Microsoft creates fake Azure tenants to pull phishers into honeypots

Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.

With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.

The tactic and its damaging effect on phishing activity was described  at BSides Exeter conference by Ross Bevington, a principal security software engineer at Microsoft calling himself Microsoft’s “Head of Deception.”

Bevington created a “hybrid high interaction honeypot” on the now retired code.microsoft.com to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure.

Illusion of phishing success

Currently, Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing.

Companies or researchers typically set up a honeypot and wait for threat actors to discover it and make a move. Apart from diverting attackers from the real environment, a honeypot also allows collecting intelligence on the methods used to breach the systems, which can then be applied on the legitimate network.

While Bevington’s concept is largely the same, it differs in that it takes the game to the attackers instead of waiting for threat actors to find a way in.

In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants.

Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap.

Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.

Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors’ tactics, techniques, and procedures.

Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on.

Additionally, when attackers try to interact with the fake accounts in the environment, Microsoft slows down responses as much as possible.

“Microsoft creates around 2 of these tenants per month, each one is populated with 20k user accounts. Microsoft is alerting around 400 users per day that they have been compromised. These are all under the research efforts of the Microsoft Threat Intelligence Center and referred to as “Microsoft Deception Network” or “Sensor Network”. The intelligence gathered here allows Microsoft to do a variety of things to protect customers. One of the most relevant is creating a better and more robust ability to detect and block malicious email in our Defender systems. With this intelligence we have blocked over 40k connections from accessing Microsoft resources. Threat actors are always changing and evolving their techniques, to defend against them, we use these kinds of tools and research efforts to better improve our ability to protect customers and stop threat actor activity❖ Sherrod DeGrippo, Director of Threat Intelligence Strategy.

The deception technology currently wastes an attacker 30 days before they realize the breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.

Bevington mentions that less than 10% of the IP addresses they collect this way can be correlated with data in other known threat databases.

The method helps collect enough intelligence to attribute attacks to financially-motivated groups or even state-sponsored actors, such as the Russian Midnight Blizzard (Nobelium) threat group.

Although the principle of deception to defend assets is not new and many companies rely on honeypots and canary objects to detect intrusions and even track the hackers, Microsoft found a way to use its resources to hunt for threat actors and their methods at scale.

Update 10/21 – Added Microsoft statement.