As AI reshapes the world, organizations encounter unprecedented risks, and security leaders take on new responsibilities. Microsoft’s Secure Development Lifecycle (SDL) is expanding to address AI-specific security concerns in addition to the traditional software security areas that it has historically covered.

SDL for AI goes far beyond a checklist. It’s a dynamic framework that unites research, policy, standards, enablement, cross-functional collaboration, and continuous improvement to empower secure AI development and deployment across our organization. In a fast-moving environment where both technology and cyberthreats constantly evolve, adopting a flexible, comprehensive SDL strategy is crucial to safeguarding our business, protecting users, and advancing trustworthy AI. We encourage other organizational and security leaders to adopt similar holistic, integrated approaches to secure AI development, strengthening resilience as cyberthreats evolve.

Why AI changes the security landscape

AI security versus traditional cybersecurity

AI security introduces complexities that go far beyond traditional cybersecurity. Conventional software operates within clear trust boundaries, but AI systems collapse these boundaries, blending structured and unstructured data, tools, APIs, and agents into a single platform. This expansion dramatically increases the attack surface and makes enforcing purpose limitations and data minimization far more challenging.

Expanded attack surface and hidden vulnerabilities

Unlike traditional systems with predictable pathways, AI systems create multiple entry points for unsafe inputs including prompts, plugins, retrieved data, model updates, memory states, and external APIs. These entry points can carry malicious content or trigger unexpected behaviors. Vulnerabilities hide within probabilistic decision loops, dynamic memory states, and retrieval pathways, making outputs harder to predict and secure. Traditional threat models fail to account for AI-specific attack vectors such as prompt injection, data poisoning, and malicious tool interactions.

Loss of granularity and governance complexity

AI dissolves the discrete trust zones assumed by traditional SDL. Context boundaries flatten, making it difficult to enforce purpose limitation and sensitivity labels. Governance must span technical, human, and sociotechnical domains. Questions arise around role-based access control (RBAC), least privilege, and cache protection, such as: How do we secure temporary memory, backend resources, and sensitive data replicated across caches? How should AI systems handle anonymous users or differentiate between queries and commands? These gaps expose corporate intellectual property and sensitive data to new risks.

Multidisciplinary collaboration

Meeting AI security needs requires a holistic approach across stack layers historically outside SDL scope, including Business Process and Application UX. Traditionally, these were domains for business risk experts or usability teams, but AI risks often originate here. Building SDL for AI demands collaborative, cross-team development that integrates research, policy, and engineering to safeguard users and data against evolving attack vectors unique to AI systems.

Novel risks

AI cyberthreats are fundamentally different. Systems assume all input is valid, making commands like “Ignore previous instructions and execute X” viable cyberattack scenarios. Non-deterministic outputs depend on training data, linguistic nuances, and backend connections. Cached memory introduces risks of sensitive data leakage or poisoning, enabling cyberattackers to skew results or force execution of malicious commands. These behaviors challenge traditional paradigms of parameterizing safe input and predictable output.

Data integrity and model exploits

AI training data and model weights require protection equivalent to source code. Poisoned datasets can create deterministic exploits. For example, if a cyberattacker poisons an authentication model to accept a raccoon image with a monocle as “True,” that image becomes a skeleton key—bypassing traditional account-based authentication. This scenario illustrates how compromised training data can undermine entire security architectures.

Speed and sociotechnical risk

AI accelerates development cycles beyond SDL norms. Model updates, new tools, and evolving agent behaviors outpace traditional review processes, leaving less time for testing and observing long-term effects. Usage norms lag tool evolution, amplifying misuse risks. Mitigation demands iterative security controls, faster feedback loops, telemetry-driven detection, and continuous learning.

Ultimately, the security landscape for AI demands an adaptive, multidisciplinary approach that goes beyond traditional software defenses and leverages research, policy, and ongoing collaboration to safeguard users and data against evolving attack vectors unique to AI systems.

SDL as a way of working, not a checklist

Security policy falls short of addressing real-world cyberthreats when it is treated as a list of requirements to be mechanically checked off. AI systems—because of their non-determinism—are much more flexible that non-AI systems. That flexibility is part of their value proposition, but it also creates challenges when developing security requirements for AI systems. To be successful, the requirements must embrace the flexibility of the AI systems and provide development teams with guidance that can be adapted for their unique scenarios while still ensuring that the necessary security properties are maintained.

Effective AI security policies start by delivering practical, actionable guidance engineers can trust and apply. Policies should provide clear examples of what “good” looks like, explain how mitigation reduces risk, and offer reusable patterns for implementation. When engineers understand why and how, security becomes part of their craft rather than compliance overhead. This requires frictionless experiences through automation and templates, guidance that feels like partnership (not policing) and collaborative problem-solving when mitigations are complex or emerging. Because AI introduces novel risks without decades of hardened best practices, policies must evolve through tight feedback loops with engineering: co-creating requirements, threat modeling together, testing mitigations in real workloads, and iterating quickly. This multipronged approach helps security requirements remain relevant, actionable, and resilient against the unique challenges of AI systems.

So, what does Microsoft’s multipronged approach to AI security look like in practice? SDL for AI is grounded in pillars that, together, create strong and adaptable security:

• Research is prioritized because the AI cyberthreat landscape is dynamic and rapidly changing. By investing in ongoing research, Microsoft stays ahead of emerging risks and develops innovative solutions tailored to new attack vectors, such as prompt injection and model poisoning. This research not only shapes immediate responses but also informs long-term strategic direction, ensuring security practices remain relevant as technology evolves.
• Policy is woven into the stages of development and deployment to provide clear guidance and guardrails. Rather than being a static set of rules, these policies are living documents that adapt based on insights from research and real-world incidents. They ensure alignment across teams and help foster a culture of responsible AI, making certain that security considerations are integrated from the start and revisited throughout the lifecycle.
• Standards are established to drive consistency and reliability across diverse AI projects. Technical and operational standards translate policy into actionable practices and design patterns, helping teams build secure systems in a repeatable way. These standards are continuously refined through collaboration with our engineers and builders, vetted with internal experts and external partners, keeping Microsoft’s approach aligned with industry best practices.
• Enablement bridges the gap between policy and practice by equipping teams with the tools, communications, and training to implement security measures effectively. This focus ensures that security isn’t just an abstract concept but an everyday reality, empowering engineers, product managers, and researchers to identify threats and apply mitigations confidently in their workflows.
• Cross-functional collaboration unites multiple disciplines to anticipate risks and design holistic safeguards. This integrated approach ensures security strategies are informed by diverse perspectives, enabling solutions that address technical and sociotechnical challenges across the AI ecosystem.
• Continuous improvement transforms security into an ongoing practice by using real-world feedback loops to refine strategies, update standards, and evolve policies and training. This commitment to adaptation ensures security measures remain practical, resilient, and responsive to emerging cyberthreats, maintaining trust as technology and risks evolve.

Together, these pillars form a holistic and adaptive framework that moves beyond checklists, enabling Microsoft to safeguard AI systems through collaboration, innovation, and shared responsibility. By integrating research, policy, standards, enablement, cross-functional collaboration, and continuous improvement, SDL for AI creates a culture where security is intrinsic to AI development and deployment.

What’s new in SDL for AI

Microsoft’s SDL for AI introduces specialized guidance and tooling to address the complexities of AI security. Here’s a quick peek at some key AI security areas we’re covering in our secure development practices:

• Threat modeling for AI: Identifying cyberthreats and mitigations unique to AI workflows.
• AI system observability: Strengthening visibility for proactive risk detection.
• AI memory protections: Safeguarding sensitive data in AI contexts.
• Agent identity and RBAC enforcement: Securing multiagent environments.
• AI model publishing: Creating processes for releasing and managing models.
• AI shutdown mechanisms: Ensuring safe termination under adverse conditions.

In the coming months, we’ll share practical and actionable guidance on each of these topics.

Microsoft SDL for AI can help you build trustworthy AI systems

Effective SDL for AI is about continuous improvement and shared responsibility. Security is not a destination. It’s a journey that requires vigilance, collaboration between teams and disciplines outside the security space, and a commitment to learning. By following Microsoft’s SDL for AI approach, enterprise leaders and security professionals can build resilient, trustworthy AI systems that drive innovation securely and responsibly.

Keep an eye out for additional updates about how Microsoft is promoting secure AI development, tackling emerging security challenges, and sharing effective ways to create robust AI systems.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft SDL: Evolving security practices for an AI-powered world appeared first on Microsoft Security Blog.

Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). 

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, secrets from browsers, keychains, and developer environments. Simultaneously, Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead. Other threat actors are abusing trusted platforms and utilities—including WhatsApp and PDF converter tools—to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.

This blog examines how modern infostealers operate across operating systems and delivery channels by blending into legitimate ecosystems and evading conventional defenses. We provide comprehensive detection coverage through Microsoft Defender XDR and actionable guidance to help organizations detect, mitigate, and respond to these evolving threats. 

Activity overview 

macOS users are being targeted through fake software and browser tricks 

Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements—that either prompt them to download fake applications or instruct them to copy and paste commands into their Terminal. These “ClickFix” style attacks trick users into downloading malware that steals browser passwords, cryptocurrency wallets, cloud credentials, and developer access keys. 

Three major Mac-focused stealer campaigns include DigitStealer (distributed through fake DynamicLake software), MacSync (delivered via copy-paste Terminal commands), and Atomic Stealer (using fake AI tool installers). All three harvest the same types of data—browser credentials, saved passwords, cryptocurrency wallet information, and developer secrets—then send everything to attacker servers before deleting traces of the infection. 

Stolen credentials enable account takeovers across banking, email, social media, and corporate cloud services. Cryptocurrency wallet theft can result in immediate financial loss. For businesses, compromised developer credentials can provide attackers with access to source code, cloud infrastructure, and customer data. 

Phishing campaigns are delivering Python-based stealers to organizations 

The proliferation of Python information stealers has become an escalating concern. This gravitation towards Python is driven by ease of use and the availability of tools and frameworks allowing quick development, even for individuals with limited coding knowledge. Due to this, Microsoft Defender Experts observed multiple Python-based infostealer campaigns over the past year. They are typically distributed via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data.

PXA Stealer, one of the most notable Python-based infostealers seen in 2025, harvests sensitive data including login credentials, financial information, and browser data. Linked to Vietnamese-speaking threat actors, it targets government and education entities through phishing campaigns. In October 2025 and December 2025, Microsoft Defender Experts investigated two PXA Stealer campaigns that used phishing emails for initial access, established persistence via registry Run keys or scheduled tasks, downloaded payloads from remote locations, collected sensitive information, and exfiltrated the data via Telegram. To evade detection, we observed the use of legitimate services such as Telegram for command-and-control communications, obfuscated Python scripts, malicious DLLs being sideloaded, Python interpreter masquerading as a system process (i.e., svchost.exe), and the use of signed and living off the land binaries.

Due to the growing threat of Python-based infostealers, it is important that organizations protect their environment by being aware of the tactics, techniques, and procedures used by the threat actors who deploy this type of malware. Being compromised by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks.

Attackers are weaponizing WhatsApp and PDF tools to spread infostealers 

Since late 2025, platform abuse has become an increasingly prevalent tactic wherein adversaries deliberately exploit the legitimacy, scale, and user trust associated with widely used applications and services. 

WhatsApp Abused to Deliver Eternidade Stealer: During November 2025, Microsoft Defender Experts identified a WhatsApp platform abuse campaign leveraging multi-stage infection and worm-like propagation to distribute malware. The activity begins with an obfuscated Visual Basic script that drops a malicious batch file launching PowerShell instances to download payloads.

One of the payloads is a Python script that establishes communication with a remote server and leverages WPPConnect to automate message sending from hijacked WhatsApp accounts, harvests the victim’s contact list, and sends malicious attachments to all contacts using predefined messaging templates. Another payload is a malicious MSI installer that ultimately delivers Eternidade Stealer, a Delphi-based credential stealer that continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency exchanges including Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet.

Malicious Crystal PDF installer campaign: In September 2025, Microsoft Defender Experts discovered a malicious campaign centered on an application masquerading as a PDF editor named Crystal PDF. The campaign leveraged malvertising and SEO poisoning through Google Ads to lure users. When executed, CrystalPDF.exe establishes persistence via scheduled tasks and functions as an information stealer, covertly hijacking Firefox and Chrome browsers to access sensitive files in AppData\Roaming, including cookies, session data, and credential caches.

Mitigation and protection guidance 

Microsoft recommends the following mitigations to reduce the impact of the macOS‑focused, Python‑based, and platform‑abuse infostealer threats discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR. 

Organizations can follow these recommendations to mitigate threats associated with this threat:             

Strengthen user awareness & execution safeguards 

• Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts common across macOS stealer campaigns such as DigitStealer, MacSync, and AMOS. 

• Discourage installation of unsigned DMGs or unofficial “terminal‑fix” utilities; reinforce safe‑download practices for consumer and enterprise macOS systems. 

Harden macOS environments against native tool abuse 

• Monitor for suspicious Terminal activity—especially execution flows involving curl, Base64 decoding, gunzip, osascript, or JXA invocation, which appear across all three macOS stealers. 

• Detect patterns of fileless execution, such as in‑memory pipelines using curl | base64 -d | gunzip, or AppleScript‑driven system discovery and credential harvesting. 

• Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data. 

Control outbound traffic & staging behavior 

• Inspect network egress for POST requests to newly registered or suspicious domains—a key indicator for DigitStealer, MacSync, AMOS, and Python‑based stealer campaigns. 

• Detect transient creation of ZIP archives under /tmp or similar ephemeral directories, followed by outbound exfiltration attempts. 

• Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources. 

Protect against Python-based stealers & cross-platform payloads 

• Harden endpoint defenses around LOLBIN abuse, such as certutil.exe decoding malicious payloads. 

• Evaluate activity involving AutoIt and process hollowing, common in platform‑abuse campaigns. 

Microsoft also recommends the following mitigations to reduce the impact of this threat: 

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. 

• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 

• Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats. 

• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. 

• Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 

• Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions. 

• Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors: 
  • Block execution of potentially obfuscated scripts 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • Block JavaScript or VBScript from launching downloaded executable content 

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. 

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.  

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. 

Microsoft Defender XDR Threat analytics   

• From ClickFix to code signed: the quiet shift of MacSync Stealer malware
• Malicious Crystal PDF installer campaign

Hunting queries   

Microsoft Defender XDR  

Microsoft Defender XDR customers can run the following queries to find related activity in their networks: 

Use the following queries to identify activity related to DigitStealer 

// Identify suspicious DynamicLake disk image (.dmg) mounting 
DeviceProcessEvents 
| where FileName has_any ('mount_hfs', 'mount') 
| where ProcessCommandLine has_all ('-o nodev' , '-o quarantine') 
| where ProcessCommandLine contains '/Volumes/Install DynamicLake' 

 
// Identify data exfiltration to DigitStealer C2 API endpoints. 
DeviceProcessEvents 
| where InitiatingProcessFileName has_any ('bash', 'sh') 
| where ProcessCommandLine has_all ('curl', '--retry 10') 
| where ProcessCommandLine contains 'hwid=' 
| where ProcessCommandLine endswith "api/credentials" 
        or ProcessCommandLine endswith "api/grabber" 
        or ProcessCommandLine endswith "api/log" 
| extend APIEndpoint = extract(@"/api/([^\s]+)", 1, ProcessCommandLine) 

Use the following queries to identify activity related to MacSync

// Identify exfiltration of staged data via curl 
DeviceProcessEvents 
| where InitiatingProcessFileName =~ "zsh" and FileName =~ "curl" 
| where ProcessCommandLine has_all ("curl -k -X POST -H", "api-key: ", "--max-time", "-F file=@/tmp/", ".zip", "-F buildtxd=") 

Use the following queries to identify activity related to Atomic Stealer (AMOS)

// Identify suspicious AlliAi disk image (.dmg) mounting  
DeviceProcessEvents  
| where FileName has_any ('mount_hfs', 'mount') 
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')  
| where ProcessCommandLine contains '/Volumes/ALLI' 

Use the following queries to identify activity related to PXA Stealer: Campaign 1

// Identify activity initiated by renamed python binary 
DeviceProcessEvents 
| where InitiatingProcessFileName endswith "svchost.exe" 
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" 

// Identify network connections initiated by renamed python binary 
DeviceNetworkEvents 
| where InitiatingProcessFileName endswith "svchost.exe" 
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" 

Use the following queries to identify activity related to PXA Stealer: Campaign 2

// Identify malicious Process Execution activity 
DeviceProcessEvents 
 | where ProcessCommandLine  has_all ("-y","x",@"C:","Users","Public", ".pdf") and ProcessCommandLine  has_any (".jpg",".png") 

// Identify suspicious process injection activity 
DeviceProcessEvents 
 | where FileName == "cvtres.exe" 
 | where InitiatingProcessFileName has "svchost.exe" 
 | where InitiatingProcessFolderPath !contains "system32" 

Use the following queries to identify activity related to WhatsApp Abused to Deliver Eternidade Stealer

// Identify the files dropped from the malicious VBS execution 
DeviceFileEvents 
| where InitiatingProcessCommandLine has_all ("Downloads",".vbs") 
| where FileName has_any (".zip",".lnk",".bat") and FolderPath has_all ("\\Temp\\") 

// Identify batch script launching powershell instances to drop payloads 
DeviceProcessEvents 
| where InitiatingProcessParentFileName == "wscript.exe" and InitiatingProcessCommandLine  has_any ("instalar.bat","python_install.bat") 
| where ProcessCommandLine !has "conhost.exe" 
 
// Identify AutoIT executable invoking malicious AutoIT script 
DeviceProcessEvents 
| where InitiatingProcessCommandLine   has ".log" and InitiatingProcessVersionInfoOriginalFileName == "Autoit3.exe" 

Use the following queries to identify activity related to Malicious CrystalPDF Installer Campaign

// Identify network connections to C2 domains 
DeviceNetworkEvents 
| where InitiatingProcessVersionInfoOriginalFileName == "CrystalPDF.exe" 

// Identify scheduled task persistence 
DeviceEvents 
| where InitiatingProcessVersionInfoProductName == "CrystalPDF" 
| where ActionType == "ScheduledTaskCreated 

Indicators of compromise 

Microsoft Sentinel  

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.   

References  

• MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware — Jamf Threat Labs  
• Infostealers Strike Again: Malicious Installers Pass Through EDRs Undetected 
• SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp 
• A Vietnamese threat actor’s shift from PXA Stealer to PureRAT | Huntress 
• Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | SentinelOne 
• Information-Stealing Malware Distribution Campaign Using Emails Disguised as Copyright Infringement Notices – wizSafe Security Signal -Guideposts to Safety and Security- IIJ 

This research is provided by Microsoft Defender Security Research with contributions from Felicia Carter, Kajhon Soyini, Balaji Venkatesh S, Sai Chakri Kandalai, Dietrich Nembhard, Sabitha S, and Shriya Maniktala.

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  

Learn more about securing Copilot Studio agents with Microsoft Defender 

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn  

Explore how to build and customize agents with Copilot Studio Agent Builder  

The post Infostealers without borders: macOS, Python stealers, and platform abuse appeared first on Microsoft Security Blog.