Microsoft Threat Intelligence has observed a shift in tactics, techniques and procedures (TTP) from Silk Typhoon. Silk Typhoon, a Chinese espionage group, is targeting common IT solutions (such as remote management tools and cloud applications) to gain initial access.

Although the report states that Silk Typhoon has not been observed directly attacking Microsoft cloud services, it emphasizes that the group leverages unpatched applications (often zero-day exploits) to elevate access within target organizations. Once a target is compromised, Silk Typhoon can then use stolen keys and credentials to access customer networks and exploit deployed applications to enact espionage objectives. 

Casey Ellis, Founder at Bugcrowd, comments, “What distinguishes Silk Typhoon from other espionage groups is their technical proficiency in rapidly exploiting recently disclosed zero-day vulnerabilities and efficiently employing covert networks — comprised of compromised or leased infrastructure — to conceal their operational footprint. These techniques complicate detection and attribution, emphasizing the need for defenders to continuously monitor and secure high-risk assets.”

Silk Typhoon has also been observed exploiting VPNs. In January 2025, the group leveraged a zero-day vulnerability in Ivanti Pulse Connect VPN (CVE-2025-0282). 

Mr. Saeed Abbasi, Manager, Vulnerability Research at Qualys Threat Research Unit, shares, “Attackers can rapidly exploit VPN and secure-access vulnerabilities, yet many organizations leave these flaws unpatched well after they become known. Vulnerabilities in VPNs and secure-access tools often linger for extended periods, creating a significant window of opportunity for attackers. These flaws are typically exploited well before organizations can fully address them, leaving networks exposed to potential breaches. This gap between exploitation and remediation emphasizes the urgent need for faster patching and more proactive security measures. To counter this, security teams must act swiftly — identifying their vulnerable assets and using attack surface management, prioritizing critical patches, updating equipment, enforcing multi-factor authentication (MFA), disabling unused features, and shielding administrative access from public exposure.”