Threat intelligence, cloud security research & product updates
The Azure cyber threat landscape has shifted from opportunistic incidents to highly coordinated campaigns. During the Microsoft fiscal year 2025 (July 1, 2024 – June 30, 2025), Microsoft actively tracked over 60 nation-state actors, 50 ransomware groups, and 368 access brokers operating globally within the same year. We reviewed and analyzed Microsoft’s findings, technical writings and recommendations, and here’s what we found.
We previously detailed how a pro-Iran hacktivist group compromised a single administrative account and weaponized legitimate Microsoft Intune features to remotely wipe over 200,000 devices across 79 countries. In this post we detail what admins can do to protect themselves and what loopholes they should be aware of.
The 2026 Stryker incident serves as a critical warning for organizations relying on cloud-based management planes.
On March 11, 2026, the medical technology giant Stryker fell victim to a massive, geopolitically motivated cyberattack that paralyzed its global operations. The attack was claimed by the Iran-linked group Handala. The incident stands as a landmark case of a corporation’s own administrative tools being turned into a weapon.
The device code phishing process occurs on legitimate Microsoft infrastructure. As a result, traditional security training that teaches users to check URLs for red flags often fails. Once the user enters the code and completes their MFA challenge, the attacker intercepts the resulting access and refresh tokens, giving them long-term access to the user's email, Teams, and other Azure services.
The device code flow was originally designed for "input-constrained devices", such as smart TVs, gaming consoles, or IoT printers, that lack a traditional keyboard or web browser. While it is a niche authentication method, threat actors have increasingly hijacked it to conduct high-powered
Microsoft Threat Intelligence has uncovered the inner workings of Tycoon2FA, a sophisticated Phishing-as-a-Service (PhaaS) platform that has targeted over 500,000 organizations monthly. Developed by the threat actor Storm-1747, this kit provides Adversary-in-the-Middle (AiTM) capabilities, allowing even low-skill attackers to bypass multifactor authentication (MFA) at scale.