Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Cloud Microsoft

Microsoft's Honeypots Lure Phishers at Scale - to Spy on Them and Waste Their Time (bleepingcomputer.com) 21

A principal security software engineer at Microsoft described how they use their Azure cloud platform "to hunt phishers at scale," in a talk at the information security conference BSides Exeter.

Calling himself Microsoft's "Head of Deception." Ross Bevington described how they'd created a "hybrid high interaction honeypot" on the now retired code.microsoft.com "to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure," according to a report by BleepingComputer: With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity... Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing...

In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap. Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.

Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on... The deception technology currently wastes an attacker 30 days before they realize they breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.

This discussion has been archived. No new comments can be posted.

Microsoft's Honeypots Lure Phishers at Scale - to Spy on Them and Waste Their Time

Comments Filter:
  • to Spy on Them and Waste Their Time

    Microsoft must think I'm a phisher. Holy shit . . . am I actually one and never realized it?

  • Not a big deal? (Score:3, Insightful)

    by Zigbigadoorlue ( 774066 ) on Sunday October 20, 2024 @06:25PM (#64879915)
    Hmm, This seems like the sort of thing that would be standard practice for any company of their size. Microsoft, are you just trying to put out PR that makes it look like you care about security after the whole CrowdStrike debacle and the State Department email hack?
    • Re:Not a big deal? (Score:4, Informative)

      by gweihir ( 88907 ) on Sunday October 20, 2024 @06:58PM (#64879983)

      It has been standard practice for at least a decade. It has been done for something like 40 years. Seems like Microsoft is late to the game. As usual.

      As to their recent hilariously bad screw-ups, add the losing of security audit logs.

  • I prefer YouTube (Score:4, Informative)

    by dicobalt ( 1536225 ) on Sunday October 20, 2024 @06:38PM (#64879931)
    there's some hilarious people out there who talk to phone tech support scammers and jerk them around by playing a goofy character. By the time theyre done the scammer is begging them to stop calling. Hoax Hotel is one of the bigger channels that does this.
  • They do have a lot of expertise when it comes to filling up people's time with non-productive activities (broken Windows activation, viruses, etc.).

    • Re: (Score:2, Funny)

      by gweihir ( 88907 )

      I would go so far to say that is the only thing they do competently these days.

  • Fianlly! (Score:4, Funny)

    by jenningsthecat ( 1525947 ) on Sunday October 20, 2024 @07:16PM (#64880005)

    "Head of Deception" indeed. Microsoft has spent many years deceiving and spying on their users. At last they're putting the skills they've acquired to good use by going after actual criminals. Too bad they probably won't stop abusing their customers though.

    • Yeah, except that the head of deception is itself a deception. They are deceiving the fact that they've been deceiving us the whole time. Suddenly "micro" and "soft" MEAN something....

  • I thought Cloudflare already had cornered the market on this with endless, useless CAPTCHA shit whenever I use a VPN, wasting everyone's time and breaking everything under the sun.
    • by Bert64 ( 520050 )

      This happens when you use anything which shares a single IP between multiple users. It happens on mobile devices, and on ISPs which use CGNAT too.
      The host (cloudflare in this instance) has no way to differentiate multiple users using the same IP from a single bot spamming out thousands of requests.

      The solution is IPv6, where users have unique addresses - then you get a _LOT_ less captchas from the likes of cloudflare and google.

  • Microsoft first developed this technology with the Microsoft Store and perfected it with the VS Code extensions installer.

  • by kackle ( 910159 ) on Monday October 21, 2024 @08:46AM (#64881005)
    While the planet is burning, can you imagine all the server power used in this back-and-forth?
  • How about finding the coordinates for targeting with 2000 lb bombs?

I'd rather just believe that it's done by little elves running around.

Working...