Microsoft links Medusa to zero-days

- Microsoft tied Medusa operations to Storm-1175 and said the group is mixing fast ransomware playbooks with zero-day and freshly disclosed vulnerability exploitation.
- In one Microsoft case, Storm-1175 used zero-days as much as a full week before public disclosure, then moved to exfiltration and encryption within days.
- That matters because MFA alone does not stop token theft, and patching after disclosure may already be late.

Ransomware is no longer just a “someone clicked a bad file” problem. The Medusa crews Microsoft is tracking are acting more like rapid-response intrusion teams — find an exposed system, get in fast, steal what matters, then encrypt. The new wrinkle is that Microsoft says one Medusa-linked actor, Storm-1175, is not just living off old bugs. It has used zero-days too, sometimes before defenders even knew the flaw existed.

### Who is Microsoft actually talking about?

Microsoft is separating the ransomware brand from the operator. Medusa is the ransomware-as-a-service ecosystem — active since mid-2021 — while Storm-1175 is the financially motivated actor Microsoft links to high-tempo intrusions ending in Medusa deployment. That distinction matters because the same ransomware label can hide several different access brokers and affiliates with different habits. (microsoft.com)

### What changed in Microsoft’s latest readout?

The big change is attribution plus tempo. Microsoft said Storm-1175 has been consistently exploiting recently disclosed internet-facing vulnerabilities for initial access, but it has also observed the actor using zero-day exploits, in some cases a full week before public disclosure. That pushes the story from “patch faster” to “assume some attacks start before a patch even exists.” (microsoft.com)

### Why does the zero-day detail matter so much?

Because zero-days break the comforting version of defense. With an N-day, the vendor has already disclosed the flaw and defenders are racing to patch before attackers get there. With a zero-day, the attacker is already inside the race before the starting gun goes off. Microsoft’s point is basically that Storm-1175 can operate in both modes. (microsoft.com)

### Where does the phishing piece fit in?

Separately, Microsoft disclosed a large AiTM phishing campaign that hit more than 35,000 users across 13,000 organizations in 26 countries between April 14 and April 16, 2026. The lure was a fake “code of conduct” review. The goal was not just passwords — it was authenticated Microsoft session tokens, which let attackers ride an already approved login and bypass ordinary MFA checks. (microsoft.com)

### Is Microsoft saying Medusa ran that phishing campaign?

Not from what Microsoft has published publicly so far. The Medusa/Storm-1175 writeup and the code-of-conduct AiTM writeup both show the same broader trend — initial access is getting faster, more modular, and less dependent on a single trick — but they are separate Microsoft posts. So the safe read is convergence, not a confirmed single campaign chain. (microsoft.com)

### Why are stolen tokens such a headache?

A stolen password is one thing. A stolen session token is worse because the user has already passed the checks. Microsoft’s own incident-response guidance says token theft can let an attacker access organizational resources even after MFA was satisfied. That is why AiTM phishing keeps showing up — it sidesteps the “we turned on MFA, so we’re fine” assumption. (microsoft.com)

### Who is getting hit?

Microsoft said recent Storm-1175 intrusions heavily affected healthcare, education, professional services, and finance organizations in the United States, United Kingdom, and Australia. Those are sectors with lots of exposed edge systems, lots of identity infrastructure, and real pressure to restore operations quickly after disruption. That makes them attractive ransomware targets. (learn.microsoft.com)

### So what should defenders take from this?

Treat Medusa as a speed problem. The actor can exploit exposed systems, steal credentials, tamper with security tools, move laterally, and deploy ransomware within days — sometimes within 24 hours. The practical takeaway is layered response: shrink internet exposure, patch aggressively, monitor Entra and email logs for token abuse, and assume phishing-resistant MFA is stronger than ordinary MFA but still not a complete answer if tokens get stolen. (microsoft.com)

The bottom line is simple. Microsoft is not just warning about Medusa ransomware. It is warning that ransomware crews now blend exploit development, cloud identity abuse, and token theft into one fast-moving business. (microsoft.com)
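As an added example (not code from Microsoft's writeups or from this briefing), here is the kind of token-replay hunt that "monitor Entra and email logs for token abuse" points at: a session established with MFA that is then presented from a different IP, with no fresh MFA, shortly afterwards. The sign-in records are constructed and use simplified field names, not the exact Entra sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (simplified fields, NOT the real Entra schema).
# S-1: MFA sign-in from the user's usual browser, then the same session shows up
#      minutes later from another IP and browser with no MFA (AiTM-style replay).
# S-2: MFA sign-in followed by a routine token refresh from the same IP/browser.
SAMPLE_EVENTS = [
    {"time": "2026-04-15T09:02:00", "user": "a.user@example.test", "session": "S-1",
     "ip": "198.51.100.10", "ua": "Edge/124 Windows", "mfa": True},
    {"time": "2026-04-15T09:11:00", "user": "a.user@example.test", "session": "S-1",
     "ip": "203.0.113.77", "ua": "Chrome/123 Linux", "mfa": False},
    {"time": "2026-04-15T10:30:00", "user": "b.user@example.test", "session": "S-2",
     "ip": "198.51.100.20", "ua": "Edge/124 Windows", "mfa": True},
    {"time": "2026-04-15T11:30:00", "user": "b.user@example.test", "session": "S-2",
     "ip": "198.51.100.20", "ua": "Edge/124 Windows", "mfa": False},
]


def find_token_replay(events, window=timedelta(hours=1)):
    """Return (user, session, anchor_ip, new_ip, ua_changed) for every session that
    was established with MFA and is then used, within `window`, from a different IP
    without a new MFA challenge. A changed user agent on top of the IP change raises
    confidence; mobile and VPN networks will produce some IP-only false positives."""
    findings = []
    anchors = {}  # (user, session) -> first MFA-satisfied event for that session
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["session"])
        anchor = anchors.get(key)
        if anchor is None:
            if ev["mfa"]:          # only an MFA-backed sign-in can anchor a session
                anchors[key] = ev
            continue
        elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(anchor["time"])
        if elapsed <= window and not ev["mfa"] and ev["ip"] != anchor["ip"]:
            findings.append((ev["user"], ev["session"], anchor["ip"], ev["ip"],
                             ev["ua"] != anchor["ua"]))
    return findings


if __name__ == "__main__":
    for hit in find_token_replay(SAMPLE_EVENTS):
        print("possible token replay:", hit)
```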


Shared from Scout - Be the smartest in the room.