicious behavior into tools, workflows, and hiring processes that developers rely on every day, attackers are shifting the point of compromise. In this environment, opening a project can be just as risky as running an unknown program.

Read more »
RMW
Cyber Fraud IRS Microsoft Phishing scam RMW

Microsoft Alerts 29,000 Users Hit by IRS-Themed Phishing Wave

 

Microsoft is warning of a major IRS‑themed phishing wave that hit 29,000 users in a single day, using tax‑season panic to steal credentials and deploy remote access malware. The campaigns piggyback on the urgency of the U.S. tax season, sending emails that pretend to be refund notices, payroll forms, filing reminders, or messages from tax professionals to pressure recipients into acting quickly.

According to Microsoft Threat Intelligence and Defender researchers, some lures target regular taxpayers for financial data, while others focus on accountants and professionals who routinely handle sensitive tax documents and are used to receiving legitimate tax‑related mail.Many of these messages direct users either to phishing pages built on Phishing‑as‑a‑Service platforms like the Energy365 kit or to downloads that silently install remote monitoring and management (RMM) tools. 

In one large campaign unearthed on February 10, 2026, more than 29,000 users across 10,000 organizations were targeted in just a day, with about 95% of victims located in the U.S. The emails impersonated the Internal Revenue Service and claimed that irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number, pushing them to urgently review those returns. Sectors hit hardest included financial services, technology and software, and retail and consumer goods, reflecting the high value of the data and access that successful compromises could deliver to attackers. 

Victims were instructed to download a supposed “IRS Transcript Viewer” via a button labeled “Download IRS Transcript View 5.1,” which actually redirected to smartvault[.]im, a domain posing as legitimate document platform SmartVault. The site used Cloudflare protections so that automated scanners saw a benign front, while real users received a maliciously packaged ScreenConnect installer that gave attackers remote access to their systems. Once installed, this RMM tooling enabled data theft, credential harvesting, and further post‑exploitation such as lateral movement or deploying additional malware. 

Microsoft also highlights related tax‑themed tactics: CPA‑style lures tied to the Energy365 phishing kit, bogus tax‑themed domains that push ScreenConnect, and cryptocurrency‑tax emails that impersonate the IRS and distribute ScreenConnect or SimpleHelp via malicious domains like “irs-doc[.]com” and “gov-irs216[.]net.” In some cases, attackers emailed accountants and organizations asking for help filing taxes, then funneled them to Datto RMM installers under the guise of sharing documentation. Collectively, these methods show a trend of abusing legitimate RMM platforms for stealthy, persistent access instead of relying solely on traditional malware. 

To defend against these threats, Microsoft advises organizations to enforce two‑factor authentication on all accounts, implement conditional access policies, and harden email security to better scan attachments, links, and visited websites. They also recommend blocking access to known malicious domains, monitoring networks and endpoints for unauthorized RMM tools like ScreenConnect, Datto, and SimpleHelp, and educating users—especially finance and tax staff—on spotting urgent, tax‑themed emails that request downloads or credentials.
Read more »
Windows 11
Cyber Security Digital Vulnerabilities hotpatch Microsoft system updates Windows 11

Microsoft Releases Hotpatch to Fix Windows 11 RRAS Remote Code Flaw



Microsoft has issued an out-of-band (OOB) security update to remediate critical vulnerabilities affecting a specific subset of Windows 11 Enterprise systems that rely on hotpatch updates instead of the conventional monthly Patch Tuesday cumulative updates.

The update, identified as KB5084597, was released to fix multiple security flaws in the Windows Routing and Remote Access Service (RRAS), a built-in administrative tool used for configuring and managing remote connectivity and routing functions within enterprise networks. According to Microsoft’s official advisory, these vulnerabilities could allow remote code execution if a system connects to a malicious or attacker-controlled server through the RRAS management interface.

Microsoft clarified that the risk is limited to narrowly defined scenarios. The exposure primarily impacts Enterprise client devices that are enrolled in the hotpatch update model and are actively used for remote server management. This means that the vulnerability does not broadly affect all Windows users, but rather a specific operational environment where administrative tools interact with external systems.

The vulnerabilities addressed in this update are tracked under three identifiers: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. These issues were initially resolved as part of Microsoft’s March 2026 Patch Tuesday updates, which were released on March 10. However, the original fixes required system reboots to be fully applied.

Microsoft’s technical description indicates that successful exploitation would require an attacker to already possess authenticated access within a domain. The attacker could then use social engineering techniques to trick a domain-joined user into initiating a connection request to a malicious server via the RRAS snap-in management tool. Once the connection is made, the vulnerability could be triggered, allowing the attacker to execute arbitrary code on the targeted system.

The KB5084597 hotpatch is cumulative in nature, meaning it incorporates all previously released fixes and improvements included in the March 2026 security update package. This ensures that systems receiving the hotpatch are brought up to the same security level as those that installed the full cumulative update.

A key reason for releasing this hotpatch separately is the operational challenge associated with system restarts. Many enterprise environments run mission-critical workloads where even brief downtime can disrupt services, impact business continuity, or affect essential infrastructure. Traditional cumulative updates require a reboot, making them less practical in such contexts.

Hotpatching addresses this challenge by applying security fixes directly into the memory of running processes. This allows vulnerabilities to be mitigated immediately without interrupting system operations. Simultaneously, the update also modifies the relevant files stored on disk so that the fixes remain effective after the next scheduled reboot, maintaining long-term system integrity.

Microsoft also noted that while fixes for these vulnerabilities had been released earlier, the hotpatch update was reissued to ensure more comprehensive protection across all affected deployment scenarios. This suggests that the company identified gaps in earlier coverage or aimed to standardize protection for systems using different update mechanisms.

It is important to note that this hotpatch is not distributed to all devices. It is only available to systems that are enrolled in Microsoft’s hotpatch update program and are managed through Windows Autopatch, a cloud-based service that automates update deployment for enterprise environments. Eligible systems will receive and apply the update automatically, without requiring user intervention or a system restart.

From a broader security standpoint, this development surfaces the increasing complexity of patch management in modern enterprise environments. As organizations adopt high-availability systems that must remain continuously operational, traditional update strategies are evolving to include alternatives such as hotpatching.

At the same time, vulnerabilities in administrative tools like RRAS demonstrate how trusted system components can become entry points for attackers when combined with social engineering and authenticated access. Even though exploitation requires specific conditions, the potential impact remains substantial due to the elevated privileges typically associated with administrative tools.

Security experts generally emphasize that organizations must go beyond simply applying patches. Continuous monitoring, strict access control policies, and user awareness training are essential to reducing the likelihood of such attack scenarios. Additionally, maintaining visibility into how administrative tools are used within a network can help detect unusual behavior before it leads to compromise.

Overall, Microsoft’s release of this hotpatch reflects both the urgency of addressing critical vulnerabilities and the need to adapt security practices to environments where uptime is as important as protection.

Read more »
Vulnerabilities and Exploits
Microsoft OAuth Phishing email Vulnerabilities and Exploits

Hackers Abuse OAuth Flaws for Microsoft Malware Delivery

 

Microsoft has warned that hackers are weaponizing OAuth error flows to redirect users from trusted Microsoft login pages to malicious sites that deliver malware. The campaigns, observed by Microsoft Defender researchers, primarily target government and public-sector organizations using phishing emails that appear to be legitimate Microsoft notifications or service messages. By abusing how OAuth 2.0 handles authorization errors and redirects, attackers are able to bypass many email and browser phishing protections that normally block suspicious URLs. This turns a standards-compliant identity feature into a powerful tool for malware distribution and account compromise. 

The attack begins with threat actors registering malicious OAuth applications in a tenant they control and configuring them with redirect URIs that point to attacker infrastructure. Victims receive phishing links that invoke Microsoft Entra ID authorization endpoints, which visually resemble legitimate sign-in flows, increasing user trust. The attackers craft these URLs with parameters for silent authentication and intentionally invalid scopes, which trigger an OAuth error instead of a normal sign-in. Rather than breaking the flow, this error causes the identity provider to follow the standard and redirect the user to the attacker-controlled redirect URI. 

Once redirected, victims may land on advanced phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, allowing threat actors to harvest valid session cookies and bypass multi-factor authentication. Microsoft notes that the attackers misuse the OAuth “state” parameter to automatically pre-fill the victim’s email address on the phishing page, making it look more authentic and reducing friction for the user. In other cases, the redirect leads to a “/download” path that automatically serves a ZIP archive containing malicious shortcut (LNK) files and HTML smuggling components. These variations show how the same redirection trick can support both credential theft and direct malware delivery. 

If a victim opens the malicious LNK file, it launches PowerShell to perform reconnaissance on the compromised host and stage the next phase of the attack. The script extracts components needed for DLL side-loading, where a legitimate executable is abused to load a malicious library. In this campaign, a rogue DLL named crashhandler.dll decrypts and loads the final payload crashlog.dat directly into memory, while a benign-looking binary (stream_monitor.exe) displays a decoy application to distract the user. This technique helps attackers evade traditional antivirus tools and maintain stealthy, in-memory persistence. 

Microsoft stresses that these are identity-based threats that exploit intended behaviors in the OAuth specification rather than exploiting a software vulnerability. The company recommends tightening permissions for OAuth applications, enforcing strong identity protections and Conditional Access policies, and applying cross-domain detection that correlates email, identity, and endpoint signals. Organizations should also closely monitor application registrations and unusual OAuth consent flows to spot malicious apps early. As this abuse of standards-compliant error handling is now active in real-world campaigns, defenders must treat OAuth flows themselves as a critical attack surface, not just a background authentication detail.
Read more »
Microsoft Security Response
Cyber Security Data protection Data Records data security Microsoft Microsoft 365 Security Microsoft Security Response

Windows Telemetry Explained: What Diagnostic Data Microsoft Collects and Why It Matters

 

Years after Windows 10 arrived, a single aspect keeps stirring conversation - telemetry. This data gathering, labeled diagnostic info by Microsoft, pulls details from machines without manual input. Its purpose? Keeping systems stable, secure, running smoothly. Yet reactions split sharply between everyday users and those watching privacy trends. 

Early on, after Windows 10 arrived, observers questioned whether its telemetry might double as monitoring. A few writers argued it collected large amounts of user detail while transmitting data to Microsoft machines. Still, analysts inspecting how the OS handles information report minimal proof backing such suspicions. 

Beginning in 2017, scrutiny from the Dutch Data Protection Authority revealed shortcomings in how Windows presented telemetry consent choices. Although designed to gather system performance details, the setup failed to align with regional privacy expectations due to unclear user permissions. 

Instead of defending the original design, Microsoft adjusted both interface wording and backend configurations. Following these updates, oversight bodies acknowledged improvements, noting no evidence emerged suggesting private information was gathered unlawfully. Independent analysts alongside regulatory teams had previously flagged the configuration, yet after revisions, compliance concerns faded gradually. 

What runs behind the scenes in Windows includes a mix of telemetry types - mainly split into essential and extra reporting layers. Most personal computers, especially those outside corporate control, turn on the basic tier automatically; there exists no standard menu option to switch it off entirely. This baseline layer gathers only what Microsoft claims is vital for stability and core operations. 

Though hidden from typical adjustments, its presence supports ongoing performance checks across devices. Basic troubleshooting relies on specific diagnostics tied to functions like Windows Update. Information might cover simple fault summaries, setup traits of hardware, software plus driver footprints, along with records tracking how updates succeed or fail. 

As noted by Microsoft, insights drawn support better stability fixes, safety patches, app alignment, and smoother running systems. Some diagnostic details go beyond basics, capturing patterns in app use or web habits. These insights might involve deeper system errors, performance signs, or hardware traits. 

While such data helps refine functionality, access remains under user control via Windows options. Those cautious about personal information often choose to turn this off. Control sits within settings, letting choices match comfort levels. Occasionally, memory dumps taken during system failures form part of Optional diagnostic data, according to experts. 

When a crash happens, pieces of active files might get saved inside these records. Because of this risk, certain groups managing confidential material prefer disabling the setting altogether. In 2018, Microsoft rolled out a feature named Diagnostic Data Viewer to boost openness. This tool gives people access to review what information their machine shares with the company, revealing specifics found in diagnostics and system summaries. 

One billion devices now operate on Windows 11 across the globe. Because of countless variations in hardware and software setups, Microsoft relies on telemetry data - this information reveals issues, shapes update improvements, yet supports consistent performance. While tracking user interactions might sound intrusive, it actually guides fixes without exposing personal details; instead, patterns emerge that steer engineering decisions behind the scenes. 

Even though some diagnostic details are essential for basic operations, those worried about personal data might choose to limit what gets sent by turning off non-essential diagnostics in device preferences. Still, full function depends on keeping certain reporting active.
Read more »
Microsoft
AI tools Copilot Data Breach Microsoft

New Copilot Setting May Access Activity From Other Microsoft Services. Here’s How Users Can Disable It

 



A recently noticed configuration inside Microsoft Copilot may allow the AI tool to reference activity from several other Microsoft platforms, prompting renewed discussion around data privacy and AI personalization. The option, which appears within Copilot’s settings, enables the assistant to use information connected to services such as Bing, MSN, and the Microsoft Edge browser. Users who are uncomfortable with this level of integration can switch the feature off.

Like many modern artificial intelligence systems, Copilot attempts to improve the usefulness of its responses by understanding more about the person interacting with it. The assistant normally does this by remembering past conversations and storing certain details that users intentionally share during chats. These stored elements help the AI maintain context across multiple interactions and generate responses that feel more tailored.

However, a specific configuration called “Microsoft usage data” expands that capability. According to reporting first highlighted by the technology outlet Windows Latest, this setting allows Copilot to reference information associated with other Microsoft services a user has interacted with. The option appears within the assistant’s Memory controls and is available through both the Copilot website and its mobile applications. Observers believe the setting was introduced recently as part of Microsoft’s effort to strengthen personalization features in its AI tools.

The Memory feature in Copilot is designed to help the assistant retain useful context. Through this system, the AI can recall earlier conversations, remember instructions or factual information shared by users, and potentially reference certain account-linked activity from other Microsoft products. The idea is that by understanding more about a user’s interests or previous discussions, the assistant can provide more relevant answers.

In practice, such capabilities can be helpful. For instance, a user who discussed a topic with Copilot previously may want to continue that conversation later without repeating the entire background. Similarly, individuals seeking guidance about personal or professional matters may receive more relevant suggestions if the assistant has some awareness of their preferences or circumstances.

Despite the convenience, the feature also raises questions about privacy. Some users may be concerned that allowing an AI assistant to accumulate information from multiple services could expose more personal data than expected. Others may want to know how that information is used beyond personalizing conversations.

Microsoft addresses these concerns in its official Copilot documentation. In its frequently asked questions section, the company states that user conversations are processed only for limited purposes described in its privacy policies. According to Microsoft, this information may be used to evaluate Copilot’s performance, troubleshoot operational issues, identify software bugs, prevent misuse of the service, and improve the overall quality of the product.

The company also says that conversations are not used to train AI models by default. Model training is controlled through a separate configuration, which users can choose to disable if they do not want their interactions contributing to AI development.

Microsoft further clarifies that Copilot’s personalization settings do not determine whether a user receives targeted advertisements. Advertising preferences are managed through a different option available in the Microsoft account privacy dashboard. Users who want to stop personalized advertising must adjust the Personalized ads and offers setting separately.

Even with these explanations, privacy concerns remain understandable, particularly because Microsoft documentation indicates that Copilot’s personalization features may already be activated automatically in some cases. When reviewing the settings on a personal device, these options were found to be switched on. Users who prefer not to allow Copilot to access broader usage data may therefore wish to disable them.

Checking these settings is straightforward. Users can open Copilot through its website or mobile application and ensure they are signed in with their Microsoft account. On the web interface, selecting the account name at the bottom of the left-hand panel opens the Settings menu, where the Memory section can be accessed. In the mobile application, the same controls are available through the side navigation menu by tapping the account name and choosing Memory.

Inside the Memory settings, users will see a general control labeled “Personalization and memory.” Two additional options appear beneath it: “Facts you’ve shared,” which stores information provided directly during conversations, and “Microsoft usage data,” which allows Copilot to reference activity from other Microsoft services.

To limit this behavior, users can switch off the Microsoft usage data toggle. They may also disable the broader Personalization and memory option if they prefer that the AI assistant does not retain contextual information about their interactions. Copilot also provides a “Delete all memory” function that removes all stored data from the system. If individual personal details have been recorded, they can be reviewed and deleted through the editing option next to “Facts you’ve shared.”

Security and privacy experts generally advise caution when sharing information with AI assistants, even when personalization features remain enabled. Sensitive or confidential details should not be entered into conversations. Microsoft itself recommends avoiding the disclosure of certain types of highly personal data, including information related to health conditions or sexual orientation.

The broader development reflects a growing trend in the technology industry. As AI assistants become integrated across multiple platforms and services, companies are increasingly using cross-service data to make these tools more helpful and personalized. While this approach can improve convenience and usability, it also underlines the grave necessity for transparent privacy controls so users remain aware of how their information is being used and can adjust those settings when necessary.

Read more »
Technlogy
AI Cloud Data GenAI Microsoft phishing Technlogy

Microsoft Report Reveals Hackers Exploit AI In Cyberattacks


According to Microsoft, hackers are increasingly using AI in their work to increase attacks, scale cyberattack activity, and limit technical barriers throughout all aspects of a cyberattack. 

Microsoft’s new Threat Intelligence report reveals that threat actors are using genAI tools for various tasks, such as phishing, surveillance, malware building, infrastructure development, and post-hack activity. 

About the report

In various incidents, AI helps to create phishing emails, summarize stolen information, debug malware, translate content, and configure infrastructure. “Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” the report said. 

"For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions,’ warns Microsoft.

AI in cyberattacks 

Microsoft found different hacking gangs using AI in their cyberattacks, such as North Korean hackers known as Coral Sleet (Storm-1877) and Jasper Sleet (Storm-0287), who use the AI in their remote IT worker scams. 

The AI helps to make realistic identities, communications, and resumes to get a job in Western companies and have access once hired. Microsoft also explained how AI is being exploited in malware development and infrastructure creation. Threat actors are using AI coding tools to create and refine malicious code, fix errors, and send malware components to different programming languages. 

The impact

A few malware experiments showed traces of AI-enabled malware that create scripts or configure behaviour at runtime. Microsoft found Coral Sleet using AI to make fake company sites, manage infrastructure, and troubleshoot their installations. 

When security analysts try to stop the use of AI in these attacks, Microsoft says hackers are using jailbreaking techniques to trick AI into creating malicious code or content. 

Besides generative AI use, the report revealed that hackers experiment with agentic AI to do tasks autonomously. The AI is mainly used for decision-making currently. As IT worker campaigns depend on the exploitation of authentic access, experts have advised organizations to address these attacks as insider risks. 

Read more »
User Privacy
Copilot Bug Data Breach Microsoft Outlook Emails User Privacy

Microsoft Copilot Bug Exposes Confidential Outlook Emails

 
























A critical bug in Microsoft 365 Copilot, tracked as CW1226324, allowed the AI assistant to access and summarize confidential emails in Outlook's Sent Items and Drafts folders, bypassing sensitivity labels and Data Loss Prevention (DLP) policies. Microsoft first detected the issue on January 21, 2026, with exposure lasting from late January until early to mid-February 2026. This flaw affected enterprise users worldwide, including organizations like the UK's NHS, despite protections meant to block AI from processing sensitive data.

 The vulnerability stemmed from a code error that ignored confidentiality labels on user-authored emails stored in desktop Outlook.When users queried Copilot Chat, it retrieved and summarized content from these folders, potentially including business contracts, legal documents, police investigations, and health records. Importantly, the bug did not grant unauthorized access; summaries only appeared to users already permitted to view the mailbox. However, feeding such data into a large language model raised fears of unintended processing or training data incorporation.

Microsoft swiftly responded by deploying a global configuration update in early February 2026, restoring proper exclusion of protected content from Copilot. The company continues monitoring rollout and contacting affected customers for verification, though no full remediation timeline or user impact numbers have been disclosed.As of late February, the patch was in place for most enterprise accounts, tagged as a limited-scope advisory.

This incident underscores persistent AI privacy risks in enterprise tools, marking the second Copilot-related email exposure in eight months—the prior EchoLeak involved prompt injection attacks. It highlights how even brief bugs can erode trust in AI assistants handling confidential workflows. Security experts urge organizations to audit DLP configurations and monitor AI behaviors closely.

For Microsoft 365 users, especially in high-stakes sectors like healthcare and finance, the event emphasizes the need for robust sensitivity labeling and regular Copilot audits. While fixed, expanded DLP enforcement across storage locations won't complete until late April 2026. Businesses should prioritize data governance to mitigate future AI flaws, ensuring productivity doesn't compromise security.
Read more »
White-Collar Jobs
AI Microsoft Technology White-Collar Jobs

Microsoft AI Chief: 18 Months to Automate White-Collar Jobs

 

Mustafa Suleyman, CEO of Microsoft AI, has issued a stark warning about the future of white-collar work. In a recent Financial Times interview, he predicted that AI will achieve human-level performance on most professional tasks within 18 months, automating jobs involving computer-based work like accounting, legal analysis, marketing, and project management. This timeline echoes concerns from AI leaders, comparing the shift to the pre-pandemic moment in early 2020 but far more disruptive. Suleyman attributes this to exponential growth in computational power, enabling AI to outperform humans in coding and beyond.

Suleyman's forecast revives 2025 predictions from tech executives. Anthropic's Dario Amodei warned AI could eliminate half of entry-level white-collar jobs, while Ford's Jim Farley foresaw a 50% cut in U.S. white-collar roles. Elon Musk recently suggested artificial general intelligence—AI surpassing human intelligence—could arrive this year. These alarms contrast with CEO silence earlier, likened by The Atlantic to ignoring a shark fin in the water. The drumbeat of disruption is growing louder amid rapid AI advances.

Current AI impact on offices remains limited despite hype. A 2025 Thomson Reuters report shows lawyers and accountants using AI for tasks like document review, yielding only marginal productivity gains without mass displacement. Some studies even indicate setbacks: a METR analysis found AI slowed software developers by 20%. Economic benefits are mostly in Big Tech, with profit margins up over 20% in Q4 2025, while broader indices like the Bloomberg 500 show no change.

Early job losses signal brewing changes. Challenger, Gray & Christmas reported 55,000 AI-related cuts in 2025, including Microsoft's 15,000 layoffs as CEO Satya Nadella pushed to "reimagine" for the AI era. Markets reacted sharply last week with a "SaaSpocalypse" selloff in software stocks after Anthropic and OpenAI launched agentic AI systems mimicking SaaS functions. Investors doubt AI will boost non-tech earnings, per Wall Street consensus.

Suleyman envisions customizable AI transforming every organization. He predicts users will design models like podcasts or blogs, tailored for any job, driving his push for Microsoft "superintelligence" and independent foundation models. As the "most important technology of our time," Suleyman aims to reduce reliance on partners like OpenAI. This could redefine the American Dream, once fueled by MBAs and law degrees, urging urgent preparation for AI's white-collar reckoning.
Read more »
Technology
AI AI prompt injection attack Copilot GitHub GitHub repositories breach Microsoft Technology

GitHub Fixes AI Flaw That Could Have Exposed Private Repository Tokens

 



A now-patched security weakness in GitHub Codespaces revealed how artificial intelligence tools embedded in developer environments can be manipulated to expose sensitive credentials. The issue, discovered by cloud security firm Orca Security and named RoguePilot, involved GitHub Copilot, the AI coding assistant integrated into Codespaces. The flaw was responsibly disclosed and later fixed by Microsoft, which owns GitHub.

According to researchers, the attack could begin with a malicious GitHub issue. An attacker could insert concealed instructions within the issue description, specifically crafted to influence Copilot rather than a human reader. When a developer launched a Codespace directly from that issue, Copilot automatically processed the issue text as contextual input. This created an opportunity for hidden instructions to silently control the AI agent operating within the development environment.

Security experts classify this method as indirect or passive prompt injection. In such attacks, harmful instructions are embedded inside content that a large language model later interprets. Because the model treats that content as legitimate context, it may generate unintended responses or perform actions aligned with the attacker’s objective.

Researchers also described RoguePilot as a form of AI-mediated supply chain attack. Instead of exploiting external software libraries, the attacker leverages the AI system integrated into the workflow. GitHub allows Codespaces to be launched from repositories, commits, pull requests, templates, and issues. The exposure occurred specifically when a Codespace was opened from an issue, since Copilot automatically received the issue description as part of its prompt.

The manipulation could be hidden using HTML comment tags, which are invisible in rendered content but still readable by automated systems. Within those hidden segments, an attacker could instruct Copilot to extract the repository’s GITHUB_TOKEN, a credential that provides elevated permissions. In one demonstrated scenario, Copilot could be influenced to check out a specially prepared pull request containing a symbolic link to an internal file. Through techniques such as referencing a remote JSON schema, the AI assistant could read that internal file and transmit the privileged token to an external server.

The RoguePilot disclosure comes amid broader concerns about AI model alignment. Separate research from Microsoft examined a reinforcement learning method called Group Relative Policy Optimization, or GRPO. While typically used to fine-tune large language models after deployment, researchers found it could also weaken safety safeguards, a process they labeled GRP-Obliteration. Notably, training on even a single mildly problematic prompt was enough to make multiple language models more permissive across harmful categories they had never explicitly encountered.

Additional findings stress upon side-channel risks tied to speculative decoding, an optimization technique that allows models to generate multiple candidate tokens simultaneously to improve speed. Researchers found this process could potentially reveal conversation topics or identify user queries with significant accuracy.

Further concerns were raised by AI security firm HiddenLayer, which documented a technique called ShadowLogic. When applied to agent-based systems, the concept evolves into Agentic ShadowLogic. This approach involves embedding backdoors at the computational graph level of a model, enabling silent modification of tool calls. An attacker could intercept and reroute requests through infrastructure under their control, monitor internal endpoints, and log data flows without disrupting normal user experience.

Meanwhile, Neural Trust demonstrated an image-based jailbreak method known as Semantic Chaining. This attack exploits limited reasoning depth in image-generation models by guiding them through a sequence of individually harmless edits that gradually produce restricted or offensive content. Because each step appears safe in isolation, safety systems may fail to detect the evolving harmful intent.

Researchers have also introduced the term Promptware to describe a new category of malicious inputs designed to function like malware. Instead of exploiting traditional code vulnerabilities, promptware manipulates large language models during inference to carry out stages of a cyberattack lifecycle, including reconnaissance, privilege escalation, persistence, command-and-control communication, lateral movement, and data exfiltration.

Collectively, these findings demonstrate that AI systems embedded in development platforms are becoming a new attack surface. As organizations increasingly rely on intelligent automation, safeguarding the interaction between user input, AI interpretation, and system permissions is critical to preventing misuse within trusted workflows.

Read more »
Microsoft Outlook security
Customer Data Cyber Attacks Cyber Phishing Data Theft Hijacking Microsoft Microsoft Outlook Microsoft Outlook security

Malicious Outlook Add-In Hijack Steals 4,000 Microsoft Credentials

 

A breach transformed the AgreeTo plug-in for Microsoft Outlook - once meant for organizing meetings - into a weapon that harvested over four thousand login details. Though built by a third-party developer and offered through the official Office Add-in Store starting in late 2022, it turned against its intended purpose. Instead of simplifying calendars, it funneled user data to attackers. What began as a practical tool ended up exploited, quietly capturing credentials under false trust. 

Not every tool inside Office apps runs locally - some pull data straight from web addresses. For AgreeTo, its feature lived online through a link managed via Vercel. That address stopped receiving updates when the creator walked away, even though people kept using it. With no one fixing issues, the software faded into silence. Yet Microsoft still displayed it as available for download. Later, someone with harmful intent took control of the unused webpage. From there, they served malicious material under the app’s trusted name. A login screen mimicking Microsoft’s design appeared where the real one should have been, according to analysts at Koi Security. 

Instead of authentic access points, users faced a counterfeit form built to harvest credentials. Hidden scripts ran alongside, silently sending captured data elsewhere. After approval in Microsoft’s marketplace, the add-in escaped further checks. The company examines just the manifest when apps are submitted - nothing beyond that gets verified later. Interface components and features load externally, pulled from servers run by developers themselves. 

Since AgreeTo passed initial review, its updated files came straight from machines now under malicious control. Oversight ended once publication was complete. From inside the attacker’s data pipeline, Koi Security found over 4,000 Microsoft login details already taken. Alongside these, information such as credit card records and responses to bank verification questions had also been collected. While analyzing activity, experts noticed live attempts using the breached logins unfolding in real time. 

Opening the harmful AgreeTo add-on in Outlook displayed a counterfeit Microsoft login screen within the sidebar rather than the expected calendar tool. Resembling an authentic authentication portal, this imitation proved hard to recognize as fraudulent. Once victims submitted their details, those credentials got sent through a Telegram bot interface. Following that transfer, individuals saw the genuine Microsoft sign-in page appear - helping mask what had just occurred. Despite keeping ReadWriteItem access, which enables viewing and editing messages, there's no proof the tool tampered with any emails. 

Behind the campaign, investigators spotted a single actor running several phishing setups aimed at financial services, online connectivity firms, and email systems. Notable because it lives inside Microsoft’s official store, AgreeTo stands apart from past threats that spread via spam, phishing, or malvertising. This marks the first time a verified piece of malware has appeared on the Microsoft Marketplace, according to Oren Yomtov at Koi. He also notes it is the initial harmful Outlook extension spotted actively used outside test environments. 

A removal of AgreeTo from the store was carried out by Microsoft. Anyone keeping the add-in should uninstall it without delay, followed by a password change. Attempts to reach Microsoft for input have been made; no reply came so far.
Read more »
Technology
AI Apple Data Google Internet Microsoft Techno Technology

Experts Find Malicious Browser Extensions, Chrome, Safari, and Edge Affected


Threat actors exploit extensions

Cybersecurity experts found 17 extensions for Chrome, Edge, and Firefox browsers which track user's internet activity and install backdoors for access. The extensions were downloaded over 840,000 times. 

The campaign is not new. LayerX claimed that the campaign is part of GhostPoster, another campaign first found by Koi Security last year in December. Last year, researchers discovered 17 different extensions that were downloaded over 50,000 times and showed the same monitoring behaviour and deploying backdoors. 

Few extensions from the new batch were uploaded in 2020, exposing users to malware for years. The extensions appeared in places like the Edge store and later expanded to Firefox and Chrome. 

Few extensions stored malicious JavaScript code in the PNG logo. The code is a kind of instruction on downloading the main payload from a remote server. 

The main payload does multiple things. It can hijack affiliate links on famous e-commerce websites to steal money from content creators and influencers. “The malware watches for visits to major e-commerce platforms. When you click an affiliate link on Taobao or JD.com, the extension intercepts it. The original affiliate, whoever was supposed to earn a commission from your purchase, gets nothing. The malware operators get paid instead,” said Koi researchers. 

After that, it deploys Google Analytics tracking into every page that people open, and removes security headers from HTTP responses. 

In the end, it escapes CAPTCHA via three different ways, and deploy invisible iframes that do ad frauds, click frauds, and tracking. These iframes disappear after 15 seconds.

Besides this, all extensions were deleted from the repositories, but users shoul also remove them personally. 

This staged execution flow demonstrates a clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms,” said LayerX. 

The PNG steganography technique is employed by some. Some people download JavaScript directly and include it into each page you visit. Others employ bespoke ciphers to encode the C&C domains and use concealed eval() calls. The same assailant. identical servers. many methods of delivery. This appears to be testing several strategies to see which one gets the most installs, avoids detection the longest, and makes the most money.

This campaign reflects a deliberate shift toward patience and precision. By embedding malicious code in images, delaying execution, and rotating delivery techniques across identical infrastructure, the attackers test which methods evade detection longest. The strategy favors longevity and profit over speed, exposing how browser ecosystems remain vulnerable to quietly persistent threats.

Read more »
Technology
AI Scanner Business Security LLM Microsoft Technology

Microsoft Unveils Backdoor Scanner for Open-Weight AI Models

 

Microsoft has introduced a new lightweight scanner designed to detect hidden backdoors in open‑weight large language models (LLMs), aiming to boost trust in artificial intelligence systems. The tool, built by the company’s AI Security team, focuses on subtle behavioral patterns inside models to reliably flag tampering without generating many false outcomes. By targeting how specific trigger inputs change a model’s internal operations, Microsoft hopes to offer security teams a practical way to vet AI models before deployment.

The scanner is meant to address a growing problem in AI security: model poisoning and backdoored models that act as “sleeper agents.” In such attacks, threat actors manipulate model weights or training data so the model behaves normally in most scenarios, but switches to malicious or unexpected behavior when it encounters a carefully crafted trigger phrase or pattern. Because these triggers are narrowly defined, the backdoor often evades normal testing and quality checks, making detection difficult. Microsoft notes that both the model’s parameters and its surrounding code can be tampered with, but this tool focuses primarily on backdoors embedded directly into the model’s weights.

To detect these covert modifications, Microsoft’s scanner looks for three practical signals that indicate a poisoned model. First, when given a trigger prompt, compromised models tend to show a distinctive “double triangle” attention pattern, focusing heavily on the trigger itself and sharply reducing the randomness of their output. Second, backdoored LLMs often leak fragments of their own poisoning data, including trigger phrases, through memorization rather than generalization. Third, a single hidden backdoor may respond not just to one exact phrase, but to multiple “fuzzy” variations of that trigger, which the scanner can surface during analysis.

The detection workflow starts by extracting memorized content from the model, then analyzing that content to isolate suspicious substrings that could represent hidden triggers. Microsoft formalizes the three identified signals as loss functions, scores each candidate substring, and returns a ranked list of likely trigger phrases that might activate a backdoor. A key advantage is that the scanner does not require retraining the model or prior knowledge of the specific backdoor behavior, and it can operate across common GPT‑style architectures at scale. This makes it suitable for organizations evaluating open‑weight models obtained from third parties or public repositories.

However, the company stresses that the scanner is not a complete solution to all backdoor risks. It requires direct access to model files, so it cannot be used on proprietary, fully hosted models. It is also optimized for trigger‑based backdoors that produce deterministic outputs, meaning more subtle or probabilistic attacks may still evade detection. Microsoft positions the tool as an important step toward deployable backdoor detection and calls for broader collaboration across the AI security community to refine defenses. In parallel, the firm is expanding its Secure Development Lifecycle to address AI‑specific threats like prompt injection and data poisoning, acknowledging that modern AI systems introduce many new entry points for malicious inputs.
Read more »
phishing
Credential Theft Data Breach Data Theft Emails IP Address Microsoft Microsoft SharePoint phishing

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms

 


Cybercriminals have compromised Microsoft email accounts belonging to organizations in the energy sector and used those trusted inboxes to distribute large volumes of phishing emails. In at least one confirmed incident, more than 600 malicious messages were sent from a single hijacked account.

Microsoft security researchers explained that the attackers did not rely on technical exploits or system vulnerabilities. Instead, they gained access by using legitimate login credentials that were likely stolen earlier through unknown means. This allowed them to sign in as real users, making the activity harder to detect.

The attack began with emails that appeared routine and business-related. These messages included Microsoft SharePoint links and subject lines suggesting formal documents, such as proposals or confidentiality agreements. To view the files, recipients were asked to authenticate their accounts.

When users clicked the SharePoint link, they were redirected to a fraudulent website designed to look legitimate. The site prompted them to enter their Microsoft login details. By doing so, victims unknowingly handed over valid usernames and passwords to the attackers.

After collecting credentials, the attackers accessed the compromised email accounts from different IP addresses. They then created inbox rules that automatically deleted incoming emails and marked messages as read. This step helped conceal the intrusion and prevented account owners from noticing unusual activity.

Using these compromised inboxes, the attackers launched a second wave of phishing emails. These messages were sent not only to external contacts but also to colleagues and internal distribution lists. Recipients were selected based on recent email conversations found in the victim’s inbox, increasing the likelihood that the messages would appear trustworthy.

In this campaign, the attackers actively monitored inbox responses. They removed automated replies such as out-of-office messages and undeliverable notices. They also read replies from recipients and responded to questions about the legitimacy of the emails. All such exchanges were later deleted to erase evidence.

Any employee within an energy organization who interacted with the malicious links was also targeted for credential theft, allowing the attackers to expand their access further.

Microsoft confirmed that the activity began in January and described it as a short-duration, multi-stage phishing operation that was quickly disrupted. The company did not disclose how many organizations were affected, identify the attackers, or confirm whether the campaign is still active.

Security experts warn that simply resetting passwords may not be enough in these attacks. Because attackers can interfere with multi-factor authentication settings, they may maintain access even after credentials are changed. For example, attackers can register their own device to receive one-time authentication codes.

Despite these risks, multi-factor authentication remains a critical defense against account compromise. Microsoft also recommends using conditional access controls that assess login attempts based on factors such as location, device health, and user role. Suspicious sign-ins can then be blocked automatically.

Additional protection can be achieved by deploying anti-phishing solutions that scan emails and websites for malicious activity. These measures, combined with user awareness, are essential as attackers increasingly rely on stolen identities rather than software flaws.


Read more »
Microsoft
Bitlocker BitLocker encryption CPU CPU vulnerabilities Cyber Security Hardware Hardware Encryption Microsoft

Microsoft Introduces Hardware-Accelerated BitLocker to Boost Windows 11 Security and Performance

 

Microsoft is updating Windows 11 with hardware-accelerated BitLocker to improve both data security and system performance. The change enhances full-disk encryption by shifting cryptographic work from the CPU to dedicated hardware components within modern processors, helping systems run more efficiently while keeping data protected. 

BitLocker is Windows’ built-in encryption feature that prevents unauthorized access to stored data. During startup, it uses the Trusted Platform Module to manage encryption keys and unlock drives after verifying system integrity. While this method has been effective, Microsoft says faster storage technologies have made the performance impact of software-based encryption more noticeable, especially during demanding tasks. 

As storage speeds increase, BitLocker’s encryption overhead can slow down activities like gaming and video editing. To address this, Microsoft is offloading encryption tasks to specialized hardware within the processor that is designed for secure and high-speed cryptographic operations. This reduces reliance on the CPU and improves overall system responsiveness. 

With hardware acceleration enabled, large encryption workloads no longer heavily tax the CPU. Microsoft reports that testing showed about 70% fewer CPU cycles per input-output operation compared to software-based BitLocker, although actual gains depend on hardware configurations. 

On supported devices with NVMe drives and compatible processors, BitLocker will default to hardware-accelerated encryption using the XTS-AES-256 algorithm. This applies to automatic device encryption, manual activation, policy-based deployment, and script-driven setups, with some exceptions. 

The update also strengthens security by keeping encryption keys protected within hardware, reducing exposure to memory or CPU-based attacks. Combined with TPM protections, this moves BitLocker closer to eliminating key handling in general system memory.  

Hardware-accelerated BitLocker is available in Windows 11 version 24H2 with September updates installed and will also be included in version 25H2. Initial support is limited to Intel vPro systems with Intel Core Ultra Series 3 (Panther Lake) processors, with broader system-on-a-chip support planned. 

Users can confirm whether hardware acceleration is active by running the “manage-bde -status” command. Microsoft notes BitLocker will revert to software encryption if unsupported algorithms or key sizes are used, certain enterprise policies apply, or FIPS mode is enabled on hardware without certified cryptographic offloading.
Read more »
Subscribe to: Comments (Atom)