All news with #microsoft tag

🔍 Matt Kiely of Huntress Labs urges Microsoft 365 administrators to audit OAuth applications across their tenants and provides a pragmatic starting tool, Cazadora. The research shows both abused legitimate apps (Traitorware) and bespoke malicious apps (Stealthware) can persist for years and that Azure’s default user-consent model enables these abuses. Operators should check Enterprise Applications and Application Registrations for suspicious names, anomalous reply URLs (notably a localhost loopback with port 7823), and other anomalous attributes, then take remediation steps.

🔒 A foreign threat actor exploited unpatched Microsoft SharePoint vulnerabilities to infiltrate the Kansas City National Security Campus (KCNSC), which produces most non‑nuclear components for U.S. nuclear weapons. Honeywell FM&T, which manages the site for the NNSA, and the Department of Energy did not respond to requests for comment. Federal responders, including the NSA, were onsite in early August after Microsoft issued fixes on July 19. Attribution remains disputed between Chinese-linked groups and possible Russian actors; there is no public evidence that classified information was taken.

✅ Microsoft removed two safeguard holds blocking Windows 11 24H2 installs. The April hold affecting systems using SenseShield's sprotect.sys driver—which could trigger BSODs—was lifted after a security.sys driver update; the feature update will be offered within 48 hours. The September 2024 hold for wallpaper customization apps that caused display and virtual-desktop issues was removed on October 15, 2025; affected devices may see a warning and must confirm before upgrading. Microsoft advises updating or uninstalling problematic apps or contacting their developers for support.

🔒 Microsoft patched a critical HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel ASP.NET Core web server, which Microsoft described as the highest-severity ASP.NET Core flaw ever. An authenticated attacker could smuggle an additional HTTP request to hijack other users' credentials, bypass front-end security controls, or impact integrity and availability. Microsoft released updates for Visual Studio 2022, ASP.NET Core 2.3, 8.0 and 9.0 and advised developers to apply updates, recompile where required, and restart or redeploy affected applications.

🔧 Microsoft has fixed a known issue that broke HTTP/2 connections to localhost (127.0.0.1) and caused IIS sites to fail after recent Windows security updates. Affected systems included Windows 11 and Windows Server 2025, producing errors like “ERR_CONNECTION_RESET” and “ERR_HTTP2_PROTOCOL_ERROR”. Microsoft recommends checking Windows Update and restarting; it also enabled a Known Issue Rollback (KIR) for most home and non-managed devices, while enterprise admins can deploy a KIR group policy until a permanent update ships.

⚠️Microsoft patched a critical ASP.NET Core vulnerability in the built‑in Kestrel web server and assigned it a CVSS score of 9.9, the highest rating the vendor has ever issued. Tracked as CVE-2025-55315, the flaw enables authenticated attackers to use HTTP request smuggling to bypass security checks and could allow actions such as logging in as another user, bypassing CSRF protections, or performing injection attacks. Microsoft advises updating affected runtimes or rebuilding and redeploying self‑contained apps, while noting that reverse proxies or gateways may already mitigate exposure.

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

⚠️ Microsoft’s October Windows 11 updates (notably KB5066835 and the September preview KB5065789) have disrupted HTTP/2 connections to localhost (127.0.0.1), preventing local services and developer tools from completing requests. Users report errors such as "ERR_CONNECTION_RESET" and "ERR_HTTP2_PROTOCOL_ERROR" when applications attempt to connect to the loopback interface. Affected software includes Visual Studio debugging, SSMS Entra ID authentication, and Duo Desktop; community workarounds include disabling HTTP/2 via Registry entries or uninstalling the problematic updates.

🔒 Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant for Security Information and Event Management (SIEM). The announcement highlights Microsoft Sentinel as a cloud- and AI-powered SIEM that centralizes security data via a purpose-built data lake and supports agentic AI through the Model Context Protocol (MCP) server. The platform emphasizes cost optimization, SOC automation, and integrated SOAR, UEBA, and threat intelligence to accelerate detection and response.

🔒 Microsoft disrupted a campaign by the financially motivated group Vanilla Tempest (also tracked as VICE SPIDER/Vice Society) after revoking over 200 code signing certificates used to sign malicious Microsoft Teams installers. The attackers used malvertising and SEO-poisoned domains mimicking Teams to distribute fake MSTeamsSetup.exe files that deployed the Oyster backdoor. The intervention curtailed a wave of Rhysida ransomware launches.

⚠️ Microsoft has reminded customers that Office 2016 and Office 2019 reached the end of extended support on October 14, 2025. These releases will continue to operate but will no longer receive security updates, bug fixes, or technical support, increasing exposure to threats and compliance issues. Microsoft recommends migrating to Microsoft 365 Apps or newer perpetual releases such as Office 2024 or Office LTSC 2024, and notes that Visio, Project, and Skype for Business 2016/2019 are also out of support.

🔒 Microsoft's 2025 Digital Defense Report finds that most attacks aim to steal data for profit, with extortion and ransomware responsible for over 52% of incidents while espionage accounts for only about 4%. Covering July 2024–June 2025, the report highlights rising use of AI, automation, and off‑the‑shelf tools that enable scalable phishing, malware, and identity theft. Microsoft urges adoption of phishing‑resistant MFA, AI‑driven defenses, and strengthened cross‑sector collaboration to protect critical public services and build resilience.

🛡️ The Microsoft Digital Defense Report 2025 reveals Microsoft systems analyze more than 100 trillion security signals every day and warns that AI now underpins both defense and attack. The report describes adversaries using generative AI to automate phishing, scale social engineering and discover vulnerabilities faster, while autonomous malware adapts tactics in real time. Identity compromise is the leading vector—phishing and social engineering caused 28% of breaches—and although MFA blocks over 99% of unauthorized access attempts, adoption remains uneven. Microsoft urges board-level attention, phishing-resistant MFA, cloud workload mapping and monitoring, intelligence sharing and immediate AI and quantum risk planning.

⚙️ Microsoft is introducing Copilot Actions, a Windows 11 Copilot feature that allows AI agents to operate on local files and applications by clicking, typing, scrolling and using vision and advanced reasoning to complete multi-step tasks. The capability will roll out to Windows Insiders in Copilot Labs, extending earlier web-based actions introduced in May. Agents run in isolated Agent Workspaces tied to standard Windows accounts, are cryptographically signed, and the feature is off by default.

🤖 Microsoft has added the "Hey Copilot" wake word to Windows 11, letting users initiate conversations with the AI-powered Copilot assistant hands-free. The feature is opt-in and must be enabled in the Copilot app's Settings under Voice mode; when active a chime sounds and a microphone icon appears above the taskbar. Wake word detection uses an on-device 10-second audio buffer stored locally and never recorded, while request processing requires internet access. Copilot Vision can analyze screen content for troubleshooting and guidance, and optional connectors let Copilot generate Office documents and access third-party accounts.

🔍 Cyber criminals continue to favor familiar brands, with Microsoft used in 40% of all brand impersonation attempts in Q3 2025, according to Check Point Research’s Brand Phishing Report. Google represented 9% and Apple 6%, and together these tech giants comprised more than half of brand-related phishing activity. The findings highlight persistent targeting of the technology sector and underscore the need for stronger defenses and user awareness.

🔐 Microsoft Deputy CISO Raji Dani outlines the importance of hardening customer support tools and identities to reduce the risk of lateral movement and data exposure. The post recommends dedicated, isolated support identities protected by Privileged Role MFA and strict device controls. It advocates case-based RBAC with just-in-time and just-enough access, minimizing service-to-service trust, and deploying robust telemetry to speed detection and response. These layered controls apply to in-house teams and third-party providers.

⚠️ Microsoft confirmed that the September 2025 security updates are causing Active Directory synchronization problems on Windows Server 2025, affecting applications that use the DirSync control such as Microsoft Entra Connect Sync. The issue can result in incomplete synchronization of large AD security groups exceeding 10,000 members. Microsoft recommends a registry workaround (DWORD 2362988687 = 0) while engineers work on a fix, and warns about risks of editing the registry.

🔒 Microsoft’s October Patch Tuesday delivers updates for 172 vulnerabilities, including six classed as zero-days. Three of those zero-days are being actively exploited, affecting the Windows Remote Access Connection Manager (CVE-2025-59230), an Agere modem kernel driver, and a secure-boot bypass in IGEL OS (CVE-2025-47827). Microsoft has removed the legacy Agere driver rather than patch it, citing risks in modifying unsupported code. This release also marks the final free Patch Tuesday for Windows 10; continued updates will require the Extended Security Updates (ESU) program.

🔒 Microsoft released updates addressing 183 vulnerabilities across its products, including three flaws now known to be exploited in the wild. Two Windows zero-days — CVE-2025-24990 (Agere modem driver, ltmdm64.sys) and CVE-2025-59230 (RasMan) — can grant local elevation of privilege; Microsoft plans to remove the legacy Agere driver rather than patch it. A third exploited issue bypasses Secure Boot in IGEL OS (CVE-2025-47827). With Windows 10 support ending unless enrolled in ESU, organizations should prioritize these fixes; CISA has added the three to its KEV catalog and set a federal remediation deadline.