Today, most organizations use multiple identity systems and multiple network access solutions from multiple vendors. This happens, either intentionally or organically, when different areas of a company choose different tools, creating a fragmented environment that leaves weaknesses that cyberattackers are quick to weaponize.
Simply adding more tools isn’t enough. No matter how many you have, when identity systems and network security systems don’t work together, visibility drops, gaps form, and risks skyrocket. A unified, adaptive approach to access security, in contrast, can better ensure that only the right users are accessing your data and resources from the right places.
When identity and network access work in concert, sharing signals and amplifying each other’s strengths through a unified policy engine, they create a dynamic safety net—an Access Fabric—that continuously evaluates trust at the authentication and network levels throughout every session and enforces risk-based access decisions in real-time, not just at first sign-in.
AI is amplifying the risk of defensive seams and gaps
Access isn’t a single wall between your organizational resources and cyberthreats. It’s a lattice of decisions about people, devices, applications, agents, and networks. With multiple tools, management becomes patchwork: identity controls in this console, network controls over there, endpoint rules somewhere else, and software as a service (SaaS) configurations scattered across dozens of admin planes. Although each solution strives to do the right thing, the overall experience is disjointed, the signals are incomplete, and the policies are rarely consistent.
In the age of AI, this fragmentation is dangerous. In fact, 79% of organizations that use six or more identity and network solutions reported an increase in significant breaches.1 Threat actors are using AI to get better at finding and exploiting weaknesses in defenses. For example, our data shows that threat actors are using AI to make phishing campaigns four and a half times more effective and to automate intrusion vectors at scale.2
The best strategy moving forward is to remove seams and close gaps that cyberattackers target. This is what an Access Fabric does. It isn’t a product or platform but a unified approach to access security across AI and SaaS apps, internet traffic, and private resources to protect every identity, access point, session, and resource with the same adaptive controls.
An Access Fabric solution continuously decides who can access what, from where, and under what conditions—in real time. It reduces complexity and closes the gaps that cyberattackers look for, because the same adaptive controls protect human users, devices, and even AI agents as they move between locations and networks.
Why a unified approach to access security is better than a fragmented one
Let’s use an everyday example to illustrate the difference between an access security approach that uses fragmented tools versus one that uses an Access Fabric solution.
It’s a typical day at the office. After signing into your laptop and opening your confidential sales report, it hits you: You need coffee. There’s a great little cafe just in your building, so you pop downstairs with your laptop and connect to its public wireless network.
Unfortunately, disconnected identity and security systems won’t catch that you just switched from a secure network to a public one. This means that the token issued while you were connected to your secure network will stay valid until it expires. In other words, until the token times out, you can still connect to sensitive resources, like your sales report. What’s more, anything you access is now exposed over the cafe’s public wireless network to anyone nearby—even to AI-empowered cyberattackers stalking the public network, just waiting to pounce.
The system that issued your token worked exactly as designed. It simply had no mechanism to receive a signal from your laptop that you had switched to an insecure network mid-session.
Now let’s revise this scenario. This time you, your device, your applications, and your data are wrapped in the protection of an Access Fabric solution that connects identity, device, and network signals. You still need coffee and you still go down to the cafe. This time, however, your laptop sends a signal the moment you connect to the cafe’s public wireless network, triggering a policy that immediately revokes access to your confidential sales report.
The Access Fabric solution doesn’t simply trust a “one-and-done” sign-in but applies the Zero Trust principles of “never trust, always verify” and “assume breach” to keep checking: Is this still really you? Is your device still healthy? Is this network trustworthy? How sensitive is the app or data you’re trying to access?
Anything that looks off, like a change in network conditions, triggers a policy that automatically tightens or even pauses your access to sensitive resources. You don’t have to think about it. The safety net is always there, weaving identity and network signals together, updating risk scores, and continuously re-evaluating access to keep your data safe, wherever you are.
By weaving protection into every connection and every node at the authentication and network levels—an approach that integrates identity, networking, device, application, and data access solutions—and continuously responding to risk signals in real time, an Access Fabric solution transforms access security from disconnected tools into a living system of trust that adapts as threats, user scenarios, and digital environments evolve.
What makes an Access Fabric solution effective
For an Access Fabric solution to secure access in hybrid work environments effectively, it must be contextual, connected, and continuous.
Contextual: Instead of granting a human user, device, or autonomous agent access based on a password or one-time authentication token, a rich set of signals across identity, device posture, network telemetry, and business context inform every access decision. If context changes, the policy engine re-evaluates conditions and reassesses risk in real-time.
Connected: Instead of operating independently, identity and network controls share signals and apply consistent policies across applications, endpoints, and network edges. When identity and network telemetry reinforce one another, access decisions become comprehensive and dynamic instead of disjointed and episodic. This unified approach simplifies governance for security teams, who can set policies in one place.
Continuous: Verification at the authentication and network levels is ongoing throughout every session—not just at sign-in—as users, devices, and agents interact with resources. The policy engine at the heart of the solution is always learning and adapting. If risk levels change in response to a shift in device health, network activity, or suspicious behavior, the system responds instantly to mitigate cyberthreats before they escalate.
With an Access Fabric solution, life gets more secure for everyone. Identity and network access teams can configure comprehensive policies, review granular logs, and take coordinated action in one place. They can deliver better security while employees get a more consistent and intuitive experience, which improves security even more. Organizations can experiment with AI more safely because their Access Fabric solution will ensure that machine identities and AI agents play by the same smart rules as people.
By moving beyond static identity checks to real-time, context-aware access decisions, an Access Fabric solution delivers stronger access security and a smoother user experience wherever and however work happens.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request.
Exploitation activity related to this vulnerability was detected as early as December 5, 2025. Most successful exploits originated from red team assessments; however, we also observed real-world exploitation attempts by threat actors delivering multiple subsequent payloads, majority of which are coin miners. Both Windows and Linux environments have been observed to be impacted.
The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses this payload, executes server-side logic, and returns a serialized component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads. This could allow attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution.
This vulnerability presents a significant risk because of the following factors:
Default configurations are vulnerable, requiring no special setup or developer error.
Public proof-of-concept exploits are readily available with near-100% reliability.
Exploitation can happen without any user authentication since this is a pre-authentication vulnerability.
The vulnerability could be exploited using a single malicious HTTP request.
In this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, as well as mitigation recommendations and hunting guidance are covered in the next sections. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.
Analyzing CVE-2025-55182 exploitation activity
React is widely adopted in enterprise environments. In Microsoft Defender telemetry, we see tens of thousands of distinct devices across several thousand organizations running some React or React-based applications. Some of the vulnerable applications are deployed inside containers, and the impact on the underlying host is dependent on the security configurations of the container.
We identified several hundred machines across a diverse set of organizations compromised using common tactics, techniques, and procedures (TTPs) observed with web application RCE. To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request. This input is then processed as a serialized object and passed to the backend server, where it is deserialized. Due to the default trust among the components, the attacker-provided input is then deserialized and the backend runs attacker-provided code under the NodeJS runtime.
Figure 1: Attack diagram depicting activity leading to action on objectives
Post-exploitation, attackers were observed to run arbitrary commands, such as reverse shells to known Cobalt Strike servers. To achieve persistence, attackers added new malicious users, utilized remote monitoring and management (RMM) tools such as MeshAgent, modified authorized_keys file, and enabled root login. To evade security defenses, the attackers downloaded from attacker-controlled CloudFlare Tunnel endpoints (for example, *.trycloudflare.com) and used bind mounts to hide malicious processes and artifacts from system monitoring tools.
The malware payloads seen in campaigns investigated by Microsoft Defender vary from remote access trojans (RATs) like VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader that enabled attackers to deploy more payloads to target environments, ShadowPAD, and XMRig cryptominers. The attacks proceeded by enumerating system details and environment variables to enable lateral movement and credential theft.
Credentials that were observed to be targeted included Azure Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud to acquire identity tokens, which could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets. Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials were also observed. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.
Figure 2: Example of reverse shell observed in one of the campaigns
Mitigation and protection guidance
Microsoft recommends customers to act on these mitigation recommendations:
Manual identification guidance
Until full in-product coverage is available, you can manually assess exposure on servers or containers:
Navigate to your project directory and open the node_modules folder.
Review installed packages and look for:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
next
Validate versions against the known affected range:
If any of these packages match the affected versions, remediation is required. Prioritize internet-facing assets first, especially those identified by Defender as externally exposed.
Mitigation best practices
Patch immediately
React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line):
Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies.
Prioritize exposed services
Patch all affected systems, starting with internet-facing workloads.
Use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and to track remediation progress across your estate.
Monitor for exploit activity
Review MDVM dashboards and Defender alerts for indicators of attempted exploitation.
Correlate endpoint, container, and cloud signals for higher confidence triage.
Invoke incident response process to address any related suspicious activity stemming from this vulnerability.
Add WAF protections where appropriate
Apply Azure Web Application Firewall (WAF) custom rules for Application Gateway and Application Gateway for Containers to help block exploit patterns while patching is in progress. Microsoft has published rule guidance and JSON examples in the Azure Network Security Blog, with ongoing updates as new attack permutations are identified.
Recommended customer action checklist
Identify affected React Server Components packages in your applications and images.
Upgrade to patched versions. Refer to the React page for patching guidance.
Prioritize internet-facing services for emergency change windows.
Enable and monitor Defender alerts tied to React Server Components exploitation attempts.
Use MDVM to validate coverage and confirm risk reduction post-update.
CVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. Rapid patching combined with layered Defender monitoring and WAF protections provides the strongest short-term and long-term risk reduction strategy.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic
Observed activity
Microsoft Defender coverage
Initial Access /Execution
Suspicious process launched by Node
Microsoft Defender for Endpoint – Possible exploitation of React Server Components vulnerability (2 detectors)
Execution of suspicious commands initiated by the next-server parent process to probe for command execution capabilities.
Microsoft Defender for Cloud – Potential React2Shell command injection detected on a Kubernetes cluster – Potential React2Shell command injection detected on Azure App Service
Microsoft Defender for Endpoint – Suspicious process executed by a network service – Suspicious Node.js script execution – Suspicious Node.js process behavior
In many cases subsequent activity post exploitation was detected and following alerts were triggered on the victim devices. Note that the following alerts below can also be triggered by unrelated threat activity.
Tactic
Observed activity
Microsoft Defender coverage
Execution
Suspicious downloads, encoded execution, anomalous service/process creation, and behaviors indicative of a reverse shell and crypto-mining
Microsoft Defender for Endpoint – Suspicious PowerShell download or encoded command execution – Possible reverse shell – Suspicious service launched – Suspicious anonymous process created using memfd_create – Possible cryptocurrency miner
Defense Evasion
Unauthorized code execution through process manipulation, abnormal DLL loading, and misuse of legitimate system tools
Microsoft Defender for Endpoint – A process was injected with potentially malicious code – An executable file loaded an unexpected DLL file – Use of living-off-the-land binary to run malicious code
Credential Access
Unauthorized use of Kerberos tickets to impersonate accounts and gain unauthorized access
Microsoft Defender for Endpoint – Pass-the-ticket attack
Credential Access
Suspicious access to sensitive files such as cloud and GIT credentials
Microsoft Defender for Cloud – Possible secret reconnaissance detected
Lateral movement
Attacker activity observed in multiple environments
Microsoft Defender for Endpoint – Hands-on-keyboard attack involving multiple devices
Automatic attack disruption through Microsoft Defender for Endpoint alerts
To better support customers in the event of exploitation, we are expanding our detection framework to identify and alert on CVE-2025-55182 activity across all operating systems for Microsoft Defender for Endpoint customers. These detections are integrated with automatic attack disruption.
When these alerts, combined with other signals, provide high confidence of active attacker behavior, automatic attack disruption can initiate autonomous containment actions to help stop the attack and prevent further progression.
Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud
Microsoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs). Follow the documentation on how to enable agentless scanning:
Microsoft Defender Vulnerability Management (MDVM) can surface impacted Windows, Linux, and macOS devices. In addition, MDVM and Microsoft Defender for Cloud dashboards can surface:
Identification of exposed assets in the organization
Clear remediation guidance tied to your affected assets and workloads
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries and recommendations
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
CloudAuditEvents
| where (ProcessCommandLine == "/bin/sh -c (whoami)" and (ParentProcessName == "node" or ParentProcessName has "next-server"))
or (ProcessCommandLine has_any ("echo","powershell") and ProcessCommandLine matches regex @'(echo\s+\$\(\(\d+\*\d+\)\)|powershell\s+-c\s+"\d+\*\d+")')
| project Timestamp, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, FileName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName
Identify encoded PowerShell attempts
let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessParentFileName has "node"
| where InitiatingProcessCommandLine has_any ("next start", "next-server") or ProcessCommandLine has_any ("next start", "next-server")
| summarize make_set(InitiatingProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, Timestamp
//looking for powershell activity
| where set_ProcessCommandLine has_any ("cmd.exe","powershell")
| extend decoded_powershell_1 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"EncodedCommand ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_1b = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"Enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_2 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_3 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"ec ",1).[0]),'"',0).[0]))),"\0","")
| where set_ProcessCommandLine !has "'powershell -c "
| extend decoded_powershell = iff( isnotempty( decoded_powershell_1),decoded_powershell_1,
iff(isnotempty( decoded_powershell_2), decoded_powershell_2,
iff(isnotempty( decoded_powershell_3), decoded_powershell_3,decoded_powershell_1b)))
| project-away decoded_powershell_1, decoded_powershell_1b, decoded_powershell_2,decoded_powershell_3
| where isnotempty( decoded_powershell)
Identify execution of suspicious commands initiated by the next-server parent process post-exploitation
let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName =~ "node.exe" and InitiatingProcessCommandLine has ".js"
| where FileName =~ "cmd.exe"
| where (ProcessCommandLine has_any (@"\next\", @"\npm\npm\node_modules\", "\\server.js")
and (ProcessCommandLine has_any ("powershell -c \"", "curl", "wget", "echo $", "ipconfig", "start msiexec", "whoami", "systeminfo", "$env:USERPROFILE", "net user", "net group", "localgroup administrators", "-ssh", "set-MpPreference", "add-MpPreference", "rundll32", "certutil", "regsvr32", "bitsadmin", "mshta", "msbuild")
or (ProcessCommandLine has "powershell" and
(ProcessCommandLine has_any ("Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String", "Start-Process", "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "iwr ", ".UploadFile", "System.Net.WebClient")
or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))))
or ProcessCommandLine matches regex @'cmd\.exe\s+/d\s+/s\s+/c\s+"powershell\s+-c\s+"[0-9]+\*[0-9]+""'
Identify execution of suspicious commands initiated by the next-server parent process post-exploitation
let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName == "node"
| where InitiatingProcessCommandLine has_any (" server.js", " start", "/server.js")
| where ProcessCommandLine has_any ("| sh", "openssl,", "/dev/tcp/", "| bash", "|sh", "|bash", "bash,", "{sh,}", "SOCK_STREAM", "bash -i", "whoami", "| base64 -d", "chmod +x /tmp", "chmod 777")
| where ProcessCommandLine !contains "vscode" and ProcessCommandLine !contains "/.claude/" and ProcessCommandLine !contains "/claude"
Microsoft Defender XDR’s blast radius analysis capability, incorporated into the incident investigation view, allows security teams to visualize and understand the business impact of a security compromise by showing potential propagation paths towards the organization’s critical assets before it escalates into a full blown incident. This capability merges pre-breach estate understanding with post-breach views allowing security teams to map their interconnected assets and highlights potential paths teams can prioritize for remediation efforts based on the criticality of assets and their interconnectivity to the compromised entities.
Microsoft Defender for Cloud
Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. Template titled Internet exposed containers running container images vulnerable to React2Shell vulnerability CVE-2025-55182 and Internet exposed virtual machines vulnerable to React2Shell vulnerability CVE-2025-55182 are added to the gallery.
Figure 3. Microsoft Defender for Cloud security explorer templates related to CVE-2025-55182
Microsoft Security Exposure Management
Microsoft Security Exposure Management’s automated attack path analysis maps out potential threats by identifying exposed resources and tracing the routes an attacker might take to compromise critical assets. This analysis highlights vulnerable cloud compute resources, such as virtual machines and Kubernetes containers, that are susceptible to remote code execution vulnerabilities, including React2Shell CVEs. It also outlines possible lateral movement steps an adversary might take within the environment. The attack paths are presented for all supported cloud environments, including Azure, AWS, and GCP.
To view these paths, filter the view in Microsoft Security Exposure Management, filter by entry point type:
Kubernetes container
Virtual Machine
AWS EC2 instance
GCP compute instance.
Alternatively, in Microsoft Defender for Cloud, customers can filter by titles such as:
Internet exposed container with high severity vulnerabilities
Internet exposed Azure VM with RCE vulnerabilities
Internet exposed GCP compute instance with RCE vulnerabilities
Internet exposed AWS EC2 instance with RCE vulnerabilities
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Detect network IP and domain indicators of compromise using ASIM
//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
Detect Web Sessions IP and file hash indicators of compromise using ASIM
//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_sha_hashes =dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);b_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())b| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor
Detect domain and URL indicators of compromise using ASIM
Detect files hashes indicators of compromise using ASIM
// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);dimFileEventd| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]),
AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"
Find use of reverse shells
This query looks for potential reverse shell activity initiated by cmd.exe or PowerShell. It matches the use of reverse shells in this attack: reverse-shell-nishang.
Indicators of compromise
The list below is non-exhaustive and does not represent all indicators of compromise observed in the known campaigns:
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
The guidance provided in this blog post represents general best practices and is intended for informational purposes only. Customers remain responsible for evaluating and implementing security measures appropriate for their environments.
Today, we are proud to share that Microsoft has been recognized as an overall leader in the KuppingerCole Leadership Compass for Generative AI Defense (GAD),an independent report from a leading European analyst firm. This recognition reinforces the work we’ve been doing to deliver enterprise-ready Security and Governance capabilities for AI, and reflects our commitment to helping customers secure AI at scale.
Figure 1: KuppingerCole Generative AI Defense Leadership Compass chart highlighting Microsoft as the top Overall Leader, with other vendors including Palo Alto Networks, Cisco, F5, NeuralTrust, IBM, and others positioned as challengers or followers.
At Microsoft, our approach to Generative AI Defense is grounded in a simple principle: security is a core primitive which must be embedded everywhere – across AI apps, agents, platforms, and infrastructure. Microsoft delivers this through a comprehensive and integrated approach that provides visibility, protection, and governance across the full AI stack.
Our capabilities and controls help organizations address the most pressing challenges CISOs and security leaders face as AI adoption accelerates. We protect against agent sprawl and resource access with identity-first controls like Entra Agent ID and lifecycle governance, alongside network-layer controls that surface hidden shadow AI risks. We prevent sensitive data leaks with Microsoft Purview’s real-time data loss prevention, classification, and inference safeguards. We defend against new AI threats and vulnerabilities with Microsoft Defender’s runtime protection, posture management, and AI-driven red teaming. Finally, we help organizations stay in compliance with evolving AI regulations with built-in support for frameworks like the EU AI Act, NIST AI RMF, and ISO 42001, so teams can confidently innovate while meeting governance requirements. Foundational security is also built into Microsoft 365 Copilot and Microsoft Foundry, with identity controls, data safeguards, threat protection, and compliance integrated from the start.
Guidance for Security Leaders and CISOs
For CISOs enabling their organizations to accelerate their AI transformation journeys, the following priorities are essential to building a secure, governed, and scalable AI foundation. This guidance reflects a combination of key recommendations from KuppingerCole and Microsoft’s perspective on how we deliver on those recommendations:
CISO Guidance
What It Means
How Microsoft Delivers
Map AI usage across the enterprise
Establish full visibility into every AI tool, agent, and model in use to understand risk exposure and security requirements.
Agent365 provides a unified registry for AI agents with full lifecycle governance. Foundry Control Plane gives developers full observability and governance of their entire AI fleet across clouds. And with integrated security signals and controls from signals from Microsoft Entra, Purview, and Defender, Security Dashboard for AI brings posture, configuration, and risk insights together into a single, comprehensive view of your AI estate.
Adopt identity-first controls
Manage agents and other identities with the same rigor as privileged accounts, enforcing strong authentication, least privilege, and continuous monitoring.
Microsoft Entra Agent ID assigns secure, unique identities to agents, applies conditional access policies, and enforces lifecycle controls to prevent agent sprawl and eliminate over-permissioned access.
Enforce data governance and DLP for AI interactions
Protect sensitive information to both inputs and outputs, applying consistent policies that align with evolving regulatory and compliance requirements.
Microsoft Purview delivers real-time DLP for AI prompts and outputs, preserves sensitivity label, applies insider risk controls for agents, and provides compliance templates aligned with the EU AI Act, NIST AI RMF, ISO 42001, and more.
Build a layered GAD architecture
Combine prompt security, model integrity monitoring, output filtering, and runtime protection instead of relying on any single control.
Microsoft Defender provides runtime protection for agents, correlates threat signals, including those from Microsoft Foundry’s Prompt Shields, with threat intelligence, and strengthens security through posture management and attack path analysis for AI workloads.
Prioritize integrated, enterprise-ready solutions
Choose platforms that unify policy enforcement, monitoring, and compliance across environments to reduce operational complexity and improve security outcomes.
Microsoft Security integrates capabilities across Microsoft Entra, Purview, and Defender, deeply integrated with Microsoft 365, Copilot Studio, and Foundry, providing centralized governance, consistent policy enforcement, and operationalized oversight across your AI ecosystem.
What differentiates Microsoft is the comprehensive set of security capabilities woven into the Microsoft AI agents, apps, and platform. Shared capabilities across Microsoft Entra, Purview, and Defender deliver consistent protection for IT, developers, and security teams, while tools such as Microsoft Agent 365, Foundry Control Plane, and Security Dashboard for AI integrate security and observability directly where AI applications and agents are built, deployed, and governed. Together, these capabilities, including our latest capabilities from Ignite, help organizations deploy AI securely, reduce operational complexity, and strengthen trust across their environment.
Closing Thoughts
Agentic AI is transforming how organizations work, and with that shift comes a new security frontier. As AI becomes embedded across business processes, taking a proactive approach to defense-in-depth, governance, and integrated AI security is essential. Organizations that act early will be better positioned to innovate confidently and maintain trust.
At Microsoft, we recognize that securing AI requires purpose-built, enterprise-ready protection. With Microsoft Security for AI, organizations can safeguard sensitive data, protect against emerging AI threats, detect and remediate vulnerabilities, maintain compliance with evolving regulations, and strengthen trust as AI adoption accelerates. In this rapidly evolving landscape, AI defense is not optional, it is foundational to protecting innovation and ensuring enterprise readiness.
Login
