Back

microsoft.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting microsoft.com, with over 25 million client records compromised in data breaches and over 600,000 infostealer logs detected. The majority of the exposure, 97.6%, stems from historical data breaches, while 2.4% is attributed to active infostealer activity. The timeline shows a surge in client compromises during November 2025, alongside a notable increase in employee compromises in January 2026. Key malware families involved include Redline, LummaC2, and Rhadamanthys, suggesting a focus on credential harvesting. The high volume of compromised client data and the presence of active infostealer logs elevate the risk to critical levels. The primary remediation focus should be on identifying and securing the compromised client accounts, investigating the root cause of the historical data breaches, and enhancing defenses against the identified infostealer malware. Given the nature of the domain and the services targeted, such as Microsoft 365 sign-up and developer profiles, the primary affected sector is Technology & SaaS.

Total Events

26,420,156
credential exposure events

Employee Affected Events

455,931
account email domain = microsoft.com

Client Affected Events

25,964,225
service target = microsoft.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
25,000,00016,666,6678,333,3330
peak month 23,311,102
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events621,017
Share2%
Data breaches
Events25,799,139
Share98%
Infostealer logs (2%)
621,017events
Data breaches (98%)
25,799,139events

455,931 compromised employee accounts pose an infrastructure risk, while 25,964,225 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender9,164
Windows Defender Norton Security Ultra500
Windows Defender.426
Windows Defender McAfee141
Avast102
McAfee76
Malwarebytes67
McAfee VirusScan67
Windows Defender [ON]67

Malware Families Distribution

Distribution of Active Stealer Strains

Redline106,717
LummaC2104,785
Rhadamanthys64,825
Vidar45,797
Acreed34,686
StealC14,953
RisePro14,819
Remus6,249
Millenium3,205

Top Login URLs

Top exposed services found in the event results

  1. 1https://signup.microsoft.com/signup211,109
  2. 2https://signup.microsoft.com/get-started/signup183,607
  3. 3https://developer.microsoft.com/en-us/microsoft-365/profile179,978
  4. 4https://signup.microsoft.com162,061
  5. 5signup.microsoft.com159,558
  6. 6signup.microsoft.com/signup143,788
  7. 7android://iPULpH0pq8ms1Qy7cOzGsVRQN7_zW4IbW-UKcajvtrTrzM5o5VcaghNEA1Ho4Wq7ay0efqqJcalxa8eHxVnHKA==@com.microsoft.office.outlook/117,296
  8. 8developer.microsoft.com/en-us/microsoft-365/profile102,598
  9. 9signup.microsoft.com/get-started/signup98,664
  10. 10android://McN3PWbfVdV_mfkWiw_OfIL7801yLsqCMLzcdmz3cyKK7M81TjF_DvV6UvsXlhd-8MkJTUpxO_oALZnBQVe_oA==@com.microsoft.rdc.androidx/98,640

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

India
Events57,242
Brazil
Events28,964
United States
Events17,892
Egypt
Events17,538
Pakistan
Events16,873
Vietnam
Events15,317
Philippines
Events12,879
Indonesia
Events12,764

Country Breakdown

  1. 1India57,242
  2. 2Brazil28,964
  3. 3United States17,892
  4. 4Egypt17,538
  5. 5Pakistan16,873
  6. 6Vietnam15,317
  7. 7Philippines12,879
  8. 8Indonesia12,764

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft24,011
Extranet2,727
Git148
WordPress89
Citrix51
F538
Microsoft Entra ID (External ID / B2C)29

Operating System Distribution

Distribution of compromised endpoint builds

Windows 10 Enterprise x6444,218
Windows 1143,163
Windows 11 24H2 build 26100 (64 Bit)29,251
Windows 10 Pro26,620
Windows 10 22H2 build 19045 (64 Bit)22,216

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
2,263,479
Combolist pools
23,535,660
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.