Microsoft Threat Intelligence Podcast

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers Anna Seitz and Sarah Pfabe to dive into the activities of the Russian-aligned threat actor, Star Blizzard. Active since 2022, Star Blizzard recently shifted tactics by using WhatsApp for spear-phishing campaigns targeting government officials, NGOs, and academics. The team discusses how this change in approach may be a response to previous exposure of their tactics. They also explore the resilience of Star Blizzard, highlighting Microsoft's disruption of their operations, including the seizure of domains, and the ongoing threat posed by this actor despite legal actions. In this episode you’ll learn:      Why threat actors like Star Blizzard are highly resilient and quickly adapting What steps users take to avoid falling victim to mobile malware Challenges of monitoring WhatsApp activity and why this platform has become a target Some questions we ask:      What role do QR codes play in Star Blizzard’s phishing campaigns? Why do you think phishing continues to be the number one access vector? How resilient is Star Blizzard when facing disruptions like domain seizures or legal actions? Resources: View Sarah Pfabe on LinkedIn View Anna Seitz on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts:                   Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks     Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security InsiderThe Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. 

In this special episode marking 50 years of Microsoft, host Sherrod DeGrippo is joined by Charlie Bell, Stephanie Calabrese, John Lambert, and Scott Woodgate to take a deeper look at Microsoft’s incredible journey in cybersecurity. They share their experiences and reflections on how the company has grown over the last five decades, from the early days of proprietary systems to the transformative rise of cloud computing and AI. As they celebrate this milestone, the conversation dives into the evolution of security practices, the development of key initiatives like the Microsoft Threat Intelligence Center and the Secure Future Initiative, and the culture of collaboration that has always been at the heart of Microsoft’s approach to tackling cybersecurity challenges. In this episode you’ll learn:      How Microsoft evolved to lead the charge in cloud computing and AI Why Microsoft's security efforts have influenced the broader tech industry The evolution of Microsoft’s security, from XP Service Pack 2 to the Secure Future Initiative Some questions we ask:     How did the company’s culture and products impact you early on?  How have you seen Microsoft’s prioritization toward cybersecurity create change?  Resources: View Charlie Bell on LinkedIn View Stephanie Calabrese on LinkedIn View John Lambert on LinkedIn View Scott Woodgate on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts:                   Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks     Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security InsiderThe Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by ransomware experts Allan Liska from Recorded Future and Jonathan Braley, Director of Threat Intelligence for IT-ISAC, to get a pulse check on the current state of ransomware.  They discuss how ransomware has shifted from simple attacks, like Locky, to more sophisticated, high-stakes campaigns targeting entire networks and demanding millions of dollars. Allan and Jonathan also highlight the rise of ransomware-as-a-service, the emergence of big game hunting attacks, and the increasingly professionalized criminal ecosystem surrounding ransomware. The conversation further explores the psychological aspects of cybercrime, focusing on the mindset of ransomware operators—particularly in Eastern Europe and Russia—where the line between crime and business can often be blurred. In this episode you’ll learn:       Why attackers now target entire networks instead of just single machines  How cybercriminal groups turned ransomware into a profitable business model  The unique challenges healthcare employees face during ransomware attacks  Findings from IT-ISAC's recent ransomware reports   Some questions we ask:        How did the Colonial Pipeline attack lead to real-world actions?  Will paying the ransom restore the organization's data and operations?  What are the differences between ransomware from 10-12 years ago and ransomware today?   Resources:   View Allan Liska on LinkedIn   View Jonathan Braley on LinkedIn   View Sherrod DeGrippo on LinkedIn     IT-ISAC Ransomware report  Food and AG-ISAC Ransomware report  Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider   The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.  

Kajhon Soyini, a Senior Microsoft Security Researcher at Defender Experts, discusses the Luma Stealer cryptocurrency mining campaign. He uncovers the intricate attack chain involving DLLs and clipboard malware that impacted nearly one million devices globally. Kajhon explains how attackers leverage techniques like registry modifications and obfuscation to evade detection. They also touch on the overlap between Luma Stealer and other malware families and Microsoft's efforts to combat these evolving threats.

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by two Microsoft security researchers to analyze the latest Russian nation-sponsored cyber threat activity. They discuss how Russian threat actors—collectively referred to by Microsoft with the Blizzard suffix—are primarily targeting Ukraine and NATO member states, focusing on espionage, influence operations, and cyber disruption. The conversation covers Russia’s reliance on cybercrime infrastructure, the vulnerabilities of academic and IT supply chains, and the evolving tactics of groups like Secret Blizzard and Seashell Blizzard.   In this episode you’ll learn:       Why 90% of Russian cyber-attacks target Ukraine and NATO member states  How Russian threat actors exploit academic identities to infiltrate government networks  The role of cybercriminal marketplaces in supplying tools and access to nation-state actors   Some questions we ask:        How does Secret Blizzard leverage infrastructure from other threat groups?  Is there evidence of collaboration between different Russian cyber groups?  Why is identity security such a critical factor in cyber defense?    Resources:   Attending RSAC? Connect with Sherrod and Microsoft  View Sherrod DeGrippo on LinkedIn    Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider   The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.  

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by two expert guests to explore critical challenges in today’s evolving threat landscape. First, Sherrod sits down with Kelly Bissell, CVP of Fraud at Microsoft, to discuss the complexities of combating fraud and product abuse. Kelly digs into the unique challenges Microsoft faces, highlighting prevalent schemes such as crypto mining, tech support scams, and the exploitation of deepfakes. Kelly also shares insights into Microsoft’s proactive approach, including recent Azure policy changes and efforts to detect and prevent fraud across its services, especially those attempting to use the compute power for crypto mining. Later, Sherrod is joined by Priyanka Ramesha, Senior Threat Researcher on the Defender Experts team, to examine the rising risks of cloud-native attacks. They unpack why threat actors are increasingly targeting the cloud, exploiting its complexity, scalability, and common misconfigurations. Priyanka explains how attackers gain initial access through tactics like phishing, API exploitation, and OAuth abuse, and outlines their methods for credential theft, lateral movement, and data exfiltration. In this episode you’ll learn:       What crypto mining looks like in Azure and how Microsoft detects and prevents it  The five main areas of fraud and product abuse that Microsoft focuses on  How attackers exploit the complexity and misconfigurations in cloud infrastructures   Some questions we ask:        How long do crypto mining operations run unnoticed in a customer's environment?  What changes did Microsoft make to its policy regarding crypto mining?  Why are legitimate apps sometimes compromised and used in attacks?   Resources:  View Kelly Bissell on LinkedIn   View Priyanka Ramesha on LinkedIn  View Sherrod DeGrippo on LinkedIn   Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider  The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.  

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers Elise Eldridge and Anna Seitz to discuss the most recent notable developments across the threat landscape.  The threat actor, also known as Sandworm or APT44, has also been observed resuming the use of the wrappers WalnutWipe and SharpWipe, and expanded the use of the Prickly Pear malware downloader.The team highlights the geopolitical implications of these attacks, particularly in the context of Russia's influence on energy and global events. Sherrod also touches on the history of wipers in cyber operations and transitions to a discussion with Elise about trends in North Korean cyber activity, emphasizing Microsoft's ongoing efforts to analyze and mitigate these threats. In this episode you’ll learn:       Why recent attacks have targeted the European energy sector  How Seashell Blizzard’s attacks in 2024 involved spear-phishing campaigns  Why North Korean hackers infiltrate companies through remote IT job programs   Some questions we ask:        How has Seashell Blizzard returned to using wipers, and what might explain this shift?  After sending out crafted spear-phishing emails, what happens next in the attack chain?  How might global geopolitics impact Seashell Blizzard's campaigns?    Resources:  View Elise Eldridge LinkedIn  View Anna Seitz on LinkedIn  View Sherrod DeGrippo on LinkedIn   Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider   The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.  

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers Caitlin Hopkins, Diana Duvieilh, and Anna Seitz to discuss the latest trends in cybersecurity threats.  The team explores OSINT observations around Remote Monitoring and Management (RMM) tools like Screen Connect by nation-state actors and reveals how they are used to deploy malware like AsyncRAT, ransomware, and execute phishing scams. They also uncover alarming tactics, such as North Korean IT workers posing as legitimate coders to infiltrate organizations, who steal cryptocurrency and use it to fund their regime. Since 2017 they have contributed to the theft of more than $3 billion. In this episode you’ll learn:       The role of tech support scam websites in tricking victims into allowing remote access  How cybercriminal and nation-state actors are increasingly exploiting remote monitoring  Why the financial services sector is a major target for cyberattacks   Some questions we ask:        What is Screen Connect, and why is it attractive to threat actors?  How long have RMM tools been used in C2 frameworks?  Why are remote management tools being used in command-and-control systems?   Resources:  View Caitlin Hopkins on LinkedIn  View Diana Duvieilh on LinkedIn  View Anna Seitz on LinkedIn  View Sherrod DeGrippo on LinkedIn   Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider   The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by Christian Dameff and Jeff Tully, co-directors from the UCSD Center for Healthcare Cybersecurity, and contributors to our recent Healthcare Ransomware report.  They discuss their unique backgrounds as doctors and hackers, focusing on healthcare cybersecurity, and the growing risks of hospital ransomware attacks. Christian shares his journey from hacking as a teenager to combining his passion for medicine and cybersecurity, particularly the risks posed to patient safety by vulnerable medical devices. Jeff adds his perspective, highlighting the parallels between medicine and hacking, and their efforts at UCSD to bring evidence-based research to healthcare cybersecurity. The conversation explores the challenges and importance of protecting critical healthcare systems from cyber threats, aiming to improve patient safety and outcomes. In this episode you’ll learn:       How medical device vulnerabilities reveal the impact of cybersecurity on patient care  The lack of comprehensive data on healthcare ransomware attacks  When ransomware-induced disruptions can delay life-saving procedures   Some questions we ask:        As healthcare providers, what stands out to you about ransomware in healthcare?  What does the UCSD Center for Healthcare Cybersecurity do?  What ransomware attacks are common in healthcare, and how do they differ from other industries?   Resources:  View Jeff Tully on LinkedIn  View Christian Dameff on LinkedIn  View Sherrod DeGrippo on LinkedIn  Healthcare Ransomware Report  Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider   The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.  

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by Microsoft’s Dinesh Natarajan, Senior Threat Hunter, and Thomas Ball, Senior Security Researcher. They unpack recent findings around AsyncRAT, a remote access Trojan (RAT) used for keylogging, data exfiltration, and deploying further malware.   Dinesh explains how attackers are now using screen-sharing tools, like Screen Connect, as part of a new infection chain that makes the malware delivery process more deceptive. Thomas then shares insights on SectopRAT, another threat targeting browser data and crypto wallets. Uniquely, this RAT creates a second desktop, allowing attackers to operate undetected.   Next, Sherrod talks with Microsoft’s Senior Director of Diplomacy, Kaja Ciglic, about the UN’s proposed cybercrime treaty. Originally spearheaded by Russia, the treaty aims to create a global framework for prosecuting cybercrime, but critics worry about its potential impact on freedom of expression and human rights.  In this episode you’ll learn:       How tech support scam emails lead to AsyncRAT installations on different devices  The importance of leveraging tools like Microsoft Defender's SmartScreen for protection  The treaty encourages cooperation but may let governments exploit unclear cybercrime definitions   Some questions we ask:     How does social engineering through email play a role in these attacks?  What capabilities does AsyncRat have, and why is it so concerning?  How do we ensure the treaty doesn't impact freedom of expression or human rights?   Resources:  View Dinesh Natarajan on LinkedIn View Thomas Ball on LinkedIn View Kaja Ciglic on LinkedIn  View Sherrod DeGrippo on LinkedIn   Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts   Get the latest threat intelligence insights and guidance at Microsoft Security Insider   The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.