Description: GitHub repositories were compromised, leading to the exposure of install action tokens which fortunately had a limited 24-hour lifespan, thus reducing the risk of widespread exploitation. Endor Labs found that other sensitive credentials like those for Docker, npm, and AWS were also leaked, although many repositories adhered to security best practices by referencing commit SHA values rather than mutable tags, mitigating the potential damage. Despite the reduced impact, due to the potential for threat actors to leverage GitHub Actions, users are advised to implement stricter file and folder access controls to enhance security measures and prevent similar incidents in the future.

Description: The GitVenom campaign has aggressively targeted gamers and crypto investors, utilizing GitHub as a platform for hosting malicious projects. With a multitude of fake repositories that contained harmful code, the campaign has deceived users with seemingly legitimate automation tools and crypto bots. The impact of GitVenom included credential theft, unauthorized cryptocurrency transactions, and remote system control through backdoors. The damage extended to personal data compromise and financial losses for the affected users, while also tarnishing GitHub's reputation as a safe space for developers to share code.

Description: An unknown attacker is using stolen OAuth user tokens to download data from private repositories on Github. The attacker has already accessed and stolen data from dozens of victim organizations. Github immediately took action and started notifying all the impacted users and organizations about the security breach.

Description: A network named Stargazer Goblin manipulated GitHub to promote malware and phishing links, impacting the platform's integrity by boosting malicious repositories' popularity using ghost accounts. These activities aimed to deceive users seeking free software into downloading ransomware and info-stealer malware, compromising user data and potentially causing financial and reputational harm to both GitHub and its users. GitHub’s response was to disable accounts in violation of their policies and continue efforts to detect and remove harmful content.

Description: The **Banana Squad** threat group, active since April 2023, compromised over **60 GitHub repositories** by trojanizing them with **malicious Python-based hacking kits**. These repositories masqueraded as legitimate hacking tools but contained **hidden backdoor payloads**, designed to deceive developers and security researchers into downloading and executing them. The attack leveraged **supply-chain compromise tactics**, exploiting GitHub’s open-source ecosystem to distribute malware under the guise of trusted repositories. The campaign, uncovered by **ReversingLabs**, revealed that the fake repositories mimicked well-known tools, embedding **stealthy backdoor logic** that could grant attackers unauthorized access to systems, exfiltrate data, or deploy further payloads. While the **direct financial or operational damage to GitHub itself remains undisclosed**, the incident poses **severe reputational risks** to the platform, eroding trust among developers who rely on GitHub for secure code sharing. Additionally, **downstream victims**—developers or organizations that unknowingly integrated the trojanized tools—face potential **data breaches, system compromises, or lateral attacks** stemming from the malicious payloads. The attack underscores vulnerabilities in **open-source supply chains**, where threat actors exploit **typosquatting and repository spoofing** to distribute malware. Though no **large-scale data leaks or ransomware demands** were reported, the **deception-based nature of the attack** and its potential to enable **follow-on cyber intrusions** classify it as a **high-severity reputational and operational threat** to GitHub’s ecosystem.

Description: The **GhostAction attack** compromised **327 GitHub accounts**, leading to the theft of **3,325 secrets**, including **PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys**. The attack began with the hijacking of the **FastUUID project**, where the maintainer’s account was breached to inject a malicious **GitHub Actions workflow** named *‘Add Github Actions Security workflow’*—designed to exfiltrate sensitive credentials. GitGuardian detected the campaign, reported it to GitHub, and disrupted the operation by rendering the exfiltration server unresponsive. While **100 of 817 affected repositories** reverted malicious changes, **573 repositories** were alerted via issue notifications (others were deleted or had issues disabled). The attack exposed **API keys, access tokens, and deployment secrets**, risking downstream supply-chain compromises. A separate but unrelated **NPM-based *s1ngularity* attack** hit **2,000 accounts** concurrently, though no overlap was found between victims.

Description: The North Korean-linked Famous Chollima APT group exploited GitHub's infrastructure to distribute malicious NPM packages, targeting job seekers and organizations. By posing as legitimate recruiters, they tricked victims into downloading malware disguised as technical evaluation tools. The attack involved the InvisibleFerret backdoor, which established encrypted command-and-control communication, enabling data exfiltration and remote access. The campaign compromised software developers and IT professionals, leveraging their access to sensitive organizational resources. This breach highlights vulnerabilities in supply chain security and social engineering defenses within development communities.

Description: GitHub, a prominent code-hosting platform, experienced manipulation of its pages through the use of 'ghost' accounts, as uncovered by Check Point researchers. The cybercriminal known as 'Stargazer Goblin' managed a network of approximately 3,000 fake accounts to promote malware and phishing links by artificially boosting the popularity of malicious repositories. This deceptive action not only jeopardized the integrity of GitHub's community tools but also posed risks to users by distributing malware and info-stealers, like the Atlantida Stealer, under the guise of legitimate software offerings. The platform's extensive user base heightened the potential damage, leading to GitHub's intervention to disable accounts that breach its Acceptable Use Policies.

Description: GitHub was hit by a major DDoS attack that made the website unavailable to many users for several hours. The attackers injected malicious JavaScript code into the pages of those websites that were responsible for the hijacking of their visitors to Github. Github investigated the incident and removed several repositories to secure its servers.

Description: A sophisticated **typosquatting attack** targeted GitHub via a malicious npm package **‘@acitons/artifact’** (mimicking the legitimate **‘@actions/artifact’**), accumulating **206,000+ downloads** before removal. The attack exploited developers mistyping dependency names, deploying a **post-install hook** that executed obfuscated malware undetected by antivirus tools (0/60 on VirusTotal at discovery). The malware, compiled via **Shell Script Compiler (shc)**, checked for **GitHub-specific environment variables** (e.g., build tokens) and exfiltrated **authentication tokens** from GitHub Actions workflows. These tokens could enable attackers to **publish malicious artifacts under GitHub’s identity**, risking a **cascading supply chain compromise**. The campaign used **hardcoded expiry dates** (Nov 6–7, 2023) and **AES-encrypted exfiltration** via a GitHub App endpoint, evading detection. The attack directly threatened **GitHub’s CI/CD infrastructure**, with potential downstream risks to **repositories, developers, and enterprise customers** relying on GitHub Actions. While GitHub removed the malicious packages and users, the incident highlights critical vulnerabilities in **dependency trust models** and the escalating threat of **supply chain attacks** (OWASP Top 10 2025).

Description: The GitHub Desktop for Mac and Atom programs, GitHub confirmed that threat actors exfiltrated encrypted code signing certificates. Customer data was not affected, the company claimed, because it was not kept in the affected repositories. According to the business, there is no proof that the threat actor was able to use or decrypt these certificates. According to the business, neither GitHub.com nor any of its other services have been affected by the security compromise.

Description: GitHub, the top software development platform in the world, made some users reset their passwords after discovering an issue that resulted in credentials being recorded in plain text in internal logs. A routine corporate audit uncovered the problem, which involved some users sharing on Twitter the email correspondence that the organisation had received. The business promptly stated that user data was safe and that none of its systems had been compromised. The business further stated that the plaintext passwords were not publicly available and could only be seen by a limited number of its IT workers through internal log files.

Description: GitHub experienced a ransomware attack which include at least 392 GitHub repositories. Some users who fell victim to this hacker have admitted to using weak passwords for their GitHub, GitLab, and Bitbucket accounts. However, all evidence suggests that the hacker has scanned the entire internet for Git config files, extracted credentials, and then used these logins to access and ransom accounts at Git hosting services. It was found that Hundreds of developers have had Git source code repositories wiped and replaced with a ransom demand.

Description: A critical vulnerability in Git CLI enables arbitrary file writes on Linux and macOS systems, allowing attackers to achieve remote code execution through maliciously crafted repositories when users execute git clone –recursive commands. This vulnerability, assigned a CVSS severity score of 8.1/10, exploits a flaw in Git's handling of configuration values and carriage return characters. Public proof-of-concept exploits are available, and urgent remediation is required across development environments.

Description: GitHub’s **Copilot Chat**, an AI-powered coding assistant, was found vulnerable to a critical flaw named **CamoLeak** (CVSS 9.6), allowing attackers to exfiltrate secrets, private source code, and unpublished vulnerability details from repositories. The exploit leveraged GitHub’s invisible markdown comments in pull requests or issues—content hidden from human reviewers but parsed by Copilot Chat. By embedding malicious prompts, attackers tricked the AI into searching for sensitive data (e.g., API keys, tokens, zero-day descriptions) and encoding it as sequences of 1x1 pixel images via GitHub’s **Camo image-proxy service**. The attack bypassed GitHub’s **Content Security Policy (CSP)** by mapping characters to pre-generated Camo URLs, enabling covert data reconstruction through observed image fetch patterns. Proof-of-concept demonstrations extracted **AWS keys, security tokens, and private zero-day exploit notes**—material that could be weaponized for further attacks. GitHub mitigated the issue by disabling image rendering in Copilot Chat (August 14) and blocking Camo-based exfiltration, but the incident highlights risks of AI-assisted workflows expanding attack surfaces. Unauthorized access to proprietary code and vulnerability research poses severe threats to intellectual property and supply-chain security.

Description: A vulnerability within GitHub's CodeQL, a security analysis tool, was uncovered that had the potential to be exploited, potentially affecting a vast number of public and private repositories. Despite there being no evidence of actual misuse, the flaw could have allowed for the exfiltration of source code and secrets, jeopardizing the security of internal networks including GitHub's own systems. The vulnerability, which involved the exposure of a GitHub token, was quickly addressed by the GitHub team, showcasing their rapid and impressive response.

Description: Microsoft faced privacy concerns regarding their newly launched AI feature named Recall. Recall captures screenshots every five seconds to assist users in retrieving online activities such as recipes or documents. However, despite safety measures, it was discovered that Recall could capture sensitive information such as credit card numbers and Social Security numbers, even with the 'filter sensitive information' setting active. There were gaps identified when sensitive data was entered into a Notepad window or a loan application PDF within Microsoft Edge, which raised alarm within the privacy and security community, leading to significant scrutiny and potential loss of trust from users.

Description: Microsoft's Azure DevOps server was compromised in an attack by the Lapsus$ hacking group. The attackers leaked about a 9 GB zip archive containing the source code for Bing, Cortana, and other projects. Some of the compromised data contain emails and documentation that were clearly used internally by Microsoft engineers.

Description: Some of the sensitive information of Microsoft customers was exposed by a misconfigured Microsoft server accessible over the Internet in September 2022. The exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner. However, the leak was caused by the "unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem" but the SOCRadar claimed to link this sensitive information to more than 65,000 entities from 111 countries stored in files dated from 2017 to August 2022.

Description: A significant security breach has compromised Microsoft’s PlayReady Digital Rights Management (DRM) system, exposing critical certificates that protect premium streaming content across major platforms including Netflix, Amazon Prime Video, and Disney+. The leak involved the unauthorized disclosure of both SL2000 and SL3000 certificates, with SL3000 representing a particularly severe security concern. These certificates utilize advanced hardware-based security measures designed to protect the highest quality content, including 4K and Ultra High Definition releases. The compromise undermines the fundamental trust model upon which DRM systems operate, posing a critical threat to the entire digital entertainment ecosystem. TorrentFreak researchers noted that the leaked SL3000 certificates could facilitate large-scale content redistribution networks, significantly escalating piracy capabilities.

Description: Microsoft's AI-powered Copilot exposed to security vulnerabilities where a hacker could access sensitive information such as employee salaries by bypassing file reference protections. Attackers can also manipulate AI to provide their own bank details, glean insights from upcoming financial reports, and trick users into visiting phishing websites. The exploitation of post-compromise AI introduces new risks since it aids attackers in bypassing controls and extracting internal system prompts, leading to unauthorized data access and operations.

Description: A hack targeting Microsoft's SharePoint software was likely carried out by a single bad actor, according to researchers. This incident highlights the vulnerabilities in widely used enterprise software and the potential for significant disruption to businesses relying on such platforms. The attack did not compromise data, but it underscores the need for robust cybersecurity measures to protect against similar threats in the future.

Description: Microsoft mitigated a record-breaking **15.72 Tbps** distributed denial-of-service (DDoS) attack in late October 2023, the largest ever recorded against its Azure cloud platform. The multivector assault, peaking at **3.64 billion packets per second**, originated from the **Aisuru botnet**, exploiting compromised home routers and IoT cameras across **500,000+ source IPs** globally. While the attack targeted a single Australian endpoint, Azure’s DDoS Protection infrastructure successfully filtered and redirected traffic, preventing service disruption or data compromise. No customer workloads were affected, and operations continued uninterrupted.The attack was part of a broader surge in DDoS activity linked to Aisuru and related **TurboMirai botnets**, which had previously executed **20+ Tbps 'demonstration attacks'** primarily against internet gaming organizations. Microsoft attributed the escalation to rising residential internet speeds and the proliferation of connected devices, enabling attackers to scale attacks proportionally with global infrastructure growth. Though no data was breached or systems compromised, the incident underscored the evolving threat landscape of hyper-scale DDoS attacks leveraging vulnerable IoT ecosystems.

Description: Microsoft’s Azure network was targeted by the **Aisuru botnet**, a Turbo Mirai-class IoT botnet exploiting vulnerabilities in routers, IP cameras, and Realtek chips. The attack peaked at **15.72 Tbps** (terabits per second) with **3.64 billion packets per second**, originating from over **500,000 compromised IP addresses**—primarily residential devices in the U.S. and other regions. The DDoS assault leveraged **UDP floods** with minimal spoofing, targeting a public IP in Australia. While Azure mitigated the attack, the botnet’s scale and persistence posed significant risks to service availability, network integrity, and customer trust. The same botnet was linked to prior record-breaking attacks (e.g., **22.2 Tbps** against Cloudflare in September 2025), demonstrating its evolving threat capability. The incident also revealed Aisuru’s manipulation of Cloudflare’s DNS rankings by flooding its **1.1.1.1 service** with malicious queries, distorting domain popularity metrics. Though no data breach or financial loss was confirmed, the attack’s sheer volume threatened **operational disruption**, potential **reputation damage**, and **infrastructure strain**, underscoring the escalating sophistication of IoT-based cyber threats.

Description: Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing apps, and Azure's cloud computing infrastructure. The DDoS attacks that targeted the business's services were allegedly carried out by a group going by the name of Anonymous Sudan (also known as Storm-1359). In a report titled Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) assaults, the IT giant later acknowledged it had been the target of DDoS assaults. Still, he did not disclose further information regarding the outage. The business emphasized that they had not found proof of unauthorized access to or compromise of client data.

Description: Microsoft detected Chinese threat actors employing the Quad7 botnet, also known as CovertNetwork-1658 or xlogin, in sophisticated password-spray attacks aimed at stealing credentials. These attacks targeted SOHO devices and VPN appliances, exploiting vulnerabilities to gain unauthorized access to Microsoft 365 accounts. The botnet, which includes compromised TP-Link routers, relayed brute-force attacks and enabled further network exploitation. Affected sectors include government, law, defense, and NGOs in North America and Europe. The attackers, identified as Storm-0940, utilized low-volume password sprays to evade detection and maintained persistence within victims' networks for potential datapoints exfiltration.

Description: A large botnet, composed of over 130,000 devices and attributed to a Chinese-affiliated hacking group, has been targeting Microsoft 365 (M365) accounts through password spraying attacks. By exploiting the use of basic authentication, the botnet bypassed multi-factor authentication (MFA), leveraging stolen credentials. The breach has been ongoing since at least December 2024 and poses significant risks as it operates undetected by exploiting Non-Interactive Sign-In logs. Security teams usually overlook these logs, which conceal the high-volume password spraying attempts. These attacks have had widespread global impacts across numerous M365 tenants, leading to potential compromises in user account security and organizational data integrity.

Description: Microsoft Teams, a globally adopted collaboration platform, has become a prime target for cybercriminals and state-sponsored actors exploiting its messaging, calls, meetings, and screen-sharing features. Threat actors leverage open-source tools (e.g., **TeamFiltration, TeamsEnum, MSFT-Recon-RS**) to enumerate users, tenants, and misconfigurations, enabling reconnaissance and initial access. Social engineering tactics—such as **tech support scams (Storm-1811, Midnight Blizzard), deepfake impersonations, and malvertising (fake Teams installers)**—trick users into granting remote access, deploying ransomware (e.g., **3AM/BlackSuit, DarkGate**), or stealing credentials via **device code phishing (Storm-2372)** and **MFA bypass (Octo Tempest)**. Post-compromise, attackers escalate privileges by abusing **Teams admin roles**, exfiltrate data via **Graph API (GraphRunner) or OneDrive/SharePoint links**, and maintain persistence through **guest user additions, token theft, and malicious Teams apps**. State-sponsored groups like **Peach Sandstorm** and financially motivated actors (**Sangria Tempest, Storm-1674**) exploit cross-tenant trust relationships for lateral movement, while tools like **ConvoC2** and **BRc4** enable C2 over Teams channels. Extortion tactics include **taunting messages to victims (Octo Tempest)** and disrupting operations by targeting high-value data (e.g., **employee/customer PII, patents, or financial records**). The attacks undermine organizational trust, risk **regulatory penalties**, and enable **supply-chain compromises** via federated identities. Microsoft’s mitigations (e.g., **Entra ID Protection, Defender XDR alerts**) highlight the platform’s systemic vulnerabilities, with ransomware and data leaks posing existential threats to targeted entities.

Description: Microsoft experienced a widespread Azure outage impacting various services including Microsoft 365 products like Office and Outlook. This incident was confirmed by Microsoft as a cyberattack, specifically a distributed denial of service (DDoS), disrupting operations by overloading the infrastructure with excessive traffic. The attack lasted around eight hours and affected customers globally. Microsoft's swift identification and response to the attack minimized the direct impact on end-users, but the service interruption highlights the ever-present threat of cyberattacks and the importance of robust cybersecurity measures.

Description: Microsoft disrupted **RaccoonO365**, a phishing-as-a-service operation led by Joshua Ogundipe, which stole **at least 5,000 Microsoft 365 credentials** across **94 countries** since July 2024. The service, sold via Telegram (850+ members), offered subscriptions ($335–$999) to bypass MFA, harvest credentials, and maintain persistent access—enabling **financial fraud, ransomware, and larger cyberattacks**. The stolen data was resold to criminals, while Ogundipe profited **$100,000+ in crypto**. Targets included **2,300+ US organizations** (tax-themed phishing) and **20+ healthcare providers**, prompting Health-ISAC to join Microsoft’s lawsuit. Though 338 domains were seized and Cloudflare dismantled the infrastructure, Ogundipe (Nigeria-based) remains at large. The operation’s **AI-powered scaling (RaccoonO365 AI-MailCheck)** and capacity to process **9,000 email targets/day** amplified risks of **data breaches, extortion, and supply-chain attacks** leveraging compromised Microsoft accounts.

Description: Microsoft has warned that hackers are exploiting **Microsoft Teams** as a high-value attack vector, targeting everyday users beyond corporate networks. Cybercriminals and state-backed actors use Teams to conduct **reconnaissance** (probing for weak settings, public profiles, or external meeting links), **impersonation** (posing as IT admins, coworkers, or Microsoft reps via fake profiles), and **malware delivery** (sending phishing links or files disguised as security updates or account verifications). Once access is gained, attackers maintain **persistence** by altering permissions, adding guest accounts, or abusing admin tools to move laterally across Teams, OneDrive, and cloud-stored personal files. Advanced groups like **Octo Tempest** have weaponized Teams for **ransomware attacks**, sending demands directly via chat while taunting victims. The attacks compromise **personal and corporate data**, including passwords, financial details, and sensitive communications. The breach leverages Teams’ trusted interface to bypass traditional defenses, exploiting **zero-day vulnerabilities** and social engineering. Users—whether on work laptops or personal devices—face risks of **data theft, account lockouts, and systemic infiltration**, with potential cascading effects on organizational security. Microsoft’s alert underscores the platform’s shift from a collaboration tool to a **critical attack surface** for large-scale cyber operations.

Description: In 2026, a low-level breach in Microsoft’s cloud infrastructure—part of the global computing backbone—was exploited by threat actors, cascading into a large-scale disruption. The attack targeted a widely deployed firewall vulnerability, compromising SaaS platforms that power critical enterprise ecosystems. This led to a domino effect, exposing sensitive data across one-eighth of the world’s networks, including financial records, proprietary business intelligence, and government-linked communications. The breach triggered outages in cloud services relied upon by Fortune 500 companies, halting operations for banks, healthcare providers, and logistics firms. While no direct ransomware was deployed, the incident eroded public trust, prompted regulatory investigations, and forced Microsoft to implement emergency patches. The economic fallout included contractual penalties, lost revenue from service downtime, and a surge in cyber insurance premiums for affected partners. Analysts warned that the attack highlighted the risks of concentrated infrastructure dependency, with nation-state actors suspected of probing for future escalations.

Description: The database that drives m.careersatmicrosoft.com was handled by a mobile web development company that Microsoft relied on, and it was accessible without any authentication for a few weeks. All signs pointed to the database, which was a MongoDB instance, not being write-protected. Therefore, an attacker may have altered the database and, as a result, the HTML code of the job listing pages throughout the disclosed time period. Everything was secured once Chris Vickery informed Punchkick and Microsoft of the issue.

Description: Microsoft experienced massive data breach affecting anonymized data held on its customer support database. The data breach affected up to 250 million people as a result of the tech giant failing to implement proper protections. The information compromised included email addresses, IP addresses and support case details.

Description: A massive dump of Microsoft's proprietary internal builds for Windows 10 has been published online, along with the source codes for proprietary software. This is the largest leak affecting Windows products; the data in the dump were probably stolen from Microsoft computers in March. Microsoft's Shared Source Kit, which comprises the source code for the Microsoft PnP and base Windows 10 hardware drivers as well as storage drivers, USB and Wi-Fi stacks, and ARM-specific OneCore kernel code, has been released. Top-secret versions of Windows 10 and Windows Server 2016 that have never been made public are included in the dump.

Description: Cybersecurity researchers identified a malicious **Visual Studio Code (VS Code) extension** named *susvsex*, uploaded by a suspicious user (*suspublisher18*) on **November 5, 2025**. The extension, described as a 'test,' automatically executed ransomware-like functionality upon installation or VS Code launch. It **zipped, exfiltrated, and encrypted files** from predefined test directories (`C:\Users\Public\testing` or `/tmp/testing`), though the target path was non-critical. However, the attacker could easily update the directory via a **GitHub-based C2 channel**, where commands were fetched from a private repository (*aykhanmv*) and results logged in *requirements.txt*. The extension **accidentally exposed decryption tools, C2 server code, and GitHub access tokens**, risking C2 takeover by third parties. While Microsoft **removed the extension within 24 hours**, the incident highlights supply-chain risks in open-source ecosystems. The attacker’s use of **AI-generated ('vibe-coded') malware**—with sloppy comments and placeholder variables—suggests a low-effort but potentially scalable threat. Though the immediate impact was minimal due to the test directory, the **exfiltration + encryption capability** and **C2 infrastructure** pose severe risks if repurposed for critical systems.

Description: The VSCode Marketplace, operated by Microsoft, suffered a security lapse when two extensions embedding in-development ransomware bypassed the review process. These extensions, downloaded by a handful of users, aimed to encrypt files within a specific test folder and demanded a ransom in ShibaCoin. While the impact was minimal due to the ransomware's limited scope, it revealed significant gaps in Microsoft's review system. This incident sheds light on potential vulnerabilities within widely used developer platforms and highlights the importance of stringent security measures to prevent such breaches.

Description: The **Rhysida ransomware gang** exploited **malvertising** to impersonate **Microsoft Teams** in search engine ads (Bing), tricking users into downloading a fake installer laced with **OysterLoader malware** (also known as Broomstick/CleanUpLoader). The campaign, active since **June 2024**, used **typosquatting** and **code-signing certificates** (over 40 in the latest wave) to bypass antivirus detection, with some malware samples evading **VirusTotal** for days. Once executed, the loader deployed **Rhysida ransomware**, encrypting systems and exfiltrating data for extortion. Rhysida operates as a **RaaS (Ransomware-as-a-Service)**, with affiliates conducting attacks under the core group’s infrastructure. Since **2023**, they’ve leaked data from **~200 organizations** (27 in 2024 alone), targeting those refusing ransom payments. Microsoft revoked **200+ malicious certificates** tied to this campaign, but the gang’s **obfuscation techniques** (packing tools, delayed AV detection) ensured persistent infections. The attack chain—from **fake ads to ransomware deployment**—demonstrates a **highly coordinated, evolving threat** leveraging **trust in Microsoft’s brand** to compromise enterprises globally.

Description: A vulnerability known as BadSuccessor in Windows Server 2025’s delegated Managed Service Account (dMSA) feature has been weaponized by a proof-of-concept exploit tool called SharpSuccessor. This tool allows attackers with minimal Active Directory permissions to escalate privileges to the domain administrator level, raising serious security concerns for enterprise environments worldwide. The vulnerability leverages the dMSA migration mechanism and requires only CreateChild permissions over any Organizational Unit (OU) to function. Exploiting this vulnerability could lead to unauthorized access and potential data breaches within organizations.

Description: In June 2025, Microsoft addressed **CVE-2025-33073**, a critical **SMB (Server Message Block) vulnerability** affecting older versions of **Windows 10, Windows 11, and Windows Server**. The flaw, stemming from **improper access controls**, allows attackers to execute a **malicious script** that coerces a victim’s machine to authenticate with an attacker-controlled system via SMB, potentially granting **system-level privileges**.The vulnerability was added to **CISA’s Known Exploited Vulnerabilities (KEV) list** in October 2025, confirming active exploitation. While Microsoft released a patch in June, unpatched systems remain at risk. The bug’s **CVSS score of 8.8** underscores its severity, as successful exploitation could lead to **unauthorized access, lateral movement within networks, or full system compromise**.Mitigations include **applying the June 2025 Patch Tuesday update**, monitoring for **unusual outbound SMB traffic**, and **restricting SMB exposure to trusted networks**. Researchers from **Google’s Project Zero, CrowdStrike, and Vicarius** contributed to its discovery, with Vicarius providing a **detection script** to assess vulnerability status and SMB signing configuration.Failure to patch exposes organizations to **privilege escalation, data breaches, or network infiltration**, though no confirmed large-scale breaches have been reported yet. The risk is heightened for enterprises relying on **legacy Windows systems** or those with **unrestricted SMB protocols**.

Description: A critical race condition vulnerability (CVE-2025-55680) in Microsoft Windows Cloud Minifilter (cldflt.sys) allowed attackers to exploit a time-of-check time-of-use (TOCTOU) weakness during placeholder file creation in cloud synchronization services like OneDrive. By manipulating filenames in memory between validation and file creation, attackers could bypass security checks and write arbitrary files—including malicious DLLs—to restricted system directories (e.g., *C:\Windows\System32*). This enabled privilege escalation to **SYSTEM-level access**, permitting arbitrary code execution.The flaw stemmed from inadequate filename validation in the *HsmpOpCreatePlaceholders()* function, a regression linked to a prior patch (CVE-2020-17136). Exploitation required only basic user privileges, posing severe risks to multi-user environments. Microsoft addressed the issue in the **October 2025 security updates**, but unpatched systems remained vulnerable to attacks leveraging DLL side-loading techniques. Organizations using cloud sync services with configured sync root directories were at heightened risk, as these were prerequisites for successful exploitation. The vulnerability carried a **CVSS 3.1 score of 7.8 (High)** and threatened system integrity, confidentiality, and availability through unauthorized privilege escalation.

Description: Microsoft encountered a security challenge when EncryptHub, also known as SkorikARI, a threat actor emerged with skills in vulnerability research. The actor, credited by Microsoft for uncovering two Windows security issues, could potentially compromise users' safety and data. The vulnerabilities, identified as high-severity CVE-2025-24061 and medium-severity CVE-2025-24071, raised concerns over the Mark of the Web security feature and Windows File Explorer, respectively. EncryptHub's background in ransomware and vishing, combined with these recent activities, signifies a mixed threat profile. Although policies and user vigilance can mitigate risks, the presence of these vulnerabilities unveiled by EncryptHub poses a direct threat to Microsoft's systems and its vast user base.

Description: Cybersecurity researchers at **Check Point** uncovered four critical vulnerabilities in **Microsoft Teams** (tracked as **CVE-2024-38197**, CVSS 6.5) that enabled attackers to manipulate conversations, impersonate high-profile executives (e.g., C-suite), and forge sender identities in messages, calls, and notifications. The flaws allowed malicious actors—both external guests and insiders—to alter message content without the 'Edited' label, modify display names in chats/calls, and exploit notifications to deceive victims into clicking malicious links or disclosing sensitive data. While Microsoft patched some issues between **August 2024 and October 2025**, the vulnerabilities eroded trust in Teams as a collaboration tool, turning it into a vector for **social engineering, data leaks, and unauthorized access**. The attack chain leveraged Teams’ messaging, calls, and screen-sharing features, enabling threat actors (including cybercriminals and state-sponsored groups) to bypass traditional defenses by exploiting **human trust** rather than technical breaches. Though no confirmed data breaches were reported, the risks included **credential theft, financial fraud, and reputational damage**—particularly if employees or customers fell victim to impersonation scams. Microsoft acknowledged Teams’ high-value target status due to its global adoption, warning that such spoofing attacks could escalate into broader **phishing campaigns or lateral movement** within corporate networks.

Description: The Cybersecurity and Infrastructure Security Agency (CISA) identified **CVE-2025-59230**, a critical **privilege escalation vulnerability** in **Windows Remote Access Connection Manager**, being actively exploited in real-world attacks. This flaw allows threat actors with limited system access to **elevate privileges**, execute malicious code with administrative rights, **exfiltrate sensitive data**, and move laterally across networks. While no direct data breach or ransomware linkage has been confirmed, the vulnerability poses severe risks if chained with other exploits—potentially enabling **full system compromise**, unauthorized data access, or disruption of operations. CISA mandated federal agencies to patch within **three weeks**, emphasizing the urgency due to active exploitation. Organizations failing to remediate risk **unauthorized access to confidential information**, **operational disruptions**, or **follow-on attacks** like data theft or ransomware deployment. The flaw’s exploitation could lead to **financial fraud, reputational damage, or regulatory penalties** if sensitive data is exposed or systems are hijacked for malicious purposes.

Description: Microsoft disclosed **CVE-2025-59499**, a critical **SQL injection vulnerability** in **SQL Server** that enables authenticated attackers to escalate privileges remotely over a network. The flaw (CWE-89) arises from improper neutralization of SQL commands, risking unauthorized administrative access to enterprise databases. With a **CVSS 3.1 score of 7.7–8.8**, it poses a high-risk threat due to its **network-based attack vector**, low exploitation complexity, and lack of user interaction requirements. Successful exploitation could lead to **data manipulation, exfiltration, or deletion**, compromising confidentiality, integrity, and availability. Although Microsoft assesses exploitation as *‘Less Likely’* currently, the vulnerability’s **high-impact potential**—coupled with its appeal to insider threats or credential-compromised actors—demands urgent patching. Organizations handling **sensitive or critical data** in SQL Server environments are particularly exposed. The absence of public PoC exploits or confirmed wild attacks does not mitigate the risk, as sophisticated adversaries may weaponize it once technical details emerge. Microsoft advises **immediate patching**, access control reviews, and monitoring for suspicious privilege escalation attempts to prevent database takeovers.

Description: A newly developed offensive security tool, **Indirect-Shellcode-Executor**, exploits a previously overlooked vulnerability in the **Windows API**—specifically within the `ReadProcessMemory` function—to bypass modern **Endpoint Detection and Response (EDR)** and **Antivirus (AV)** systems. The tool manipulates the `[out]` pointer parameter (`*lpNumberOfBytesRead`), originally intended to report read data size, to instead **write malicious shellcode into process memory** without triggering traditional detection mechanisms that monitor functions like `WriteProcessMemory` or `memcpy`.The **Rust-based Proof of Concept (PoC)**, created by researcher **Mimorep**, enables **remote payload execution** (fetching shellcode from a C2 server disguised in files like PNGs), **terminal injection** (direct shellcode input via CLI), and **file-based execution** (extracting payloads from local documents). This technique creates a **blind spot** for security vendors, as it evades heuristic analysis by constructing payloads byte-by-byte under the guise of a legitimate API call.The vulnerability, initially discovered by **Jean-Pierre LESUEUR (DarkCoderSc)**, underscores a systemic risk: **legitimate Windows API functions can be weaponized** for stealthy attacks. Security teams are urged to **reassess API monitoring rules**, particularly for `ReadProcessMemory` calls targeting executable memory sections. The open-source release of the tool amplifies the threat, as adversaries may adopt it for **real-world exploits**, compromising defensive postures across enterprises relying on Windows systems.

Description: Microsoft faced a cyberattack where the CVE-2024-21412 vulnerability in the Defender SmartScreen was exploited to deliver information stealers such as ACR Stealer, Lumma, and Meduza, affecting users in Spain, Thailand, and the US. Attackers utilized crafted links to bypass security features and install malware that stole data and targeted specific regions. Despite Microsoft releasing a patch for the vulnerability, the attack compromised personal and potentially sensitive information. Organizational cybersecurity defenses were challenged by the innovative methods used by the attackers, underscoring the criticality of awareness and proactive security measures.

Description: Microsoft has released a critical security update for Edge Stable Channel on July 1, 2025, addressing a severe vulnerability (CVE-2025-6554) that cybercriminals have actively exploited. The vulnerability affects the underlying Chromium engine that powers Microsoft Edge, potentially allowing attackers to execute arbitrary code or gain unauthorized access to sensitive user data. This highlights the urgency of applying the security update immediately to protect against sophisticated attacks that could compromise personal information, corporate data, or system integrity.

Description: In May, Microsoft introduced Recall, an AI that takes screenshots every five seconds for user convenience. However, concerns were raised about privacy and security, leading to delayed launch and modifications. Despite these changes, Tom's Hardware testing revealed the 'filter sensitive information' feature failed to prevent gathering sensitive data. Specifically, Recall captured credit card numbers, social security numbers, and other personal data while filling out a Notepad window and a loan application PDF, compromising users' financial information and privacy.

Description: The number of companies and organizations compromised by a security vulnerability in Microsoft Corp.’s SharePoint servers is increasing rapidly, with the tally of victims soaring more than six-fold in a few days, according to one research firm. Hackers have breached about 400 government agencies, corporations, and other groups, with most victims in the US, followed by Mauritius, Jordan, South Africa, and the Netherlands. The hacks are among the latest major breaches that Microsoft has blamed, at least in part, on China.

Description: Zscaler ThwartLabz uncovered **CVE-2025-50165**, a critical **Remote Code Execution (RCE)** vulnerability in the **Windows Graphics Component** (CVSS 9.8), affecting **windowscodecs.dll**—a core library used by applications like **Microsoft Office**. The flaw allows attackers to embed malicious JPEG images in documents, triggering arbitrary code execution when opened, requiring **minimal user interaction**. Exploitation leverages **uninitialized memory pointer dereference** and **heap spraying with ROP**, bypassing **Control Flow Guard (CFG)** in 32-bit systems by default. While the 64-bit version demands additional bypass techniques, both architectures remain vulnerable.The vulnerability impacts **Windows 11 24H2 (x64/ARM64), Windows Server 2025, and Server Core installations**, exposing **millions of systems** to potential **full system compromise**, including **data theft, lateral movement, or ransomware deployment**. Microsoft released an emergency patch (build **10.0.26100.4946**), but unpatched systems face **immediate risk** of mass exploitation due to the **low attack complexity** and **widespread use of Office/Windows**. Organizations failing to patch within **48 hours** risk **large-scale breaches**, operational disruption, or **supply-chain attacks** via weaponized documents.

Description: Microsoft disclosed a critical **remote code execution (RCE) vulnerability (CVE-2025-59287, CVSS 9.8)** in its **Windows Server Update Service (WSUS)**, actively exploited in the wild since at least **October 24, 2025**. The flaw stems from **unsafe deserialization of untrusted data** in WSUS’s `GetCookie()` endpoint, where malicious `AuthorizationCookie` objects—decrypted via **AES-128-CBC** and deserialized using the deprecated **BinaryFormatter**—enable attackers to execute arbitrary code with **SYSTEM privileges** on vulnerable servers. Exploitation involves sending a crafted event to trigger deserialization, bypassing authentication.A **proof-of-concept (PoC) exploit** was publicly released, accelerating attacks. Observed payloads include a **.NET executable** that fetches commands from an HTTP header (`aaaa`) and executes them via `cmd.exe`, evading logs. The **Dutch NCSC** and **Eye Security** confirmed in-the-wild abuse, with attackers dropping Base64-encoded malware on an unnamed victim. Microsoft issued an **out-of-band patch** for affected Windows Server versions (2012–2025) and recommended **disabling WSUS** or **blocking ports 8530/8531** as mitigations. **CISA added the flaw to its KEV catalog**, mandating federal agencies to patch by **November 14, 2025**.The vulnerability poses severe risks: **unauthenticated remote takeover of WSUS servers**, potential **lateral movement within enterprise networks**, and **supply-chain attacks** via compromised update mechanisms. Organizations failing to patch risk **full system compromise**, **data breaches**, or **operational disruption** if WSUS is used for internal updates.

Description: A critical **token validation failure (CVE-2025-55241, CVSS 10.0)** in **Microsoft Entra ID (formerly Azure AD)** was discovered by researcher **Dirk-jan Mollema**, enabling attackers to **impersonate any user—including Global Administrators—across any tenant** without exploitation evidence. The flaw stemmed from **improper tenant validation in the deprecated Azure AD Graph API** and misuse of **S2S actor tokens**, allowing **cross-tenant access** while bypassing **MFA, Conditional Access, and logging**.An attacker exploiting this could **create admin accounts, exfiltrate sensitive data (user info, BitLocker keys, tenant settings, Azure subscriptions), and fully compromise services** like **SharePoint Online, Exchange Online, and Azure-hosted resources**. The **legacy API’s lack of logging** meant **no traces** of intrusion would remain. Microsoft patched it on **July 17, 2025**, but the **deprecated API’s retirement (August 31, 2025)** left lingering risks for un migrated apps.Security firms like **Mitiga** warned of **full tenant takeover risks**, emphasizing how **misconfigurations in cloud identity systems** (e.g., OAuth, Intune, APIM) could lead to **lateral movement, privilege escalation, and persistent access**—exposing **enterprise data, financial records, and operational control** to silent, high-impact breaches.

Description: The **CVE-2025-59287** vulnerability in **Windows Server Update Services (WSUS)** is under active exploitation by threat actors, including a newly identified group (**UNC6512**). The flaw, stemming from **insecure deserialization of untrusted data**, allows **unauthenticated remote code execution (RCE)** on vulnerable systems running WSUS (Windows Server 2012–2025). Despite Microsoft’s emergency patch, attackers continue exploiting it, with **~100,000 exploitation attempts detected in a week** and **~500,000 internet-facing WSUS servers at risk**. Attackers leverage exposed WSUS instances (ports **8530/HTTP, 8531/HTTPS**) to execute **PowerShell reconnaissance commands** (e.g., `whoami`, `net user /domain`, `ipconfig /all`) and **exfiltrate system data** via Webhook.site. While current attacks focus on **initial access and internal network mapping**, experts warn of **downstream risks**, including **malicious software distribution via WSUS updates** to enterprise systems. The flaw’s **low attack complexity** and **publicly available PoC** make it a prime target for opportunistic threat actors. Microsoft’s **failed initial patch** (October Patch Tuesday) and delayed acknowledgment of active exploitation exacerbate risks, leaving organizations vulnerable to **large-scale compromises**. The potential for **supply-chain attacks** via WSUS—used to push updates to thousands of endpoints—poses **catastrophic downstream effects**, though full-scale damage remains unquantified.

Description: A zero-day remote code execution vulnerability named 'Follina' in Microsoft Office discovered recently has the potential for code execution if a victim opens a malicious document in Word. The vulnerability abuses the ability of MSDT to load other assistants “wizards” in Windows, which in turn have the ability to execute arbitrary code from a remote location. It can also allow the attacker to view and edit files, install programs and create new user accounts to the limit of the compromised user’s access rights. The initial versions spotted in the wild required the target to open the malicious document in Word, but the recently discovered variant uses Rich Text Format (.RTF) works only if the user simply selects the file in Windows Explorer. Microsoft has yet not issued a patch but has suggested disabling the MSDT URL Protocol to cut off the attack sequence.

Description: A critical zero-day vulnerability in Microsoft SharePoint servers, dubbed 'ToolShell', has exposed over 17,000 servers to internet-based attacks. At least 840 servers are vulnerable to CVE-2025-53770, with 20 confirmed to have active webshells. Attributed to Chinese threat actors, the attacks have compromised over 400 organizations, including government agencies, healthcare, finance, and education sectors. The breach allows unauthenticated attackers to execute arbitrary code remotely, with Storm-2603 deploying Warlock ransomware on compromised systems. The attack's stealthy nature suggests a higher actual number of victims.

Description: Security researchers uncovered a **max-severity vulnerability** in **Microsoft Entra ID (formerly Azure Active Directory)** that enables attackers to **impersonate any user—including Global Administrators—across any tenant without triggering Multi-Factor Authentication (MFA), Conditional Access, or leaving audit logs**. The flaw, discovered by red-teamer **Dirk-jan Mollema**, exploits **‘Actor tokens’**, an internal Microsoft delegation mechanism, by abusing a **legacy API that fails to validate the originating tenant**. An attacker in a low-privilege environment could **request an Actor token** and use it to **assume the identity of a high-privileged user in a completely separate organization**. Once impersonating a **Global Admin**, the attacker could **create rogue accounts, escalate permissions, or exfiltrate sensitive corporate and customer data** without detection. The vulnerability poses a **critical risk of large-scale account takeover, unauthorized access to enterprise systems, and potential data breaches** across organizations relying on **Entra ID/Azure AD for identity management**. While no active exploitation has been confirmed, the flaw’s **stealthy nature**—bypassing logging and security controls—makes it a prime target for **advanced persistent threats (APTs), ransomware operators, or state-sponsored actors** seeking to compromise cloud environments. Microsoft has since addressed the issue, but organizations are urged to **review suspicious admin activities and enforce stricter token validation policies** to mitigate residual risks.

Description: In March 2021, Microsoft encountered a massive security breach that affected over 30,000 organizations in the U.S., ranging from businesses to government agencies. This attack was notably significant due to its broad impact and the exploitation of vulnerabilities within Microsoft's Exchange Server software. The attackers were able to gain access to email accounts, and also install additional malware to facilitate long-term access to victim environments. Given the scale and the method of attack—exploiting software vulnerabilities—the incident highlighted critical concerns regarding software security and the necessity for timely updates and patches. The breach not only compromised sensitive information but also eroded trust in Microsoft's security measures, pushing the company to swiftly address the vulnerabilities and enhance their security posture to prevent future incidents. The repercussions of the attack underscored the importance of robust cybersecurity defenses and the need for constant vigilance in a landscape where threats are continuously evolving.

Description: Microsoft's Windows Explorer is affected by RenderShock, a zero-click attack that exploits passive file preview and indexing behaviors. This vulnerability allows attackers to execute malicious payloads without user interaction, potentially leading to credential theft, remote access, and data leaks. The attack methodology leverages built-in system automation features, making it difficult to detect and mitigate. Security teams are advised to disable preview panes and block SMB traffic to prevent such attacks.

Description: Microsoft's Windows Key Distribution Center (KDC) Proxy service experienced a significant remote code execution vulnerability, tracked as CVE-2024-43639, which could have allowed unauthenticated attackers to execute arbitrary code on affected servers. The flaw, due to an integer overflow from missing length checks on Kerberos response handling, was patched in November 2024. Had it been exploited, attackers could have gained full control over compromised systems, underlining the critical importance of quick patch deployment in enterprise security.

Description: The Microsoft AI research division unintentionally published 38TB of critical information while posting a container of open-source training data on GitHub, according to cybersecurity company Wiz. Secrets, private keys, passwords, and more than 30,000 internal Microsoft Teams communications were discovered in a disk backup of the workstations of two workers that was made public by the disclosed data. Wiz emphasized that because Microsoft does not offer a centralized method to manage SAS tokens within the Azure interface, it is difficult to track them. Microsoft claimed that the data lead did not reveal customer data, that no customer data was leaked, and that this vulnerability did not put any internal services at risk.

Description: A critical vulnerability in Microsoft's Azure Automation service could have permitted unauthorized access to other Azure customer accounts. By exploiting the bug, the attacker could get full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer. Several companies including a telecommunications company, two car manufacturers, a banking conglomerate, and big four accounting firms, among others, the Israeli cloud infrastructure security company were targeted by exploiting this vulnerability. However, the issue was identified and was remediated in a patch pushed in December 2021.

Description: Microsoft mitigated a security flaw affecting Azure Synapse and Azure Data Factory that could lead to Any malicious actor could have weaponized the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes to gain access to sensitive information. However, no evidence of misuse or malicious activity associated with the vulnerability in the wild was reported yet.