Microsoft Defender for Endpoint Archives | Microsoft Security Blog

3 min read Original article ↗
  • 24 min read

    The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

    Microsoft Threat Intelligence presents a comprehensive analysis of The Gentlemen, a Go-based ransomware deployed by affiliates of Storm-2697 that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself across an entire network using series of simultaneous lateral movement techniques per target.

  • 9 min read

    Exposing Fox Tempest: A malware-signing service operation

    Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware.

  • 11 min read

    Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise

    Microsoft Incident Response investigated an attack operated through legitimate and trusted administrative mechanisms to blend seamlessly into routine operations and remain undetected demonstrating that intrusions have increasingly avoided using noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments.

  • 15 min read

    Email threat landscape: Q1 2026 trends and insights

    In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics.

  • 29 min read

    Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

    The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data.