Commit ec590fb

update
1 parent edc8090 commit ec590fb

5 files changed

Lines changed: 75 additions & 128 deletions

articles/security/fundamentals/ransomware-detect-respond.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,18 +6,18 @@ ms.service: security
66
ms.subservice: security-fundamentals
77
ms.topic: article
88
ms.author: mbaldwin
9-
ms.date: 01/06/2026
9+
ms.date: 02/12/2026
1010

1111
---
1212

1313
# Detect and respond to ransomware attacks
1414

15-
Ransomware incidents typically present with distinct warning signs that security teams can identify. Unlike other malware types, ransomware usually produces highly evident indicators that require minimal investigation before declaring an incident. These high-confidence triggers stand in contrast to more subtle threats that would demand extensive analysis before escalation. When ransomware strikes, the evidence is often unmistakable.
16-
17-
In general, such infections are obvious from basic system behavior, the absence of key system or user files, and the demand for ransom. In such cases, the analyst should consider whether to immediately declare and escalate the incident, including taking any automated actions to mitigate the attack.
15+
This article provides Azure-specific guidance for detecting and responding to ransomware attacks.
1816

1917
> [!TIP]
20-
> For comprehensive ransomware detection and response guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware). This article focuses specifically on Azure-based detection and response capabilities.
18+
> This article focuses on Azure-specific detection and response. For comprehensive guidance, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
19+
20+
Ransomware incidents typically present with distinct warning signs that security teams can identify. Unlike other malware types, ransomware usually produces highly evident indicators that require minimal investigation before declaring an incident. These high-confidence triggers stand in contrast to more subtle threats that would demand extensive analysis before escalation. When ransomware strikes, the evidence is often unmistakable.
2121

2222
## Detecting ransomware attacks
2323

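Review bot: the deletion at old line 17 drops the only operational guidance in the intro, namely that infections are usually obvious from basic system behavior, missing system or user files and the ransom demand, and that the analyst should decide whether to declare and escalate the incident immediately, including any automated mitigation actions. The paragraph re-added at new line 20 restores only the first of the two original paragraphs; if the escalation guidance is covered further down the page, fine, otherwise restore it after new line 20 so the article still tells the reader what to do once the high-confidence indicators appear. Minor: new line 15 ("This article provides Azure-specific guidance for detecting and responding to ransomware attacks.") and the TIP at new line 18 ("This article focuses on Azure-specific detection and response.") now say the same thing back to back; one of them can go.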
articles/security/fundamentals/ransomware-prepare.md

Lines changed: 3 additions & 57 deletions
@@ -6,15 +6,15 @@ ms.service: security
66
ms.subservice: security-fundamentals
77
ms.topic: article
88
ms.author: mbaldwin
9-
ms.date: 01/06/2026
9+
ms.date: 02/12/2026
1010
---
1111

1212
# Prepare for a ransomware attack
1313

1414
This article provides Azure-specific guidance for preparing your organization to defend against and recover from ransomware attacks.
1515

1616
> [!TIP]
17-
> This article focuses specifically on Azure capabilities and best practices. For comprehensive ransomware preparation guidance across all Microsoft platforms and services, see [Prepare your ransomware recovery plan](/security/ransomware/protect-against-ransomware-phase1).
17+
> This article focuses on Azure-specific preparation. For comprehensive guidance, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
1818
1919
## Adopt a Cybersecurity framework
2020

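Review bot: the TIP at new line 17 now links the general overview (/security/ransomware/protect-against-ransomware) instead of the preparation-phase page (/security/ransomware/protect-against-ransomware-phase1) that old line 17 pointed to. For an article titled "Prepare for a ransomware attack" the phase-1 page is the closer cross-reference, and the second hunk in this file removes the only other link to it, so keep the phase-1 target here (or list both).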
@@ -41,61 +41,7 @@ Ultimately, the Framework is aimed at reducing and better managing cybersecurity
4141
| [DevOps Security (DS)](/security/benchmark/azure/mcsb-devops-security) |
4242
| [Governance and Strategy (GS)](/security/benchmark/azure/mcsb-governance-strategy) |
4343

44-
## Prioritize mitigation
45-
46-
Based on our experience with ransomware attacks on Azure environments, we find that prioritization should focus on:
47-
1. Prepare - Have backups and recovery plans for your Azure resources
48-
1. Limit - Protect privileged access to Azure resources
49-
1. Prevent - Harden Azure security controls
50-
51-
This may seem counterintuitive, since most people want to prevent an attack and move on. Unfortunately, we must assume breach (a key Zero Trust principle) and focus on reliably mitigating the most damage first. This prioritization is critical because of the high likelihood of a worst-case scenario with ransomware. While it's not a pleasant truth to accept, we're facing creative and motivated human attackers who are adept at finding a way to control the complex real-world environments in which we operate. Against that reality, it's important to prepare for the worst and establish frameworks to contain and prevent attackers' ability to get what they're after.
52-
53-
While these priorities should govern what to do first, we encourage organizations to run steps in parallel where possible, including pulling quick wins forward from step 1 when you can.
54-
55-
For comprehensive guidance on the three-phase approach to ransomware protection, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
56-
57-
## Make it harder to get in
58-
59-
Prevent a ransomware attacker from entering your Azure environment and rapidly respond to incidents to remove attacker access before they can steal and encrypt data. This causes attackers to fail earlier and more often, undermining the profit of their attacks. While prevention is the preferred outcome, it's a continuous journey and may not be possible to achieve 100% prevention and rapid response across a real-world organization's complex multi-platform and multicloud estate with distributed IT responsibilities.
60-
61-
To achieve this, organizations should identify and execute quick wins to strengthen security controls for their Azure resources to prevent entry, and rapidly detect/evict attackers while implementing a sustained program that helps them stay secure. Microsoft recommends organizations follow the principles outlined in the Zero Trust strategy. Specifically, for Azure resources, organizations should prioritize:
62-
- Improving security hygiene by focusing efforts on attack surface reduction and threat and vulnerability management for Azure resources.
63-
- Implementing Protection, Detection and Response controls for Azure workloads that can protect against commodity and advanced threats, provide visibility, and alerting on attacker activity and respond to active threats.
64-
65-
For comprehensive guidance on making it harder for attackers to access your environment, see [Defend against ransomware attacks](/security/ransomware/protect-against-ransomware-phase3).
66-
67-
## Limit scope of damage
68-
69-
Ensure you have strong controls (prevent, detect, respond) for privileged accounts with access to your Azure resources like IT Admins and other roles with control of business-critical systems. This slows and/or blocks attackers from gaining complete access to your Azure resources to steal and encrypt them. Taking away the attackers' ability to use IT Admin accounts as a shortcut to resources drastically lowers the chances they're successful at attacking you and demanding payment / profiting.
70-
71-
Organizations should have elevated security for privileged accounts with Azure access (tightly protect, closely monitor, and rapidly respond to incidents related to these roles). See Microsoft's Security rapid modernization plan, which covers:
72-
- End to End Session Security (including multifactor authentication (MFA) for admins)
73-
- Protect and Monitor Identity Systems
74-
- Mitigate Lateral Traversal
75-
- Rapid Threat Response
76-
77-
For comprehensive guidance on limiting the scope of damage, see [Limit the impact of ransomware attacks](/security/ransomware/protect-against-ransomware-phase2).
78-
79-
## Prepare for the worst
80-
81-
Plan for the worst-case scenario and expect that it happens (at all levels of the organization). This helps your organization and others in the world you depend on:
82-
83-
- Limits damage for the worst-case scenario – While restoring all systems from backups is highly disruptive to business, this is more effective and efficient than trying to recovery using (low quality) attacker-provided decryption tools after paying to get the key. Note: Paying is an uncertain path – You have no formal or legal guarantee that the key works on all files, the tools work effectively, or that the attacker (who may be an amateur affiliate using a professional's toolkit) will act in good faith.
84-
- Limit the financial return for attackers – If an organization can restore business operations without paying the attackers, the attack fails and results in zero return on investment (ROI) for the attackers. This makes it less likely that they'll target the organization in the future (and deprives them of more funding to attack others).
85-
86-
The attackers may still attempt to extort the organization through data disclosure or abusing/selling the stolen data, but this gives them less leverage than if they have the only access path to your data and systems.
87-
88-
To realize this, organizations should ensure they:
89-
- Register Risk - Add ransomware to risk register as high likelihood and high impact scenario. Track mitigation status via Enterprise Risk Management (ERM) assessment cycle.
90-
- Define and Backup Critical Business Assets – Define systems required for critical business operations and automatically back them up on a regular schedule (including correct backup of critical dependencies like Active Directory)
91-
Protect backups against deliberate erasure and encryption with offline storage, immutable storage, and/or out of band steps (MFA or PIN) before modifying/erasing online backups.
92-
- Test 'Recover from Zero' Scenario – test to ensure your business continuity / disaster recovery (BC/DR) can rapidly bring critical business operations online from zero functionality (all systems down). Conduct practice exercises to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email/chat/etc. is down).
93-
It's critical to protect (or print) supporting documents and systems required for recovery including restoration procedure documents, CMDBs, network diagrams, SolarWinds instances, etc. Attackers destroy these regularly.
94-
- Reduce on-premises exposure – by moving data to Azure cloud services with automatic backup & self-service rollback.
95-
96-
For comprehensive guidance on preparing for the worst case scenario, including awareness training and SOC readiness, see [Prepare your ransomware recovery plan](/security/ransomware/protect-against-ransomware-phase1).
97-
98-
## Azure-specific technical controls for ransomware protection
44+
## Azure technical controls for ransomware protection
9945

10046
Azure provides a wide variety of native technical controls to protect, detect, and respond to ransomware incidents with emphasis on prevention. Organizations running workloads in Azure should leverage these Azure-native capabilities:
10147

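Review bot: this removal takes out the only links from this article to the three phase-specific pages (protect-against-ransomware-phase3 at old line 65, -phase2 at old line 77, -phase1 at old line 96) together with the concrete preparation steps under "Prepare for the worst": protecting backups against deliberate erasure with offline or immutable storage and an out-of-band MFA/PIN step before online backups can be modified or erased, testing a "Recover from Zero" BC/DR scenario with out-of-band communications, and keeping protected or printed copies of restoration procedures, CMDBs and network diagrams. If the intent is to deduplicate against the central ransomware docs, confirm those items exist there and keep at least the three phase links (a Next steps list would do), since the TIP at new line 17 only points to the overview. Also, renaming the heading at old line 98 from "Azure-specific technical controls for ransomware protection" to "Azure technical controls for ransomware protection" changes the generated anchor, so any inbound links to the old fragment need updating.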
articles/security/fundamentals/ransomware-protection.md

Lines changed: 9 additions & 12 deletions
@@ -6,23 +6,23 @@ ms.service: security
66
ms.subservice: security-fundamentals
77
ms.topic: article
88
ms.author: mbaldwin
9-
ms.date: 01/06/2026
9+
ms.date: 02/12/2026
1010

1111
---
1212

1313
# Ransomware protection in Azure
1414

1515
Ransomware and extortion are a high profit, low-cost business, which has a debilitating impact on targeted organizations, national/regional security, economic security, and public health and safety. What started as simple, single-PC ransomware grew to include various extortion techniques directed at all types of corporate networks and cloud platforms.
1616

17+
> [!TIP]
18+
> This article focuses on Azure-specific ransomware protection. For comprehensive guidance across all Microsoft platforms, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
19+
1720
To ensure customers running on Azure are protected against ransomware attacks, Microsoft invests heavily in the security of our cloud platforms, and provides security controls you need to protect your Azure cloud workloads.
1821

1922
By using Azure native ransomware protections and implementing the best practices recommended in this article, you're taking measures that position your organization to prevent, protect, and detect potential ransomware attacks on your Azure assets.
2023

2124
This article lays out key Azure native capabilities and defenses for ransomware attacks and guidance on how to proactively use these to protect your assets on Azure cloud.
2225

23-
> [!TIP]
24-
> For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware). For information about what ransomware is and how it works, see [What is ransomware?](/security/ransomware/human-operated-ransomware)
25-
2626
## How Azure cloud resources are targeted
2727

2828
When attacking cloud infrastructure, adversaries often attack multiple resources to try to obtain access to customer data or company secrets. The cloud "kill chain" model explains how attackers attempt to gain access to any of your resources running in the public cloud through a four-step process: exposure, access, lateral movement, and actions.
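Review bot: the TIP removed at old lines 23-24 was this article's only link to [What is ransomware?](/security/ransomware/human-operated-ransomware), and the replacement at new lines 17-19 does not carry it (the Next steps hunk below drops the same link from "Additional resources"). Keep one reference to it, either as a second sentence in the new TIP or as a Next steps bullet, since the article otherwise assumes the reader already knows what human-operated ransomware is. Moving the TIP up to follow the opening paragraph is fine.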
@@ -64,15 +64,12 @@ For detailed information about Azure features that help protect, detect, and res
6464

6565
## Next steps
6666

67-
For comprehensive ransomware protection guidance across all Microsoft platforms, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
67+
Continue with Azure-specific ransomware protection guidance:
6868

69-
Azure-specific ransomware protection articles:
70-
- [Prepare for a ransomware attack](ransomware-prepare.md)
71-
- [Detect and respond to ransomware attack](ransomware-detect-respond.md)
72-
- [Azure features and resources that help you protect, detect, and respond](ransomware-features-resources.md)
69+
- [Prepare for a ransomware attack](ransomware-prepare.md) - Azure backup and recovery strategies
70+
- [Detect and respond to ransomware attack](ransomware-detect-respond.md) - Using Microsoft Defender for Cloud
71+
- [Azure features and resources that help you protect, detect, and respond](ransomware-features-resources.md) - Azure security capabilities
7372
- [Improve your security defenses for ransomware attacks with Azure Firewall Premium](ransomware-protection-with-azure-firewall.md)
74-
75-
Additional resources:
76-
- [What is ransomware?](/security/ransomware/human-operated-ransomware)
73+
- [Back up and restore plan to protect against ransomware](backup-plan-to-protect-against-ransomware.md)
7774

7875

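Review bot: the descriptions added at new lines 69-71 are inconsistent with the two bullets that follow (the Azure Firewall Premium bullet at new line 72 and the new backup-plan bullet at new line 73 have none), and "Using Microsoft Defender for Cloud" narrows the detect-and-respond article to one product, which does not match that article's own intro in this commit ("Azure-specific guidance for detecting and responding to ransomware attacks"); either describe all five bullets or none, and make the second description match the target's scope. While touching that line, the link text "Detect and respond to ransomware attack" should read "Detect and respond to ransomware attacks" to match the target's H1. The "Additional resources" removal at old lines 75-76 also drops the "What is ransomware?" link; see the note on the first hunk of this file.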
articles/security/fundamentals/zero-trust.md

Lines changed: 10 additions & 3 deletions
@@ -6,14 +6,21 @@ ms.service: security
66
ms.subservice: security-fundamentals
77
ms.topic: conceptual
88
ms.author: mbaldwin
9-
ms.date: 11/06/2025
9+
ms.date: 02/12/2026
1010
---
1111

1212
# Zero Trust security in Azure
1313

14-
Zero Trust is a security strategy that assumes breach and verifies each request as though it originated from an uncontrolled network. This article explains how to apply Zero Trust principles to Microsoft Azure infrastructure and services.
14+
Zero Trust is a security strategy that assumes breach and verifies each request as though it originated from an uncontrolled network. This article introduces Zero Trust principles and how they apply to Microsoft Azure.
1515

16-
For comprehensive information about Zero Trust as a security model and its application across Microsoft products, see [What is Zero Trust?](/security/zero-trust/zero-trust-overview).
16+
> [!TIP]
17+
> **For comprehensive Zero Trust guidance**, see the [Zero Trust documentation](/security/zero-trust/) which includes:
18+
> - [What is Zero Trust?](/security/zero-trust/zero-trust-overview) - Core concepts and principles
19+
> - [Zero Trust for Azure services](/security/zero-trust/azure-infrastructure-overview) - Detailed implementation guidance for Azure IaaS, networking, and workloads
20+
> - [Zero Trust deployment guidance](/security/zero-trust/deploy/overview) - Technology-pillar specific deployment objectives
21+
> - [Zero Trust adoption framework](/security/zero-trust/adopt/zero-trust-adoption-overview) - Business-outcome focused implementation
22+
>
23+
> This article provides an Azure-focused introduction to Zero Trust concepts.
1724
1825
## Zero Trust principles for Azure
1926

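Review bot: new line 17 needs a comma before the relative clause ("Zero Trust documentation, which includes:"), and the bold lead-in "**For comprehensive Zero Trust guidance**" is inconsistent with the other TIPs added in this commit, which use plain text. The TIP's closing sentence at new line 23 ("This article provides an Azure-focused introduction to Zero Trust concepts.") repeats the substance of new line 14 ("This article introduces Zero Trust principles and how they apply to Microsoft Azure."); drop one. The three link targets at new lines 19-21 (/security/zero-trust/azure-infrastructure-overview, /security/zero-trust/deploy/overview, /security/zero-trust/adopt/zero-trust-adoption-overview) are new to this file, so verify they resolve before merge.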