Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs




Today, Microsoft published its 2026 Environmental Sustainability Report. This report covers our fiscal year 2025, and measures progress against our 2020 baseline. You can read the foreword below and explore the report in its entirety here.
As we enter a new era for AI, Microsoft’s environmental sustainability work is entering a new phase—defined not only by ambition, but by how we deliver in a period of rapid technological change. In our pursuit of becoming a carbon negative, water positive, and zero waste company that protects ecosystems, the context has evolved, and so must our approach.
The global shift toward AI is reshaping economies, accelerating innovation, and becoming foundational to how technology is built and used. It is also increasing demand for the energy, water, land, and materials required to support that growth. As a company at the forefront of this transition, Microsoft has a responsibility to help ensure that technology strengthens, rather than strains, the systems and communities on which it depends. This imperative is reshaping the context for our work.
We are approaching this moment with clarity and conviction. We believe AI can deliver broad societal, economic, and environmental benefits, but innovation at this scale must be matched by responsibility at the same scale. For Microsoft, this means designing, building, and operating infrastructure that is more efficient, more resilient, and more grounded in the realities of the communities where we operate.
We do not see these dynamics as a reason to step back. We see them as a mandate to lead differently. That requires greater operational rigor, stronger integration across our sustainability priorities, and a sharper focus on durable outcomes for the local communities where we work and the global value chains that make our work possible. It also requires being transparent about where progress is advancing, where it is more difficult, and where new approaches are needed.
The path forward will not be defined by simple tradeoffs or single solutions. It will depend on how effectively we align innovation with stewardship. The systems we build to support the future must also support the long-term health of the planet and the communities we serve. Our experience makes clear that this is possible, but only with even greater discipline, partnership, and a willingness to learn and adapt as conditions evolve.
YouTube Video
Our aim is to build technology that gives more than it uses. Lasting progress depends on how we build it and whether that growth strengthens the places where it takes root.
This thinking is reflected in our Community First AI Infrastructure approach, which is helping shape a more integrated model for community partnership, responsible operations, and environmental performance as we grow. In this way, sustainability is not separate from growth; it is part of how responsible growth is defined.
While AI infrastructure is driving demand for energy, water, land, and materials, sustainability solutions are not scaling fast enough to meet demand. This tension is real, and it is also productive.
It is forcing sharper questions: Where do we need to move faster, invest differently, or rethink our approach? Which assumptions still hold, which ones need to evolve? Five years into this work, we have more operational data, more direct experience, and a clearer view of what measurable planetary progress actually requires. That perspective helps keep us focused on outcomes rather than attached to any single pathway.
We want to be clear about what this means—and what it does not. It means being more precise about what sustainability requires for Microsoft, and more willing to refine our strategies as conditions change, data improves, and tradeoffs become clearer. It does not mean we are lowering our ambition.
Our results reflect both progress and pressure. As we scale the physical infrastructure required to power the AI economy, our emissions are shaped by the impact of that growth and the actions we are taking to manage it.
The visual that follows illustrates this dynamic by comparing our reported emissions with a modeled view of where emissions may have been in the absence of four specific interventions: carbon free electricity, sustainable fuels, XBOX console efficiency, and Surface device decarbonization. While these examples represent only a portion of our emissions reduction efforts, they highlight an important lesson from our work to date: that well-designed, targeted interventions can deliver measurable progress even as demand for infrastructure continues to rise.

In FY25, we matched 100% of our annual global electricity consumption with renewable energy[2]. Microsoft will continue to push for an expansive focus on adding all forms of carbon-free electricity (CFE) [3] to the grids where we operate, complementing and building on our portfolio of renewable energy resources. We recognize that the world’s rising electricity needs require a balanced, all-of-the-above decarbonization strategy to meet global economic growth and environmental goals, and we will continue to support this approach moving forward.
Our total emissions (Scopes 1, 2, and 3) increased 25% year over year, driven primarily by the expansion of our datacenter infrastructure and pausing our use of non-additional, unbundled renewable energy certificates as we prioritize investments that bring net new power to grids. While this decision increases our reported emissions in the near term, it enables us to increase the development of new CFE rather than relying on certificates alone. We believe this change will create more long-term sustainability benefits. Growth-related emissions pressure was expected. The more important signal is where that pressure is concentrated.
Scope 3 remains the largest share of our footprint overall, but one of the clearest changes this year was the growing contribution of Scope 2, which represents 13% of our total emissions—up from nearly 2% last year. This development highlights how important the energy systems across our supply chain are in shaping environmental outcomes.
This year’s results also made clear that progress now depends on adapting how we work.
Water is one of the clearest examples. In FY25, we replenished for the first time more water globally than we withdrew—more than 14 million cubic meters—marking a major milestone on our journey to become water positive. Reaching this point reflects years of work to improve water efficiency, expand replenishment efforts, and scale partnerships around the world.
We are proud of this achievement but also know that replenishing global volumes is not enough. The next phase of our work is increasingly local. As we move forward, we are placing greater focus on helping restore more water to the watersheds where we operate than we withdraw while strengthening long-term water resilience. We prioritize projects in water-stressed regions that are locally relevant and designed in partnership with communities, delivering benefits not only for water availability, but also for ecosystems, economies, and people. Through this approach, we aim to ensure our growth supports and helps sustain the communities and environments where we operate.
Transparency remains central to how we work and how we report. Microsoft has eliminated nearly all single-use plastics in our primary product packaging, reducing the share that remained to just 0.07% at the end of calendar year 2025.[4] But we are not rounding down. We are staying accountable to the work required to eliminate them entirely.
Across our cloud operations, we achieved 92% reuse and recycling of decommissioned servers and components for the second consecutive year, diverted 90.5% of construction and demolition waste from landfills and incinerators, and expanded our Circular Centers to seven facilities globally. These results also reflect a broader shift toward solutions that have co-benefits—reducing both emissions and resource demand over time.
Throughout this journey, we have learned that progress in one area often depends on progress in another. Clean energy investments are essential to decarbonization. Water use is linked not only to our operations, but also to the energy systems that power them. And extending hardware life through circular approaches can reduce both emissions and material demand across the value chain.
That is why our priorities extend beyond tracking progress against individual commitments on water, carbon, waste, and ecosystems as though they move independently. Our experience has made clear that progress does not happen pillar by pillar. Some of the most consequential work ahead will be measured in whether we address system challenges and help build the conditions for long-term progress: more resilient grids, stronger markets for lower-carbon materials, more effective water stewardship, and infrastructure designed and operated with local realities and community priorities in mind.
For that reason, this year’s report takes a more integrated approach—placing progress against our commitments in the broader context of how those commitments are operationalized across our infrastructure and products.
We are proud of what we have accomplished, and we remain humbled by the scale of the challenge ahead. Responsibly building the AI future requires clear accountability for what AI demands, candor about real constraints and tradeoffs, and sustained focus on outcomes that are durable and broadly shared. The chapters that follow show how we translate that intent into execution across our physical infrastructure, products, and value chain—where our sustainability commitments become operational reality.
Read the full report: https://aka.ms/SustainabilityReport2026
[1] The solid line represents Microsoft’s reported greenhouse gas emissions (Scopes 1, 2, and 3) for FY20–FY25, prepared in accordance with GHG Protocol and management’s criteria, and uses a market-based emissions approach. The dotted line represents an illustrative counterfactual scenario of estimated emissions had select, discrete carbon reduction initiatives not been undertaken. These initiatives include energy efficiency improvements for XBOX consoles, renewable energy purchases, sustainable aviation fuel (SAF) and sustainable marine fuel (SMF) certificates, and supply chain decarbonization of Surface devices. The difference
between the two lines is an estimate of emissions avoided through these specific initiatives relative to a scenario without those initiatives occurring. This estimate is directional in nature, does not represent the full scope of Microsoft’s decarbonization efforts, and is not part of our reported greenhouse gas inventory. It should not be interpreted as a comprehensive measure of total emissions reductions or as additive to other carbon reduction or removal claims.
[2] Microsoft defines renewable energy as electricity that comes from sources that are replenished at a rate greater than or equal to their rate of depletion, such as geothermal, wind, solar, hydro, and biomass. To date, Microsoft’s renewable energy target includes two primary categories: renewable energy from contracted projects and grid mix. The first is renewable energy delivered under PPAs or similar long-term contracting mechanisms, generally for new projects where our financial involvement in the project’s development is critical for its success. This category represents more than 90% of the renewable energy applied to achieve our 2025 target. The second category is “grid mix” – renewable energy supported via our standard utility relationships and rates, inclusive of policy programs such as renewable portfolio standards and state and utility decarbonization goals. Our 2025 100% renewable target does not include purchases from short-term, so-called “spot market” renewable energy credits (RECs) sourced from operational clean energy projects.
[3] Microsoft defines carbon-free electricity (CFE) technologies as technologies with zero direct emissions and biogenic technologies with lifecycle emissions equivalent to renewables. CFE technologies include wind; solar; geothermal; sustainable biomass; hydropower; nuclear; fossil fuels with complete carbon capture, utilization, and sequestration; and storage charged with CFE generation.
[4] By weight, as designed, portfolio average. More details can be found in our Environmental Data Fact Sheet.
The post Responsibly building the AI future appeared first on Microsoft On the Issues.







In armed conflict, a simple symbol can save lives. The Red Cross, Red Crescent, and Red Crystal emblems signal that those providing medical care and humanitarian assistance must be protected.
In cyberspace, there is not yet a widely adopted equivalent, even as hospitals, humanitarian organizations, and relief operations increasingly rely on digital systems to deliver care, coordinate assistance, protect sensitive data, and reach people in crisis.
Today, the digital systems that support hospitals and humanitarian operations—including communications tools, logistics platforms, patient care systems, cloud services, and the data center infrastructure which underpins them—can be difficult to distinguish from surrounding digital infrastructure. In conflict, that raises the risk of misidentification, spillover, and cascading disruption from cyber operations. As cybersecurity operations become more automated and machine-driven, clear, trustworthy, machine-readable signals become even more important.
That is why Microsoft supports the International Committee of the Red Cross as it launches the next phase of the Digital Emblem initiative today in Geneva. The Digital Emblem is intended to provide a machine-readable way to help identify digital assets that support protected medical and humanitarian functions, so they can be recognized, verified, and avoided in conflict settings.
The Digital Emblem does not create new legal protections, and it does not replace cybersecurity. Instead, it helps to make existing protections under international humanitarian law more actionable in cyberspace.
For many years, governments, humanitarian actors, civil society, technical experts, and industry have worked to clarify how international law applies in cyberspace. These efforts have reinforced a core principle that civilians, medical services, and humanitarian operations must be respected and protected in armed conflict. But translating that principle into operational reality remains difficult when protected digital assets are not easily identifiable.
The Digital Emblem can help bridge that gap. If implemented responsibly, a clearer, more consistent, and technically usable signal can support recognition, verification, and respect for protected medical and humanitarian functions in cyberspace.
This next phase marks an important transition for the Digital Emblem: from concept development toward operationalization, testing, standards, and implementation.
Over the past several years, the ICRC has worked with states, the Red Cross and Red Crescent Movement, technical experts, standards bodies, academia, and industry to explore whether the protective function of the physical emblems can be translated meaningfully into cyberspace. That work has helped move the Digital Emblem from an important idea to a project with growing legal, technical, and operational foundations.
The work now is to test how the Digital Emblem can be deployed, discovered, authenticated, and verified in real-world conditions. It also means advancing standards work through bodies such as the Internet Engineering Task Force and the International Telecommunication Union, developing guidance for those who operate protected digital infrastructure, and engaging the actors who will need to recognize and respect the Digital Emblem in practice.
Across our cybersecurity work, we have consistently argued that protecting civilians and critical services in cyberspace requires more than statements of principle. It requires practical standards, technical implementation, trusted partnerships, and cooperation among governments, humanitarian actors, civil society, standards bodies, and industry.
From our early calls for stronger norms of responsible state behavior in cyberspace, to the launch of the Cybersecurity Tech Accord, Microsoft has advocated for the application of international law and the protection of civilians online.
Every day, Microsoft works alongside governments and partners to detect, disrupt, and defend against cyberattacks that target critical infrastructure, healthcare, and humanitarian operations. Together, we have seen the importance of real-time visibility, trusted signals, and coordinated defense across public and private actors. This work has underscored a central reality: as civilian and humanitarian services become more digitally dependent, cybersecurity is increasingly connected to humanitarian resilience.
Microsoft will continue supporting the ICRC with a focus on how our technologies enable this model at scale. That includes exploring how technology can support both sides: enabling humanitarian and medical organizations to signal protected systems and helping defenders recognize and verify those signals in real-world operations.
The ICRC’s leadership is essential to the credibility and neutrality of this effort. But for the Digital Emblem to succeed, it must also work across the broader technology ecosystem, which includes the cloud services and data centers, telecommunications networks, cybersecurity tools, identity systems, and other digital infrastructure on which humanitarian and medical organizations increasingly rely.
Industry, therefore, has an important role to play in helping ensure the Digital Emblem is technically sound, interoperable, and aligned with how defenders operate in practice. That includes supporting standards development, helping test implementation models, and ensuring that any approach reflects both sides of the model: enabling eligible humanitarian and medical organizations to express the signal for relevant assets and helping defenders recognize and verify that signal in operational workflows.
In today’s fragmented and low-trust geopolitical environment, shared technical standards can reduce ambiguity even where political agreement is difficult. That is why standards-based implementation can help make the Digital Emblem consistent, verifiable, and usable across networks, platforms, and borders.
The launch in Geneva marks an important milestone, but the Digital Emblem’s promise will depend on what happens next.
The work ahead should focus on clear and concrete outcomes: continued technical testing, progress in standards development bodies, practical implementation guidance, and broader engagement from states, humanitarian actors, technology companies, telecommunications providers, cybersecurity professionals, and operational defenders.
The call to action is straightforward. Governments should support the Digital Emblem as a mechanism for making protected humanitarian and medical functions more identifiable in cyberspace and promote respect for it in policy and practice. Humanitarian and medical organizations should help test and shape implementation so it reflects operational reality. Standards bodies should continue building the technical foundations for trusted adoption. And technology companies should help translate the Digital Emblem into the tools, systems, and workflows defenders already use.
Physical emblems made humanitarian protection visible on the battlefield. The Digital Emblem can help make protected humanitarian and medical functions visible, verifiable, and actionable in cyberspace. Turning that promise into practice will require sustained cooperation so that those who care for the wounded, the sick, and civilians can be more easily recognized, respected, and protected in the digital age.
The post Making humanitarian protection visible in cyberspace: The promise of the Digital Emblem appeared first on Microsoft On the Issues.







