Microsoft Creates Fake Azure Clients to Lure Phishers

Man

Microsoft has begun using honeypots with access to Azure to collect information on cybercriminals.

Using the collected data, the company can map the malicious infrastructure, gain deeper insight into complex phishing operations, influence the course of campaigns, identify cybercriminals and significantly slow down their operations.

The tactic and its devastating impact on phishing activity were described at the BSides conference in Exeter by Ross Bevington, a principal security software engineer at Microsoft. He created a “high-interaction hybrid honeypot” on the now-defunct code.microsoft.com to gather threat intelligence from less sophisticated cybercriminals and nation-state groups targeting the company’s infrastructure.

Bevington and his team combat phishing by using Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, internal communications and file sharing.

In addition to distracting attackers from real environments, the honeypot also allows for the collection of data on the methods used to compromise systems, which can then be applied to the legitimate network.

To actively engage the attackers, Bevington's team visits phishing sites identified by Defender and enters credentials from the honeypot's tenants.

Microsoft says it monitors about 25,000 phishing sites daily, providing honeypot credentials to about 20% of them; the rest are blocked by CAPTCHA or other anti-bot mechanisms.

Once the attackers log into the fake accounts, which happens 5% of the time, detailed logging is enabled to track their every action.

The data collected includes IP addresses, browsers, location, behavior patterns, VPN or VPS use, and phishing kits.

Additionally, when attackers try to interact with fake accounts in the environment, Microsoft slows down responses as much as possible.

With this deception technology, it currently takes an attacker an average of 30 days to realize they have compromised a fake environment. During this time, Microsoft collects data that can be used by security teams to create more sophisticated profiles and better protect against attacks.


Bevington notes that less than 10% of IP addresses collected this way can be matched to data in other known threat databases.
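
As an added illustration (not code from the post or from Microsoft), this is how a defender running decoy accounts of this kind could tie each sign-in back to the phishing page the credential was given to and collect the source attributes mentioned above. It assumes one decoy account per phishing page; the ledger, log field names, domains and addresses are all constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed ledger: decoy account -> (phishing page it was submitted to, when).
SEEDED = {
    "a.lee@decoy.example": ("phish-one.invalid", "2024-05-01T09:00:00"),
    "b.kim@decoy.example": ("phish-two.invalid", "2024-05-01T09:30:00"),
}

# Constructed sign-in log, one JSON event per line (field names are assumptions).
SIGNINS = """\
{"time": "2024-05-01T11:00:00", "user": "a.lee@decoy.example", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
{"time": "2024-05-01T12:00:00", "user": "real.user@corp.example", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"time": "2024-05-02T09:30:00", "user": "B.Kim@decoy.example", "ip": "198.51.100.23", "ua": "python-requests/2.31"}
{"time": "2024-05-03T10:00:00", "user": "a.lee@decoy.example", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
"""

def correlate(seeded, log_text):
    """Return one record per sign-in that used a seeded decoy account."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        account = ev["user"].lower()      # sign-in names are case-insensitive
        if account not in seeded:
            continue                      # not a decoy account: out of scope here
        site, seeded_at = seeded[account]
        delay = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(seeded_at)
        if delay.total_seconds() < 0:
            continue                      # predates seeding, so not from that page
        hits.append({"account": account, "site": site, "ip": ev["ip"],
                     "ua": ev["ua"], "hours_after_seed": delay.total_seconds() / 3600})
    return hits

def sources_by_site(hits):
    """Group the source IPs seen per phishing page, for infrastructure mapping."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["site"]].add(h["ip"])
    return dict(grouped)

if __name__ == "__main__":
    for hit in correlate(SEEDED, SIGNINS):
        print(hit)
```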