Microsoft Security Response Center

Computer and Network Security

Protecting customers and Microsoft from current and emerging threats related to security and privacy.

About us

The Microsoft Security Response Center (MSRC) is dedicated to safeguarding customers and Microsoft from security threats. With over two decades of experience, we focus on prevention, rapid defense, and community trust. Together, we’ll continue to protect our users and the broader ecosystem.

Website
https://www.microsoft.com/en-us/msrc
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Cybersecurity, Security response, Incident response, Bug bounty, Security research, and BlueHat

Updates

  • Part 2 of our 3-part XSS series is live! Learn how XSS can be weaponized when chained with other vulnerabilities, turning a simple flaw into a gateway for serious exploits like token theft and remote code execution: https://lnkd.in/guNVHryR Missed part 1? Catch up here: Why XSS still matters: MSRC’s perspective on a 25-year-old threat: https://lnkd.in/gWAkUqAj Authored by: Carlston Mills, Kul Subedi, and Sonal Shrivastava.

    • Weaponizing cross site scripting: When one bug isn’t enough
  • In our latest blog, Cameron Vincent, Senior Security Researcher at MSRC, features the work of MSRC intern and security researcher Brian McNulty, who uncovered 22+ critical vulnerabilities in just two months. Learn how the MSRC team leverages automation and tools like IMPOSTR to identify risky multi-tenant apps, why robust authentication and authorization are essential, and how new protocols like Model Context Protocol (MCP) are shaping the future of secure AI integration. This blog covers: • Real-world attack scenarios and variant hunting strategies • Securing multi-tenant authentication and authorization flows • Lessons learned from MCP vulnerabilities and Azure template exposures. If you’re a security researcher, CISO, or technical leader interested in advanced detection techniques and evolving best practices, see how MSRC is raising the bar for proactive defense. Read the full blog post here: https://lnkd.in/desF-wxW

    • MSRC variant hunting: From multi-tenant authorization to Model Context Protocol
  • From OAuth flaws to AI resilience, the BlueHat Asia day 2 talks showed how small oversights can lead to big risks, and how proactive strategies can transform defense. We started the day with the keynote from Abhilasha Bhargav-Spantzel, Partner Security Architect at Microsoft AI, who shared her vision for trustworthy AI and the human values that must guide technology. Highlights from her keynote include:
    ➤ Security isn’t just about data, it’s about protecting dignity, creativity, and human relationships. Inspired by Tagore’s call for reason and fearlessness, Abhilasha urged us to design AI systems with purpose and compassion.
    ➤ Architectural foundations: “Form follows function, every feature must serve a purpose, or it’s a bug.” Security pillars like identity protection, threat intelligence, and resilience must be baked in from the start.
    ➤ AI-specific challenges: From prompt injection to data poisoning, layered defenses and holistic system thinking are essential in the age of generative AI.
    ➤ Call to action: “We are the creators of solutions. Let’s build a secure future where brilliant minds are unleashed without fear.”
    Highlights from the sessions include:
    ➤ OAuth social logins: Spandan Pokhrel revealed how weak handling of the state parameter in OAuth flows can enable account takeovers, even on major platforms. The takeaway: validate state tokens rigorously and avoid using them for routing.
    ➤ Variant hunting at scale: Parul Garg & Sriharsha Pallekonda introduced the APEX model for spotting recurring vulnerability patterns across services, turning reactive fixes into proactive assurance.
    ➤ Multi-tenant risks & IMPOSTR: Cameron Vincent & Brian McNulty explained how attackers can exploit multi-tenant apps to gain unauthorized access, even impersonating users with any app role, name, or email. They also introduced IMPOSTR, an automated tool that scans Microsoft’s internal ecosystem for vulnerable multi-tenant applications, helping escalate and fix critical issues quickly.
    ➤ Securing MCP: Vishal Chand & Nikhil Srivastava exposed attack chains targeting Model Context Protocol and stressed governance, isolation, and robust frameworks for AI-native apps.
    ➤ Cloud attack path detection: Yash Narendra showed how analyzing real-world access patterns uncovers hidden attack paths, enabling faster containment and defense.
    ➤ Augmented disruption for BEC: Ankur Srivastava & Krithika Ramakrishnan introduced graph-based scoring and CARS to proactively disrupt Business Email Compromise attacks before damage occurs. #BlueHatAsia
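As an added illustration of the OAuth takeaway above (example code written for this page, not code from the talk or from MSRC): a minimal server-side state store that binds each state value to the session that started the flow, makes it single-use and short-lived, and keeps the post-login route server-side instead of reading it from the state parameter. The weak pattern is shown beside it for contrast. Names such as `OAuthStateStore`, `ALLOWED_RETURN_PATHS` and `weak_redirect_target` are assumptions for the example.

```python
import hmac
import secrets
import time

# Assumption for this example: the app only ever returns users to these paths after login.
ALLOWED_RETURN_PATHS = {"/dashboard", "/settings"}
DEFAULT_RETURN_PATH = "/dashboard"


def weak_redirect_target(callback_params):
    """Weak pattern: the state parameter is treated as the post-login route.
    Nothing binds it to a session, so a forged callback is accepted and the
    redirect target is whatever the caller put in the URL."""
    return callback_params.get("state", DEFAULT_RETURN_PATH)


class OAuthStateStore:
    """Hardened pattern: state is a random nonce stored server-side, bound to
    the session that started the flow, single-use, and short-lived. The
    return path lives in the server-side record, never in the state value."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._records = {}  # state -> (session_id, return_path, issued_at)

    def issue(self, session_id, return_path=DEFAULT_RETURN_PATH):
        # Allow-list the route before storing it; unknown routes fall back.
        if return_path not in ALLOWED_RETURN_PATHS:
            return_path = DEFAULT_RETURN_PATH
        state = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._records[state] = (session_id, return_path, time.time())
        return state

    def consume(self, session_id, presented_state):
        """Validate the state from the callback. Returns the stored return
        path on success, or None when the callback must be rejected."""
        record = self._records.pop(presented_state, None)  # single use
        if record is None:
            return None  # unknown, forged, or already-used state
        owner, return_path, issued_at = record
        if time.time() - issued_at > self.ttl:
            return None  # expired
        if not hmac.compare_digest(owner, session_id):
            return None  # state was issued to a different session
        return return_path
```

The callback handler should reject the request entirely when `consume` returns None rather than falling back to a default route, so a replayed or cross-session state never completes a login.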
  • Thank you to everyone who joined us this week for BlueHat Asia. BlueHat is more than just a conference, it’s a community. One where the security community from inside and outside Microsoft come together as peers to share, challenge, and learn from one another. From deep technical talks to hallway debates, BlueHat Asia showed how collaboration drives progress in security. Together, we're helping build a safer, more secure world for everyone. Special shoutout to the BlueHat organizers and volunteers. This event would not be possible without your energy, dedication, and behind-the-scenes magic. Until next year. 💙 Tom Gallagher Jeremy Tinder Karthik Beligiri, CISSP Stephanie Calabrese
  • At BlueHat Asia, Abhilasha Bhargav-Spantzel, Partner Security Architect, Microsoft AI, delivered a powerful keynote on the future of trustworthy AI and security. With her mother in the audience for the first time in 25 years, Abhilasha shared how relentless support and a mindset of never giving up shaped her journey from Intel to Microsoft and inspired her architectural approach to technology and life. Highlights from Abhilasha’s talk:
    ➤ Grounding principles: Inspired by Rabindranath Tagore’s poem, Abhilasha calls for building AI systems with reason, compassion, and fearlessness.
    ➤ Architecture foundations: “Form follows function, every feature must serve a purpose, or it’s a bug.”
    ➤ People first, future-proof always: Security isn’t just about data, it’s about protecting dignity, creativity, and human relationships.
    ➤ Security pillars: Identity protection, data protection, threat intelligence, resilience & patching.
    ➤ Threat modeling: Proactively design for security, document decisions, and comply with standards. Know your product, assets, and adversaries, and build security by design.
    ➤ AI-specific challenges: From prompt injection to data poisoning, Abhilasha emphasized the need for layered defenses and holistic system thinking in the age of generative AI.
    AI opportunities and risks:
    ➤ AI is not just an API: Abhilasha explained that AI systems are shaped by data, architecture, and human choices. Shortcut learning and embedded biases can lead to unpredictable outcomes, making it essential to reason about how these systems work.
    ➤ Single points of failure: Over-reliance on AI and concentration of power can amplify risks. Biased data leads to biased decisions, and lack of diversity in training data can exclude entire communities.
    ➤ Democratize innovation: AI should be transparent, accountable, and work for everyone, not just the affluent or majority. Competition is great, but governance and oversight are essential.
    ➤ Holistic system thinking: Security must be systemic, with feedback loops, resilience, and redundancy. Continuous improvement and public-interest safeguards are key.
    Call to action: “We are the creators of solutions and pave the way for the next generation. Let’s build a secure future where brilliant minds are unleashed without fear.” #BlueHatAsia
  • Good morning, BlueHat Asia! We're ready to kick off Day 2 with opening remarks from Tom Gallagher, VP of Engineering, MSRC, followed by the Day 2 keynote from Abhilasha Bhargav-Spantzel, Partner Security Architect, Microsoft AI. After the keynote, dive into more incredible sessions, connect with peers during networking opportunities, and explore unique experiences in the security villages. What are you most excited about for Day 2? #BlueHatAsia
  • Day 1 of BlueHat Asia has officially wrapped. Huge thank you to everyone who joined us. Your energy, curiosity, and collaboration made today memorable. Here’s what we explored together:
    Tom Gallagher opened BlueHat Asia by celebrating Asia’s incredible security research community and reflected on 25 years of CVEs, evolving from patch-driven alerts to proactive cloud vulnerability disclosures. BlueHat is more than talks. It’s about community, networking, and collaboration. Security is a team sport, and today proved that together we can tackle the toughest challenges.
    In the morning keynote, Craig Nelson, VP of the Microsoft Red Team, discussed how AI accelerates proactive security, enabling defenders to move faster, scale impact, and anticipate emerging threats.
    Rahul Sasi (Shashi), Co-Founder and CEO of CloudSEK, reminded us that attack chains multiply across supply chains. Every connection is an attack vector, requiring infinite vigilance and smarter defenses.
    Shawn Hernan, Partner Security Engineering Manager, challenged us to rethink how we interpret dashboards and data, because hidden biases can distort risk perception and decision-making.
    Harish Poornachander revealed real-world misconfigurations in GitHub Actions, Azure DevOps, and more, along with best practices to keep automation safe.
    Tzah Pahima shared a fascinating research journey exposing flaws in shared compute environments and lessons learned from bug bounty highs and lows.
    Shibsankar Das and Rituraj Jodha unveiled a multi-agent system that automates evidence collection and risk scoring, helping SOC teams disrupt malicious cloud apps faster.
    Srinivasan Govindarajan, Pranjal Gupta, and Rajesh Kumar Natarajan introduced a RAG + LLM-powered forensic framework that automates memory analysis, detects stealthy malware, and is now open source for the community.
    Vertika Sharma showed how LD_PRELOAD and symbol overloading can block risky operations at runtime, no patch required. A powerful tool when fixes lag behind.
    Day 1 wasn’t just about talks: our BlueHat Villages brought hands-on learning and deep dives into exploit development, reverse engineering, and cloud security. These spaces sparked collaboration and gave attendees a chance to connect with experts and peers in an informal, interactive setting. What was your favorite insight from Day 1? Share your thoughts below! #BlueHatAsia
  • At #BlueHatAsia, Rahul Sasi (Shashi), Co-Founder & CEO at CloudSEK, delivered an afternoon keynote on how the security landscape is evolving, and why we must think in 3D. In 2D security, we protect endpoints. In 3D security, every endpoint has endpoints of its own. Attack chains are multiplying, and supply chain vulnerabilities are everywhere. Highlights from Rahul's keynote:
    ➤ Security knowledge compounds like interest. Each year’s learning multiplies the last, revealing invisible attack chains.
    ➤ Real-world exploits: From fuzzing PHP libraries to crashing cable TV networks and breaking encryption, attackers are always innovating.
    ➤ Supply chain attacks (Codecov, IntelBroker) show that the weakest link might be the tools developers use, not just the apps themselves.
    ➤ Every connection is an attack vector. Infinite possibilities mean infinite vigilance.
  • At #BlueHatAsia, Craig Nelson, VP, Microsoft Red Team at Microsoft, shared how AI is transforming the future of Red Teaming and defense. Microsoft has long led the way in proactive security, with Red Teaming built on “Assume Breach” and “Embrace the Red,” simulating real-world threats to strengthen defenses before adversaries strike. Today, the challenge is evolving: new AI layers are reshaping both how we test our security and how we protect our digital estate. Highlights from Craig’s keynote:
    ➤ Design-time security saves resources: 70% of high-severity cloud vulnerabilities could be prevented earlier with secure design. Proactive measures are 8–20x more cost-effective than post-release fixes.
    ➤ AI is accelerating change: Large language models (LLMs) are now used to automate reporting, triage, and even “vibe coding,” making exploitation faster and more sophisticated.
    ➤ Defenders control the terrain: The goal is to make it harder for adversaries to move across layers, using hardened technologies and secure defaults.
    ➤ Continuous improvement: Microsoft’s Secure Future Initiative (SFI) framework guides strategy: secure by design, secure by default, and secure operations.
    ➤ Red Teaming’s true value: It’s not just about finding problems, but about convincing the right people to care and act. AI helps us communicate findings faster and clearer, influencing both engineering and executive decision-makers.
    ➤ AI enables broader impact: By automating routine tasks, AI allows defenders to focus on context engineering and continuous improvement, staying ahead of emerging threats.
    In the 2000s, adversaries compromised computers to mine cryptocurrency. The next generation of challenges is here: compromising AI systems to fine-tune models and host inference for bot swarms. As defenders, we must stay ahead, using AI to augment our teams, anticipate new tactics, and secure the future. AI will empower Microsoft’s defenders to move faster, have a broader impact, and anticipate what future threats may look like. The future of Red Teaming is about speed, scale, and smarter defense, using AI to augment our teams, not replace them.