Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.

With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.

The tactic and its damaging effect on phishing activity was described  at BSides Exeter conference by Ross Bevington, a principal security software engineer at Microsoft calling himself Microsoft’s “Head of Deception.”

Bevington created a “hybrid high interaction honeypot” on the now retired code.microsoft.com to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure.

Illusion of phishing success

Currently, Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing.

Companies or researchers typically set up a honeypot and wait for threat actors to discover it and make a move. Apart from diverting attackers from the real environment, a honeypot also allows collecting intelligence on the methods used to breach the systems, which can then be applied on the legitimate network.

While Bevington’s concept is largely the same, it differs in that it takes the game to the attackers instead of waiting for threat actors to find a way in.

In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants.

Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap.

Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.

Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors’ tactics, techniques, and procedures.

Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on.

Additionally, when attackers try to interact with the fake accounts in the environment, Microsoft slows down responses as much as possible.

The deception technology currently wastes an attacker 30 days before they realize the breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.

Bevington mentions that less than 10% of the IP addresses they collect this way can be correlated with data in other known threat databases.

The method helps collect enough intelligence to attribute attacks to financially-motivated groups or even state-sponsored actors, such as the Russian Midnight Blizzard (Nobelium) threat group.

Although the principle of deception to defend assets is not new and many companies rely on honeypots and canary objects to detect intrusions and even track the hackers, Microsoft found a way to use its resources to hunt for threat actors and their methods at scale.