Microsoft's Honeypots Lure Phishers at Scale - to Spy on Them and Waste Their Time

📅 2024-10-21    ⚓ Slashdot: IT    🌐 Source    🖼️ Load Image

A principal security software engineer at Microsoft described how they use their Azure cloud platform "to hunt phishers at scale," in a talk at the information security conference BSides Exeter. Calling himself Microsoft's "Head of Deception." Ross Bevington described how they'd created a "hybrid high interaction honeypot" on the now retired code.microsoft.com "to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure," according to a report by BleepingComputer: With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity... Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing... In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap. Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms. Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on... The deception technology currently wastes an attacker 30 days before they realize they breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.

Read more of this story at Slashdot.