Incident response

Incident response is the process of detecting, investigating, and responding to cyberattacks, security breaches, or IT incidents. Explore the latest trends and intelligence-driven strategies that help you prevent future attacks.

Refine Results

Filtered by

Clear All

Newest to Oldest

Refine results

Sort By

Content Type

Topic

Products and services

Publish date

Start Date

End Date

Go beyond data protection with Microsoft Purview
Govern, protect, and manage all of your data with Microsoft Purview, comprehensive solutions to help give you better visibility and control.
Learn more
November 16, 2022

9 min read

Token tactics: How to prevent, detect, and respond to cloud token theft

As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA.
November 2, 2022

9 min read

Microsoft Security tips for mitigating risk in mergers and acquisitions

Mergers and acquisitions can be challenging.
October 18, 2022

13 min read

Defenders beware: A case for post-ransomware investigations

The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.
September 21, 2022

6 min read

The art and science behind Microsoft threat hunting: Part 2

In this follow-up post in our series about threat hunting, we talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.
Streamline privacy management with Microsoft Priva
Protect and govern personal information, reduce privacy risks, and manage subject rights requests at scale with Microsoft Priva privacy risk management solutions.
Learn more
September 8, 2022

7 min read

The art and science behind Microsoft threat hunting: Part 1

At Microsoft, we define threat hunting as the practice of actively looking for cyberthreats that have covertly (or not so covertly) penetrated an environment.
August 24, 2022

21 min read

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.
April 12, 2022

7 min read

Tarrask malware uses scheduled tasks for defense evasion

Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique.
March 22, 2022

18 min read

DEV-0537 criminal actor targeting organizations for data exfiltration and destruction

The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$.
Simplify endpoint management with Microsoft Intune
Microsoft Intune is a cloud-based unified endpoint management platform that empowers IT to manage, assess, and protect apps and devices.
Learn more
January 15, 2022

7 min read

Destructive malware targeting Ukrainian organizations

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine.
December 15, 2021

5 min read

A report on NOBELIUM’s unprecedented nation-state attack

In the final post of a four-part series on the NOBELIUM nation-state attack, we explore key findings from the after-action report on the attack.
December 2, 2021

5 min read

Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack

In the third of a four-part series on the NOBELIUM nation-state attack, we share how Microsoft product teams built new detections into products to better protect customers.
November 22, 2021

11 min read

How to investigate service provider trust chains in the cloud

This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor.