Hot Takes: Inside a Microsoft Ransomware Attack
The Marks & Spencer incident is a textbook example of how modern ransomware operations succeed by targeting identity infrastructure and virtualization hosts rather than individual endpoin...
This "loiter and harvest" behavior — spending significant time inside the network before taking disruptive action — mirrors tactics seen from other threat actors such as Volt Typhoon, although the motivations and follow-on actions differ (nation-state pre-positioning vs. criminal ransomware monetization).
The most consequential technical event in this attack was the exfiltration of the Active Directory database. Once an attacker has a copy of this database, they effectively hold "the keys to the kingdom": every account's password hash can be cracked or relayed offline, at leisure, without triggering account lockout policies or other live-network detections.
With cracked or replayed credentials in hand, the attackers were able to move laterally across the network largely undetected, because they were authenticating as legitimate accounts rather than exploiting a technical vulnerability at each hop. This is why credential-focused attacks against identity infrastructure are considered so much more dangerous than a single-host compromise: capturing the domain's credential material collapses the effort needed for lateral movement across the entire environment down to almost zero.
Sign in to read this course
A free account unlocks all 514 courses. 20 are readable without one.
What's inside
3 sections- 1 Table of Contents
- 2 Module 1: Inside the M&S Ransomware Attack
- 3 Summary
More Security Hot Takes & Threat Intel courses
View all 21IT Security Champion: Cyber Threat Intel and Emerging Threats
Security is everyone's job — not solely the responsibility of the security department. Adopting a security culture and a security mindset is the foundation of being an effective IT securi...
Security Hot Takes: The LastPass Breach
The LastPass breach is actually two distinct but connected security incidents, separated by several months, with confusing and inconsistent public communication from the company throughou...
Sandworm: Application Layer Protocol and Web Emulation
Command and control is the connective tissue of nearly every intrusion that progresses beyond initial access — without it, an attacker cannot issue commands, move laterally, or exfiltrate...
Security Hot Takes: SBOMs
security · hot · takes · sboms · threat · intel · networking · systems · sbom · bills · materials · concept · debate · mandate · software.
Security Hot Takes: The Aliquippa Water Breach
The Aliquippa Water Authority breach is a case study in how a basic, avoidable systems-integration failure — not a sophisticated exploit — can expose critical infrastructure to compromise...
Security Hot Takes: Are You Pen Testing AI Apps?
AI applications are not "just another web app," and treating them that way leaves organizations blind to an entire class of risk. Historical precedent — such as attackers reverse engineer...
Interested in this course?
Contact us to book it or get a custom training plan for your team.