Publications
Microsoft publications
Research published through official Microsoft security channels. New articles are added here automatically as soon as they're added to the data file — no code changes needed.
Photo ZIP Campaign Targeting the Hospitality Industry Delivers a Node.js Implant for Persistent Access
Analysis of an active multi-stage intrusion campaign targeting the hospitality industry across Europe and Asia — photo-themed ZIP lures, obfuscated PowerShell, a Node.js implant, dual registry persistence, and C2 over non-standard ports, including "authentication laundering" through trusted services.
When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply Chain Compromise
A technical breakdown of a supply chain compromise affecting the EmEditor update mechanism, covering the attack path, detection opportunities, and defensive recommendations.
HSM-as-a-Service: Use Cases, Considerations, and Best Practices
Contributor and reviewer on the Cloud Security Alliance Cloud Key Management working-group publication covering the HSM-as-a-Service delivery model, security considerations, and vendor selection.
Key Management Lifecycle Best Practices
Contributor and reviewer on the Cloud Security Alliance publication detailing best practices across each phase of the cryptographic key management lifecycle.
Microsoft Defender Experts Disrupt Jasper Sleet's Insider Access Campaign
Co-authored Microsoft Security Experts analysis of how Defender Experts detected and disrupted Jasper Sleet — a North Korea-nexus actor operating as a remote IT worker inside a live enterprise tenant — through proactive behavioral threat hunting.
The Future of Threat Hunting: The Hunter is Dead, Long Live the Engineer
Published author in the Black Hills Information Security (BHIS) InfoSec Survival Guide (Teal Book) on threat hunting — distributed in hard copy at the Antisyphon Threat Hunting Summit.
Active Exploitation Hunt — CVE-2025-30406
Microsoft Defender Experts (DEX) threat hunt into in-the-wild exploitation of CVE-2025-30406 (CVSS 9.8), an unauthenticated RCE in Gladinet CentreStack and Triofox driven by a hardcoded cryptographic key. Tracked hands-on-keyboard intrusion, backdoor persistence, and post-exploitation activity following the vendor patch (Apr 3, 2025) and CISA KEV listing (Apr 8, 2025) — turning findings into deployable detections. Internal customer hunt report; not publicly published.
Coming soon
Next Microsoft publication appears here — just add it to data/content.json.