Back

windows.net Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain windows.net has experienced a significant exposure event, with over 150,000 total events recorded during the reporting period. The majority of these events, approximately 80%, are classified as historical data breaches, impacting over 120,000 clients. Additionally, about 20% of events are active infostealer logs, totaling over 30,000 instances. Employee exposure is relatively low at 268 events. The timeline shows a surge in client-related events in September 2025 and March 2026, with employee events also peaking in September 2025 and February/April 2026. Malware families like LummaC2, Redline, and Vidar are prominently featured in the infostealer logs. This exposure presents a high-risk scenario due to the sheer volume of data breaches and active infostealer activity, suggesting a widespread compromise of client data and potential credential theft. The targeted services, particularly those related to `chiikulblobblock.z21.web.core.windows.net`, indicate a focus on cloud storage or data exfiltration points. Remediation should prioritize investigating the root cause of the data breaches, enhancing client data protection measures, and strengthening defenses against the identified infostealer malware families. Given the nature of the domain and the services targeted, a focus on cloud security and endpoint protection for affected clients is critical.

Total Events

150,898
credential exposure events

Employee Affected Events

268
account email domain = windows.net

Client Affected Events

150,630
service target = windows.net

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
40,00026,66713,3330
peak month 37,118
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events30,744
Share20%
Data breaches
Events120,154
Share80%
Infostealer logs (20%)
30,744events
Data breaches (80%)
120,154events

268 compromised employee accounts pose an infrastructure risk, while 150,630 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender291
Kaspersky27
Windows Defender.16
Windows Defender Trend Micro Maximum Security10
Windows Defender ESET Security8
Reason Cybersecurity5
Windows Defender McAfee.5
Avast AVG2
Sentinel Agent1

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC25,619
Redline5,012
Vidar2,789
Rhadamanthys2,621
Acreed1,268
StealC907
RisePro677
Millenium148
Blank Grabber141

Top Login URLs

Top exposed services found in the event results

  1. 1https://chiikulblobblock.z21.web.core.windows.net/generate42,685
  2. 2chiikulblobblock.z21.web.core.windows.net/generate24,081
  3. 3https://chiikulblobblock.z21.web.core.windows.net15,735
  4. 4chiikulblobblock.z21.web.core.windows.net14,330
  5. 5https://pdnappfamisoftcovidsa.z20.web.core.windows.net/login_portal2,302
  6. 6pdnappfamisoftcovidsa.z20.web.core.windows.net/login_portal1,653
  7. 7https://chiikulblobblock.z21.web.core.windows.net/1,606
  8. 8http://chiikulblobblock.z21.web.core.windows.net/generate869
  9. 9chiikulblobblock.z21.web.core.windows.net/869
  10. 10https://pdnappfamisoftcovidsa.z20.web.core.windows.net863

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Mexico
Events13,625
Colombia
Events1,124
United States
Events711
Brazil
Events365
India
Events354
Kenya
Events291
Ethiopia
Events278
South Africa
Events244

Country Breakdown

  1. 1Mexico13,625
  2. 2Colombia1,124
  3. 3United States711
  4. 4Brazil365
  5. 5India354
  6. 6Kenya291
  7. 7Ethiopia278
  8. 8South Africa244

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

-
Total

Operating System Distribution

Distribution of compromised endpoint builds

Windows 111,945
Windows 10 Enterprise x641,810
Windows 10 Home x641,606
Windows 10 Pro1,393
Windows 11 24H2 build 26100 (64 Bit)1,224

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
119,959
Combolist pools
195
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.