StealC and Amadey dismantled: secure your Microsoft 365 access
27.06.2026 Security

Microsoft and Europol dismantled the infostealers StealC and Amadey. Here are 3 concrete actions to protect your Microsoft 365 accounts in an SMB.

Two pieces of malware specialising in stealing corporate passwords have just been neutralised thanks to a joint operation by Microsoft and Europol. StealC and Amadey were used by cybercriminals to steal business credentials and prepare ransomware attacks. For SMBs, this news is a concrete opportunity to review the strength of their defences.

Two tools at the heart of organised cybercrime

StealC and Amadey are not newcomers to the cyber threat landscape. These two infostealers (data-stealing programmes) are rented on demand on criminal forums: any attacker can buy them for a few hundred euros per month, without particular technical skills.

Their primary target? Passwords stored in browsers, active Microsoft 365 sessions and tokens used for authentication. Once credentials are recovered, they serve as a passport for more destructive attacks, often ransomware deployed weeks later, when vigilance has slipped.

The Microsoft × Europol operation: what happened

On 24 June 2026, Microsoft’s Digital Crimes Unit (DCU), in partnership with Europol and several industry partners, seized and simultaneously blocked the domains that made up the distribution infrastructure of these two malware families.

Dozens of command and control (C2) servers — the brains that remotely operated the malware — were neutralised in a single coordinated operation. This action illustrates a strong trend: major cyber offensives are now fought at a European scale. For SMBs, this means Microsoft tools (Defender, Entra ID, Sentinel) actively participate in a shared protection ecosystem from which you directly benefit.

Why SMBs are especially in the crosshairs

Infostealers rarely target large enterprises first. They prioritise organisations without a SOC (Security Operations Center — 24/7 security monitoring) and whose employees reuse passwords or store them in plain text in their browser.

A Walloon SMB of 50 people without an identity management policy is a far more accessible target than a large group equipped with Microsoft Sentinel. Furthermore, attackers often use a compromised SMB as a pivot point to reach a larger client or partner: the risk also affects your business relationships and your reputation.

What this means for your SMB

  • Enable multifactor authentication (MFA) on all your Microsoft 365 accounts: a stolen password is no longer enough to open a session if MFA is active. It is the number one measure — immediate and included in your subscription.
  • Control unmanaged devices that access your resources: infostealers often infect employees’ personal PCs when working remotely. Microsoft Entra ID (formerly Azure Active Directory) lets you restrict access to applications to devices that comply with your IT policy.
  • Deploy Microsoft Defender for Business on your endpoints: available from Microsoft 365 Business Premium, this solution detects and blocks the typical behaviours of infostealers in real time, before credentials leave your network.
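
The first two measures can be expressed as a single Entra ID Conditional Access policy. The script below is an added example, not taken from Microsoft or Axentys: it uses the Microsoft Graph PowerShell SDK to create a report-only policy that requires both MFA and a compliant device for Microsoft 365 apps. The policy name and the emergency-access account ID are placeholders (assumptions), and the tenant is assumed to have a licence that includes Conditional Access.

```powershell
# Added example: report-only Conditional Access policy for Microsoft 365.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# admin may manage Conditional Access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that stays
# outside the policy, so a misconfiguration cannot lock out every administrator.
$breakGlassId = '<emergency-access-account-object-id>'
$policyName   = 'SMB - M365 requires MFA and compliant device'   # hypothetical name

$policy = @{
    displayName = $policyName
    # Report-only: sign-ins are evaluated and logged, but nobody is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: a stolen password alone fails the MFA control, and a session
        # replayed from an unmanaged PC fails the compliant-device control.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

# Create the policy only if one with the same name does not already exist.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }

if ($existing) {
    Write-Host "Policy '$policyName' already exists (state: $($existing.State))."
} else {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
```

The `compliantDevice` control only works once devices are enrolled in and evaluated by a device-management service such as Microsoft Intune. Review the report-only results in the Entra sign-in logs before changing `state` to `enabled`.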

The operation against StealC and Amadey is good news, but it does not mean the end of the threat: new variants emerge every week. The best protection remains solid cyber hygiene, reinforced by the right Microsoft tools correctly configured. Want to discuss this? Get in touch with our Axentys experts.

Axentys helps you navigate digital transformation and integrate cloud services at the heart of your business.

Our experts shorten the time needed to adopt new digital and cloud solutions by leveraging their proven skills, tools, processes, and methods – all fully dedicated to your needs.
