Microsoft Threat Intelligence

5.9K posts

Microsoft Threat Intelligence

@MsftSecIntel

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

Redmond, WA · Joined November 2010
1K Following · 190.1K Followers
Microsoft Threat Intelligence
Microsoft Defender has published analysis, detection insights, and mitigation recommendations for CVE-2026-31431 (also known as “Copy Fail”), a high-severity local privilege escalation vulnerability affecting multiple major Linux distributions: msft.it/6015vJcbT
Microsoft Threat Intelligence
Microsoft Defender detected and protected customers against a new software supply chain compromise affecting the "pytorch-lightning" package and immediately reported the issue to the repository maintainers for takedown: msft.it/6013vJisb. At the time the compromised packages were identified and distributed, Microsoft Defender had proactive detections that blocked the malicious files as Trojan:JS/ShaiWorm.DQ!MTB. For protected environments, Microsoft Defender for Endpoint raised the alert "ShaiWorm malware was prevented". Our assessment indicates that Microsoft continues to provide strong protection coverage and has prevented observed activity indicating attempts to install the modified packages. Microsoft Defender continues to monitor for potential follow-on activity, including suspicious use of potentially exposed cloud credentials across major cloud platforms. Observed activity remains limited to a small number of devices and appears contained to a narrow set of environments. We are also investigating container-based telemetry and registry-related signals that may indicate potential compromise in some scenarios. Microsoft continues to monitor and investigate the issue, with layered protections, broad prevention coverage, and ongoing hunting efforts in place. We will share updates as more information becomes available.
Microsoft Threat Intelligence
Evolving techniques, including device code phishing and underground offerings like EvilTokens, reflect continued innovation in credential theft even at lower volumes, signaling areas defenders should monitor closely. Get detections and guidance from this Microsoft Threat Intelligence blog post.
Microsoft Threat Intelligence
Threat actors increasingly favored link-based credential phishing over payload delivery, reflecting a shift toward hosted phishing infrastructure. At the same time, credential phishing remained the dominant objective, while BEC activity persisted through low effort, generic outreach tactics.
Microsoft Threat Intelligence
In the first quarter of 2026, Microsoft Threat Intelligence detected approximately 8.3 billion email-based phishing threats, with QR code phishing more than doubling within the period and CAPTCHA-gated campaigns evolving rapidly across delivery methods. msft.it/6012vy9q8
Microsoft Threat Intelligence
With the expansion of Microsoft Sentinel User and Entity Behavior Analytics (UEBA) into new data sources spanning multi-cloud, identity providers, and authentication logs, defenders can detect behavioral anomalies across hybrid environments from a single place. msft.it/6011vHEZW Microsoft Sentinel UEBA enriches raw AWS logs with simple binary behavioral insights (true/false) derived from baseline user, peer, and device behavior patterns such as first-time geography, uncommon ISP, unusual action, and abnormal operation volume. Read the latest blog from the Microsoft Defender Research Team to learn more about Microsoft Sentinel UEBA and binary feature stacking, which uses clear binary signals to help establish behavioral context and inform investigation and detection decisions.
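The post above describes binary feature stacking in general terms: each behavioral insight is a plain true/false derived from a user's own baseline (and peers), and the stack of booleans gives an investigator context rather than an opaque score. The block below is an added illustration written for this page; it is not Microsoft Sentinel UEBA code and does not reproduce its data model. The CloudTrail-like event tuples, the user names, the thresholds `UNCOMMON_ISP_SHARE` and `VOLUME_MULTIPLIER`, and the four windows are all constructed for the demo. It builds a per-user baseline, then evaluates the four insights named in the post (first-time geography, uncommon ISP, unusual action, abnormal operation volume) plus a peer-based variant of the action check, and stacks them into a count of insights that fired.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry in a simplified CloudTrail-like shape; not real AWS
# logs and not Sentinel's data model. Each tuple: (user, day, country, isp, api_action).
BASELINE = [
    ("alice", 1, "US", "Comcast", "ListBuckets"),
    ("alice", 1, "US", "Comcast", "GetObject"),
    ("alice", 2, "US", "Comcast", "GetObject"),
    ("alice", 2, "US", "Comcast", "ListBuckets"),
    ("alice", 3, "US", "Verizon", "GetObject"),
    ("alice", 3, "US", "Comcast", "GetObject"),
    ("alice", 4, "US", "Comcast", "PutObject"),
    ("bob",   1, "US", "Comcast", "GetObject"),
    ("bob",   2, "DE", "Telekom", "GetObject"),
    ("bob",   3, "US", "Comcast", "DescribeInstances"),
]

# Hypothetical thresholds chosen for this demo, not Sentinel's tuning.
UNCOMMON_ISP_SHARE = 0.10   # an ISP under 10% of a user's history counts as "uncommon"
VOLUME_MULTIPLIER = 3.0     # a day with > 3x the user's mean daily volume is "abnormal"


def build_baseline(events):
    """Profile each user (countries, ISP frequencies, actions, mean events per day)
    and collect the peer set of actions used by anyone in the baseline."""
    profile = defaultdict(lambda: {"countries": set(), "isps": Counter(),
                                   "actions": set(), "days": set(), "count": 0})
    peer_actions = set()
    for user, day, country, isp, action in events:
        p = profile[user]
        p["countries"].add(country)
        p["isps"][isp] += 1
        p["actions"].add(action)
        p["days"].add(day)
        p["count"] += 1
        peer_actions.add(action)
    for p in profile.values():
        p["daily_mean"] = p["count"] / len(p["days"])
    return dict(profile), peer_actions


def stack_features(profile, peer_actions, user, window):
    """Binary feature stacking: each insight is True/False against the user's own
    baseline (and the peer set for actions); the score is how many insights fired."""
    countries = {e[2] for e in window}
    isps = {e[3] for e in window}
    actions = {e[4] for e in window}
    p = profile.get(user)
    if p is None:
        # Identity with no history: everything is first-time except the peer check.
        insights = {
            "first_time_geography": bool(countries),
            "uncommon_isp": bool(isps),
            "unusual_action": bool(actions),
            "unusual_action_for_peers": any(a not in peer_actions for a in actions),
            "abnormal_operation_volume": len(window) > 0,
        }
    else:
        insights = {
            "first_time_geography": any(c not in p["countries"] for c in countries),
            "uncommon_isp": any(p["isps"][i] / p["count"] < UNCOMMON_ISP_SHARE for i in isps),
            "unusual_action": any(a not in p["actions"] for a in actions),
            "unusual_action_for_peers": any(a not in peer_actions for a in actions),
            "abnormal_operation_volume": len(window) > VOLUME_MULTIPLIER * p["daily_mean"],
        }
    return insights, sum(insights.values())


# Constructed windows (one day of activity each) to score against the baseline.
WINDOWS = {
    "alice_routine": [("alice", 5, "US", "Comcast", "GetObject"),
                      ("alice", 5, "US", "Comcast", "ListBuckets")],
    # An action alice never used, but a peer (bob) has: only the user-level check fires.
    "alice_peer_known_action": [("alice", 5, "US", "Comcast", "DescribeInstances")],
    # New country, never-seen ISP, an action nobody uses, and 8 events in one day.
    "alice_suspicious": [("alice", 5, "XX", "NewISP", "GetObject")] * 6
                        + [("alice", 5, "XX", "NewISP", "CreateAccessKey")] * 2,
    "bob_routine": [("bob", 4, "DE", "Telekom", "DescribeInstances")],
}


def score_windows(baseline=BASELINE, windows=WINDOWS):
    """Score every window against the baseline; returns {name: (insights, score)}."""
    profile, peers = build_baseline(baseline)
    return {name: stack_features(profile, peers, w[0][0], w) for name, w in windows.items()}


if __name__ == "__main__":
    for name, (insights, score) in score_windows().items():
        fired = [k for k, v in insights.items() if v]
        print(f"{name}: score={score} fired={fired}")
```

The point of keeping each insight boolean is that an analyst reading `alice_suspicious` sees exactly which baselines were violated (geography, ISP, action, peer action, volume) rather than a single number; the user-versus-peer split on the action check is what separates "new to this person" from "new to everyone", which is the kind of context the post describes feeding into investigation decisions.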
Microsoft Threat Intelligence reposted
Microsoft Threat Intelligence @MsftSecIntel
The cybercrime-as-a-service stack makes phishing kits, bulletproof hosting, and more available to even low-skill threat actors. Listen to learn how blockchain intelligence, industry collaboration, and disruptions counter attacks.
Microsoft Threat Intelligence @MsftSecIntel
Host Sherrod DeGrippo, Maurice Mason from Microsoft's Digital Crimes Unit, and Jackie Burns-Koven from Chainalysis discuss how the initial access broker market has industrialized, lowering the barrier to entry for attacks. Disrupting initial access is now a core strategy for defenders.
Microsoft Threat Intelligence @MsftSecIntel
The same underground ecosystem that fuels ransomware, cybercrime, and fraud is increasingly being leveraged by nation-state actors for espionage, profit, or both. The latest Microsoft Threat Intelligence Podcast explores this convergence: msft.it/6019vDdBR
Microsoft Threat Intelligence @MsftSecIntel
The latest blog from the Microsoft Defender Research Team shows how signals from HR SaaS platforms can be used with cross-domain visibility in Microsoft Defender XDR and Microsoft Defender for Cloud Apps to detect and hunt for suspicious activity from potential hires or newly onboarded employees.
Microsoft Threat Intelligence @MsftSecIntel
Like legitimate job applicants, threat actors like Jasper Sleet apply, get screened, and even onboarded through HR SaaS platforms. Since 2020, Microsoft has tracked a global operation in which skilled IT workers apply for remote job opportunities: msft.it/6010v8UHw
Microsoft Threat Intelligence @MsftSecIntel
Increasing reliance on online identity verification and remote access in hiring and onboarding processes raises the risk of targeting by threat actors who pose as remote IT workers to gain trusted access, generate revenue, and enable follow-on activity: msft.it/6019v8UHZ
Microsoft Threat Intelligence @MsftSecIntel
Attackers are using cross-tenant helpdesk impersonation to trick users into granting remote access. Read this Microsoft Defender Research blog to learn how these attacks work and how layered defenses and user awareness reduce risk: msft.it/6013v6SnH
Microsoft Threat Intelligence @MsftSecIntel
In identity-based intrusions, threat actors seek to compromise domain-level credentials on first access and abuse them almost immediately, highlighting the importance of disrupting and containing credential-based attacks as they happen. msft.it/6016v6DNs Proactive shielding in Microsoft Defender’s automatic attack disruption capability uses high-confidence signals of credential theft activity to proactively restrict accounts that might have been exposed, helping stop attacks before stolen credentials are fully operationalized. The latest blog from Microsoft Defender Research uses a case study to demonstrate how proactive shielding protects organizations in the real world.
Microsoft Threat Intelligence @MsftSecIntel
Microsoft shared details of this activity with Apple, and Apple has since implemented updates to help detect and block the malware and infrastructure associated with this campaign. Get Microsoft Defender detections, mitigation, and hunting guidance from this Microsoft Threat Intelligence blog post.
Microsoft Threat Intelligence @MsftSecIntel
This activity demonstrates how convincing user prompts and trusted system utilities can be misused to operate outside traditional macOS security protections, enabling credential theft, persistent backdoor access, and large-scale exfiltration of sensitive data, including cryptocurrency-related info.
Microsoft Threat Intelligence @MsftSecIntel
Microsoft identified a campaign by North Korean state actor Sapphire Sleet employing new combinations of macOS execution patterns and techniques, enabling the actor to compromise systems through social engineering rather than software exploitation. msft.it/6016QhX1g