When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild by Justin Howe
ID: 5ed63583-4605-583d-a69a-f44e83953306
STIX ID: report--5ed63583-4605-583d-a69a-f44e83953306
Feed Name: Vectra AI Blog
This report details three related attacks against Microsoft Defender: BlueHammer (a TOCTOU race leading to SYSTEM via Defender remediation, patched in April 2026), RedSun (a Defender-abuse exploit that works on fully patched systems and has been observed in the wild), and UnDefend (malware that degrades Defender updates to reduce detection). Huntress observed targeted, hands-on-keyboard intrusions using these techniques; the report emphasizes applying available patches, monitoring behavioral indicators at the network/identity layer, and using independent NDR/EDR integrations (e.g., Vectra) for detection and one-click containment.
