Deception at the Core: Luring Attackers
The use of deception lies at the heart of this tactic. On Azure, Microsoft builds tenant settings that appear like real-world corporate setups, complete with thousands of user accounts, custom domain names, internal communication, and file-sharing activities. The purpose of these honeypots is to lure attackers into thinking they have successfully gained access to a genuine network.
In his talk at the BSides Exeter conference, Ross Bevington, a key security software engineer at Microsoft and the company’s “Head of Deception,” emphasized this strategy. Bevington clarified that, unlike most cybersecurity settings, his team no longer merely waits for attackers to locate their honeypots. Rather, they visit known phishing websites and submit fictitious credentials from these tenant environments, so actively participating in the phishing ecosystem.
This active strategy represents a substantial change from passive defense. By providing them with plausible, yet completely fictitious, data to exploit, it puts the attackers in their own game.
Phishing Sites and Honeypot Tenants
Every day, Microsoft keeps an eye on a staggering 25,000 phishing websites. About 20% of the time, Microsoft gives the attackers the credentials for the honeypot, while the rest of the websites are banned using CAPTCHA and other security measures. An attacker can access the fictitious tenant environments after using these credentials, which enables Microsoft to obtain information about their activities.
The attackers are only being watched in a controlled setting, even though they might think they have effectively compromised a system. Bevington estimates that the phony tenants are compromised in roughly 5% of these phishing attacks. At this point, Microsoft starts meticulously recording every action the attacker takes.
What Microsoft Learns from Phishers (Microsoft Security Flaw Exploits)
Understanding phishing strategies is made possible by the data gathered from these honeypot encounters. Microsoft collects a variety of data, including IP addresses, browser information, location, and usage trends. This information aids in creating a thorough picture of the tools and techniques used by the attackers.
Additionally, Microsoft keeps the attackers interested for a long time—up to 30 days, in some cases—before they recognize that they are in a phony environment by postponing their responses when they try to communicate with the phony accounts. Their operations are severely disrupted, and Microsoft gains further intelligence as a result of the attacker’s wasted time and effort.
Targeting Both Small and Sophisticated Actors
The fictitious tenant environments draw a diverse range of attackers, including nation-state-sponsored organizations like Russia’s Midnight Blizzard (also called Nobelium) and financially driven cybercriminals. By using deception technology, Microsoft is able to collect sufficient data to link assaults to particular organizations, which helps them comprehend and stop potential threats in the future.
Less than 10% of the IP addresses gathered in this manner, according to Bevington, correspond with information from other threat databases. This suggests that attackers are using new or undiscovered infrastructure that Microsoft’s honeypot technology is revealing.
The Broader Implications of Microsoft’s Deception Strategy
Although deception and honeypots are not novel strategies in the field of cybersecurity, Microsoft’s strategy is notable because of the scope and complexity of its activities. The corporation has developed a system that not only safeguards its own assets but also functions as a tool for more thorough investigation and hunting of phishing perpetrators by utilizing its extensive Azure infrastructure.
Other security teams receive the intelligence collected by these honeypots, which enables the development of more complex attacker profiles. By working together, we can improve defenses everywhere, which may make it harder for hackers to carry out successful phishing scams.
Conclusion
Microsoft’s innovative approach to cybersecurity is demonstrated by its deployment of fictitious Azure tenants to entice phishers into honeypots. Microsoft not only stops phishing attempts but also advances our knowledge of cybercriminal strategies by actively interacting with attackers and gathering intelligence. These kinds of tactics could be essential for keeping one step ahead of attackers and safeguarding digital infrastructure globally as phishing threats continue to change.
Read More:
