TechnologyJul 9, 202610 min read

Attackers Go Where Agents Can't. Rubrik and CrowdStrike Follow Them.

 

Every security team wants the same level of threat visibility across their entire environment. On servers and workstations, EDR solutions such as the CrowdStrike Falcon platform deliver real-time detection and response that have become essential to defending endpoints.

But when you consider a typical enterprise environment, that picture changes. There are hypervisors running hundreds of VMs, SaaS applications like Microsoft 365 holding email, documents, and identity infrastructure for the whole organization. Network security appliances protect the perimeter. NAS appliances and cloud storage buckets hold petabytes of unstructured data. 

These are some of the most critical systems in any organization, and every security team would love to have the same depth of threat coverage on them. While EDR provides deep visibility across endpoints, many of these systems require complementary approaches because they do not support endpoint agents.

Adversaries have taken notice of this vulnerability. And they're leaning into it hard. That’s why Rubrik and CrowdStrike have created an integration that scans backup snapshots against CrowdStrike Threat Intelligence—covering 280+ adversary groups and 300M+ hash-based IOCs. 

 

How Attackers are Targeting Vulnerabilities

Attackers go where the data is. And a growing share of enterprise data lives across hypervisors, SaaS platforms, storage systems, and other critical infrastructure. The challenge is ensuring that the same threat intelligence used to identify adversaries can also be applied to the systems where critical data resides. Attacks from last few years tell the story pretty clearly:

Hypervisors: The ESXiArgs campaign in February 2023 automated exploitation of thousands of bare-metal ESXi hypervisors worldwide, mass encrypting entire virtual machine disk files directly on the datastore, beneath any guest-level security tooling. Groups like Black Basta and Royal/BlackSuit have since built dedicated ESXi encryptors. CISA reported more than 500 victim organizations from Black Basta alone.

SharePoint Online: In March 2025, researchers uncovered a campaign using SharePoint Online as both a malware hosting platform and a covert command-and-control channel. Attackers uploaded malicious payloads to SharePoint document libraries, then used Microsoft Graph API calls to send and receive C2 commands. That traffic looks identical to normal OneDrive and SharePoint sync operations.  

Virtual network appliances: Volt Typhoon, a Chinese state-sponsored actor, has been operating inside enterprise firewall appliances, network routers, and SOHO devices across U.S. critical infrastructure since at least 2021 (disclosed jointly by Microsoft and CISA in 2023).

NAS and storage devices: The DeadBolt ransomware campaign encrypted more than 20,000 QNAP storage systems across multiple waves in 2022–2023, exploiting zero-day vulnerabilities in QNAP's proprietary OS. For many of those organizations, the NAS was the backup. Both primary data and recovery copies were wiped out together.

 

Rubrik + CrowdStrike: Bringing the Intelligence to the Data

Rubrik protects workloads across the full range of enterprise infrastructure. Rubrik holds backup snapshots of the systems adversaries target, including all the ones that can't host an agent. Where CrowdStrike is already deployed, Rubrik provides a backstop.  

For workloads where endpoint agents are not an option, Rubrik applies CrowdStrike Threat Intelligence directly to protected data. With this integration, customers can bring CrowdStrike's Threat Intelligence directly into Rubrik Threat Monitoring via API and Rubrik applies it across every one of those workloads automatically.

CrowdStrike Counter Adversary Operations team tracks 280+ eCrime, nation-state, and hacktivist adversaries and 150+ malicious activity clusters. The intelligence is built from global telemetry, incident response engagements, and frontline adversary tracking with context on threat actors, their motivations, TTPs, malware families, infrastructure, and campaigns. Rubrik can ingest the full scope without additional hardware or virtual resources, and scan more than 300M+ IOCs continuously across every protected workload.

 

What This Looks Like in Practice

As Rubrik backs up your critical data and applications, every snapshot is scanned against CrowdStrike Threat Intelligence to detect known malware. Here’s how that works.

One-click activation, continuous scanning: Rubrik Threat Monitoring processes and correlates IOCs from multiple threat feeds including CrowdStrike Threat Intelligence, third-party via TAXII, and custom sources against every backed-up system in the enterprise. When new intelligence arrives, Rubrik automatically re-scans all past backup snapshots, building a forensic timeline across the entire environment.

Visibility into the places that need it most: Rubrik scans VMware vCenter environments, Microsoft 365 data, cloud object stores (S3, Azure Blob), NAS shares, and other workloads where there's no endpoint agent option. Because Rubrik operates outside the production environment, it maintains visibility even during a hypervisor-level attack that knocks out in-guest security tooling. If an attacker deploys malware to a vCenter appliance, encrypts VM datastores, or plants a backdoor through a SaaS platform, the backup snapshots capture the evidence and CrowdStrike's intelligence flags it.

Hundreds of millions of IOCs at petabyte scale: Most approaches to backup threat scanning top out at a few thousand IOCs, run periodic scan jobs, or require extra hardware to handle the load. Rubrik processes the full CrowdStrike Threat Intelligence feed against every backup—at petabyte-plus scale—with no additional infrastructure. One set of forensic tools across data center, cloud, and SaaS, all through Rubrik Security Cloud.

Actionable context for clean recovery: When Rubrik matches a malicious file to a CrowdStrike IOC, it surfaces which snapshot was affected, when the threat first appeared in the environment, and detailed file metadata. Security teams can isolate infected snapshots, quarantine specific files, and pick a clean recovery point with confidence.

Plugs into the tools you already use: Findings from Rubrik Threat Monitoring flow into existing SIEM and SOAR platforms, adding data-layer threat context directly into triage and response workflows security teams are already running.

 

Extending the Perimeter of Threat Intelligence

Every organization running VMware, M365, NAS, or cloud storage has critical data on systems that can't run an endpoint agent. Those workloads need threat coverage too, especially given how aggressively adversaries are targeting them.

Rubrik backs up these systems. CrowdStrike tracks the adversaries going after them. This integration puts CrowdStrike Threat Intelligence to work across every backup snapshot, every workload, continuously.

To learn more, please contact your Rubrik account team

 

Related Articles

Blogs by This Author