This is how Microsoft lures phishing scammers into sophisticated honeypot traps
Microsoft has also been using its powerful cloud infrastructure to trap criminals for some time. Deceptively real “honeypot” environments in Azure are primarily intended to tie up phishing operators and extract information from them.
Deceptively real simulations
This strategy has now been explained at the BSides Exeter conference by Ross Bevington, a senior security engineer at Microsoft. Bevington describes himself as the “Head of Deception” at Microsoft. The data collected allows the company to map malicious infrastructure, better understand complex phishing operations, disrupt large-scale campaigns and significantly slow down the activities of cybercriminals.
Bevington and his team rely on so-called “hybrid high interaction honeypots” that not only attract perpetrators, but also entice them to engage in extensive, time-consuming interaction. These imitate entire Microsoft customers with custom domain names, thousands of user accounts and simulated activities such as internal communications and file sharing.
The difference from traditional honeypots is that Microsoft actively uses deception rather than just waiting for attackers to stumble upon the traps on their own. Bevington and his team specifically visit phishing websites that were detected by Microsoft Defender and enter login data from the honeypot environments. Because these credentials do not require two-factor authentication and the environment appears very realistic, attackers feel safe and begin their search for vulnerabilities.
30 days in the honeypot
Microsoft monitors around 25,000 phishing sites every day. Around 20 percent of these are fed honeypot credentials, while the rest are blocked by CAPTCHA or other anti-bot mechanisms. In about 5 percent of cases, the attackers manage to log into the fake environments, whereupon Microsoft logs their every action in detail.
Information such as IP addresses, browsers, location, behavioral patterns and the phishing kits used is collected, Bevington explained. In addition, Microsoft artificially slows down the response times of the honeypot environments in order to steal even more time from the attackers. On average, cybercriminals waste up to 30 days before realizing they have fallen into a trap. During this time, Microsoft collects important information that makes it possible to attribute the attacks to specific groups, such as the Russian threat group “Midnight Blizzard” (also known as Nobelium).
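The mechanics described above (seeding a phishing site with honeypot credentials, logging who later uses them, and slowing the reply to burn the operator's time) can be sketched in a few lines. This is an added illustration, not Microsoft's code; the class name, field names and sample values are assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field


def _digest(password: str) -> str:
    # Keep only a hash so the honeypot log never carries the cleartext honeytoken.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class HoneypotLogin:
    """Hypothetical honeytoken login endpoint (not Microsoft's implementation).
    Each canary credential is seeded on one phishing site, so any later use of it
    reveals which campaign harvested it; every attempt is logged and tarpitted."""
    canaries: dict = field(default_factory=dict)  # username -> (digest, seeded_on)
    tarpit_seconds: float = 3.0
    events: list = field(default_factory=list)

    def seed(self, username: str, password: str, seeded_on: str) -> None:
        """Register a honeytoken and remember where it was deliberately leaked."""
        self.canaries[username] = (_digest(password), seeded_on)

    def attempt(self, username: str, password: str, src_ip: str,
                user_agent: str, sleep=time.sleep) -> bool:
        """Handle a login attempt; returns True when a canary credential matched."""
        entry = self.canaries.get(username)
        matched = entry is not None and hmac.compare_digest(entry[0], _digest(password))
        self.events.append({
            "ts": time.time(),
            "src_ip": src_ip,
            "user_agent": user_agent,
            "username": username,
            "matched": matched,
            # Attribution: the phishing site this credential was seeded on, if any.
            "seeded_on": entry[1] if entry else None,
        })
        sleep(self.tarpit_seconds)  # deliberately slow reply: the tarpit
        return matched

    def attribution_report(self) -> dict:
        """Count successful canary logins per phishing site the loot came from."""
        counts = {}
        for e in self.events:
            if e["matched"]:
                counts[e["seeded_on"]] = counts.get(e["seeded_on"], 0) + 1
        return counts
```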
Alexia is the author at Research Snipers covering all technology news including Google, Apple, Android, Xiaomi, Huawei, Samsung News, and More.