{"id":25912,"date":"2025-07-25T07:30:32","date_gmt":"2025-07-25T15:30:32","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2025\/07\/25\/news-19632\/"},"modified":"2025-07-25T07:30:32","modified_gmt":"2025-07-25T15:30:32","slug":"news-19632","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2025\/07\/25\/news-19632\/","title":{"rendered":"Protecting customers from Octo Tempest attacks across multiple industries"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Defender Security Research Team| Date: Wed, 16 Jul 2025 16:00:00 +0000<\/strong><\/p>\n<p class=\"wp-block-paragraph\">In recent weeks, Microsoft has observed <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/10\/25\/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction\/?msockid=0139329c3fb06e3a084e266d3e666fc6\" target=\"_blank\" rel=\"noreferrer noopener\">Octo Tempest<\/a>, also known as Scattered Spider, impacting the airlines sector, following previous activity impacting retail, food services, hospitality organizations, and insurance between April and July 2025. This aligns with Octo Tempest\u2019s typical patterns of concentrating on one industry for several weeks or months before moving on to new targets. 
Microsoft Security products continue to update protection coverage as these shifts occur.<\/p>\n<p class=\"wp-block-paragraph\">To help protect and inform customers, this blog highlights the protection coverage across the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/microsoft-defender?msockid=27b7b3bc5be566bc06c9a5a05a7a679d\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender<\/a> and Microsoft Sentinel security ecosystem and provides security posture hardening recommendations for defending against threat actors like Octo Tempest.<\/p>\n<h2 class=\"wp-block-heading\" id=\"overview-of-octo-tempest\">Overview of Octo Tempest<\/h2>\n<p class=\"wp-block-paragraph\">Octo Tempest, also tracked in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a <a href=\"https:\/\/x.com\/FBI\/status\/1938746767031574565\" target=\"_blank\" rel=\"noreferrer noopener\">financially motivated cybercriminal group<\/a> that has been observed using a varying mix of methods in their end-to-end attacks. 
Their approach includes:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Gaining initial access through social engineering: impersonating a legitimate user and contacting service desk support by phone, email, or messaging to obtain a password reset.<\/li>\n<li class=\"wp-block-list-item\">Short Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.<\/li>\n<li class=\"wp-block-list-item\">Using tunneling and identity tooling such as ngrok, Chisel, and AADInternals.<\/li>\n<li class=\"wp-block-list-item\">Compromising hybrid identity infrastructure and exfiltrating data to support extortion or ransomware operations.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Recent activity shows Octo Tempest deploying DragonForce ransomware with a particular focus on VMware ESX hypervisor environments. In contrast to earlier intrusions, where Octo Tempest used cloud identity privileges to reach on-premises systems, recent activity has started by compromising on-premises accounts and infrastructure and only then moved to cloud access.<\/p>\n<h2 class=\"wp-block-heading\" id=\"octo-tempest-detection-coverage\">Octo Tempest detection coverage<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender has a wide range of detections covering Octo Tempest related activity. They span endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, and cloud workloads, which together provide broad protection coverage. 
Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains mapped to detection coverage.<\/p>\n<figure class=\"wp-block-table is-style-regular\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong><strong><\/strong>&nbsp;<\/td>\n<td><strong>Technique<\/strong><strong><\/strong>&nbsp;<\/td>\n<td><strong>Microsoft Protection Coverage (non-exhaustive)<\/strong><strong><\/strong>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>Initial Access&nbsp;<\/td>\n<td>Initiating password reset on target\u2019s credentials&nbsp;<\/td>\n<td>Unusual user password reset in your virtual machine; (MDC)&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>Discovery&nbsp;<\/td>\n<td>Continuing environmental reconnaissance&nbsp;<\/td>\n<td>Suspicious credential dump from NTDS.dit; (MDE)<br \/>Account enumeration reconnaissance; (MDI)<br \/>Network-mapping reconnaissance (DNS); (MDI)<br \/>User and IP address reconnaissance (SMB); (MDI)<br \/>User and Group membership reconnaissance (SAMR); (MDI)<br \/>Active Directory attributes reconnaissance (LDAP); (MDI)&nbsp;<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\">Credential Access,&nbsp;&nbsp;Lateral Movement&nbsp;<\/td>\n<td>Identifying Tier-0 assets&nbsp;<\/td>\n<td>Mimikatz credential theft tool; (MDE)<br \/>ADExplorer collecting Active Directory information; (MDE)<br \/>Security principal reconnaissance (LDAP); (MDI)<br \/>Suspicious Azure role assignment detected; (MDC)<br \/>Suspicious elevate access operation; (MDC)<br \/>Suspicious domain added to Microsoft Entra ID; (MDA)<br \/>Suspicious domain trust modification following risky sign-in; (MDA)&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>Collecting additional credentials&nbsp;<\/td>\n<td>Suspected DCSync attack (replication of directory services); (MDI)<br \/>Suspected AD FS DKM key read; (MDI)&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>Accessing enterprise environments with VPN and deploying VMs with tools to maintain access in compromised 
environments<\/td>\n<td>&#8216;Ngrok&#8217; hacktool was prevented; (MDE)<br \/>&#8216;Chisel&#8217; hacktool was prevented; (MDE)<br \/>Possibly malicious use of proxy or tunneling tool; (MDE)<br \/>Possible Octo Tempest-related device registered; (MDA)<\/td>\n<\/tr>\n<tr>\n<td>Defense Evasion, Persistence<\/td>\n<td>Tampering with EDR and management tooling<\/td>\n<td>Tampering activity typical to ransomware attacks; (MDE)<\/td>\n<\/tr>\n<tr>\n<td>Persistence, Execution<\/td>\n<td>Installing a trusted backdoor<\/td>\n<td>ADFS persistent backdoor; (MDE)<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\">Actions on Objectives<\/td>\n<td>Staging and exfiltrating stolen data<\/td>\n<td>Possible exfiltration of archived data; (MDE)<br \/>Data exfiltration over SMB; (MDI)<\/td>\n<\/tr>\n<tr>\n<td>Deploying ransomware<\/td>\n<td>\u2018DragonForce\u2019 ransomware was prevented; (MDE)<br \/>Possible hands-on-keyboard pre-ransom activity; (MDE)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><figcaption class=\"wp-element-caption\">Note: The list is not exhaustive. A full list of available detections can be found in the Microsoft Defender portal. Product abbreviations: MDE = Microsoft Defender for Endpoint, MDI = Microsoft Defender for Identity, MDC = Microsoft Defender for Cloud, MDA = Microsoft Defender for Cloud Apps.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"disrupting-octo-tempest-attacks\">Disrupting Octo Tempest attacks<\/h2>\n<p class=\"wp-block-paragraph\"><strong>Disrupt in-progress attacks with automatic attack disruption<\/strong>:<br \/>Attack disruption is Microsoft Defender\u2019s <strong>built-in self-defense capability<\/strong> that combines multi-domain signals, the latest threat intelligence, and machine learning models to <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/automatic-attack-disruption\" target=\"_blank\" rel=\"noreferrer noopener\">automatically predict and disrupt<\/a> an attacker\u2019s next move by containing the compromised asset (user or device). 
This technology draws on multiple indicators and behaviors, including all the detections listed above, anomalous Microsoft Entra ID sign-in attempts, and <strong>possible Octo Tempest-related sign-in activities<\/strong>, and correlates them across the Microsoft Defender workloads into a high-fidelity incident.<\/p>\n<p class=\"wp-block-paragraph\">Based on learnings from common Octo Tempest techniques, attack disruption will automatically <strong>disable the user account<\/strong> used by Octo Tempest and revoke all existing active sessions of the compromised user.<\/p>\n<p class=\"wp-block-paragraph\">While attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response and post-incident analysis to ensure the threat is fully contained and remediated: the containment action stops the abused account, not the social-engineering access path or any backdoors already installed.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Investigate and hunt for Octo Tempest related activity<\/strong>:<br \/>Octo Tempest is known for aggressive social engineering, often targeting individuals with specific permissions to gain legitimate access and move laterally through networks. To help identify these activities, customers can use Microsoft Defender\u2019s advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to the advanced hunting tables, analysts can use exposure insights from <a href=\"https:\/\/learn.microsoft.com\/en-us\/security-exposure-management\/microsoft-security-exposure-management\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Exposure Management<\/a>. 
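<\/p>\n<p class=\"wp-block-paragraph\">As an added illustration, not a query from the original post or from Microsoft, the following advanced hunting query stitches two of the behaviours described above into one timeline: execution of ngrok, Chisel or AADInternals and outbound ngrok tunnel traffic, taken from endpoint telemetry, and a Microsoft Entra ID password reset followed within an hour by the same account registering new security info, which is the footprint a successful help desk social-engineering call leaves. The table and column names are the standard Defender XDR advanced hunting schema; the seven-day window, the one-hour gap, the tool and ngrok domain lists, and the exact Entra ActionType strings are assumptions to verify in your own tenant before relying on the results.<\/p>\n
```kql
\/\/ Added example, not from the original post. Assumes the Defender XDR advanced hunting
\/\/ tables DeviceProcessEvents, DeviceNetworkEvents and CloudAppEvents. The window, gap,
\/\/ tool list, ngrok domains and Entra ActionType strings are assumptions to tune per tenant.
let lookback = 7d;
let reset_to_mfa_gap = 1h;
let tunneling_tools = pack_array('ngrok', 'chisel', 'aadinternals');
let ngrok_domains = pack_array('ngrok.io', 'ngrok-free.app', 'ngrok.app', 'ngrok.dev');
\/\/ Stage 1: a known tunneling or identity hacktool ran on an onboarded device. Matching the
\/\/ original file name from version info as well as the command line catches renamed binaries.
let tool_runs = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName has_any (tunneling_tools)
    or ProcessVersionInfoOriginalFileName has_any (tunneling_tools)
    or ProcessCommandLine has_any (tunneling_tools)
| project Timestamp, Entity = DeviceName, Actor = AccountName,
    Stage = 'Endpoint: tunneling or hacktool executed',
    Detail = strcat(FileName, ' ', ProcessCommandLine);
\/\/ Stage 2: an outbound connection to an ngrok tunnel endpoint, whatever the process is called.
let tool_net = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any (ngrok_domains)
| project Timestamp, Entity = DeviceName, Actor = InitiatingProcessAccountName,
    Stage = 'Endpoint: ngrok tunnel connection',
    Detail = strcat(InitiatingProcessFileName, ' -> ', RemoteUrl, ':', RemotePort);
\/\/ Stage 3: identity. Entra audit events surface in CloudAppEvents; the acting account is in
\/\/ RawEventData.UserId and the target account in RawEventData.ObjectId (assumed field names).
\/\/ UPNs are lower-cased so the join does not miss case differences between the two events.
let resets = CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == 'Reset user password.'
| project ResetTime = Timestamp, ResetBy = tostring(RawEventData.UserId),
    ResetIP = IPAddress, TargetUser = tolower(tostring(RawEventData.ObjectId));
let mfa_registrations = CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == 'User registered security info.'
| project RegTime = Timestamp, RegIP = IPAddress,
    TargetUser = tolower(tostring(RawEventData.UserId));
let reset_then_mfa = resets
| join kind=inner (mfa_registrations) on TargetUser
| where RegTime between (ResetTime .. (ResetTime + reset_to_mfa_gap))
| project Timestamp = RegTime, Entity = TargetUser, Actor = ResetBy,
    Stage = 'Identity: password reset followed by new MFA registration',
    Detail = strcat('reset by ', ResetBy, ' from ', ResetIP, '; security info registered from ',
        RegIP, ' after ', format_timespan(RegTime - ResetTime, 'hh:mm:ss'));
\/\/ One ordered timeline across all three stages.
union tool_runs, tool_net, reset_then_mfa
| order by Timestamp asc
```
\n<p class=\"wp-block-paragraph\">Run it from the advanced hunting pane of the Microsoft Defender portal. A user surfacing in the identity stage and a device surfacing in the endpoint stages within the same few hours are the first pivot for the incident; a reset performed by a service desk account from an IP address that never appears in its normal sign-ins is the detail to check first.<\/p>\n<p class=\"wp-block-paragraph\">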
<\/p>\n<p class=\"wp-block-paragraph\">Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor&#8217;s related activity, identify which users are most likely to be targeted, and understand what the effect of a compromise would be, strengthening defenses before an attack occurs.<\/p>\n<h2 class=\"wp-block-heading\" id=\"proactive-defense-against-octo-tempest\">Proactive defense against Octo Tempest<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/siem-and-xdr\/microsoft-security-exposure-management\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Exposure Management<\/a>, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that help them proactively reduce exposure and mitigate the impact of Octo Tempest\u2019s hybrid attack tactics.<\/p>\n<h3 class=\"wp-block-heading\" id=\"ensure-critical-assets-stay-protected\">Ensure critical assets stay protected<\/h3>\n<p class=\"wp-block-paragraph\">Customers should ensure critical assets are <a href=\"https:\/\/learn.microsoft.com\/en-us\/security-exposure-management\/critical-asset-management\" target=\"_blank\" rel=\"noreferrer noopener\">classified as critical<\/a> in the Microsoft Defender portal to generate relevant attack paths and recommendations in initiatives. 
Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.&nbsp;&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"take-action-to-minimize-impact-with-initiatives\">Take action to minimize impact with initiatives&nbsp;<\/h3>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/security-exposure-management\/initiatives\" target=\"_blank\" rel=\"noreferrer noopener\">Exposure Management&#8217;s initiatives feature<\/a> provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations begin with the initiatives below:&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Octo Tempest Threat Initiative<\/strong>: Octo Tempest is known for tactics like extracting credentials from Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs\u2014both of which can be mitigated through controls like attack surface reduction (ASR) rules and sign-in policies. This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.<\/li>\n<li class=\"wp-block-list-item\"><strong>Ransomware Initiative<\/strong>: A broader initiative focused on reducing exposure to extortion-driven attacks through hardening identity, endpoint, and infrastructure layers. This will provide recommendations tailored for your organization. 
<\/li>\n<\/ul>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/Actor-Profile.webp\" alt=\"A screenshot of the Actor Profile: Octo Tempest [Preview] dashboard.\" class=\"wp-image-141192 webp-format\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"investigate-on-premises-and-hybrid-attack-paths\">Investigate on-premises and hybrid attack paths<\/h3>\n<p class=\"wp-block-paragraph\">Security teams can use <a 
href=\"https:\/\/learn.microsoft.com\/en-us\/security-exposure-management\/work-attack-paths-overview\" target=\"_blank\" rel=\"noreferrer noopener\">attack path analysis<\/a> to trace cross-domain threats\u2014like those used by Octo Tempest\u2014who\u2019ve exploited the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the \u2018Chokepoint\u2019 view in the attack path dashboard to highlight entities appearing in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo target, and prioritize their remediation. &nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Given Octo Tempest\u2019s hybrid attack strategy, a representative attack path may look like this:&nbsp;<\/p>\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;68839a9216925&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img decoding=\"async\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/vulnerabilities.webp\" alt=\"Device with high severity vulnerabilities allows lateral movement to azure key vault graph.\" class=\"wp-image-141193 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/07\/vulnerabilities.webp\"><button \t\t\tclass=\"lightbox-trigger\" \t\t\ttype=\"button\" \t\t\taria-haspopup=\"dialog\" \t\t\taria-label=\"Enlarge image: Device with high severity vulnerabilities allows lateral movement to azure key vault graph.\" \t\t\tdata-wp-init=\"callbacks.initTriggerButton\" \t\t\tdata-wp-on-async--click=\"actions.showLightbox\" 
\t\t\tdata-wp-style--right=\"state.imageButtonRight\" \t\t\tdata-wp-style--top=\"state.imageButtonTop\" \t\t> \t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\"> \t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/> \t\t\t<\/svg> \t\t<\/button><\/figure>\n<h2 class=\"wp-block-heading\" id=\"recommendations\">Recommendations&nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">In today\u2019s threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"identity-security-recommendations\">Identity security recommendations&nbsp;<\/h3>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Ensure multifactor authentication is enabled for all users: Adding more authentication methods, such as the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/how-to-enable-authenticator-passkey\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Authenticator app<\/a> or a phone number, increases the level of protection if one factor is compromised.<\/li>\n<li class=\"wp-block-list-item\">Enable <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-protection\/overview-identity-protection\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Entra ID Identity Protection<\/a> sign-in risk policies: Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for.<\/li>\n<li class=\"wp-block-list-item\">Ensure <a 
href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/policy-admin-phish-resistant-mfa\" target=\"_blank\" rel=\"noreferrer noopener\">phishing-resistant multifactor authentication strength<\/a> is required for Administrators.<\/li>\n<li class=\"wp-block-list-item\">Ensure <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/recommendations-reference-identity-access\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Azure overprovisioned identities<\/a> should have only the necessary permissions.<\/li>\n<li class=\"wp-block-list-item\">Enable <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/privileged-identity-management\/pim-configure\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Entra Privileged Identity Management<\/a> as well as other protective measures to mitigate the risk of unnecessary or unauthorized access.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"endpoint-security-recommendations\">Endpoint security recommendations&nbsp;<\/h3>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Enable Microsoft Defender Antivirus <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/linux-preferences\" target=\"_blank\" rel=\"noreferrer noopener\">cloud-delivered protection for Linux<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Turn on Microsoft Defender Antivirus <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/microsoft-defender-endpoint-linux\" target=\"_blank\" rel=\"noreferrer noopener\">real-time protection for Linux<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Enable Microsoft Defender for Endpoint <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/edr-in-block-mode\" target=\"_blank\" rel=\"noreferrer noopener\">EDR in block mode<\/a> to block post breach malicious behavior on the device through behavior blocking and containment capabilities.<\/li>\n<li class=\"wp-block-list-item\">Turn on <a 
href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection\" target=\"_blank\" rel=\"noreferrer noopener\">tamper protection<\/a> that essentially prevents Microsoft\u202fDefender\u202ffor\u202fEndpoint\u202f(your\u202fsecurity\u202fsettings)\u202ffrom\u202fbeing\u202fmodified.<\/li>\n<li class=\"wp-block-list-item\">Block credential stealing from the Windows local security authority subsystem: <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/attack-surface-reduction-rules-reference\" target=\"_blank\" rel=\"noreferrer noopener\">Attack surface reduction (ASR)<\/a> rules are the most effective method for blocking the most common attack techniques being used in cyber-attacks and malicious software.<\/li>\n<li class=\"wp-block-list-item\">Turn on <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/configure?tabs=intune\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender Credential Guard<\/a> to\u202fisolate\u202fsecrets\u202fso\u202fthat\u202fonly\u202fprivileged\u202fsystem\u202fsoftware\u202fcan\u202faccess\u202fthem.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"cloud-security-recommendations\">Cloud security recommendations&nbsp;<\/h3>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Key Vaults should have <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/key-vault\/general\/key-vault-recovery?tabs=azure-powershell\" target=\"_blank\" rel=\"noreferrer noopener\">purge protection enabled<\/a> to prevent immediate, irreversible deletion of vaults and secrets.<\/li>\n<li class=\"wp-block-list-item\">To reduce risks of overly permissive inbound rules on virtual machines\u2019 management ports, <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/just-in-time-access-overview?tabs=defender-for-container-arch-aks\" target=\"_blank\" rel=\"noreferrer noopener\">enable 
just-in-time (JIT)<\/a> network access control.<\/li>\n<li class=\"wp-block-list-item\">Microsoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and increase control, <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/enable-agentless-scanning-vms\" target=\"_blank\" rel=\"noreferrer noopener\">enable CMK<\/a> to manage your own encryption keys through Microsoft Azure Key Vault.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/key-vault\/general\/howto-logging?tabs=azure-cli\" target=\"_blank\" rel=\"noreferrer noopener\">Enable logs in Azure Key Vault<\/a> and retain them for up to a year, so that secret and key access can be reconstructed during an investigation when a security incident occurs or your network is compromised.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/backup\/backup-during-vm-creation\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Azure Backup<\/a> should be enabled for virtual machines to protect their data and to create recovery points stored in geo-redundant recovery vaults, which matters when the actor\u2019s final stage is ransomware deployment.<\/li>\n<\/ul>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/16\/protecting-customers-from-octo-tempest-attacks-across-multiple-industries\/\">Protecting customers from Octo Tempest attacks across multiple industries<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/16\/protecting-customers-from-octo-tempest-attacks-across-multiple-industries\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Defender Security Research Team| Date: Wed, 16 Jul 2025 16:00:00 +0000<\/strong><\/p>\n<p>To help protect and inform customers, Microsoft highlights protection coverage across the Microsoft Defender security ecosystem to protect against threat actors like Octo Tempest.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/16\/protecting-customers-from-octo-tempest-attacks-across-multiple-industries\/\">Protecting customers from Octo Tempest attacks across multiple industries<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security 
Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-25912","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25912"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25912\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}