
DART contained both intrusions using a structured response playbook, the report said, pulling telemetry from identities, endpoints, and cloud services into a single view to spot abnormal behavior, flag credential misuse, and track the attackers. It briefed the affected customer daily and worked with Microsoft Threat Intelligence to confirm the two actors were active in parallel. Only by “correlating identity, endpoint, and cloud telemetry together,” Microsoft said, did the full scope of the attack become clear.
What should enterprises take away?
Microsoft urged organizations to prioritize patching for internet-facing systems, especially on-premises SharePoint, and to treat privileged identities as a primary attack surface, with tighter controls and monitoring.
It also recommended deploying endpoint protection broadly, centralizing telemetry, restricting remote-access and developer tools that attackers abuse, and keeping tested incident response playbooks ready to isolate compromised accounts quickly.
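As an added illustration of the cross-source correlation the report credits (example code written here, not Microsoft's or DART's own tooling), the following Python groups constructed identity, endpoint and cloud events per account and flags only the accounts whose activity shows up in all three sources within a short window; the account names, hosts and event details are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (illustrative; not taken from the report).
# Each record: (account, ISO timestamp, detail).
IDENTITY = [  # sign-in logs
    ("svc-sp", "2025-07-19T02:05:00", "interactive sign-in from unfamiliar network"),
    ("alice", "2025-07-19T09:00:00", "sign-in from corporate VPN"),
]
ENDPOINT = [  # EDR process telemetry
    ("svc-sp", "2025-07-19T02:12:00", "w3wp.exe spawned cmd.exe on SP01"),
    ("alice", "2025-07-19T09:03:00", "outlook.exe started on WS-ALICE"),
]
CLOUD = [  # cloud control-plane audit log
    ("svc-sp", "2025-07-19T02:25:00", "privileged role assignment added"),
    ("bob", "2025-07-19T11:40:00", "storage account keys listed"),
]


def correlate(identity, endpoint, cloud, window_minutes=30):
    """Anchor on each sign-in and look for endpoint and cloud activity by the
    same account within `window_minutes`. Returns {account: time-ordered chain}
    for accounts seen in all three sources; an account visible in only one or
    two sources (alice, bob) is not returned, which is the point: each source
    alone looks benign."""
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(lambda: defaultdict(list))
    for source, events in (("identity", identity), ("endpoint", endpoint), ("cloud", cloud)):
        for account, ts, detail in events:
            per_account[account][source].append((datetime.fromisoformat(ts), detail))

    chains = {}
    for account, by_source in per_account.items():
        for t0, detail in by_source.get("identity", []):
            hits = [(t0, "identity", detail)]
            for source in ("endpoint", "cloud"):
                hits += [(t, source, d) for t, d in by_source.get(source, [])
                         if t0 <= t <= t0 + window]
            if {s for _, s, _ in hits} == {"identity", "endpoint", "cloud"}:
                chains.setdefault(account, sorted(hits))  # keep the first chain found
    return chains


if __name__ == "__main__":
    for account, chain in correlate(IDENTITY, ENDPOINT, CLOUD).items():
        print(f"{account}: activity spans identity, endpoint and cloud")
        for t, source, detail in chain:
            print(f"  {t:%H:%M} [{source}] {detail}")
```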
