Last updated: July 5, 2026 at 9:01 AM UTC
Tag: microsoft (30 articles)

Microsoft: cryptojacking campaign uses AI chatbot recommendations and SEO poisoning to push fake GPU utilities, deploys ScreenConnect persistence

Microsoft has warned of an active cryptojacking campaign that surfaces malicious download sites through AI chatbot recommendations, extending SEO poisoning beyond conventional search. Attackers impersonate legitimate system utilities - CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear - to target users with high-performance GPUs, prioritizing mining yield per host over mass infection. Beyond mining, the operators deploy ScreenConnect for persistent remote access enabling data theft, lateral movement, or ransomware. Victims who ask LLM-based tools for software-download recommendations are served links to attacker domains on subdomains of gleeze[.]com, hosted via Dynu dynamic DNS. Microsoft says it has detected and blocked the activity.

Check
Hunt for ScreenConnect installs you did not authorize and traffic to gleeze[.]com subdomains or Dynu dynamic-DNS hosts. Flag downloads of GPU/hardware utilities from non-official domains.
Affected
Users with high-performance GPUs who download system utilities (CrystalDiskInfo, HWMonitor, FurMark, etc.) via search results or AI chatbot recommendations. Gaming, engineering, and ML workstations at highest risk.
Fix
Block gleeze[.]com and known Dynu C2 at egress. Source utilities only from official vendor sites. Educate users that AI-chatbot download links can be SEO-poisoned. Monitor GPU-utilization anomalies.
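The hunt described above, as an added PowerShell example that is not part of the original report: it flags DNS or proxy log lines resolving gleeze[.]com subdomains and lists ScreenConnect services on the local host that are not on an approved list. The log line format ("timestamp client queried-name"), the sample lines, and the empty approved-services list are constructed assumptions; extend $WatchSuffixes with the Dynu dynamic-DNS hosts from your own intelligence feed.

```powershell
# Added example (not from the original report). Assumptions: log lines are
# "<timestamp> <client-ip> <queried-name>" text; the approved-services list is
# a placeholder you fill from your own inventory.

$WatchSuffixes = @('gleeze.com')          # suffix named in the Microsoft report
$ApprovedScreenConnectServices = @()      # placeholder: your sanctioned instances

function Test-WatchedDomain {
    # True when $Name is the suffix itself or any subdomain of it
    # (label-boundary match, so "notgleeze.com" does not count).
    param([string]$Name, [string[]]$Suffixes = $WatchSuffixes)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($s in $Suffixes) {
        if ($n -eq $s -or $n.EndsWith(".$s")) { return $true }
    }
    return $false
}

function Find-WatchedDnsHits {
    # Emit one object per log line whose queried name is on the watch list.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 3) { continue }   # skip malformed lines
        $query = $parts[2]
        if (Test-WatchedDomain -Name $query) {
            [pscustomobject]@{ Time = $parts[0]; Client = $parts[1]; Query = $query }
        }
    }
}

function Find-UnapprovedScreenConnect {
    # ScreenConnect installs register a Windows service; report any whose
    # display name is not on the approved list (heuristic name match).
    param([string[]]$Approved = $ApprovedScreenConnectServices)
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ScreenConnect*' -and $Approved -notcontains $_.DisplayName } |
        Select-Object Name, DisplayName, Status
}

# Constructed sample lines (not real telemetry)
$sample = @(
    '2026-05-20T10:01:02Z 10.0.0.15 update.gleeze.com',
    '2026-05-20T10:01:03Z 10.0.0.15 vendor.example',
    '2026-05-20T10:01:04Z 10.0.0.22 notgleeze.com',
    '2026-05-20T10:01:05Z 10.0.0.22 gpu-tools.gleeze.com.'
)
Find-WatchedDnsHits -Lines $sample | Format-Table      # two hits: lines 1 and 4
Find-UnapprovedScreenConnect | Format-Table
```

Run the DNS function against an export from your resolver or proxy rather than the constructed sample; the service check is per-host, so wrap it in Invoke-Command to sweep a fleet.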

Microsoft Defender for Endpoint adds automatic device isolation as part of automatic attack disruption (preview)

Microsoft has rolled out a preview of automatic device isolation in Microsoft Defender for Endpoint as part of its automatic attack disruption feature. When Defender detects a compromised endpoint, it now disconnects the device from the network without operator action, while preserving the Defender management channel so the host can still be monitored, investigated, and released. Security teams can release a device from containment after triage via 'Release from isolation' on the Device inventory or device page. The feature works only on onboarded end-user workstations. It joins earlier preview controls for blocking traffic to unmanaged endpoints and isolating compromised user accounts.

Check
Review Defender for Endpoint Action Center preview features in the Microsoft 365 Defender portal. Confirm automatic device isolation is enabled for high-risk endpoint groups.
Affected
Organizations relying on Defender for Endpoint where manual response to compromise alerts has historically been slow enough to allow lateral movement or data exfiltration.
Fix
Enable automatic device isolation in preview. Define release-from-isolation runbooks. Pair with automatic user-account isolation already available. Document operator override procedures for false positives.

Microsoft issues out-of-band SharePoint RCE patch CVE-2026-45659 for Subscription Edition, 2019, and 2016 servers

Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW; Microsoft says it is not currently aware of active exploitation but rates it 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as priority despite the lower-likelihood rating.

Check
Inventory SharePoint deployments by edition (Subscription, 2019, 2016) and confirm patch level. Now that the patch has shipped, review IIS logs for unusual deserialization activity that could indicate earlier exploitation.
Affected
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 prior to the May 26 out-of-band updates.
Fix
Apply Microsoft's out-of-band CVE-2026-45659 patches across all SharePoint versions. Rotate machine keys after patching - prior SharePoint key-theft incidents enabled persistent post-patch access.

Microsoft Defender zero-days CVE-2026-41091 (SYSTEM LPE) and CVE-2026-45498 (DoS) exploited in attacks, added to CISA KEV

Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.

Check
Open Windows Security > Virus & threat protection > Protection Updates and click Check for updates. Verify Antimalware Platform >= 4.18.26040.7 and Malware Protection Engine >= 1.1.26040.8.
Affected
Windows endpoints running Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, or Defender Antimalware Platform 4.18.26030.3011 and earlier. Default config auto-updates, but air-gapped or restricted networks may lag.
Fix
Confirm Defender definitions and platform updates auto-install. FCEB agencies must patch by June 3 per CISA BOD 22-01. Investigate any KEV-listed legacy CVE-2008-4250/2009-1537/2009-3459/2010-0249/2010-0806 hits.
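The version check above, as an added PowerShell example (not from the advisory): it reads the engine and platform versions that Get-MpComputerStatus reports (AMEngineVersion and AMProductVersion) and compares them against the fixed versions named in the text, locally or across a list of hosts. The host list is a placeholder.

```powershell
# Added example (not from the original advisory). Fixed versions are the ones
# the advisory names; the computer list is a placeholder.

$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Get-DefenderPatchState {
    # Pure comparison so it can be applied to versions collected any way.
    param(
        [Parameter(Mandatory)][version]$Engine,
        [Parameter(Mandatory)][version]$Platform,
        [string]$ComputerName = $env:COMPUTERNAME,
        [version]$MinEngine = $FixedEngine,
        [version]$MinPlatform = $FixedPlatform
    )
    [pscustomobject]@{
        ComputerName    = $ComputerName
        EngineVersion   = $Engine
        EngineFixed     = ($Engine -ge $MinEngine)
        PlatformVersion = $Platform
        PlatformFixed   = ($Platform -ge $MinPlatform)
        NeedsAction     = -not (($Engine -ge $MinEngine) -and ($Platform -ge $MinPlatform))
    }
}

function Get-FleetDefenderPatchState {
    # Query each host with Invoke-Command; unreachable hosts are reported, not dropped.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $s = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion
            }
            Get-DefenderPatchState -ComputerName $c `
                -Engine ([version]$s.AMEngineVersion) -Platform ([version]$s.AMProductVersion)
        } catch {
            [pscustomobject]@{ ComputerName = $c; EngineVersion = $null; EngineFixed = $false
                               PlatformVersion = $null; PlatformFixed = $false; NeedsAction = $true }
        }
    }
}

# Local check
$local = Get-MpComputerStatus
Get-DefenderPatchState -Engine ([version]$local.AMEngineVersion) -Platform ([version]$local.AMProductVersion)

# Worked comparison with the affected versions from the advisory (constructed input):
# engine 1.1.26030.3008 and platform 4.18.26030.3011 both evaluate as not fixed.
Get-DefenderPatchState -Engine '1.1.26030.3008' -Platform '4.18.26030.3011' -ComputerName 'example-host'

# Fleet sweep; replace with your own host list
Get-FleetDefenderPatchState -ComputerName @('host1.example', 'host2.example') |
    Where-Object NeedsAction | Format-Table
```

[version] comparison is numeric per component, so 1.1.26030.3008 sorts below 1.1.26040.8 even though the last component is larger; a string comparison would get this wrong.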

Microsoft ships mitigation for YellowKey BitLocker bypass (CVE-2026-45585), no patch yet - PoC published, TPM+PIN required

Microsoft has assigned CVE-2026-45585 and shipped mitigation guidance for YellowKey, a Windows BitLocker bypass that anonymous researcher 'Nightmare Eclipse' disclosed last week with a working PoC. The attack places crafted FsTx files on a USB drive or EFI partition, reboots into WinRE, and holds CTRL during boot to drop into a shell with full access to BitLocker-protected drives. Microsoft says no patch is available yet. Mitigations include removing the autofstx.exe entry from Session Manager's BootExecute and reconfiguring BitLocker to require TPM+PIN at startup. Nightmare Eclipse is the same researcher who recently dropped BlueHammer, RedSun, GreenPlasma, UnDefend, and MiniPlasma.

Check
Inventory Windows endpoints with BitLocker enabled. Check whether autofstx.exe is listed in HKLM\System\CurrentControlSet\Control\Session Manager BootExecute. Look for unattended USB media access on shared or kiosk machines.
Affected
Windows endpoints with BitLocker in TPM-only mode (no PIN). YellowKey requires physical access to drop FsTx files on a USB drive or the EFI partition before triggering WinRE boot.
Fix
Remove autofstx.exe from BootExecute and re-establish BitLocker trust for WinRE per CVE-2026-33825 advisory. Reconfigure BitLocker to TPM+PIN. Restrict USB boot and BIOS access on shared endpoints.
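The two checks above (BootExecute contents and BitLocker protector mode), as an added PowerShell example that is not from the original advisory. It only reports; the remediation the text describes (removing the autofstx.exe entry and adding a TPM+PIN protector) is left to your change process. The registry path and the KeyProtectorType names are standard Windows values; the sample BootExecute array is constructed.

```powershell
# Added example (not from the original advisory). Read-only: reports findings,
# does not modify BootExecute or BitLocker configuration.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-BootExecuteFindings {
    # BootExecute is REG_MULTI_SZ; flag any entry that launches autofstx.exe.
    param([string[]]$BootExecute)
    foreach ($entry in $BootExecute) {
        if ($entry -match '(?i)\bautofstx(\.exe)?\b') {
            [pscustomobject]@{ Entry = $entry; Finding = 'autofstx.exe present in BootExecute' }
        }
    }
}

function Test-BitLockerTpmOnly {
    # True when the volume is protected by TPM alone (no PIN variant present),
    # which is the configuration the advisory says YellowKey targets.
    param([string[]]$KeyProtectorTypes)
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    ($KeyProtectorTypes -contains 'Tpm') -and
        -not ($pinTypes | Where-Object { $KeyProtectorTypes -contains $_ })
}

function Get-YellowKeyExposure {
    # Combine both checks for the local host.
    $boot = (Get-ItemProperty -Path $SessionManager -Name BootExecute).BootExecute
    $bootFindings = @(Get-BootExecuteFindings -BootExecute $boot)

    $volumes = Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Status     = $_.ProtectionStatus
            Protectors = ($types -join ',')
            TpmOnly    = (Test-BitLockerTpmOnly -KeyProtectorTypes $types)
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        BootExecute      = ($boot -join ' | ')
        AutofstxPresent  = ($bootFindings.Count -gt 0)
        TpmOnlyVolumes   = @($volumes | Where-Object TpmOnly | Select-Object -ExpandProperty MountPoint)
        Volumes          = $volumes
    }
}

# Worked check on constructed input: the second entry is flagged, the first is the default.
Get-BootExecuteFindings -BootExecute @('autocheck autochk *', 'autofstx.exe /q') | Format-Table
Test-BitLockerTpmOnly -KeyProtectorTypes @('Tpm', 'RecoveryPassword')     # True
Test-BitLockerTpmOnly -KeyProtectorTypes @('TpmPin', 'RecoveryPassword')  # False

# Live report for this host (requires elevation for BitLocker queries)
Get-YellowKeyExposure | Format-List
```

A host reporting AutofstxPresent = True together with any TpmOnlyVolumes matches the exposure the advisory describes; recovery-password protectors do not count as a PIN, so they do not change the TpmOnly result.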

Microsoft dismantles Fox Tempest 'malware-signing-as-a-service' that abused Azure Artifact Signing for 1,000+ certificates

Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Operators created more than 1,000 certificates and hundreds of Azure tenants using stolen US and Canadian identities, all valid for 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.

Check
Search EDR and Defender SmartScreen logs for binaries signed by Microsoft Azure Artifact Signing certificates between 2025 and 2026-05-19. Cross-reference Microsoft's revoked certificate list.
Affected
Endpoints that trust Microsoft Azure Artifact Signing certificates without additional publisher verification. Especially relevant if previously targeted by Vanilla Tempest, Storm-0501, Storm-2561, or Storm-0249.
Fix
Tighten Defender SmartScreen and AppLocker rules so a publisher signature alone is not sufficient trust. Verify the named publisher of any Microsoft Artifact Signing-signed binary matches the expected software vendor.

MiniPlasma Windows zero-day: working PoC gives SYSTEM on fully patched Windows 11 via cldflt.sys driver

A researcher who goes by Chaotic Eclipse has dropped working proof-of-concept code on GitHub for a Windows local privilege escalation that gives SYSTEM access on fully patched Windows 11 Pro and Windows Server 2025. The bug lives in the Cloud Filter driver cldflt.sys and is, the researcher says, the same flaw Google Project Zero reported to Microsoft as CVE-2020-17103 in 2020, which Microsoft said it fixed in December 2020. The original Google PoC works unmodified. May 2026 Patch Tuesday updates do not stop it. The same researcher has dropped several other Windows zero-days in recent weeks, all of which were quickly seen in real attacks.

Check
Inventory Windows 11 and Server 2022/2025 endpoints. Hunt SIEM for unexpected SYSTEM-context cmd.exe spawns or new processes launched from standard user sessions touching cldflt.sys.
Affected
Microsoft Windows 11 Pro and Windows Server 2025 with May 2026 Patch Tuesday updates applied. The researcher claims all Windows versions are likely affected.
Fix
No patch available. Block execution of the public MiniPlasma binary by hash in EDR. Tighten local user privileges and restrict admin sessions on multi-user endpoints until Microsoft ships a fix.

Microsoft reverses course on Edge: saved passwords will no longer load into memory at startup

Microsoft has flipped its position on Edge keeping saved passwords decrypted in memory the moment the browser launches. After originally telling the researcher who reported it that the behavior was 'by design' and not a security issue, Microsoft now says future Edge builds will stop loading the password store into memory at startup. The fix is already live in the Canary channel and will reach Stable, Beta, Dev, and Extended Stable in build 148. The original disclosure came with a working tool that lets an administrator on a shared Windows machine dump other users' Edge passwords by reading process memory.

Check
Inventory Edge installs across your fleet. Check the current Edge version via edge://settings/help and flag anything below build 148.
Affected
Microsoft Edge versions before build 148 (Stable, Beta, Dev, Canary, Extended Stable) that store credentials via Edge's built-in password manager.
Fix
Update Edge to build 148 or newer when it ships. Until then, disable Edge's built-in password manager on sensitive endpoints and limit local admin rights on shared machines.

Azure Backup for AKS lets low-privileged Backup Contributors gain cluster-admin, Microsoft blocked CVE (VU#284781)

Microsoft has refused to issue a CVE for what an outside researcher and the CERT Coordination Center both describe as a privilege escalation in Azure Backup for Azure Kubernetes Service. The flaw lets a user holding only the low-privileged 'Backup Contributor' Azure role gain cluster-admin on AKS clusters, which Microsoft dismissed by saying the attacker 'already held administrator access.' CERT/CC validated the bug and tracked it as VU#284781. The researcher says Microsoft also tried to get MITRE to reject the submission as 'AI-generated content,' then quietly added new permission checks, suggesting a silent patch even as Microsoft says 'no product changes were made.'

Check
Audit Azure RBAC assignments on subscriptions hosting AKS clusters. Identify any users holding the 'Backup Contributor' role and verify they were intended to hold cluster-admin rights.
Affected
Azure Kubernetes Service clusters with Azure Backup for AKS enabled, where the 'Backup Contributor' role has been assigned. No CVE issued; CERT tracking ID VU#284781.
Fix
Restrict the 'Backup Contributor' role to trusted operators only. No vendor patch acknowledged; rely on least-privilege RBAC until Microsoft confirms a fix. Monitor MSRC for updates.
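The RBAC audit above, as an added PowerShell example using the Az module (not from the original report): it lists every 'Backup Contributor' assignment in the given subscriptions and marks those whose scope covers a subscription that hosts AKS clusters. The subscription IDs are placeholders; Get-AzRoleAssignment and Get-AzAksCluster are the standard Az cmdlets.

```powershell
# Added example (not from the original report). Requires Connect-AzAccount first;
# subscription IDs are placeholders.

function Get-BackupContributorAudit {
    param([Parameter(Mandatory)][string[]]$SubscriptionId)
    foreach ($sub in $SubscriptionId) {
        Set-AzContext -SubscriptionId $sub | Out-Null

        # Resource groups that contain AKS clusters in this subscription
        $aksGroups = @(Get-AzAksCluster | Select-Object -ExpandProperty ResourceGroupName -Unique)

        Get-AzRoleAssignment -RoleDefinitionName 'Backup Contributor' | ForEach-Object {
            $scope = $_.Scope
            # A subscription-wide scope or a scope inside an AKS resource group
            # puts the holder within reach of the backup-to-cluster-admin path described above.
            $touchesAks = ($scope -eq "/subscriptions/$sub") -or
                          ($aksGroups | Where-Object { $scope -like "/subscriptions/$sub/resourceGroups/$_*" })
            [pscustomobject]@{
                Subscription = $sub
                Principal    = $_.DisplayName
                SignInName   = $_.SignInName
                ObjectType   = $_.ObjectType
                Scope        = $scope
                ReachesAks   = [bool]$touchesAks
            }
        }
    }
}

# Replace with the subscriptions that host your AKS clusters
Get-BackupContributorAudit -SubscriptionId @('00000000-0000-0000-0000-000000000000') |
    Sort-Object ReachesAks -Descending | Format-Table
```

Treat every row with ReachesAks = True as an identity that should be reviewed against the intent in the text: holders of 'Backup Contributor' there should be people you would also trust with cluster-admin.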

Pwn2Own Berlin Day 3: DEVCORE wins Master of Pwn ($505K), SharePoint falls in 2-bug chain, $1.298M total

The Pwn2Own Berlin 2026 contest wrapped up Saturday at OffensiveCon, paying out $1,298,250 for 47 unique zero-days across three days. Taiwan's DEVCORE took the Master of Pwn title with 50.5 points and $505,000 in winnings. The headline Day 3 result came from DEVCORE researcher splitline, who chained two bugs into a successful exploit of Microsoft SharePoint, earning $100,000 and 10 points. SharePoint had survived a failed Rapid7 attempt on Day 2, making this a notable late-contest catch. Day 3 also saw attempts against VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex. All disclosed bugs now enter ZDI's 90-day disclosure window.

Check
Subscribe to the ZDI advisory feed at zerodayinitiative.com/advisories. Identify SharePoint, VMware ESXi, Windows 11, RHEL, and Codex deployments that may need urgent patches over the next 90 days.
Affected
Microsoft SharePoint, VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex - all targeted at Pwn2Own Berlin 2026 (47 unique zero-days disclosed May 14-16).
Fix
Apply vendor patches the moment ZDI advisories ship and fixes land. Prioritize internet-facing SharePoint and ESXi instances. Until then, restrict access to management interfaces.