Microsoft Threat Intelligence Podcast

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo speaks with Cynthia Kaiser to unpack the progression of ransomware from isolated attacks into a sophisticated global criminal ecosystem. Drawing on her two decades at the FBI and current role at Halcyon, Cynthia explains how cybercrime has scaled through organized networks, improved tactics, and increasing speed, with some attacks now unfolding in under an hour. The conversation explores how law enforcement strategies have shifted from targeting low-level actors to disrupting entire ecosystems, leading to more impactful takedowns. Cynthia also highlights the real-world consequences of ransomware, including its growing impact on critical infrastructure like hospitals and the potential for loss of life. The episode examines how AI is shaping both attacker and defender capabilities, accelerating phishing and access while also enabling stronger defensive responses. In this episode you’ll learn: How ransomware evolved into a global organized criminal ecosystem Why modern ransomware attacks are faster, more scalable, and harder to stop The real-world impact of ransomware, including risks to critical infrastructure Some questions we ask: How has ransomware shifted into a larger ecosystem over time? What are companies getting wrong about cyber insurance and recovery? Are autonomous AI-driven attacks a real threat yet? Resources: View Cynthia Kaiser on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo speaks with Jarrod Forgues Schlenker of the FBI’s Cyber Division about the pattern's investigators see in cyber incidents and how initiatives like Operation Winter Shield aim to close the gap between knowing what to do and actually implementing it. They discuss the importance of foundational controls like phishing-resistant authentication, secure logging, and strong identity protection, as well as the role threat intelligence and prevention play in strengthening organizational defenses. The conversation highlights how small, practical security improvements can significantly disrupt attackers and help organizations reduce risk before an incident occurs. In this episode you’ll learn: How the FBI identifies recurring patterns in cyber-attacks across investigations Why phishing-resistant authentication and MFA are critical for stopping credential theft What Operation Winter Shield is and how it encourages organizations to move from awareness to action Some questions we ask: Which security control themes in the program stand out to you the most? Why are log retention and protection so critical during investigations? How can threat intelligence programs help organizations strengthen their defenses? Resources: View Jarrod Forgues Schlenker on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Greg Schlomer and Vlad H. to discuss new research on Jasper Sleet, a North Korean–aligned threat actor incorporating AI into active operations. The conversation examines how AI is being integrated across the attack lifecycle — from highly tailored phishing lures and fabricated job applicant personas to accelerating malware development and refining operational workflows. Rather than treating AI as a novelty, Jasper Sleet is using it to increase speed, scale, and adaptability while reducing many of the friction points that once slowed campaigns. They also explore what this shift means for defenders. As AI compresses iteration cycles and lowers barriers to entry, traditional attribution signals evolve, influence operations become more convincing, and defensive teams must tighten the loop between intelligence, detection, and response. This is less about experimentation and more about the operationalization of AI as part of modern tradecraft. In this episode you’ll learn: How AI is changing the speed at which cyber operations evolve Why jailbreaking AI models is often trivial for motivated adversaries The strategic implications of AI leveling the playing field between threat actors Some questions we ask: Is there resistance among experienced malware authors to adopting AI? Are we seeing fully AI-written malware in the wild? What stands out about Jasper Sleet’s use of AI? Resources: View Greg Schloemer on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, Sherrod DeGrippo speaks with Microsoft security and AI researchers Giorgio Severi and Noam Kochavi about a newly observed trend in AI abuse: recommendation poisoning through memory manipulation. While looking into prompt injection and reprompt-style behaviors, the team uncovered something quieter but potentially more persistent—websites embedding hidden instructions inside Summarize with AI links that attempt to influence what an AI assistant remembers and recommends over time. Rather than focusing on immediate exploitation, this technique aims to shape long-term behavior inside AI systems. Giorgio and Noam explain how it works, why it’s spreading across industries, where legitimate marketing tactics can blur into security risk, and what defenders and users should understand about managing AI memory in an increasingly agent-driven environment. In this episode you’ll learn: How AI memory poisoning differs from traditional prompt injection Why legitimate businesses are using memory manipulation tactics What threat hunters can look for inside enterprise telemetry Some questions we ask: How is memory poisoning different from prompt injection? What are the long-term risks of embedding bias into AI memory? Could this technique be used for more harmful influence beyond marketing? Resources: View Giorgio Severi on LinkedIn View Noam Kochavi on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Microsoft security researchers Megan Stalling and Anna Seitz to examine how financially motivated threat actors are using familiar, low-complexity techniques to drive real-world impact across the financial services sector. They examine Storm-0727, a financially motivated threat actor targeting cryptocurrency, financial services, and government entities, highlighting how simple techniques like financial-themed lures, macro-enabled documents, and credential theft allow attackers to quietly establish and maintain access. The conversation then expands to broader financial-services threat trends, including business email compromise, ransomware with data extortion, phishing-as-a-service, and why social engineering and unpatched vulnerabilities continue to succeed even in mature security environments. In this episode you’ll learn: How credential theft helps attackers maintain persistence Why social engineering works even in well-secured environments How Storm-0727 targets financial services and cryptocurrency organizations Some questions we ask: What happens after a victim opens a macro-enabled document used by Storm-0727? How are phishing as a service platforms changing the threat landscape? What major threat trends are currently shaping the financial services sector? Resources: View Megan Stalling on LinkedIn View Anna Seitz on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by security researcher Crane Hassold and Digital Defense Report lead Chloe Mesdaghi for a grounded, practitioner-led discussion on where artificial intelligence actually stands today. Moving beyond hype and fear-driven narratives, the conversation examines how AI is realistically being used by threat actors, where its impact is often overstated, and why defenders currently stand to gain the most from AI-driven tooling. The episode explores AI’s strengths in detection, triage, and workflow acceleration, the psychology and incentives that shape attacker behavior, and emerging risks such as prompt injection and AI systems becoming direct attack targets. In this episode you’ll learn: Where AI is genuinely being used in real-world cyber operations Why AI systems themselves are becoming attractive targets for attackers How AI is accelerating defensive workflows like detection engineering and threat triage Some questions we ask: What does AI do well right now, and where has it been overpromised? Does AI shift the balance of power toward defenders or attackers? Why are prompt injection and agent manipulation such serious concerns? Resources: View Chloé Messdaghi on LinkedIn View Crane Hassold on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

To kick off Season 3 of Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Microsoft security researchers Anna Seitz and Jonathan Checchi. Our guests examine two developments shaping today’s threat landscape: the cloud-native evolution of ransomware group Storm-0501 and the SesameOp backdoor’s abuse of trusted AI platforms for stealthy command-and-control. The discussion highlights how identity, hybrid-cloud pivot points, and federated authentication enable high-impact attacks without traditional malware, and why policy-compliant platform abuse is becoming harder to detect. Sherrod, Anna, and Jonathan provide guidance for defenders around enforcing MFA, tightening conditional access and identity controls, monitoring across cloud and on-prem environments, and partnering with platform providers to disrupt emerging attacker tradecraft. In this episode you’ll learn: What happens when threat actors gain control of highly privileged identities Why monitoring identity behavior is as critical as monitoring endpoints How attacker tactics are adapting to environments that blend cloud and on-prem systems Some questions we ask: What does recent threat activity tell us about where the landscape is headed? How is Storm-0501 using federated authentication in their operations? What should security teams focus on as AI becomes more integrated into systems? Resources: View Anna Seitz on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by security researchers Geoff McDonald and JBO to discuss Whisper Leak, new research showing that encrypted AI traffic can still unintentionally reveal what a user is asking about through patterns in packet size and timing. They explain how LLM token streaming enables this kind of side-channel attack, why even well-encrypted conversations can be classified for sensitive topics, and what this means for privacy, national-level surveillance risks, and secure product design. The conversation also walks through how the study was conducted, what patterns emerged across different AI models, and the steps developers should take to mitigate these risks. In this episode you’ll learn: Why packet sizes and timing patterns reveal more information than most users realize How user-experience choices like showing streamed text create a larger attack surface The difference between classic timing attacks and the new risks uncovered in Whisper Leak Resources: View JBO on LinkedIn View Geoff McDonald on LinkedIn View Sherrod DeGrippo on LinkedIn Learn more about Whisper Leak Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Matt Duncan, Vice President of Security Operations and Intelligence at the North American Electric Reliability Corporation’s E-ISAC, to explore the cyber threats targeting the North American power grid. Matt breaks down why the grid remains resilient despite increasing pressure from nation-states, cybercriminals, and hacktivists, how AI is lowering the barrier of entry for attackers, and why OT systems and interconnected devices present unique risks. He also highlights real success stories, the value of large-scale grid exercises, and how strong collaboration and a focus on foundational security practices help defenders keep power flowing safely and reliably. In this episode you’ll learn: How severe weather events trigger heightened cyber-readiness across utilities What motivates hacktivist groups and how their tactics differ from other threat actors Why outdated equipment and legacy systems remain such attractive targets Some questions we ask: Are you seeing more educated and capable OT-focused adversaries now? How do you work with policymakers to help them understand these threats? If you could eliminate one misconception about securing the grid, what would it be? Resources: View Matt Duncan on LinkedIn View Sherrod DeGrippo on LinkedIn Learn more about E-ISAC Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by security researchers Tori Murphy and Anna Seitz to unpack two financially motivated cyber threats. First, they explore the Payroll Pirates campaign (Storm 2657), which targets university payroll systems through phishing and MFA theft to reroute direct deposits. Then, they examine Vanilla Tempest, a ransomware group abusing fraudulent Microsoft Teams installers and SEO poisoning to deliver the Oyster Backdoor and Recita ransomware. Together, they discuss how attackers exploit trust in identity, code signing, and SaaS platforms and share practical steps organizations can take to strengthen defenses, from phishing-resistant MFA to stricter executable controls and out-of-band banking verification. In this episode you’ll learn: How Payroll Pirates diverted university salaries through SaaS HR phishing schemes Why universities are prime targets for identity-based cyberattacks How Vanilla Tempest evolved from basic ransomware to complex multi-stage attacks Some questions we ask: How are attackers stealing credentials and paychecks? Why do attackers create inbox rules after compromising accounts? What alerts should organizations monitor for these types of attacks? Resources: View Tori Murphy on LinkedIn View Anna Seitz on LinkedIn View Sherrod DeGrippo on LinkedIn Investigating targeted “payroll pirate” attacks affecting US universities Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Zack Korman, CTO of cybersecurity startup Pistachio. They explore the reality of AI in security, cutting through hype to discuss where AI is both brilliant and flawed, how vendors AI-wash outdated tech, and why Zack believes AI won’t replace jobs but instead scale human creativity. They also dive into phishing simulations, human psychology behind social engineering, AI-powered attacks, jailbreak chaining between AI systems, and the future risks and opportunities AI introduces in cybersecurity. In this episode you’ll learn: How to evaluate whether a vendor is truly using AI in their product The psychology behind why people fall for phishing attacks Why human judgment will remain essential in the era of AI-driven security. Some questions we ask: How can AI unlock new capabilities in cybersecurity? What questions should people ask AI security vendors? Why do trained security professionals still fall for phishing attacks? Resources: View Zack Korman on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Chloé Messdaghi and Crane Hassold to unpack the key findings of the 2025 Microsoft Digital Defense Report; a comprehensive look at how the cyber threat landscape is accelerating through AI, automation, and industrialized criminal networks. They explore how nation-state operations and cybercrime have fused into a continuous cycle of attack and adaptation, with actors sharing tooling, infrastructure, and even business models. The conversation also examines AI’s growing impact, from deepfakes and influence operations to the defensive promise of AI-powered detection, and how identity compromise has become the front door to most intrusions, accounting for over 99% of observed attacks. Listeners will gain perspective on: How AI is shaping both attacker tradecraft and defensive response. Why identity remains the cornerstone of global cyber risk. What Microsoft’s telemetry—spanning 600 million daily attacks—reveals about emerging threats and evolving defender strategies. Questions explored: How are threat actors using AI to scale deception and influence operations? What does industrialized cybercrime mean for organizations trying to defend at scale? How can defenders harness AI responsibly without overreliance or exposure? Resources: Download the report and executive summary Register for Microsoft Ignite View Chloé Messdaghi on LinkedIn View Crane Hassold on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Tori Murphy, Anna Seitz, and Chuong Dong to break down two threats: the modular backdoor PipeMagic and Medusa ransomware. They discuss how PipeMagic disguises itself as a ChatGPT desktop app to deliver malware, its sophisticated modular design, and what defenders can do to detect it. The team also explores Medusa’s evolution into a ransomware-as-a-service model, its use of double extortion tactics, and the broader threat landscape shaped by ransomware groups, social engineering, and the abuse of legitimate tools. In this episode you’ll learn: Why modular malware is harder to detect and defend against How attackers abuse vulnerable drivers to disable security tools Why leak sites play a central role in ransomware operations Some questions we ask: How did Microsoft researchers uncover PipeMagic in the wild? Why do ransomware groups often borrow names and themes from mythology? What initial access techniques are commonly associated with Medusa attacks? Resources: View Anna Seitz on LinkedIn View Chuong Dong on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Kelly Bissell, Corporate Vice President at Microsoft, to explore how domain impersonation and typosquatting are changing in the age of AI. They discuss how attackers are increasingly using AI and bots to scale online deception, why this tactic is so effective, and how Microsoft is countering cutting-edge defenses like Siamese neural networks to detect fraudulent domains in real time. Kelly shares insights on the massive scale of these threats, the shift toward defender advantage, and the broader implications for securing organizations worldwide. In this episode you’ll learn: How attackers use AI and bots to scale domain impersonation and typosquatting Why defenders may finally have the higher ground in the fight against online fraud How Microsoft’s Siamese neural network model detects fraudulent domains in real time Some questions we ask: What excites you most about this new detection approach? How do fake domains fit into a larger social engineering chain? What indicators should defenders watch for in typosquatting domains? Resources: View Kelly Bissell on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Microsoft researchers Kelsey Clapp and Anna Seitz to examine two major cybercrime campaigns. The team unpacks Storm 2561’s use of SEO poisoning to distribute Trojanized software like SilentRoute and Bumblebee, stealing VPN credentials and paving the way for ransomware brokers. They also dive into Storm 1811’s ReadBed malware, a loader deployed through bold social engineering tactics, such as fake IT help desk calls via Teams, that enable lateral movement and ransomware deployment. The discussion highlights how modern threat actors exploit trust, extend attack chains, and continually evolve their techniques, underscoring the importance of vigilance, strong security controls, and verifying before trusting. In this episode you’ll learn: How Storm 2561 uses SEO poisoning to trick users into downloading Trojanized software The role of trust, urgency, and habit in social engineering tactics Practical steps organizations can take to block these threats and strengthen defenses Some questions we ask: Why are initial access loaders such a big risk for organizations? How are threat actors using fake IT help desk calls to gain access? What steps should defenders take to cut off these entry points? Resources: View Anna Seitz on LinkedIn View Kelsey Clapp on LinkedIn View Sherrod DeGrippo on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is live from Black Hat 2025 with a special lineup of Microsoft security leaders and researchers. First, Sherrod sits down with Tom Gallagher, VP of Engineering and head of the Microsoft Security Response Center (MSRC). Tom shares how his team works with researchers worldwide, why responsible disclosure matters, and how programs like Zero Day Quest (ZDQ) are shaping the future of vulnerability research in cloud and AI security. He also announced the next iteration of ZTQ with $5 million up for grabs. Next, Sherrod is joined by Eric Baller (Senior Security Researcher) and Eric Olson (Principal Security Researcher) to unpack the fast-changing ransomware landscape. From dwell time collapsing from weeks to minutes, to the growing role of access brokers, they explore how attackers operate as organized ecosystems and how defenders can respond. Finally, Sherrod welcomes Travis Schack (Principal Security Researcher) alongside Eric Olson to examine the mechanics of social engineering. They discuss how attackers exploit urgency, trust, and human curiosity, why AI is supercharging phishing campaigns, and how defenders can fight back with both training and technology. In this episode you’ll learn: How MSRC partners with researchers across 59 countries to protect customers Why Zero Day Quest is accelerating vulnerability discovery in cloud and AI How ransomware dwell times have shrunk from days to under an hour Resources: View Sherrod DeGrippo on LinkedIn Zero Day Quest — Microsoft Microsoft Security Response Center Blog Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft Security Insider The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.