Full Report
Microsoft Vibing — capturing screenshots and voice samples without governanceAn interesting executable caught my eye on endpoints recently — Vibing.exeIt was delivered by Microsoft Store, and claims to be “your interface to the AI-native world”:Published by “Vibing-Team”, the executable flags behaviour for capturing the user’s screen and contents, the clipboard, the user’s microphone, and sending traffic to an Azure interface. The terms of sale link to Microsoft.Vibing-Team themselves have no website, and there’s no clue online as to who Vibing-Team are.The software does not tell the user it is sending data to Azure — there’s no consent or prompt in app.Demos posted on the Vibing website show the software writing Microsoft Words documents, working in Microsoft Teams, and coding in Visual Studio:Microsoft VibingDigging on Microsoft’s store, there is a privacy policy for Vibing, which isn’t referenced in app. This policy incorrectly states the user configures the API servers, but these are actually preconfigured to a Microsoft Azure endpoint — which is indeed a third party service:The pre-configuration:So, what is Vibing, and who owns it?The software itself can be downloaded the Vibing website or Microsoft Store.The software itself is in Vibing.exe, which is digitally signed by Yaoyao Chang using an SSL.com co-signer:Yaoyao works for the Microsoft GenAI research labs in Beijing.Vibing’s first mention online is on Microsoft’s own Github site for VibeVoice — which Microsoft’s Yaoyao Chang is also a contributor to:The entry describes Vibing as “built by the community”, and was added by MSJwyv, another Microsoft employee in Beijing in the AI research centre. The change describes the adoption as “open-source”:However the Vibing Github repo is not open source — it fact, it contains no source code at all, just a 80mb binary, Vibing.exe.Strangely, Yaoyao comments on different Github issues and appears to suggest they are not involved, e.g.:…despite the fact they have digitally signed the binary and published the app.The Vibing Github repo uses the same logo design as the Microsoft VibeVoice product, and has just three contributors:These accounts were created just before Microsoft added the repo to their VibeVoice page.The installation instructions appear to feature screenshots from a Microsoft corporate device, and using OSINT tools I’ve been able to determine the Azure Front Door endpoint it sends user data to is in a Microsoft corporate owned Azure tenant.By “community”, Microsoft’s Research Asia mean Microsoft — they’ve just skipped their own governance and compliance steps around getting security, privacy and AI reviews by pretending it’s an open source project.What does Vibing do?Vibing is available for Windows and Mac. I’ve only looked at the Windows version to date.Vibing sets itself to auto start on Windows login, and when in use hijacks the clipboard to copy content, and takes screenshots of the users PC — these screens are then run through base64, and sent to the Azure Front Door endpoint along with the unique, per machine hardware GUID. This allows screenshots to be identified per machine. It is unclear why Microsoft would want to link screenshots to systems.Along with the screenshots, it sends certain words from windows, window titles/app names, and content over WebSocket. WebSocket can avoid some proxy blocking configurations. It also gathers auto hotwords locally and then submits words when discovered in the WebSocket requests.It also records audio using the microphone, and uploads this raw audio to Azure — also with GUID identifiers.Security concernsI’ve identified a number of cybersecurity concerns which need further investigation and possible responsible disclosure. The software is large and has a rich attack surface.The software itself appears to be vibe coded, and is held together by string. You can grab it yourself for research here.Privacy concernsThere’s no indication in the software it is sending data remotelyVibing’s privacy policy on Microsoft Store says it doesn’t send data to third parties but it absolutely does out of the boxThere’s no named author online anywhere for Vibing-Team or any data controller listed, with the owners within Microsoft attempting to disguise themselvesIt sends a unique GUID for every keystroke and screenshot which allows data to be tracked over time, and this isn’t disclosed anywhere. There’s no reason at all for this to be collected.There’s no way this has been through a proper privacy review at Microsoft prior to release (or security review)It is unclear what privacy oversight this has at Microsoft in terms of operations — e.g. who is looking at the gathered data? Is it really being securely removed? Is the Microsoft AI team in China supposed to be doing this on their own?What is Microsoft doing about this?Multiple concerns have been raised by developers with Microsoft about Vibing, including tagging those at Microsoft who linked and published the project.For example, here concerns are raised — which MSFT’s Yaoyao Chang closes without comment and takes no action:MSFT’s MSJwyv is also tagged with concerns… who doesn’t comment or take action.You may know Microsoft VibeVoice from their prior incident:This has been going on for weeks now.IoCsvibing.exeVibing Installer.exevibing-api-ccegdhbrg2d6bsd7.b02.azurefd.netUpdatesFriday 24th April 2026 – 1am –https://medium.com/media/47fcc768b73a5cbfe65f88b29863d360/href1pm – Microsoft have removed the Vibing downloads and shut down the service, pending a compliance review:https://medium.com/media/1f46743e3bbea109ba035d35dea3944e/hrefSaturday 25th April — 11amMicrosoft are attempting to hide the compliance review of Microsoft Vibing:https://medium.com/media/540c4d8f199b6dfb97217b93dbc1381d/hrefMonday 27th April – 1pmSomebody is attempting to hide the commit with Yaoyao’s name on, which tries to hide the compliance review of Microsoft Vibing:https://medium.com/media/6da859ff0073ea3b4f2614c1fe29b5ed/hrefWednesday 29th April – 5pmJournalist Dan Goodin asked Microsoft about this. They’ve confirmed it is a Microsoft research project. They say “We have removed the application as we review its functionality and adherence to our policies. We remain committed to responsible AI and are taking appropriate steps as part of this review.”https://medium.com/media/db288b773a321ff8f45dcc1dcc97458b/hrefIt is unclear what happened to the screenshots and audio collected, and why Microsoft hadn’t disclosed ownership of the service and why, prior this to blog, staff were pretending it was an open source project that they were not involved with.Microsoft Vibing — capturing screenshots and voice samples without governance was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Tool/Technique: Microsoft Vibing (Vibing.exe)
## Overview
Vibing is a suspicious executable and "AI-native world" interface released via the Microsoft Store and GitHub. While ostensibly a productivity tool for AI interaction, it functions as unauthorized telemetry or spyware by capturing high-fidelity user data—including screenshots, audio, and clipboard contents—and transmitting it to Microsoft-owned Azure endpoints without clear user consent or governance.
## Technical Details
- **Type:** Potential Spyware / Grayware (unauthorized data collection tool)
- **Platform:** Windows (analyzed), macOS
- **Capabilities:** Screen capture, audio recording, clipboard hijacking, exfiltration via WebSockets.
- **First Seen:** April 2026 (Initial reporting and subsequent removal).
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0009 - Collection]**
- [T1113 - Screen Capture]
- [T1123 - Audio Capture]
- [T1115 - Clipboard Data]
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols (WebSockets)]
## Functionality
### Core Capabilities
- **Persistence:** Configures itself to auto-start upon Windows login.
- **Screen & Audio Capture:** Periodically takes screenshots of the user's desktop and records audio via the microphone.
- **Clipboard Hijacking:** Monitors and copies content from the system clipboard.
- **Data Encoding:** Converts screenshots and captured data into Base64 strings for transmission.
- **Identification:** Appends a unique, per-machine hardware GUID to all exfiltrated data, allowing for persistent tracking of specific endpoints.
### Advanced Features
- **Evasion (WebSocket):** Uses WebSocket connections to send data, a technique often used to bypass traditional proxy filtering and stateful inspection firewalls.
- **Contextual Metadata:** Extracts window titles, application names, and specific "hotwords" to provide context to the captured visual and audio data.
## Indicators of Compromise
- **File Names:**
- `Vibing.exe`
- `Vibing Installer.exe`
- **Network Indicators:**
- `vibing-api-ccegdhbrg2d6bsd7.b02[.]azurefd[.]net` (Azure Front Door endpoint)
- **Behavioral Indicators:**
- Unauthorized microphone activation.
- Periodic Base64-encoded POST requests via WebSockets to Azure infrastructure.
- Automated modification of startup registry keys.
## Associated Threat Actors
- **Microsoft GenAI Research (Beijing):** The tool was digitally signed by Yaoyao Chang and promoted by MSJwyv, both employees at Microsoft's GenAI research labs in Beijing. It was marketed as "community-built" to circumvent standard internal security and privacy governance.
## Detection Methods
- **Signature-Based:** Though the binary was digitally signed by a legitimate Microsoft employee, security solutions can flag the file `Vibing.exe` or the signing certificate associated with "Yaoyao Chang."
- **Behavioral Detection:** Monitoring for unexpected audio/screen capture activity by a non-standard background process, and tracking WebSocket traffic to specific Azure Front Door subdomains.
- **Process Monitoring:** Identify processes establishing persistence via `Software\Microsoft\Windows\CurrentVersion\Run`.
## Mitigation Strategies
- **Application Control:** Block the execution of `Vibing.exe` via AppLocker or Windows Defender Application Control (WDAC).
- **Store Restrictions:** Disable or restrict the Microsoft Store in corporate environments to prevent the installation of unvetted "Research" applications.
- **Network Filtering:** Block known Azure Front Door subdomains associated with the project (`*.azurefd.net` subdomains linked to Vibing).
- **Privacy Hardening:** Disable microphone access for non-essential applications via Windows Privacy Settings.
## Related Tools/Techniques
- **Microsoft VibeVoice:** A related Microsoft Research project linked to the same development team.
- **Commercial Spyware:** Exhibits behaviors similar to "stalkerware" or commercial employee monitoring tools.