https://feed.craftedsignal.io/products/microsoft-defender/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 15:00:00 +0000https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/Thu, 30 Apr 2026 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.In the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft’s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.

Attack Chain

1. Initial Email Delivery: Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.
2. Victim Interaction: The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.
3. Phishing Page Redirection: The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.
4. Credential Harvesting: The victim enters their username and password on the phishing page, which are then captured by the attacker.
5. MFA Bypass (AiTM): For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.
6. Account Compromise: With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim’s account.
7. Lateral Movement/Data Theft: The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.
8. Business Email Compromise: In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.

Impact

The observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft’s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.

Recommendation

• Deploy the “Detect Tycoon2FA Phishing Attempts” Sigma rule to identify email campaigns associated with the Tycoon2FA platform.
• Enable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.
• Monitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.
• Educate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).

]]>highthreatemailphishingcredential-theftTycoon2FABEChttps://feed.craftedsignal.io/briefs/2024-01-defender-tampering/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-defender-tampering/Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.Attackers commonly disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior within compromised Windows environments. This is often achieved by modifying specific registry keys that control the behavior and functionality of Defender components, such as real-time monitoring, exploit protection, and tamper protection itself. Such actions can significantly reduce the effectiveness of endpoint security, allowing malicious activities to proceed undetected. The references point to techniques that disable PUA protection, tamper protection, memory integrity, and real-time protection. This behavior is observed across various attack scenarios, including ransomware deployment and cryptocurrency mining campaigns.

Attack Chain

1. Initial access is gained through an unspecified vector (e.g., phishing, exploitation of a vulnerability).
2. The attacker obtains elevated privileges on the system.
3. The attacker uses an administrative tool like reg.exe or PowerShell to modify the registry.
4. The attacker disables real-time monitoring by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring to 1.
5. The attacker disables tamper protection by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Features\TamperProtection to 0.
6. The attacker disables PUA Protection by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection to 0.
7. With Defender weakened, the attacker executes malicious payloads, such as ransomware or cryptocurrency miners.

Impact

Successful tampering with Microsoft Defender can lead to a significant degradation of endpoint security posture. This can result in undetected malware infections, data breaches, and system compromise. Disabling Defender features can allow attackers to establish persistence, escalate privileges, and deploy malicious payloads without triggering alerts. The impact can range from individual system compromise to widespread network infection, depending on the attacker’s objectives and the extent of the tampering.

Recommendation

• Deploy the Sigma rule “Microsoft Windows Defender Tampering - Disable Realtime Monitoring” to your SIEM to detect modifications to the DisableRealtimeMonitoring registry value.
• Deploy the Sigma rule “Microsoft Windows Defender Tampering - Disable Tamper Protection” to detect modifications to the TamperProtection registry value.
• Monitor registry modification events, specifically targeting keys associated with Microsoft Defender settings as described in the rule query.
• Investigate any process modifying Windows Defender registry settings that are not explicitly authorized, referencing the process exclusions in the rule query.

]]>mediumadvisorydefense-evasionregistry-modificationwindows