Microsoft employs deceptive tactics against phishing actors, creating realistic-looking honeypot tenants with Azure access and luring attackers in to gather intelligence on them.
Tech giant can use the acquired data to map malicious infrastructure, gain a better understanding of sophisticated phishing operations, disrupt large-scale campaigns, identify hackers, and significantly slow their activity.
Ross Bevington, a key security software engineer at Microsoft known as Microsoft's "Head of Deception," described the strategy and its negative impact on phishing activities at the BSides Exeter conference.
Bevington developed a "hybrid high interaction honeypot" on the now-defunct code.microsoft.com to gather threat intelligence on actors ranging from rookie hackers to nation-state outfits targeting Microsoft infrastructure.
Illusion of phishing success
Currently, Bevington and his team combat phishing by employing deception techniques that exploit full Microsoft tenant environments as honeypots, which include custom domain names, thousands of user accounts, and activities such as internal communications and file-sharing.
Companies or researchers often set up a honeypot and wait for threat actors to take note of it and take action. A honeypot not only diverts attackers from the real environment, but it also allows for the collection of intelligence on the tactics used to infiltrate systems, which can then be used to the legitimate network.
In his BSides Exeter presentation, the researcher describes the active strategy as visiting active phishing sites identified by Defender and entering the honeypot renters' credentials.
Because the credentials are not safeguarded by two-factor authentication and the tenants include realistic-looking information, attackers can easily get access and begin spending time hunting for evidence of a trap.
Microsoft claims to monitor over 25,000 phishing sites every day, providing about 20% of them with honeypot credentials; the others are prevented by CAPTCHA or other anti-bot techniques.
Once the attackers log into the fake tenants, which occurs in 5% of cases, extensive logging is enabled to follow every activity they perform, allowing them to learn the threat actors' methods, approaches, and procedures. IP addresses, browsers, location, behavioural patterns, whether they use VPNs or VPSs, and the phishing kits they employ are all part of the intelligence gathered.
Furthermore, when attackers attempt to interact with the fake accounts in the environment, Microsoft blocks responses as much as feasible. The deception technology now takes an attacker 30 days to realise they have breached a fictitious environment. Microsoft has regularly gathered actionable data that other security teams could use to construct more complex profiles and better defences.
