# Cortex ITDR: Cyber Threats in Microsoft Teams and Their Detection

By [Noam Sala](https://www.paloaltonetworks.com/blog/author/noam-sala/?ts=markdown "Posts by Noam Sala") and [Ofir Shlomo](https://www.paloaltonetworks.com/blog/author/ofir-shlomo/?ts=markdown "Posts by Ofir Shlomo")

Nov 19, 2025

## **Executive Summary**

Adversaries are actively shifting their focus from traditional email to modern collaboration platforms like Microsoft Teams, transforming them into a primary vector for sophisticated attacks. By leveraging the inherent trust users place in internal communication applications, threat actors can bypass conventional security measures to gain initial access, establish persistence, steal sensitive data, and move laterally within an organization. Established groups like [Midnight Blizzard](https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/#section8SubHeading1) and [Black Basta](https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html) are already weaponizing Microsoft Teams, proving that security operations must extend their visibility into the heart of the collaborative workspace.

To counter this evolving threat, organizations need a security approach that can dissect activity within the SaaS application itself. This blog demonstrates how the Palo Alto Networks Cortex XSIAM platform provides the crucial visibility and analytics required to detect and respond to attacks that originate and operate within Microsoft Teams. By correlating various indicators - from token theft via a phishing message to anomalous data gathering using the Graph API - Cortex XSIAM connects disparate events into a cohesive incident, allowing security teams to see the full attack narrative and eliminate the threat.

## The Challenge

As organizations across the globe integrate Microsoft Teams and other instant messaging platforms into the core of their daily operations, sophisticated threat actors are taking notice. These tools are no longer seen merely as channels for communication - they're emerging as powerful attack vectors for initial access, reconnaissance, sensitive data collection, and lateral movement within enterprise environments. It's time for security teams to shift their focus from the traditional email inbox and address the growing threat landscape within collaboration ecosystems.

### Understanding the Risk: The Factor of User Trust

The core of the problem lies in a dangerous trust in instant messaging platforms. Users perceive Teams as a secure, internal "walled garden." A message from a colleague or even a federated partner in Teams doesn't trigger the same level of suspicion as an external email; there is no ingrained cultural habit of inspecting every link. This inherent trust is precisely what makes it such an effective phishing and social engineering platform. Employees are far more likely to click a link, open a file, or approve a request sent via Microsoft Teams, believing it has already been vetted by the corporate environment.

This isn't just speculation; real-world incidents have established the urgency of the topic. State-sponsored groups like Midnight Blizzard have been observed weaponizing Teams, luring users into approving multifactor authentication (MFA) prompts and hijacking accounts. Similarly, distributors of the [DarkGate malware](https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html) have abused the platform to send malicious attachments, successfully bypassing traditional email gateways by targeting users where their guard is lowered. These events prove that the collaborative hub is firmly in the crosshairs of adversaries, demanding our immediate and focused attention.

### The Crown Jewels in Plain Sight

The threat extends far beyond phishing. The deep integration of Microsoft Teams into the business workflow has created a powerful and multifaceted attack surface. Many organizations, in the name of seamless collaboration, have configured overly permissive external access and federation settings. This can create an unlocked side door, allowing an attacker from a compromised external tenant - or one they control - to directly message employees. To the end user, this message can appear as if it's coming from a trusted partner or contractor, providing the attacker with an instant foothold of credibility.

Beyond being an entry point, Microsoft Teams is a destination. Think about the conversations that happen in private chats and channels that you have access to. They can be a treasure trove of sensitive information: intellectual property, sensitive credentials for other systems, API keys, strategic plans, and confidential financial data. For an attacker, compromising a single Teams account isn't just about reading messages; it's about attempting to gain access to the organization's most valuable secrets, all conveniently indexed and searchable.

## Anatomy of a Teams Attack: From Initial Access to Data Exfiltration

### Initial Access - The Deceptive First Contact

The primary goal of initial access is to establish a foothold within the target's environment. In Microsoft Teams, this often begins with social engineering, leveraging the inherent trust users have in the platform.

Attackers frequently exploit the configured external access policy, which might be too permissive, to initiate contact. While external users are restricted from sending links or files directly, clever adversaries have developed bypasses. For example, a common technique involves starting a chat with more than one member and then proceeding to remove one of them to avoid restrictions for external users on link sharing.
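
One way to detect the group-chat-then-remove sequence described above, as an added example (not Cortex XSIAM's logic and not code from the original post). The event schema is a simplified, constructed stand-in for Teams audit records; the field and operation names, `HOME_DOMAIN` and the 10-minute `WINDOW` are assumptions.

```python
from datetime import datetime, timedelta

HOME_DOMAIN = "corp.example"      # assumption: domain of the defended tenant
WINDOW = timedelta(minutes=10)    # assumption: max time from chat creation to link


def ev(time, op, chat, actor, **extra):
    """Build one constructed audit event (simplified schema, not a real export)."""
    return {"time": time, "op": op, "chat": chat, "actor": actor, **extra}


# Constructed sample events. Field and operation names are assumptions.
SAMPLE_EVENTS = [
    # Chat A: external creator opens a group chat, removes a member, posts a link.
    ev("2025-11-03T09:00:00", "ChatCreated", "A", "it-desk@ext.example",
       members=["it-desk@ext.example", "alice@corp.example", "bob@corp.example"]),
    ev("2025-11-03T09:00:40", "MemberRemoved", "A", "it-desk@ext.example",
       target="bob@corp.example"),
    ev("2025-11-03T09:01:10", "MessageSent", "A", "it-desk@ext.example", has_link=True),
    # Chat B: same sequence by an internal user, which is normal collaboration.
    ev("2025-11-03T10:00:00", "ChatCreated", "B", "carol@corp.example",
       members=["carol@corp.example", "alice@corp.example", "bob@corp.example"]),
    ev("2025-11-03T10:01:00", "MemberRemoved", "B", "carol@corp.example",
       target="bob@corp.example"),
    ev("2025-11-03T10:02:00", "MessageSent", "B", "carol@corp.example", has_link=True),
    # Chat C: external creator, but the member left on their own and the link
    # arrives two hours later, so only the weaker "external link" signal applies.
    ev("2025-11-03T11:00:00", "ChatCreated", "C", "partner@ext.example",
       members=["partner@ext.example", "alice@corp.example", "bob@corp.example"]),
    ev("2025-11-03T11:05:00", "MemberRemoved", "C", "bob@corp.example",
       target="bob@corp.example"),
    ev("2025-11-03T13:05:00", "MessageSent", "C", "partner@ext.example", has_link=True),
]


def is_external(upn):
    """True when the account is outside the defended tenant's domain."""
    return not upn.lower().endswith("@" + HOME_DOMAIN)


def detect(events):
    """Return findings for links posted by external users, graded by context."""
    chats, findings = {}, []
    for e in sorted(events, key=lambda x: datetime.fromisoformat(x["time"])):
        ts = datetime.fromisoformat(e["time"])
        if e["op"] == "ChatCreated":
            chats[e["chat"]] = {"creator": e["actor"], "created": ts, "removed": []}
            continue
        state = chats.get(e["chat"])  # None if the chat predates the log window
        if e["op"] == "MemberRemoved" and state:
            # Only removals performed by the creator on someone else count.
            if e["actor"] == state["creator"] and e["target"] != e["actor"]:
                state["removed"].append(e["target"])
        elif e["op"] == "MessageSent" and e.get("has_link") and is_external(e["actor"]):
            # "Staged" means: the external creator trimmed the chat, then
            # posted a link shortly after creating it.
            staged = bool(state
                          and e["actor"] == state["creator"]
                          and state["removed"]
                          and ts - state["created"] <= WINDOW)
            findings.append({
                "chat": e["chat"],
                "actor": e["actor"],
                "rule": "group_then_remove_link" if staged else "external_link",
                "removed": sorted(state["removed"]) if staged else [],
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```
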

Once the user clicks the malicious link, they are often directed to a phishing page designed to harvest credentials or session tokens. Public tools like [EvilGinx](https://github.com/kgretzky/evilginx2/releases) are perfectly suited for this, acting as a reverse proxy to steal session cookies, bypassing MFA and granting the attacker direct access to the user's Teams session, and potentially other Microsoft 365 services.

Figure 1 shows an example of how such a phishing page created using EvilGinx might appear to a user after clicking the link, luring them to a credential harvesting site.

![Figure 1. A phishing page crafted using EvilGinx in our lab environment mimicking Microsoft’s login page.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-1.png)

Figure 1. A phishing page crafted using EvilGinx in our lab environment mimicking Microsoft's login page.

Figure 2 shows how intercepted credentials and tokens appear on EvilGinx's server after a user clicks the phishing link and logs in.

![Figure 2. Showing EvilGinx server side after it intercepted credentials after a phishing link was used.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-2.png)

Figure 2. Showing EvilGinx server side after it intercepted credentials after a phishing link was used.

Another example of a publicly available tool that can be used to lure victims into downloading malicious payloads is [TeamsPhisher](https://github.com/Octoberfest7/TeamsPhisher). Figure 3 shows how TeamsPhisher would be used by an attacker to send a phishing message to a user inside a target company.

![Figure 3. Executing teamsphisher.py in our test environment.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-3.jpeg)

Figure 3. Executing teamsphisher.py in our test environment.

### Discovery and Internal Pivoting - Blending In

Once an attacker has gained initial access, their next step is typically to understand the environment, identify high-value targets, and expand their reach. This phase focuses on discovery and internal pivoting, often leveraging the compromised user's existing permissions.

With a compromised internal account, an attacker can now perform highly credible spear phishing attacks from within the organization. Messages sent from a trusted internal identity - even if it's a low-privilege account - are far more effective. The attacker might impersonate IT support, a manager, or a colleague requesting urgent assistance, sharing a seemingly legitimate document, or asking for sensitive information. These internal phishing attempts can lead to further credential theft, malware execution, or tricking other users into granting additional permissions.

Figure 4 shows how an attacker can leverage Microsoft's Graph API to automate internal spear phishing through Teams by sending messages to multiple users.

![Figure 4. Sending multiple messages to internal users through a compromised user using MS Graph API.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-4.jpeg)

Figure 4. Sending multiple messages to internal users through a compromised user using MS Graph API.

### **Persistence - Securing a Long-Term Foothold**

A sophisticated attacker will also seek to maintain their presence within the tenant. One method for achieving persistence in Microsoft Teams is creating and sideloading a malicious custom application or a bot. If the organization's policies allow users to upload custom applications, an attacker can use a compromised account's privileges to install an application that appears benign but contains malicious functionality.

To further enhance the effectiveness of the method, the attacker, with the right permissions, can publish the application to the organization catalog, letting more users download the malicious application, which can be used as another pivoting method.

Figure 5 is an example of a malicious application that is published to the organization catalog in our lab environment; it appears under the "built for your org" section.

![Figure 5. A malicious application published to an organization catalog, called “Evil app” in a lab environment.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-5.png)

Figure 5. A malicious application published to an organization catalog, called "Evil app" in a lab environment.

### Data Gathering and Exfiltration - The Heist

This is often the ultimate objective of the attack - stealing the sensitive information that resides within Microsoft Teams chats and channels.

Microsoft [Graph API](https://learn.microsoft.com/en-us/graph/api/resources/teams-api-overview?view=graph-rest-1.0) can work with Microsoft Teams across a variety of APIs. For an attacker, it can be a tool for mass data collection. Using the session tokens stolen during the initial access phase, or the permissions granted to their malicious application, an attacker can make programmatic API calls to access a vast amount of data, including reading the full history of a user's private one-on-one and group chats.

Figure 6 provides a conceptual view of how an attacker might use Graph API to pull chat data, effectively exfiltrating sensitive conversations.

![Figure 6. Pulling conversations messages with Graph API web interface.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-6.png)

Figure 6. Pulling conversations messages with Graph API web interface.

## Detection: How Cortex XSIAM Exposes Malicious Activity in Teams

Cortex XSIAM is capable of detecting attacks targeting Microsoft Teams by analyzing behavior and correlating events directly from the application itself.

Cortex XSIAM provides rich detection capabilities that can identify the various stages of an attack conducted through Microsoft Teams. By ingesting and analyzing a rich data stream from Teams and other services, the platform applies behavioral analytics to distinguish legitimate user activity from the subtle indicators of a compromise. For example, after establishing a baseline of normal communication patterns, it can detect deviations indicative of an in-progress phishing attempt and raise a corresponding alert. The platform's Identity Threat Detection and Response (ITDR) capabilities can provide the next layer of security by detecting any subsequent misuse of stolen credentials, such as an anomalous session logon to Microsoft Teams.

Figures 7 and 8 show examples of alert investigations related to Microsoft Teams.

![Figure 7. A Microsoft Teams alert investigation example from Cortex XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/teams-updated-photo-1.png)

Figure 7. A Microsoft Teams alert investigation example from Cortex XSIAM.

![Figure 8. A Microsoft Teams alert investigation on a new application published to the organization catalog example from Cortex XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348763-8.png)

Figure 8. A Microsoft Teams alert investigation on a new application published to the organization catalog example from Cortex XSIAM.

By linking the alerts and events that trigger during an attack via Microsoft Teams, security teams are provided with a holistic view of how the entire Microsoft Teams platform can be abused as an attack surface, connecting the dots from initial entry to the final objective.
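
How linking alerts into one incident can work, as an added example (not Cortex XSIAM's correlation logic and not code from the original post). Alert names are taken from Table 1; the stage assigned to each alert, the identity key (the affected internal user), the 24-hour gap and the sample alert records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from itertools import groupby

STAGE_ORDER = ["initial_access", "discovery_pivoting", "persistence", "collection"]
MAX_GAP = timedelta(hours=24)   # assumption: longer silence starts a new session
MIN_STAGES = 2                  # assumption: one stage alone is not an incident

# Alert names are copied from Table 1; the stage given to each is an assumption.
ALERT_STAGE = {
    "External user started a Microsoft Teams conversation": "initial_access",
    "External user created a Microsoft Teams conversation with suspicious operations": "initial_access",
    "External user added a link to a Microsoft Teams chat": "initial_access",
    "Microsoft Teams enumeration activity": "discovery_pivoting",
    "User sent messages in Microsoft Teams to multiple users via Graph API": "discovery_pivoting",
    "A Microsoft Teams application was installed": "persistence",
    "User installed an application in Microsoft Teams via Graph API": "persistence",
    "New Teams application published to the organization catalog": "persistence",
    "A Microsoft Teams bot was added to a team": "persistence",
    "Microsoft Teams messages were exported from conversation": "collection",
    "User exported multiple messages in Microsoft Teams via Graph API": "collection",
}

# Constructed alerts: (time, affected internal identity, alert name).
SAMPLE_ALERTS = [
    ("2025-11-03T09:01:00", "alice@corp.example", "External user added a link to a Microsoft Teams chat"),
    ("2025-11-03T09:40:00", "alice@corp.example", "Microsoft Teams enumeration activity"),
    ("2025-11-03T10:15:00", "alice@corp.example", "User sent messages in Microsoft Teams to multiple users via Graph API"),
    ("2025-11-03T11:30:00", "alice@corp.example", "User exported multiple messages in Microsoft Teams via Graph API"),
    # A lone app install is routine and must not open an incident.
    ("2025-11-03T12:00:00", "bob@corp.example", "A Microsoft Teams application was installed"),
    # Two stages, but a week apart: separate sessions, no incident.
    ("2025-11-03T08:00:00", "carol@corp.example", "External user started a Microsoft Teams conversation"),
    ("2025-11-10T08:00:00", "carol@corp.example", "Microsoft Teams messages were exported from conversation"),
    # An alert name outside the mapping is ignored.
    ("2025-11-03T09:05:00", "alice@corp.example", "constructed unrelated alert"),
]


def _close(identity, session, incidents):
    """Emit an incident if the session spans at least MIN_STAGES distinct stages."""
    seen = []  # stages in the order they were first observed
    for _, name in session:
        stage = ALERT_STAGE[name]
        if stage not in seen:
            seen.append(stage)
    if len(seen) < MIN_STAGES:
        return
    ordered = sorted(seen, key=STAGE_ORDER.index)
    incidents.append({
        "identity": identity,
        "stages": ordered,
        "in_kill_chain_order": seen == ordered,
        "alert_count": len(session),
        "start": session[0][0].isoformat(),
        "end": session[-1][0].isoformat(),
    })


def correlate(alerts):
    """Group mapped alerts per identity into sessions and keep multi-stage ones."""
    parsed = sorted((identity, datetime.fromisoformat(t), name)
                    for t, identity, name in alerts if name in ALERT_STAGE)
    incidents = []
    for identity, group in groupby(parsed, key=lambda a: a[0]):
        session = []
        for _, ts, name in group:
            # A gap longer than MAX_GAP closes the current session.
            if session and ts - session[-1][0] > MAX_GAP:
                _close(identity, session, incidents)
                session = []
            session.append((ts, name))
        _close(identity, session, incidents)
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print(incident)
```
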

## **Conclusion**

Throughout this post, we deconstructed a realistic attack kill chain - from an initial phishing page that bypasses traditional defenses to internal pivoting, persistence, and finally, data collection using the platform's own APIs. This highlights a critical shift: security risks now extend into the core of trusted collaborative spaces. Detecting these threats requires moving beyond perimeter controls and gaining deep visibility into application behavior.

As we analyzed, the operational footprints of these attacks are subtle. They are found not in obviously malicious files, but in anomalous communication patterns, unusual API calls, and suspicious actions. By correlating these signals into a clear, coherent story, a platform like Cortex XSIAM can expose an attack that would otherwise remain hidden.

## **Additional Resources**

* **Real world cases**
  * [Canada government - Midnight Blizzard](https://www.cyber.gc.ca/en/alerts-advisories/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams)
  * [Cleardata - Midnight Blizzard](https://www.cleardata.com/blog/healthcare-security-alert-microsoft-teams-malware/)
  * [TheHackerNews - BlackBasta](https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html)
* **Tools**
  * [EvilGinx](https://github.com/kgretzky/evilginx2/releases)
  * [TeamsPhisher](https://github.com/Octoberfest7/TeamsPhisher)
  * [Graph API](https://learn.microsoft.com/en-us/graph/api/resources/teams-api-overview?view=graph-rest-1.0)

### XSIAM Alerts and MITRE Techniques

Table 1 lists the Cortex XSIAM alerts and the associated MITRE ATT&CK techniques these alerts detect.

| **Alert Name** | **Alert Source** | **ATT&CK Technique** |
|---|---|---|
| Microsoft Teams messages were exported from conversation | XDR Analytics, Identity Analytics | [Data from Information Repositories: Messaging Applications](https://attack.mitre.org/techniques/T1213/005/) |
| User exported multiple messages in Microsoft Teams via Graph API | XDR Analytics, Identity Analytics | [Data from Information Repositories: Messaging Applications](https://attack.mitre.org/techniques/T1213/005/) |
| External user started a Microsoft Teams conversation | XDR Analytics, Identity Analytics | [Phishing](https://attack.mitre.org/techniques/T1566/) |
| External user created a Microsoft Teams conversation with suspicious operations | XDR Analytics, Identity Analytics | [Phishing](https://attack.mitre.org/techniques/T1566/) |
| External user added a link to a Microsoft Teams chat | XDR Analytics, Identity Analytics | [Phishing](https://attack.mitre.org/techniques/T1566/) |
| User installed an application in Microsoft Teams via Graph API | XDR Analytics, Identity Analytics | [Cloud Application Integration](https://attack.mitre.org/techniques/T1671/) |
| A Microsoft Teams application was installed | XDR Analytics, Identity Analytics | [Cloud Application Integration](https://attack.mitre.org/techniques/T1671/) |
| User sent messages in Microsoft Teams to multiple users via Graph API | XDR Analytics, Identity Analytics | [Internal Spearphishing](https://attack.mitre.org/techniques/T1534/) |
| Microsoft Teams application setup policy was modified | XDR Analytics, Identity Analytics | [Cloud Application Integration](https://attack.mitre.org/techniques/T1671/), [Impair Defenses](https://attack.mitre.org/techniques/T1562/) |
| Microsoft Teams external communication policy was modified | XDR Analytics, Identity Analytics | [Impair Defenses](https://attack.mitre.org/techniques/T1562/), [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048/) |
| New Teams application published to the organization catalog | XDR Analytics, Identity Analytics | [Account Manipulation](https://attack.mitre.org/techniques/T1098/) |
| A user uploaded malware to SharePoint or OneDrive | XDR Analytics, Identity Analytics | [User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/), [Taint Shared Content](https://attack.mitre.org/techniques/T1080/) |
| A Microsoft Teams bot was added to a team | XDR Analytics, Identity Analytics | [Cloud Application Integration](https://attack.mitre.org/techniques/T1671/) |
| Microsoft Teams enumeration activity | XDR Analytics, Identity Analytics | [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526/) |

*Table 1. Relevant alerts and MITRE techniques.*