Critical security intelligence for Azure and Microsoft 365 environments
Cloud Security Weekly #8 October 4th - 12th 2025
A CVSS 10.0 vulnerability is being actively exploited, universities are getting hit by “payroll pirates,” and new research shows SOC teams can only handle half their daily alerts. Yeah, it’s been one of those weeks. Here’s what you need to know.
In This Issue:
Critical CVE under active attack by ransomware operators
Storm-2657 hijacking university paychecks through Workday
Microsoft Teams is the new favorite target for attackers
Why your SOC is drowning (and it’s not your fault)
What you should actually do about all this
🚨 Critical & Breaking News
GoAnywhere MFT: Perfect 10.0 Score, Actively Being Exploited
If you’re running GoAnywhere MFT, stop what you’re doing and patch it. Storm-1175—the group behind Medusa ransomware—is actively exploiting CVE-2025-10035, a deserialization bug that lets them execute whatever code they want remotely. Microsoft Threat Intelligence confirmed it’s happening in the wild right now.
Fortra put out a security advisory, and Microsoft is basically saying: patch this immediately. The CVSS score is 10.0 for a reason.
Read more: Microsoft Security Blog
🆕 Product Updates & Announcements
Microsoft Defender
Defender Antivirus just got updated
Microsoft pushed out security intelligence update version 1.439.121.0 on October 12. Engine version 1.1.25090.3001, platform version 4.18.25080.5. It’s part of their monthly update cycle to keep up with the latest malware. Even if Defender’s running in passive mode on your systems, make sure it’s updated.
Read more: Microsoft Security Intelligence
Defender for Cloud Apps is changing how it detects threats
Starting in early November, Microsoft’s rolling out the second wave of their dynamic threat detection model. What this means: they’re ditching legacy policies for research-driven detections that adapt faster to new threats. Better signal-to-noise ratio, less alert fatigue. The good news? It happens automatically—you don’t need to do anything. Some of the old policies will get split into multiple detections so you get better visibility into what’s actually happening.
Read more: M365 Admin
🔐 Vulnerabilities & Patches
CVE-2025-10035: GoAnywhere Managed File Transfer
Here’s what you need to know:
CVSS score is 10.0 (as bad as it gets)
Storm-1175 is actively exploiting it
It’s a deserialization vulnerability that leads to remote code execution
Patch it now—upgrade to the latest GoAnywhere MFT version
The threat actor behind this also deploys Medusa ransomware
Read more: Microsoft Security Blog
🎯 Threat Intelligence
Storm-2657: The “Payroll Pirates” Hitting Universities
This one’s clever and kind of terrifying. Microsoft Threat Intelligence found a financially motivated threat actor who’s compromising employee accounts at universities, getting into their Workday HR systems, and literally redirecting people’s paychecks to attacker-controlled bank accounts.
Since March 2025, they’ve hit three universities hard—compromised 11 accounts and used them to send almost 6,000 phishing emails across 25 different schools. The phishing emails are pretty convincing too. They’re using themes like COVID exposure notifications, faculty misconduct reports, and fake HR updates. A lot of them link to Google Docs (which makes them harder to spot in an academic environment), then redirect to attacker infrastructure.
Here’s how the attack works: They phish credentials, sometimes steal MFA codes through adversary-in-the-middle attacks. Once they’re in, they create inbox rules to delete any notification emails from Workday. Then they log into Workday through SSO, change the victim’s direct deposit info, and enroll their own phone as an MFA device so they can keep coming back. In one campaign, they sent 500 phishing emails to a single university—about 10% of people reported it, which means 90% didn’t.
The real problem? A lot of these accounts don’t have MFA enabled at all, or they’re using MFA that’s vulnerable to phishing attacks.
“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.”
Read more: Microsoft Security Blog
Look, here’s something most people won’t tell you: reading about these threats doesn’t actually help your career. What gets you promoted is building detections for them.
Right now, while you’re reading about Storm-2657, there are engineers in Adversary Lab who are simulating this exact attack, building detections that would catch it, getting feedback from their peers, and shipping it to production. That’s the difference between staying stuck as an alert chaser and becoming someone leadership can’t afford to lose.
Free community + premium detection resources available
Microsoft Teams Is Under Attack (And It’s Getting Worse)
Attackers aren’t just targeting email anymore—they’re going after Microsoft Teams. Microsoft just published a whole guide on how to defend against it, and honestly, it’s pretty eye-opening.
They’re seeing everything from TeamsPhisher attacks (Storm-0324 used this to deliver JSSloader malware back in July) to fake Teams installers spreading credential stealers through malicious ads. The problem is that Teams has become such a trusted communication tool that people don’t question suspicious messages the same way they do with email.
Some of the attacks they’re tracking: admin tools like AADInternals being used to push malicious payloads directly into Teams, adversary-in-the-middle attacks that spoof Teams branding, fake “Microsoft Teams for Mac” installers delivering malware, and spoofed Teams apps that give attackers a foothold in your network. Storm-0324 and Sangria Tempest (a ransomware operator) have both been using TeamsPhisher to maintain persistence.
Microsoft put together countermeasures across identity, endpoints, data, and network layers, plus they included hunting queries you can run right now to see if you’ve got suspicious Teams activity in your environment.
Read more: Microsoft Security Blog
📊 Research & Industry News
Your SOC Can Only Handle Half Its Alerts (And It’s Getting Worse)
Dark Reading covered Microsoft Sentinel’s new agentic AI capabilities this week, but the real story is buried in the research: SOC teams can only handle about 50% of all alerts in a typical day. And that percentage has been climbing steadily for the past five years.
This comes from Scott Crawford at S&P Global’s 451 Research, and it explains why Microsoft’s pushing so hard on automation and AI agents through Sentinel Graph, the data lake, and their MCP server. It’s not just innovation for innovation’s sake—security teams are legitimately drowning in alerts, and the volume keeps growing faster than teams can hire people.
Crawford’s research shows that the ability to automate threat discovery and analysis isn’t a nice-to-have anymore. It’s becoming the only way to keep up.
“SOC teams can only handle roughly half of all alerts in a typical day, and that percentage has been climbing steadily over the last five years.” — Scott Crawford, S&P Global 451 Research
Read more: Dark Reading
🎓 Upcoming Events & Resources
Microsoft Ignite 2025
November 18-20, hybrid event (in-person and virtual). Registration’s open now. If you want hands-on sessions with the stuff we covered this week—Sentinel, Defender, AI-powered security features—this is where it’ll happen.
Register: Microsoft Ignite
💡 Community Spotlight
Hunting Queries Worth Running This Week
Microsoft dropped some really useful hunting queries with their threat reports. These are KQL-based and ready to run in Defender XDR and Sentinel right now.
For the Storm-2657 payroll attacks: You can detect inbox rules that hide Workday emails, spot changes to payment elections in Workday, catch suspicious device additions, and hunt for bulk phishing campaigns coming from .edu domains.
For Teams threats: Monitor for suspicious admin tool usage, detect malicious link patterns in Teams messages, and identify compromised accounts sending phishing through Teams.
The full queries with syntax are in the blog posts—check them out if you want to actually run these in your environment.
Storm-2657 Queries: Microsoft Security Blog
Teams Queries: Microsoft Security Blog
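One way to implement the first of those Storm-2657 detections (inbox rules that hide Workday mail) in plain Python, as an added example that is not code from the newsletter or from Microsoft's published KQL queries; the audit-record layout and the sample events are constructed and assumed, and the match list widens "Workday" to a few payroll terms:

```python
# Added example (not code from the newsletter or Microsoft's blog): detection
# logic for the inbox-rule step described above, where a compromised account
# creates a rule that deletes or buries Workday notification mail. The audit
# records are constructed and only loosely model Exchange Online
# New-InboxRule/Set-InboxRule audit entries (Operation, UserId, CreationTime,
# Parameters as Name/Value pairs); that field layout is an assumption.

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule conditions that select which mail the rule acts on.
MATCH_PARAMS = {"From", "FromAddressContainsWords", "SubjectContainsWords",
                "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Terms a payroll-hiding rule would key on; extend for your own HR platform.
PAYROLL_TERMS = ("workday", "direct deposit", "payment election")
# Folders where moved mail is unlikely to be noticed by the mailbox owner.
HIDE_FOLDERS = {"deleted items", "junk email", "archive", "rss feeds"}


def is_payroll_hiding_rule(event):
    """True if the rule both matches payroll mail and hides it from the user."""
    if event.get("Operation") not in RULE_OPS:
        return False
    params = {p["Name"]: str(p["Value"]).lower() for p in event.get("Parameters", [])}
    targets_payroll = any(term in params[name] for name in MATCH_PARAMS
                          if name in params for term in PAYROLL_TERMS)
    if not targets_payroll:
        return False
    # Strip the leading "\" path so "\Deleted Items" compares as "deleted items".
    folder = params.get("MoveToFolder", "").rsplit("\\", 1)[-1]
    return (params.get("DeleteMessage") == "true"
            or params.get("MarkAsRead") == "true"
            or folder in HIDE_FOLDERS)


def find_suspicious_rules(events):
    """Return (UserId, Operation, CreationTime) for every flagged rule event."""
    return [(e["UserId"], e["Operation"], e["CreationTime"])
            for e in events if is_payroll_hiding_rule(e)]


def _ev(user, op, when, **params):
    """Build a constructed audit record in the assumed shape."""
    return {"UserId": user, "Operation": op, "CreationTime": when,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

# Constructed sample log: the first two records are malicious, the last two benign.
SAMPLE_EVENTS = [
    _ev("j.doe@example.edu", "New-InboxRule", "2025-10-06T08:14:02Z",
        FromAddressContainsWords="workday.com", DeleteMessage="True"),
    _ev("j.doe@example.edu", "Set-InboxRule", "2025-10-06T08:15:40Z",
        SubjectContainsWords="Direct Deposit", MoveToFolder="\\Deleted Items"),
    _ev("a.smith@example.edu", "New-InboxRule", "2025-10-07T11:02:11Z",
        From="news@vendor.example", MoveToFolder="\\Newsletters"),
    _ev("a.smith@example.edu", "New-InboxRule", "2025-10-07T11:30:00Z",
        SubjectContainsWords="Workday", MoveToFolder="\\HR"),
]
```

The same conditions port directly to a KQL query over your mailbox audit table; the point is to require both a payroll-related match condition and a hiding action, so routine filing rules for HR mail are not flagged.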
🔧 What You Should Actually Do This Week
Do this today:
Patch GoAnywhere MFT systems if you have them (CVE-2025-10035)
Update Defender Antivirus to version 1.439.121.0 or later
Do this week:
Check your HR/payroll system logs for Storm-2657 indicators
Look for inbox rules that delete Workday emails
Verify MFA device registrations in Workday and similar systems
Run those hunting queries for Storm-2657 and Teams threats
Start planning:
Roll out phishing-resistant MFA for privileged accounts if it doesn’t already exist
Enable the Workday connector in Defender for Cloud Apps
Review your Teams security configuration
Get ready for the Defender for Cloud Apps detection model changes in November
📣 Share This
If you found this useful, forward it to your security team or share it on LinkedIn. If you’re new here, subscribe to get Cloud Security Weekly every Sunday. No spam, no vendor pitches—just verified security intel for people who work in the Microsoft Cloud.
📚 About This Newsletter
Cloud Security Weekly is a digest of Microsoft Azure security news, threat intelligence, and product updates. Every article is verified, dated, and sourced because your time matters and accuracy counts.
What you get: critical vulnerabilities and active threats, product updates from Sentinel, Defender, and Entra ID, actionable threat intelligence with hunting queries, research and industry analysis.
What you don’t get: vendor marketing fluff.
Connect: LinkedIn | Adversary Lab Community
Created by: Charles Garrett
SecOps Engineer | Curating the week’s most important O365 and Azure security news so you don’t have to
See you next week! 👋