
Microsoft’s CVP of Fraud on Combating Ecosystem Abuse
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat and intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. [ Music ] Hello and welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. And I am joined by my friend, my fellow resident of the Atlanta area, Kelly Bissell, CVP of fraud at Microsoft. Kelly, it's so good to have you here. I'm super excited.
Kelly Bissell: Oh, Sherrod, look, thanks for having me on the show. I cannot express how excited I am about being on the show.
Sherrod DeGrippo: Well, a lot of people have been asking when you're coming on. You and I have been trying to coordinate it for a while. And what I'm excited about hearing about from you is what is going on in the world of fraud? Because, you know, I love crime. I love social engineering, threat intelligence, all of those things. So, you're actually in the trenches at Microsoft looking at fraud. What is that? That's got to be huge.
Kelly Bissell: Oh, it's gigantic. Yes. It's fraud and product abuse. So, it's two things wrapped together. And it's big. And I would even say that there are so many cyber gangs out there that you and I know about and others that we'll find out later, that we've got to be super vigilant every day across Microsoft for the protection of our customers. So, that's our mission. And I can describe a little bit more about what we do, but it's so much fun really fighting cybercrime and helping our customers be safe.
Sherrod DeGrippo: So tell me, when you say product abuse, what does that mean? What are people doing? They're writing Word documents that are nasty? What's the product abuse that you're looking at? Sending me messages on Teams.
Kelly Bissell: Maybe the three most common ones are crypto mining on someone's Azure account. Another one could be tech support fraud where maybe the actor pretends to be Microsoft and they call your mom or my grandmother to try to either implement malware or steal their identity. And maybe the third one, an emerging one, is around deepfakes. And so, those are three good examples of abusing the product, or even spam, abusing products for their gain.
Sherrod DeGrippo: And when you're talking about crypto mining, tell me a little bit more about that. So, essentially I imagine these are Azure tenants that have been popped in some way. The credentials have been stolen or some kind of token from that particular organization that has that Azure tenant has been lost, and threat actors get on those tenants and they leverage those resources to mine crypto. Is that what you're seeing?
Kelly Bissell: That is exactly right. So, the attacker, from their perspective, they want to use all the compute power they can find. And with the elasticity of the cloud, they want to get access or account takeover on a particular customer, and then take all available cores within the cloud environment to process as much as they possibly can.
Sherrod DeGrippo: And you told me that you find these running for a significant amount of time within that customer's environment that they had no idea about.
Kelly Bissell: That's right. In the early days we found that they would have been running for weeks and months, but now we've implemented tools in the last year or so that we could detect crypto mining very, very fast. Almost immediately. That's one way that we're protecting all of our customers to actually help their accounts be safer.
Sherrod DeGrippo: That's really interesting. I wonder how much cryptocurrency you have thwarted from being created because another thing that I think about too obviously is that I'm not a cryptocurrency expert. I understand really the aspects around criminal activity, the aspects around North Korea leveraging cryptocurrency, but as a cryptocurrency person I'm not an expert. I'm wondering though, mining, they say, is not really the thing anymore. Like it's gotten so much harder. Has that caused this -- it's so much harder to mine cryptocurrency now. Is that why some of these people are looking to steal compute resources, because it's so much harder?
Kelly Bissell: Well, it's not only much harder, but we've implemented these controls that make it more difficult for them to mine crypto. At least on the Microsoft environment. So, they have to move in other vectors, as we say, to create cybercrime. So, it has reduced over time much because of our good controls.
Sherrod DeGrippo: And I have a question just for me because I don't know. Is it within policy to use Azure to mine cryptocurrency? Is that allowed?
Kelly Bissell: It used to be that you could do it if you wanted to. Then what we did was said, "Hold on a second. We're going to stop crypto mining unless you get our approval." And it's because many companies, like very large companies, or even small companies, don't need to do crypto mining or don't want to pay for those compute resources. So, we've just changed the policy to disallow all crypto mining so that we can actually have the authority to do detection and prevention. And so, that's where we are today.
Sherrod DeGrippo: That's awesome. So, essentially what you're saying is Microsoft said such a large percentage of crypto mining within Azure is fraudulent or is an account takeover situation that we're just going to put out a policy completely across the cloud offering.
Kelly Bissell: Yes, that's right. In this case, there's not a real legitimate business case for using the cloud to mine cryptocurrency. So, we find that the vast majority, I mean 99.99% of our customers, don't want to do crypto mining, so we're making this easier so they don't have to worry about it too much.
Sherrod DeGrippo: That's really cool. I feel like that's one occurrence where a policy change actually makes things more secure. We don't see that very often.
Kelly Bissell: Yes, you and I are maybe not big policy people, but this is where policy gives you authority to actually move and actually take action for the safety of the whole world. And so, this is where good policy really helps.
Sherrod DeGrippo: That's cool. I like the idea that we were able to implement a policy change and it caused some nice security gains for people. So, Kelly, tell me some more about if you're not looking at cryptocurrency I'd imagine that you're trying to find account takeovers a lot. And what does that look like? How is that resourced? Who's doing that? Where do you start?
Kelly Bissell: Maybe if it's okay, can I tell you the five areas that are really important around what we think about of fraud and product abuse? And this will help describe how this works.
Sherrod DeGrippo: I want to walk through this because this is such a cool behind the scenes thing that people don't know Microsoft does. I know you just started working on this, I think, you said about a year ago or so.
Kelly Bissell: Right. That's right.
Sherrod DeGrippo: A year and a half ago or something like that. I remember when I talked to you I was like, what is it? Tell me all about it, because I just feel like kicking threat actors out of our cloud environment, frankly out of all cloud environments whether that's GCP or AWS or any of them, getting them out of those cloud environments really does make the digital footprint safer. So, tell me the areas you have it split up into and how you see that from your point of view.
Kelly Bissell: So, look, I love putting cyberpeople on things like fraud and product abuse because we think like the attacker, and then we can figure out how do we make this whole thing safer? So, Charlie Bell did a really good job. He said, "Kelly, go fix this problem," about a year ago, and we're on it and the team is incredible, and we're kicking butt. Let me kind of describe what we're doing. If you think about Microsoft whether you're buying Microsoft Office, maybe a PC, you buy Xbox for your kids, games, or you buy cloud services, all that goes through a function called commerce. If you think about every bit of revenue comes through Microsoft in a group called commerce. And there's a really incredible team called Commerce Risk, and what they do is focus on payment fraud because all those things, whatever you buy from Microsoft goes through a credit card, a corporate P card, a gift card, or some wire. And so, the first step is to protect payment fraud, and this is at a customer signup or sign in. And so, think about the millions and millions of customers that we've got. That is one control point.
Sherrod DeGrippo: So, you mean like the credit card that they put on their account as the recurring payment charge. So, you're looking at credit card fraud too.
Kelly Bissell: Yes. Credit card fraud, and remember these cards might be stolen. So, we have to really know all about these payment instruments. And I will say that Miriam and Kelly and all these folks over on that team are really incredible. They've been doing this for a long time, and they're brilliant at it. And it's not just payment. It's warranty fraud. It's gift card fraud. It's what's called friendly fraud, perks harvesting. It's all kinds of stuff. But let's put that in the payment bucket, and that's big.
Sherrod DeGrippo: Perks are risky. Is that what I do with my sky miles and my Sapphire points?
Kelly Bissell: Totally.
Sherrod DeGrippo: I'm legit though. I'm actually spending all that money.
Kelly Bissell: Look, I believe it, Sherrod. But it's a big deal to take loyalty programs and other things and abuse that. So, we got payment fraud. And then we've got cloud or account takeover. That's what you were asking about, the takeover. And that's made up of a few things like we've already talked about, crypto mining. Another big thing is around what's called domain impersonation or some would call it domain typosquatting. Fraudsters might set up a domain that looks like a legitimate customer, and they set that up to actually defraud the legitimate customer pretending to be their customers.
Sherrod DeGrippo: Okay. So, that's one. I almost feel like you've broken this up into TTPs, like TTP sections, which is cool. So, domain squatting, domain impersonation, homoglyphs, all of these speak to my heart because as you know I spent eight years doing email protection and security, email research, and those things are all over the email threat landscape. So, for those of you who don't understand how that works, threat actors will essentially register a domain that looks like, maybe because it has a very close number of syllables or it's spelled slightly differently, it looks very close to a well-known brand. And then that threat actor will leverage that domain using often the branding of that well-known brand; you could think Microsooft. They would maybe put two O's in Microsoft. They would use Microsoft branding. Things like that. And those threat actors are able to get a lot of clicks based off of people just quickly clicking into the domain. So, Kelly, we're doing some of that within Microsoft to dig out that fraud.
Kelly Bissell: That is exactly right. So, we're trying to monitor the creation of those typosquatting domains, those impersonations, to be able to prevent that from even occurring. And it's a clearly complicated problem to solve because if you think about all the company names all around the world and the deviations of a name and maybe even a product; a company might have a name and multiple products that have nothing to do with the name, that makes it extremely difficult. So, we have to understand not only the naming but also the behavior for exactly what they're trying to do. So, back to the TTPs.
Sherrod DeGrippo: Back to the TTPs. I want to mention one more thing about typosquatting and impersonation domains. Something -- Kelly and I, I think, are from about the same generation. I remember the days when we only had -- it was like dot com, dot org, dot edu. There were only like five TLDs. There were only a few top-level domains to choose from. Now there are hundreds. So, what that does for threat actors is they can register well-known brand.io, well-known brand.ai, well-known brand dot whatever it may be. Dot social. Things like that. So, the world of typosquatting has massively exploded because we've provided so many newer TLDs. Not just country based but commercial TLDs that aren't dot coms.
Kelly Bissell: Amen, sister. You got it right. And this is where we have to work much more closely. Not just inside Microsoft but also with our partners in the domain registry world like GoDaddy and others. So, we have to work in this ecosystem really well together.
Sherrod DeGrippo: So, let's hear what's the next one?
Kelly Bissell: So, we got all the account takeover and Azure and so forth. The next thing is around Microsoft 365, and there are a few things that are really important that we have to tackle. One is around Teams phishing, AI tampering, deepfakes, and, of course, we always have to tackle email spam. I heard the sigh.
Sherrod DeGrippo: That's my favorite. No, social engineering, essentially email threat to me is a threat landscape that I have spent so much of my career focused on. It's wild. But let's start at the beginning. So, let's talk Teams phishing maybe.
Kelly Bissell: Yes, that's right. So, increasingly, the new interface for communicating is not by your mobile phone, although that still is. But it's in the world of Teams where you can text someone or IM them. You can also do calls, and of course, on video you can do deepfakes on these video platforms. There's a lot of abuse and fraud associated with this that we're tackling.
Sherrod DeGrippo: I talk about this quite a bit. When I was in the world of email, I realized -- so I'll just kind of ask the audience. You're listening to this podcast, which let's say it's an hour long. If you're listening to this podcast how many emails are you going back to when you're done listening to this podcast? And most people would say oh quite a few. Email just comes in and comes in. I say, "What if you missed a day of email or five days of email," and people get these ideas of I've got all this work to do. All these emails come in. And I say, "Whoa, whoa, whoa, no. I mean your personal email." And then they say, "Oh, no. I don't use personal emails for anything." Personal email is irrelevant. And it's true. I think personal email has just become this box where you get your shipping notifications, and you get your appointment reminders and deals and sales for brands that you've done business with in the past. People just don't do personal conversational one-to-one emails really anymore. You might get a newsletter, but for the most part it's not your friends sending you an email. They text you or they message you on a messaging platform, or if it's at work a lot of people say don't email me. Send me a Teams message.
Kelly Bissell: That's right.
Sherrod DeGrippo: I know I do that a lot. I'm like I can't get to email. I have too many meetings. If you really need me I will chat you while I'm in that meeting, which is a terrible habit. I think that we are definitely seeing threat actors move to Teams and you're looking at that. When you find it, what happens?
Kelly Bissell: So, the good thing about it is we're blocking them before they even get into the fabric of the product. So, this is where we're building the controls within the engineering fabric itself. And if we do this, we can actually help all of our customers around the world be safer. And it's why we have to think about how we think about identities. Both synthetic and real identities, how we verify those identities, and we have a lot of what we call a risk reputation score around them so that we know who's a bad actor or bad identity and who is a good one. And so, that's foundational for Microsoft.
Sherrod DeGrippo: I love that we're doing that. I think coming to Microsoft has been a broadening of my security mindset because I've always really specialized and focused on certain data streams. I spent a lot of time focused on email and network, and at Microsoft we have this massive identity responsibility. And I really do feel like identity in many ways is kind of the new security frontier. Maybe not new even but the biggest hammer security frontier because threat actors are really narrowed in on the fact that personal identities, stealing identities of your personal email or your personal logins, that does not get them the big cash the way stealing a corporate identity does. I have seen in underground forum sales corporate identities have a higher resale value than private and personal identities. Even the identities of rank-and-file regular employees, they are more valuable because you essentially can then become that person in their work environment and work environments have money. Whether it's writing a PO or approving a purchase, or any of these things, it's much more likely that somebody with a corporate identity stolen is going to have access to money.
Kelly Bissell: You're absolutely right. It's probably 10 times more valuable or maybe more than a consumer account.
Sherrod DeGrippo: I always say to people too, if you had your choice between the balance in your personal checking account or the balance in your employer's checking account, which one would you choose? And it's definitely the money in my employer's account, much, much more than my own balance that I currently have. And threat actors think about it the same way. They see, I know that these corporate bank accounts have major cash. They're a lot more juicy of a target than someone's personal bank. Now that doesn't mean you should let go of your personal security. You should not, but as an employee you have to really be careful with your identity information.
Kelly Bissell: That's right. You are totally right, and I would say you should think about your personal security as the same as your corporate because sometimes those two things, maybe are not linked, but they're connected in some way.
Sherrod DeGrippo: And threat actors know that too. They see people forwarding emails from their work email to their personal as a reminder, or from their personal to their work. It's like, oh I got this. I'm supposed to pay my water bill, and I really need to remember to do that, so I'm going to forward it over to my work account, and back and forth and things like that. So, be very careful commingling those identities. Really think about what you're doing. And it's not really something in my opinion that's like the responsibility of DLP to solve. It's really the responsibility of humans to make sure that they're not introducing risks to either of those identities by connecting them too closely.
Kelly Bissell: I agree.
Sherrod DeGrippo: So, tell me more about what you're finding on 365?
Kelly Bissell: And look, this is where I'm not too worried about Microsoft Word or others because those have good controls, but we talked about LinkedIn. We talked about email and spam which is the entry point for a lot of abuse and fraud and attacks, but also what we're thinking about in the future is around deepfake detections. And this is important so that as AI becomes more usable in the marketplace and more adopted even by the attackers, then we got to figure out how might they use those tools for bad purposes like pretending to be someone they're not in these deepfakes. So, that's important for us to work on as a company.
Sherrod DeGrippo: So, let's talk a little bit about deepfakes. So, deepfakes, most people, I think, have seen some element of this essentially where an AI is trained on video or even just audio of a person, and it can then create new content that is not real essentially. There's a really popular video going around right now from the Apple TV series "Severance" where Adam Scott, one of my favorite actors; he's fantastic, is running through a hallway set, and it's a really great CGI very well-done single take beautiful. They worked really hard to get that cut done. But then someone made a deepfake of Keanu Reeves running that exact same hallway as if it were an action movie. So, I think the reality is even these kinds of highly produced expensive premium TV shows can be deepfaked if somebody wants to put that effort into it.
Kelly Bissell: As a matter of fact, you're right, but the cost of doing it is so much lower today than it was before. So, you could do it for pennies. Not have a whole production crew like on that TV show. So, I think the bar is lower as far as for attackers to use this for bad purposes, therefore we must be able to have protections in place, and that's where we are.
Sherrod DeGrippo: Yes. I think that deepfakes are definitely a horizon that Microsoft is very aware of. I think it's one of the most impressive things about Microsoft actually, that we are in parallel lockstep commitment to being responsible AI focused as we are developing AI. And I tell you sincerely for the listeners, I work with these people at work all the time. That AI red team, the responsible AI teams, the AI safety teams, these are fascinating people. They're super, super nerdy and super, super smart while also being very cool, and we've talked about the AI red team before. But Microsoft is really committing to making sure that the AI world, not just Microsoft products, but the AI world is secure and responsibly used, which these deepfakes, it's cute to make a new video of Keanu Reeves running in the hallway. That's cool. I don't know if it's super responsible, but it's not dangerous I don't think. But we do see things that are dangerous. Kelly, can you give us an example of some deepfakes that you've seen?
Kelly Bissell: Yes. Look, maybe just two simple examples. We've seen, not on our Teams platform but on other video platforms, we've seen a fake CEO that was dressed correctly, looked exactly like her, had her background, her office exactly the same, and she was actually trying to convince the finance team to wire some money for this M&A deal. Now the good thing about it is the finance team checked back and they thwarted the attack, but it could have been very easily done because the CEO was right there on the call with them giving the instructions. So, that's one example that is happening today.
Sherrod DeGrippo: And I've seen some of those before, and the thing that I think is really fascinating about these is that the amount of training data needed to create something like that is actually a lot smaller than you would think. They don't need hours and hours of footage like they do with Keanu Reeves. Keanu Reeves has been in movies since I was a teenager so 30 years, and there's tons of footage. The new reality is that they don't need that much.
Kelly Bissell: That's right. Two minutes. That's it. Two minutes.
Sherrod DeGrippo: Yes, a couple of minutes.
Kelly Bissell: And so, how we think about deepfakes is in-line video, and remember with Teams we have 280 million concurrent users on Teams. Yes. So, one is in-line video. The other one is images. So, if you think about when sometimes you want to verify an identity, maybe a government issued identity like your driver's license, but that picture can be faked. And then you mentioned before when we started talking about this, around voice, call centers, someone pretending to be someone with just a little bit of information to try to gain access to their accounts, like their bank. So, those three examples, voice, video, and image, are real examples that are happening today.
Sherrod DeGrippo: And I love that Microsoft is so focused on making sure that we're responsibly going after threat actors that are leveraging AI in a way that's honestly commensurate with what they've always done. And I think that's something when it comes to AI, that's something I still believe, I haven't seen anything to change my opinion, threat actors are leveraging AI just like they use other tools. It's just a new toolset. It's a new interface, and they can leverage it for bad things just the way I leverage it for great things every day. I use it in my work. I use it in my personal life. I'm an AI user. I know a lot of people are not super keen on it and haven't quite gotten there yet, but I'm all over it. If I can use AI to make my life easier I do it. And threat actors do the same. They know what they want. They know what their goals are. They know what their objective is, and they use AI if they think that will make them go faster. If it doesn't then they don't use it. So, tell me what else we need to know about fraud and Microsoft.
Kelly Bissell: Okay. We have just one more that I'd like to add, and that's around advertisement fraud. So, with Bing, or any search engine, you have fake companies that are setting up fake accounts to be able to sell fake products. And it could be a gift card that they're selling. It could be tickets to a game. It could be financial services. And so, that happens all the time. And so, we have really built in fraud detections within our search engines too, and the ability for customers, if they find something, to actually report bad ads to us. And so, advertisement fraud is something that's out there in the wild, and we're tackling that in a serious way.
Sherrod DeGrippo: I love that. I think that is another thing when I came to Microsoft that I just hadn't considered is that we have data sources from things like Bing, and threat actors purchasing ads, malvertising, leading to either fraudulent goods or some kind of criminal activity or just plain old malware downloads, that data is incredible. And being able to cut out that avenue for threat actors, I think, is really important. Also I didn't know that Bing was so good. I never used it before I came to Microsoft, but it is really good, and I feel like we have such a focus on making sure that it is safe and reliable for people to use, for people to take advantage of all of the shopping features in Bing. The deals. That's when I started using it is a coworker friend here, Holly Stewart, was like, "Oh yes. If you're not shopping with Bing, you're paying too much." I was like what? So, that's when I started using it, but I think the fact that we're so focused on making sure that Bing is safe for people to use, it is safe for consumers, that's really important. Making sure that there's not ads that people can click on that may leave them somewhere they don't really want to be.
Kelly Bissell: That is exactly right. So, that's why when we think about fraud and product abuse across all of Microsoft, we look at it holistically. And I can't describe how much change we've made in the last year. Incredible work. We don't have enough time on this podcast to walk through all the things, but we've got bot detection. We rolled out MFA to all customers on Azure. All kinds of things so that they can operate their business safely and not have to worry so much. So, we're just trying to make the world safer.
Sherrod DeGrippo: So, I just want to ask quickly. We rolled out MFA on all of Azure? I'm sorry I'm so behind on this. I didn't know that.
Kelly Bissell: Oh, yes. I just kind of slid that in there, didn't I?
Sherrod DeGrippo: Yes, you did. You buried the lede on that one. So, essentially what I like about that is, how many times in security do we hear everyone needs to have MFA? Everyone needs to turn on MFA. We're walking the walk there. That's great.
Kelly Bissell: Look, and this is the important part. We've been talking about MFA for a long time, and I love what Jen Easterly did at CISA when she was still there, but you've got to understand that for a lot of listeners if their journey to the cloud might have started eight years ago or 10 years ago, and so, maybe their site wasn't set up for MFA at that point, but we have gone for all new customers on Azure, Azure Portal we call it, and then existing customers. And that one little change has made a dramatic impact on fraud and product abuse and account takeover and so forth. So, we are building security by design inside everything we do in Microsoft. So, that's how we're trying to make the world safer.
Sherrod DeGrippo: I love it. And I think you and I, I've been with Microsoft two years. You're at three.
Kelly Bissell: Almost. Yes.
Sherrod DeGrippo: Almost three. Yes. I think really there is a turning point with honestly people like me and you and some of our new additions to the security world at Microsoft where we're leading a lot of charges saying we got to actually do this because it's the right thing to do. It's the responsible thing to do. It's the secure thing to do. But our customers, they are willing to call us out as they should, and we have the ability to do something about it a lot of times. So, now everyone has MFA on Azure.
Kelly Bissell: Yes, I agree. And I would say when Charlie came, we collectively, me and you and Mike, all these people transforming security across Microsoft, and I think we've done incredible work. Now there's more to do because the journey never ends, but I love where we're going because I think this is what the world needs.
Sherrod DeGrippo: There's kind of like a new energy I feel like over the past year or so in terms of just like, hey, this is the right thing to do for security. Obviously Satya sent out the "security above all else" email back in May of 2024. And I really see that being actioned. It's great to be a part of it.
Kelly Bissell: I agree. I agree. As a matter of fact, I've got engineering teams working on a particular Microsoft product calling me and saying, "Hey, I'm thinking about fraud and product abuse. What should I do?" And that is awesome because before I would have to reach out to them maybe and convince them that it was important. I get it the other way around now.
Sherrod DeGrippo: I do a lot of internal threat intelligence, threat actor profiles. Like I'll just get up and talk about a threat actor, and I get a lot of engineers that are like -- they'll Teams me afterwards and say, "I want to make sure that my app or my project could never be subject to this threat actor," and I'm like, "Okay. There is some core things you need to do, and there's an engineering security team I'm going to connect you with that can help you figure that out." But it's really cool because engineers come to you and are like, "You've terrified me with that threat actor. I can never let my project be victimized by this threat actor. What do I do?" And I am not a secure coding guru. I'm advisory on the side maybe a little, but we have people that really know secure coding that can help them which is great.
Kelly Bissell: Look, Sherrod, you are a TI guru for sure.
Sherrod DeGrippo: I know the threat actors really well. How to design an incredible code and be a software engineer, not really my expertise.
Kelly Bissell: This is where the team is good together.
Sherrod DeGrippo: I'm building a team. Yes. Kelly, thank you so much for joining us on the Microsoft Threat Intelligence Podcast. Everyone, this was Kelly Bissell, CVP of fraud. It was awesome to have you on. Come back again and tell us some weird stories.
Kelly Bissell: Thank you, Sherrod. Appreciate you having me. [ Music ]
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft, and I am joined with senior threat hunter, Priyanka Ramesha. Priyanka, thanks for joining me.
Priyanka Ramesha: Good morning and good evening everyone. I'm Priyanka Ramesha, working at the development experts team as a senior tech researcher, and today we will be talking about an interesting topic which is related to cloud data attacks.
Sherrod DeGrippo: So, the cloud. It's popular. People love it. I use the cloud. So, I think that threat actors also are using the cloud, right? Priyanka, can you tell us why actors are targeting the cloud more?
Priyanka Ramesha: Yes. Because cloud has become [inaudible 00:34:21] today. You know most of us are relying on cloud infrastructure for our business, to run our business and use cloud storage to store the huge data leak that we have and whatnot. So, we very much rely on this technology, and for the attackers, due to the utilization of cloud in all sectors, from small scale businesses to large scale businesses, this is a huge space that attackers are focusing on because it's a very complex architecture. And the scalability as well as the adaptability of cloud technology is growing exponentially day by day. So, when it comes to a very basic question like why cloud? Because it is very easy for attackers to take advantage of the misconfigurations in the cloud environment as it is very complex in nature, and there are shared resources which can cause a ripple effect even if there is a compromise at one end. You can reach another end of the architecture within no time. As well as, based on the configurations and the cloud design, even the smallest of the small configuration flaws can lead to a very huge attack like data exfiltration. And we have really relied on API technologies. API-centric tech is easy for attackers to exploit and literally get inside the environment and do all illicit activities which can go unnoticed for a long time.
Sherrod DeGrippo: That's really interesting. I think people ask me a lot why is security so much harder now? It seems like years ago, it was a lot more simple and straightforward. And I think especially with Microsoft, one of the things we can say is used to secure like a box. Like a box of software that you would get off of a shelf like an office supply store. Software used to actually come in boxes for those of you who are maybe too young to remember this. You would buy Windows at a store and even in the 90s, people would line up around the block at like a Staples or a Best Buy or an Office Depot to get Windows 95. That was such a big deal. You would buy it in a box, and you would take it home, and there would be disks inside the box. And you would load those disks onto the PC that you had at home. Securing a box of software, a cardboard box of software just really isn't the way that we operate anymore, right? It's the cloud. It's the Internet. It's all of these connected communication pieces now where that border has become much fuzzier than it was back in the 90s when we were securing essentially a single modem connection potentially or software in a box. So, I think that's kind of where attackers see the cloud. It's like this whole new attack surface that they never really had access to before. That they're getting better and better at attacking. So, Priyanka, tell us a little bit more about, I think, we were talking some about why threat actors are going after the cloud. What are they doing to get that initial access? Initial access is something we talk about a lot, especially in the ransomware and crimeware ecosystems. How are threat actors doing initial access into the cloud?
Priyanka Ramesha: So, when it comes to initial access, the very prevalent initial access that we see as an emerging threat against cloud environments is phishing. And sometimes when attackers intend to launch large-scale attacks like supply chain attacks, we also see them exploiting misconfigurations in the cloud services and then actually getting inside the organization.
Sherrod DeGrippo: So, let's talk about the next step then. Once a threat actor is inside that cloud environment, they've leveraged password spray or an attack in the middle of the landing page and phish kits, maybe it's an info stealer, maybe they found credentials either that were leaked somewhere in source code or they've purchased them off a marketplace. Once the threat actor has access to that cloud, what are they doing in there?
Priyanka Ramesha: Yes. So, here today we will focus more on how attackers are using cloud native tools like root tools and a framework like Azure Home to perform credential theft activities, as well as leverage the modules available in each of those frameworks to perform token theft and then gain access to highly privileged users and then launch email exfiltration activities in the environment, which we have noticed by actors such as Sandstorm, Silk Typhoon, who have leveraged these tools to perform these activities. And then get inside the organization by taking control of highly privileged users and resources like service principals to perform data exfiltration. So, to answer your question, I think, like attackers, like I mentioned, once they are inside the organization they can do credential theft. They can perform lateral movement activities, and they can also do exfiltration using these kinds of sophisticated tools and frameworks.
Sherrod DeGrippo: So, I want to talk about once they're inside, I have seen over the past several years, creating new apps that have a loss capability and letting those remain persistent, primarily because apps don't really hold the same identity requirements that a human login credential might require. So, tell me a little bit about what you're seeing in terms of apps getting created. Over-permissioned apps are a huge, huge issue, and users are installing them. Administrators are installing them. Threat actors are tricking people into installing them, so it's a spectrum of like, oh no, I wanted this app and being tricked into thinking what it was or, oh no, the threat actors put this app on. Or we're also finding, I've seen in the past where a software provider has been compromised and the threat actor then has access to all of those legitimate apps that were installed. So, what's going on with OAuth apps and how are threat actors navigating that?
Priyanka Ramesha: So, these are the major concerns that we have when the attackers are abusing OAuth applications, because it is very convenient for attackers who use these applications as the attack vectors and provide consent to elevate the privileges or to access other resources in the organization and then gain access into a more sensitive part of the order. And from there they'll be launching business email compromise attacks and data exfiltration. So, this is how we have seen impact in large-scale attacks like hybrid environment attacks, where attackers were able to use or abuse the existing OAuth application to provide consent and then delete the emails of the targeted users, and from there they could gather a lot of sensitive information. And users were having access to sensitive resources in the organization. And then successfully do distraction activities too.
Sherrod DeGrippo: Something that's been going on for quite a few years that you mentioned was this concept where we call it double extortion or multi-extortion, where the threat actor doesn't just encrypt the files and then hold those files for ransom, but they will exfiltrate the data and then do some other type of extortion with it, such as saying, "If you don't pay us additional money we will sell this data. If you don't pay us additional money we will release it publicly." I know that there have been instances where the threat actor has taken the victim data, combed through it and found embarrassing specific information and said, "We will release these very embarrassing specific pieces unless you pay us more." So, seeing that sort of flow of cloud initial access vectors, whatever those may be, ransomware actors, extortion actors getting onto the systems and then going from there is really what attack chains are looking like in the crime space right now and have been for quite some time. I think something else that is important to realize is that these identities really are for sale in so many places. They're so available, and they are pennies. They're fractions of a cent for really, really big packages of identities, which necessitates things like obviously MFA and VPNs and as much authentication and authorization in the old school IAM world that you can get going. Another thing that I've been talking about on the landscape, which you mentioned too, Priyanka, is the hybrid environments. The on-prem cloud hybrid environments. Threat actors know they're very difficult to defend. We actually see on the landscape threat actors choosing specifically to go after victim organizations that are in a hybrid environment, on-prem still, but they also have that on-prem direct connection to their cloud environment. Meaning that the threat actor can compromise one or the other and then pivot to the one that they didn't start on.
Priyanka Ramesha: That's right. And as you rightly mentioned, it is very complex in nature for defenders to keep track of the attack TTPs at the right time because these attacks can span from months to years. And attackers are leveraging this complex architecture at the on-prem level if they are targeting the on-prem users, or the misconfigurations, or the vulnerabilities to get inside the organization and literally move around the organization by taking control over highly sensitive devices like domain controllers, Exchange servers. And then from there they'll compromise the users with domain admin privileges, and then they will get inside Microsoft [inaudible 00:45:20] and compromise the service account. From there they'll be able to easily access cloud resources. And once they have full access to these kinds of accounts, they'll be able to access resources such as SharePoint, OneDrive, and create OAuth applications on their own, as well as steal all the sensitive information through which they can intelligently move across the cloud environment, access resources and make API calls which will look very legit in nature. Just like how we have living-off-the-land techniques on premises, we do have living-off-the-cloud techniques, where attackers will leverage the existing resources to launch these kinds of TTPs, and then clearly succeed in conducting ransomware, performing disruptions, and then exfiltrating data, and whatnot.
Sherrod DeGrippo: So, speaking of those actions, what are some things that defenders need to know here? What are some challenges and what are some things that defenders can do about these cloud attacks?
Priyanka Ramesha: So, there are multiple recommendations that we as hunters would recommend your organization, which is affected by cloud attacks, to follow. It is legitimately enabling the conditional access policies and having the right credential access evaluations. And enable security defaults, as well as have all these products which are supposed to be present or available to defend against these kinds of cloud attacks. Wherein we recommend organizations to onboard through MDA, MDI, MDO devices so that we are safeguarding the customer at each stage of an attack. I mean like looking into those detections on priority. All of these are the clean practices, the defense strategies that we generally recommend to cloud native users so that the defense in depth method is typically followed.
Sherrod DeGrippo: So, it sounds like there's a lot of work for defenders to do to be able to get ahead of some of these cloud threats and what some of the threat actors are doing in the cloud space. Priyanka, we'll put the link to the tech note in the show notes so that listeners can go check all those things out in a page that they can go through themselves, right?
Priyanka Ramesha: Definitely. We will share the event technique articles, and the viewers can read the articles, which will again describe the recommendations and the attack TTPs that they can actually notice if there are cloud native attacks launched against any organizations. Yes.
Sherrod DeGrippo: Fantastic. Thanks for joining us, Priyanka. I am Sherrod DeGrippo. This is the Microsoft Threat Intelligence Podcast. Thanks for joining us.
Priyanka Ramesha: Thank you.
Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.