Microsoft’s CVP of Fraud on Combating Ecosystem Abuse

In this episode of the Microsoft Threat Intelligence Podcast, host <a href="https://www.linkedin.com/in/sherroddegrippo/">Sherrod DeGrippo</a> is joined by two expert guests to explore critical challenges in today’s evolving threat landscape. </p><br /></p>First, Sherrod sits down with <a href="https://www.linkedin.com/in/cbissell/">Kelly Bissell</a>, CVP of Fraud at Microsoft, to discuss the complexities of combating fraud and product abuse. Kelly digs into the unique challenges Microsoft faces, highlighting prevalent schemes such as crypto mining, tech support scams, and the exploitation of deepfakes. Kelly also shares insights into Microsoft’s proactive approach, including recent Azure policy changes and efforts to detect and prevent fraud across its services, especially those attempting to use the compute power for crypto mining. </p><br /></p>Later, Sherrod is joined by <a href="https://www.linkedin.com/in/priyanka-ramesha-94b8a3b6/?originalSubdomain=in">Priyanka Ramesha</a>, Senior Threat Researcher on the Defender Experts team, to examine the rising risks of cloud-native attacks. They unpack why threat actors are increasingly targeting the cloud, exploiting its complexity, scalability, and common misconfigurations. Priyanka explains how attackers gain initial access through tactics like phishing, API exploitation, and OAuth abuse, and outlines their methods for credential theft, lateral movement, and data exfiltration. </p><br /></p><br /></p><strong>In this episode you’ll learn</strong>:      </p><ul> <li>What crypto mining looks like in Azure and how Microsoft detects and prevents it </li> <li>The five main areas of fraud and product abuse that Microsoft focuses on </li> <li>How attackers exploit the complexity and misconfigurations in cloud infrastructures </li> </ul> </p><strong>Some questions we ask:</strong>     </p>  </p><ul> <li>How long do crypto mining operations run unnoticed in a customer's environment? </li> <li>What changes did Microsoft make to its policy regarding crypto mining? </li> <li>Why are legitimate apps sometimes compromised and used in attacks? </li> </ul> </p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/cbissell/">View Kelly Bissell on LinkedIn</a>   </p><a href="https://www.linkedin.com/in/priyanka-ramesha-94b8a3b6/?originalSubdomain=in">View Priyanka Ramesha on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p><br /></p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:50:35

Seashell Blizzard Ramping Up Operations and OSINT Trends of DPRK Threat Actors

In this episode of the Microsoft Threat Intelligence Podcast, host <a href="https://www.linkedin.com/in/sherroddegrippo/">Sherrod DeGrippo</a> is joined by security researchers <a href="https://www.linkedin.com/in/eeldridge5/">Elise Eldridge</a> and <a href="https://www.linkedin.com/in/anna-seitz-65a41b88/">Anna Seitz</a> to discuss the most recent notable developments across the threat landscape.  </p><br /></p>The threat actor, also known as Sandworm or APT44, has also been observed resuming the use of the wrappers WalnutWipe and SharpWipe, and expanded the use of the Prickly Pear malware downloader.</p><br /></p>The team highlights the geopolitical implications of these attacks, particularly in the context of Russia's influence on energy and global events. Sherrod also touches on the history of wipers in cyber operations and transitions to a discussion with Elise about trends in North Korean cyber activity, emphasizing Microsoft's ongoing efforts to analyze and mitigate these threats. </p><br /></p><strong>In this episode you’ll learn</strong>:      </p><ul> <li>Why recent attacks have targeted the European energy sector </li> <li>How Seashell Blizzard’s attacks in 2024 involved spear-phishing campaigns </li> <li>Why North Korean hackers infiltrate companies through remote IT job programs </li> </ul> </p><strong>Some questions we ask:</strong>       </p><ul> <li>How has Seashell Blizzard returned to using wipers, and what might explain this shift? </li> <li>After sending out crafted spear-phishing emails, what happens next in the attack chain? </li> <li>How might global geopolitics impact Seashell Blizzard's campaigns? </li> </ul>  </p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/eeldridge5/">View Elise Eldridge LinkedIn</a>  </p><a href="https://www.linkedin.com/in/anna-seitz-65a41b88/">View Anna Seitz on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:26:02

Threat Landscape Update: North Korean IT Workers, OSINT, and Remote Monitoring and Management Abuse

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers <a href="https://www.linkedin.com/in/caitlin-hopkins1/">Caitlin Hopkins</a>, <a href="https://www.linkedin.com/in/diana-duvieilh/">Diana Duvieilh</a>, and <a href="https://www.linkedin.com/in/anna-seitz-65a41b88/">Anna Seitz</a> to discuss the latest trends in cybersecurity threats.  </p><br /></p>The team explores OSINT observations around Remote Monitoring and Management (RMM) tools like Screen Connect by nation-state actors and reveals how they are used to deploy malware like AsyncRAT, ransomware, and execute phishing scams. They also uncover alarming tactics, such as North Korean IT workers posing as legitimate coders to infiltrate organizations, who steal cryptocurrency and use it to fund their regime. Since 2017 they have contributed to the theft of more than $3 billion. </p><br /></p><strong>In this episode you’ll learn</strong>:      </p><ul> <li>The role of tech support scam websites in tricking victims into allowing remote access </li> <li>How cybercriminal and nation-state actors are increasingly exploiting remote monitoring </li> <li>Why the financial services sector is a major target for cyberattacks </li> </ul> </p><strong>Some questions we ask:</strong>     </p>  </p><ul> <li>What is Screen Connect, and why is it attractive to threat actors? </li> <li>How long have RMM tools been used in C2 frameworks? </li> <li>Why are remote management tools being used in command-and-control systems? </li> </ul> </p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/caitlin-hopkins1/">View Caitlin Hopkins on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/diana-duvieilh/">View Diana Duvieilh on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/anna-seitz-65a41b88/">View Anna Seitz on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.</em></p>

00:28:10

Doctors’ Perspective: The Rise of Healthcare Ransomware

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by <a href="https://www.linkedin.com/in/cdameff/">Christian Dameff</a> and <a href="https://www.linkedin.com/in/jeff-tully-672679102/">Jeff Tully,</a> co-directors from the <a href="https://vchs.ucsd.edu/about/institutes-centers/center-for-healthcare-cybersecurity/index.html">UCSD Center for Healthcare Cybersecurity</a>, and contributors to our recent <a href="https://www.microsoft.com/en-us/security/security-insider/emerging-threats/US-healthcare-at-risk-strengthening-resiliency-against-ransomware-attacks?msockid=08a52c1cfc5466451d7238b9fd5067de">Healthcare Ransomware report</a>.  </p><br /></p>They discuss their unique backgrounds as doctors and hackers, focusing on healthcare cybersecurity, and the growing risks of hospital ransomware attacks. Christian shares his journey from hacking as a teenager to combining his passion for medicine and cybersecurity, particularly the risks posed to patient safety by vulnerable medical devices. Jeff adds his perspective, highlighting the parallels between medicine and hacking, and their efforts at UCSD to bring evidence-based research to healthcare cybersecurity. The conversation explores the challenges and importance of protecting critical healthcare systems from cyber threats, aiming to improve patient safety and outcomes. </p><br /></p><strong>In this episode you’ll learn</strong>:      </p><ul> <li>How medical device vulnerabilities reveal the impact of cybersecurity on patient care </li> <li>The lack of comprehensive data on healthcare ransomware attacks </li> <li>When ransomware-induced disruptions can delay life-saving procedures </li> </ul> </p><strong>Some questions we ask:</strong>     </p>  </p><ul> <li>As healthcare providers, what stands out to you about ransomware in healthcare? </li> <li>What does the UCSD Center for Healthcare Cybersecurity do? </li> <li>What ransomware attacks are common in healthcare, and how do they differ from other industries? </li> </ul> </p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/jeff-tully-672679102/">View Jeff Tully on LinkedIn </a> </p><a href="https://www.linkedin.com/in/cdameff/">View Christian Dameff on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p><br /></p><a href="https://www.microsoft.com/en-us/security/security-insider/emerging-threats/US-healthcare-at-risk-strengthening-resiliency-against-ransomware-attacks?msockid=08a52c1cfc5466451d7238b9fd5067de">Healthcare Ransomware Report</a> </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:42:47

A Couple of Rats Pick Up New Tricks, Un Proposes Cybercrime Treaty

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by Microsoft’s <a href="https://www.linkedin.com/in/dinesh-natarajan-638a3b40/?originalSubdomain=in">Dinesh Natarajan</a>, Senior Threat Hunter, and <a href="https://www.linkedin.com/in/thomasfball/">Thomas Ball</a>, Senior Security Researcher. They unpack recent findings around <em>AsyncRAT</em>, a remote access Trojan (RAT) used for keylogging, data exfiltration, and deploying further malware.  </p> </p>Dinesh explains how attackers are now using screen-sharing tools, like Screen Connect, as part of a new infection chain that makes the malware delivery process more deceptive. Thomas then shares insights on <em>SectopRAT</em>, another threat targeting browser data and crypto wallets. Uniquely, this RAT creates a second desktop, allowing attackers to operate undetected.  </p> </p>Next, Sherrod talks with Microsoft’s Senior Director of Diplomacy, <a href="https://www.linkedin.com/in/kaja-ciglic-29333b7/?originalSubdomain=si">Kaja Ciglic</a>, about the UN’s proposed cybercrime treaty. Originally spearheaded by Russia, the treaty aims to create a global framework for prosecuting cybercrime, but critics worry about its potential impact on freedom of expression and human rights. </p> </p><strong>In this episode you’ll learn</strong>:      </p><ul> <li>How tech support scam emails lead to AsyncRAT installations on different devices </li> <li>The importance of leveraging tools like Microsoft Defender's SmartScreen for protection </li> <li>The treaty encourages cooperation but may let governments exploit unclear cybercrime definitions </li> </ul> </p><strong>Some questions we ask:</strong>    </p><ul> <li>How does social engineering through email play a role in these attacks? </li> <li>What capabilities does AsyncRat have, and why is it so concerning? </li> <li>How do we ensure the treaty doesn't impact freedom of expression or human rights? </li> </ul> </p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/dinesh-natarajan-638a3b40/?originalSubdomain=in">View Dinesh Natarajan on LinkedIn</a> </p><a href="https://www.linkedin.com/in/tball/">View Thomas Ball on LinkedIn</a> </p><a href="https://www.linkedin.com/in/kaja-ciglic-29333b7/?originalSubdomain=si">View Kaja Ciglic on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:43:56

Between Two Gregs: An Update on the North Korean Threat Landscape

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by Proofpoint’s <a href="https://www.linkedin.com/in/greg-lesnewich-3b368148/">Greg Lesnewich</a> and Microsoft’s <a href="https://www.linkedin.com/in/greg-schloemer/">Greg Schloemer</a> to share the unique threat posed by North Korea’s (DPRK) state-sponsored cyber activities. The Gregs discuss their years of experience tracking North Korean cyber actors and the distinct tactics that set DPRK apart from other nation-sponsored threats. The conversation also explores North Korea’s high stakes, as DPRK threat actors operate under intense pressure from government handlers, adding a layer of urgency and fear to their operations. They share insights into North Korea’s aggressive use of stolen cryptocurrency to fund the regime’s initiatives, like ballistic missile tests, and discuss the broader geopolitical impact.  </p><br /></p><strong>In this episode you’ll learn</strong>:      </p><ul> <li>The technical sophistication and the relentlessness of DPRK cyber tactics </li> <li>Complex motives behind funding and sustaining the North Korean government </li> <li>The training and skills development of North Korean cyber operators </li> </ul> </p><strong>Some questions we ask:</strong>     </p><ul> <li>How do North Korean threat actors set up their relay networks differently? </li> <li>What sets North Korea apart from other nation-sponsored threat actors? </li> <li>How do North Korean cyber actors differ from traditional e-crime actors? </li> </ul> </p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/greg-schloemer/">View Greg Schloemer on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/greg-lesnewich-3b368148/">View Greg Lesnewich on LinkedIn</a> </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><strong>Blog links:</strong> </p><a href="https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/">Citrine Sleet Observed Exploiting Zero Day</a> </p><a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/">New North Korean Threat Actor Identified as Moonstone Sleet</a> </p><a href="https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/east-asia-threat-actors-employ-unique-methods">East Asia Threat Actor Technique Report</a> </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul><br /></p> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:44:46

Microsoft’s Yonatan Zunger on Red Teaming Generative AI

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by <a href="https://www.linkedin.com/in/yonatanzunger/">Yonatan Zunger</a>, CVP of AI Safety and Security at Microsoft. The conversation delves into the critical role of the AI Red Team, which focuses on identifying vulnerabilities in AI systems. Yonatan emphasizes the importance of ensuring the safety of Microsoft’s AI products and the innovative methods the team employs to simulate potential threats, including how they assess risk and develop effective responses. This engaging dialogue offers insights into the intersection of technology, security, and human behavior in the evolving landscape of AI.  </p><br /></p> </p><strong>In this episode you’ll learn</strong>:      </p>  </p><ul> <li>Why securing AI systems requires understanding their unique psychology </li> <li>The importance of training and technical mitigations to enhance AI safety </li> <li>How financial incentives drive performance improvements in AI systems </li> </ul><br /></p><strong>Some questions we ask:</strong>     </p>  </p><ul> <li>How does Retrieval Augmented Generation (RAG) work? </li> <li>What are the potential risks with data access and permissions in AI systems? </li> <li>Should users tell language models that accuracy affects their rewards to improve responses? </li> </ul><br /></p><strong>Resources:</strong>  </p><a href="https://www.linkedin.com/in/yonatanzunger/">View Yonatan Zunger on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><strong>Related Microsoft Podcasts:                  </strong> </p><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul><br /></p><br /></p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.</em></p>

00:39:05

Vanilla Tempest: The Threat Actor Behind Recent Hospital Ransomware Attacks

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by security researchers Anna and Keivan to discuss two prominent threat actors: Vanilla Tempest and Peach Sandstorm. </p><br /></p>Vanilla Tempest, a financially motivated cybercrime group, has been involved in recent ransomware attacks on U.S. hospitals, utilizing various ransomware payloads such as Ink. They are known for using tools like PowerShell scripts and Goot Loader to exfiltrate data and extort victims. Peach Sandstorm, an Iranian nation-state threat actor, focuses on cyber espionage and intelligence collection. They have targeted various sectors, including energy, defense, and critical infrastructure, and have shown increasing sophistication in their attacks. Later, Sherrod speaks with <a href="https://www.linkedin.com/in/colton-bremer-5132289a/">Colton Bremer</a>, a senior security researcher at Microsoft, about his work on the Defender Experts (DEX) team. Colton explains the different tiers of DEX services, which focus on detecting and mitigating advanced threats that may bypass traditional security measures. </p><br /></p><h3> <strong>In this episode you’ll learn</strong>:      </h3><ul> <li>A backdoor called Tickler that uses Azure infrastructure for command and control </li> <li>The significance of these groups' tactics and maintaining ransomware resiliency </li> <li>The different tiers of DEX services detecting and mitigating advanced threats </li> </ul> </p><h3> <strong>Some questions we ask:</strong>    </h3><ul> <li>How does Vanilla Tempest typically execute their attacks? </li> <li>Has Peach Sandstorm evolved over time in their cyber espionage efforts? </li> <li>What can individuals or organizations do to mitigate cloud identity abuse? </li> </ul> </p><h3> <strong>Resources:</strong>  </h3><a href="https://www.linkedin.com/in/colton-bremer-5132289a/">View Colton Bremer on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><h3> <strong>Related Microsoft Podcasts:                  </strong> </h3><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:32:52

Gingham Typhoon’s Cyber Expansion Into the South Pacific

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by <a href="https://www.linkedin.com/in/nick-m-78130760/">Nick Monaco</a>, Principal Threat Intelligence Analyst at Microsoft, delving into findings from Microsoft's April 2024 East Asia threat report. They discuss Gingham Typhoon's expanding cyber operations in the South Pacific, notably targeting strategic partners like Papua New Guinea despite their involvement in China's Belt and Road Initiative. The conversation shifts to Nylon Typhoon's global espionage efforts, including recent activities in South America and Europe. They also cover Volt Typhoon's sophisticated attacks on U.S. critical infrastructure and highlight Storm 1376's (now Tides of Flood) use of AI-generated news anchors for spreading misinformation. This episode emphasizes the evolving nature of cyber threats and influence operations, including the creative use of technology by adversaries to advance their agendas. </p><br /></p><strong>* This episode is from April 2024 and is not new information.</strong> </p> </p><h3> <strong>In this episode you’ll learn</strong>:      </h3>  </p><ul> <li>How Nylon Typhoon targets geopolitical intelligence in South America and Europe </li> <li>The evolving landscape of influence operations and China's growing capabilities </li> <li>How disinformation campaigns have exploited real-world events </li> </ul> </p><h3> <strong>Some questions we ask:</strong>     </h3>  </p><ul> <li>How has generative AI changed influence operations and disinformation? </li> <li>What are the key trends in North Korean cyber operations with cryptocurrency and AI? </li> <li>Why are Chinese influence operations engaging with questions on social media? </li> </ul> </p><h3> <strong>Resources:</strong>  </h3><a href="https://www.linkedin.com/in/nick-m-78130760/">View Nick Monaco on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><h3> <strong>Related Microsoft Podcasts:                  </strong> </h3><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul><br /></p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p><br /></p><br /></p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:38:56

The Inside Scoop on Using KQL for Cloud Data Security

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by the authors of the new book <em>The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting</em>. Guests <a href="https://www.linkedin.com/in/rodtrent/">Rod Trent</a>, <a href="https://www.linkedin.com/in/matthewzorich/?originalSubdomain=au">Matt Zorich</a>, and <a href="https://www.linkedin.com/in/markmorow/overlay/about-this-profile/">Mark Morowczynski</a> discuss the significance of KQL (Kusto Query Language) in cloud data security and how it enables efficient data querying for threat detection in Microsoft products like Sentinel and Defender. They share insights from their own experiences, highlight key features of the book, and explain how both beginners and experts can benefit from KQL. Later in the episode Sherrod speaks with Senior Threat Hunter <a href="https://www.linkedin.com/in/lekshmi-vijayan-1891786a/?originalSubdomain=in">Lekshmi Vijayan</a> about the growing trend of cyberattacks using malicious PowerShell commands. Lekshmi explains how attackers trick users into copying and pasting harmful code, often through compromised websites or phishing emails. They discuss how these attacks aim to install remote access tools like NetSupport RAT or information stealers, targeting sensitive data like browser credentials and crypto keys. </p> </p><h3> <strong>In this episode you’ll learn</strong>:      </h3><ul> <li>How KQL is applied in real-world security scenarios including incident response </li> <li>Key features and benefits of KQL when it comes to security and cloud data </li> <li>Distinguishing between legitimate and malicious uses of remote management tools  </li> </ul>  </p><h3> <strong>Some questions we ask:</strong>       </h3><ul> <li>How does KQL tie into the Microsoft ecosystem, like Defender and Copilot? </li> <li>What advice would you give to someone new to KQL who wants to start learning? </li> <li>What is the technique we're seeing with copy-pasting malicious PowerShell?  </li> </ul> </p><h3> <strong>Resources:</strong>  </h3><a href="https://www.linkedin.com/in/markmorow/overlay/about-this-profile/">View Mark Morowczynski on LinkedIn</a> </p><a href="https://www.linkedin.com/in/matthewzorich/?originalSubdomain=au">View Matt Zorich on LinkedIn</a> </p><a href="https://www.linkedin.com/in/rodtrent/">View Rod Trent on LinkedIn</a> </p><a href="https://www.linkedin.com/in/lekshmi-vijayan-1891786a/?originalSubdomain=in">View Lekshmi Vijayan on LinkedIn</a>  </p><a href="https://www.linkedin.com/in/sherroddegrippo/">View Sherrod DeGrippo on LinkedIn</a>  </p> </p><h3> <strong>Related Microsoft Podcasts:                  </strong> </h3><ul> <li> <a href="https://afternooncybertea.com/">Afternoon Cyber Tea with Ann Johnson</a> </li> <li> <a href="https://bluehatpodcast.com/">The BlueHat Podcast</a> </li> <li> <a href="https://uncoveringhiddenrisks.com/">Uncovering Hidden Risks</a>     </li> </ul> </p>Discover and follow other Microsoft podcasts at<a href="https://news.microsoft.com/podcasts/"> microsoft.com/podcasts</a>  </p> </p>Get the latest threat intelligence insights and guidance at Microsoft <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsecurity-insider%2F&data=05%7C02%7Cv-ropetrillo%40microsoft.com%7C81e205a6b727403624b808dc64a26e6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638495896032091649%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=LTpBsEuiaY5YiYn2FYDydHrHkYWl%2FBTl2uAQlkBz1N0%3D&reserved=0">Security Insider</a> </p> </p> </p><em>The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network. </em> </p>

00:26:45