
Live from Black Hat: Ransomware, Responsible Disclosure, and the Rise of AI
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft, and this week, we're coming to you live from Black Hat, with three mini-episodes in one. First, we'll chat with MSRC's Tom Gallagher about our bug bounty program and round two of the Zero Day Quest. Then we shift into a chat about the current ransomware landscape with the Erics. After that, we'll wrap up with a talk about phishing and social engineering with members of Microsoft's incident response. Hello, everyone, I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft. I am joined by one of my most favorite people, Tom Gallagher, Vice President of Engineering and, quite importantly, the head of the Microsoft Security Response Center. Welcome, Tom. [ Cheering & Applause ]
Tom Gallagher: Thanks for having me here, Sherrod.
Sherrod DeGrippo: It's so good to see you. I've tried to get you on my podcast several times, and it has not happened. Why is that? That's your first question.
Tom Gallagher: I look forward to our conversation today.
Sherrod DeGrippo: Oh, that was very diplomatic. That was really good. So, give me just a rundown of MSRC, the Microsoft Security Response Center. What are the main responsibilities and mission there? What do you guys do?
Tom Gallagher: There's a lot of different things that we do, but the main thing is any security vulnerability that's found by somebody outside of the company gets reported through the MSRC. And then we go and triage that, we do a technical assessment, we work with the product teams to get that issue mitigated, and then we work with the researchers so that they can publicly disclose the information. In some cases, we'll pay a bug bounty for them as a reward.
Sherrod DeGrippo: So when somebody reports a bug, they get to disclose it, or do they disclose it in partnership with Microsoft? How does that work?
Tom Gallagher: Yes, the industry standard is coordinated vulnerability disclosure, which means that the person that finds it reports it to the vendor, and then the vendor and the researcher work together to make sure that customers are protected. And then when that issue is mitigated, the researcher is free to go and talk about it. That way, customers are protected, but the researcher is also able to publicly discuss at conferences like Black Hat and push research among the community forward, because we all learn from each other.
Sherrod DeGrippo: I love that, and I know that you and your team, like Stephanie and Alex and others, have really good relationships with the researchers, the bug hunters. And what is that like? What is that group of people like? How would you describe them?
Tom Gallagher: I would describe them as very diverse. We have a very wide set of researchers around the world. If you look at the last year of bug bounty submissions, you have people from 59 different countries that have submitted vulnerabilities. We also-- like you have people that are still in high school, all the way to people that are well experienced, close with PhDs. So everybody brings a different angle, a different perspective, and we really benefit from that.
Sherrod DeGrippo: Now, in the past couple of years, I have sort of seen the advent of being a bug researcher or a bug hunter as somebody's just entire source and income. People say, you know what, I am kicking it on bug bounties. I'm making a lot of money on this across the board, and they just do that full-time. How much of the community is like that? Like, is that a real thing?
Tom Gallagher: That is definitely a real thing. Some of those folks are a part of our program, and they submit to us. Some exclusively, some will submit to us, and also some other bug bounty programs. There's a pretty wide array of how much people are involved. There's people like you're describing who get up and they look for bugs all day long. They come up with techniques. They'll try it against Microsoft. They'll try it against other vendors, and they'll try to monetize that, and that is the way that they make their money. But then you also have people that may be doing it for fun on the side, on the weekends, late at night, some of these folks are just learning, they may not have a job in infosec yet, and, you know, all kinds of different stuff.
Sherrod DeGrippo: And that goes back to that diversity we're talking about across hobbyists and professionals and early in career, super senior, and all that kind of stuff. Yeah. And help me understand, to you with MSRC, is that every Microsoft product, like pretty much everything?
Tom Gallagher: So we take vulnerability submissions for anything that's Microsoft.
Sherrod DeGrippo: Awesome.
Tom Gallagher: We pay out, we try to incentivize research in certain areas, and so those are going to be the areas that we have bug bounty for. We do not have everything under bug bounty.
Sherrod DeGrippo: And I know that last year, there was a new program called Zero Day Quest, and that was announced by Satya in November 2024 in Chicago at the big Ignite Conference, the Microsoft conference. And tell me what Zero Day Quest is exactly.
Tom Gallagher: So, Zero Day Quest, we did it for the first time in April of this year. We had a qualifying period where we said, hey, these are areas that we want to see people do research in. They were focused on cloud and AI. We asked people to submit bugs in those areas. And then we took the top people and we invited them to an in-person event in Redmond.
Sherrod DeGrippo: Oh, what happened at this in-person event? Sounds fun.
Tom Gallagher: Yeah, so it was a lot of fun. We had the researchers on campus. It's our main campus, so a lot of the product development is there. So we had people working hard to find vulnerabilities. Our team would in person go and assess them. It was really great for our team to be able to go and tap the researcher on the shoulder and say, "Hey, we want to understand this a little bit more." Then we would submit the bug to the product team for them to go and address. And then in many cases, we would say, you know, "These folks are here on campus." You know, the product team would show up and say, "Hey, how did you find this bug? What's going on?" And so, the engineers that are actually developing the features learned a bunch about, you know, that hacker mindset, how to develop an approach when you're trying to find security vulnerabilities. And then the researchers were like, "Hey, can you tell me a little bit more about the architecture? How does this work? How does that work?" So that they could further their research at home, where they're going to go and look to find vulnerabilities.
Sherrod DeGrippo: That's so cool, because it compresses that timeline from bug find to bug fix into, what, a day?
Tom Gallagher: You know, the fix-- so certainly, the submission to go in triage was like super quick. The mitigation of an issue is going to vary depending on what that fix is.
Sherrod DeGrippo: What the product is.
Tom Gallagher: We have to be very intentional not to be too fast and break things, but certainly our time to mitigate is something that's very important for functioning.
Sherrod DeGrippo: I think it's really interesting, since I've come to Microsoft, seeing just really the scale of Microsoft deployment. A lot of people think about like Windows or the Edge browser or obviously, you know, Azure. But Microsoft has such a massive spread currently, not just within the Windows ecosystem, but within Mac, iOS, Android, across IoT devices, and you're taking all those bugs in across any Microsoft product. That's huge.
Tom Gallagher: Yeah.
Sherrod DeGrippo: How many bugs do you say come in a day?
Tom Gallagher: We don't publicly talk about the number of bugs that are coming in.
Sherrod DeGrippo: Are you tired?
Tom Gallagher: I would say that we are very smart about how we triage things. So if we're going to use technology to go through, not every submission that we get is like a critical issue. And we're using a lot of AI now to go and triage things and prioritize and work through all of the issues that are boring.
Sherrod DeGrippo: I've heard a lot about AI. It seems to be very popular. Tell me now, you've talked before about the ethics around responsible disclosure. Kind of help me understand how MSRC implements those kinds of values.
Tom Gallagher: Yeah, so everything we do is to protect customers, right? At Microsoft, that's another way to protect customers. The first part is that coordinated vulnerability disclosure that we talked about earlier, where people are going to partner together to get the issue fixed before we go and disclose. The other thing is we want to be intentional with how people engage and, you know, how far they go with their research. You know, we don't want people to find the vulnerability and then start using that to touch customer data and things like that.
Sherrod DeGrippo: Right.
Tom Gallagher: One of the things that we did during Zero Day Quest is we set up these things we call Flash Challenges, where we said, you know, can you go and read this email? Can you go and find the ability to look at the SharePoint document, and things like that, so that people could go a little bit further than they normally would, but it's all within a contained boundary that would be responsible.
Sherrod DeGrippo: I love that. I think that, you know, having such a massive footprint like Microsoft does, being committed to ethical, responsible disclosure is kind of our like mantle, foundationally in the world. Like to protect the global digital landscape, we have to be willing to have rigor and discipline and approach names in a really clear, visible way. So I think it's fantastic with MSRC and everything that I've done with MSRC, because I've worked with your group quite a bit. That value is in every person and every project, and everything that we do there, so it's pretty cool. So, how does all of these cool names like Zero Day Quest, bug bounties, how do all of these kind of contribute back into the big focus of Microsoft, which is security and the Secure Future Initiative?
Tom Gallagher: Yeah, one of the pillars is to accelerate response and remediation. I'm the pillar owner for that.
Sherrod DeGrippo: You're the pillar owner? What kind-- do you have a crown or a scepter, or what do you get? What do you get for being a pillar owner? A bag of concrete.
Tom Gallagher: I get a lot of work.
Sherrod DeGrippo: You get a lot of work. Okay.
Tom Gallagher: So certainly, we put a lot of energy into helping everyone across the company understand the vulnerabilities to accelerate the ability to mitigate those issues quickly. But if you think about the longer timeline, you know, security really starts from the time somebody envisions what a feature would look like. It's well before somebody's writing code, and, you know, threat modeling, all those things happen at Microsoft. By the time a security researcher is finding an issue, that means the landscape could have changed, there are new threats that are understood. The researcher may have had a different perspective on things than we did. And so that's all the feedback. That's the feedback channel that we use to change the way we think about things. So it might be, you know, we missed something. Let's go out and see diag analysis rules. It could be, let's make sure that people that are doing threat modeling consider this perspective when we're building and designing new features. So it's all just to get a feedback loop.
Sherrod DeGrippo: It's a great partnership, I think, between the Microsoft Security Response Center and our Microsoft software engineers, software developers. I work through your group, doing a lot of workshops for those software developers, and it's a really different mindset working with somebody who considers themselves a software engineer versus people like us who kind of are security people, and I always say, you know, the developers are the makers and we're kind of the breakers on the security side, and sometimes I just wish I could live in that software developer world where I just wanted to give people cool features all the time instead of feeling a little destructive where I'm going to try to find problems and bring them up.
Tom Gallagher: Well, I think it's a great partnership. I worked on the Office team for 23 years. And so we were shipping features, but I was always responsible for how do we do this in a fast way, but in a secure way. And so, it's really about building that awareness, building the partnerships with the software engineers, because they're going to be well-equipped to go and address the issue if they're aware of how to go and do that.
Sherrod DeGrippo: I love the way that Microsoft handles these things, because we have the scale that we have. Let me ask you now, Zero Day Quest, are we going again in 2025?
Tom Gallagher: We are.
Sherrod DeGrippo: We are.
Tom Gallagher: And we've started the next phase, it's a qualification phase. We opened it up on Monday, it goes through October 4th. You should check our board. We're accepting submissions right now. Basically, the way that you submit is by a vulnerability in cloud and AI products. Submit those, you're going to get Jotform. We even have multipliers for critical issues that are being found. And then we'll take the top people and invite them for that in-person experience that we've described before.
Sherrod DeGrippo: And that'll be in Redmond again at KFS?
Tom Gallagher: It will.
Sherrod DeGrippo: Amazing. It's absolutely worth it if you're listening. Search up Zero Day Quest Microsoft, go get involved, and check that out. And finally, there is BlueHat Asia in Bengaluru coming up. How do you feel about that? When is that?
Tom Gallagher: I'm very excited. So, we have three BlueHat events around the world now. It started in Redmond. We've had an event in Israel for several years. And then recently, we started one in India. And it's been such a big success that we're expanding to attract the broader region. And it's called the BlueHat Asia.
Sherrod DeGrippo: Fantastic. So those are some things for the audience to go check out right now. Get on your computer and look up Zero Day Quest, Microsoft, and BlueHat Asia coming up soon. Tom, I have one final question for you. What is something that you would love to see more of from the research community this year?
Tom Gallagher: I think there's still a big opportunity to do more AI research. I think there's a lot of folks with a lot of talent around application security, and that's a great mindset. What we'd like to do is see more people pivot to think about the AI problem. The researchers that work in the AppSec space have a great mindset. If they apply that same mindset to AI, I think it'll unlock a lot of different things. Some of the things that we're doing is we're providing additional training. We have videos out, we have information about that. It's a different type of problem, and so you just have to think about it a little bit differently, but the core competencies are really the same thing.
Sherrod DeGrippo: One of the things that I think is so cool about AI bug hunting is that you could do a lot of it in natural language. So the bar to entry really is anybody can do it.
Tom Gallagher: That's right.
Sherrod DeGrippo: And I want to put a particular call out to my social engineers out there, because combining your social engineering experience with natural language capabilities, getting into AI systems, you can hit bugs that you maybe could not have hit otherwise without a social engineering background.
Tom Gallagher: That's right. And you don't have to get sweaty like you were a social engineer, a real person.
Sherrod DeGrippo: You don't need a clipboard or anything like that, just a computer and your little typey typey fingers.
Tom Gallagher: And if you fail, you just try again. It's not like social engineering in the real world, where you get shut down.
Sherrod DeGrippo: Absolutely. You can keep trying. I love it, Tom Gallagher. Thank you so much for joining us. That was Vice President of Engineering from the Microsoft Security Response Center, Tom Gallagher. I'm Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, coming to you live from Black Hat 2025. Thanks for joining me, Tom.
Tom Gallagher: Thanks, Sherrod. It was great.
Sherrod DeGrippo: Welcoming to the stage, my close friends that I have known for a very long time. Eric Olson, Principal Security Researcher. [ Booing ] And Eric Baller, Senior Security Researcher. [ Booing ] I've heard that you guys like crime. True or false?
Eric Olson: True. Not committing crime, but crime, yes.
Sherrod DeGrippo: Got to make that distinction. Don't want to commit the crimes. Want to research--
Eric Olson: -- the crimes. Exactly.
Sherrod DeGrippo: Yeah, it's okay. So, let's talk about ransomware. Ransomware is one of my most favorite things to research and never do. Because it really has evolved over like the past 10 years to become this thing that used to be an individual situation where, like a computer would get encrypted, to now they're shutting down entire organizations operationally. So help me understand. I'll start with you, like help me understand what you're seeing on the ransomware ecosystem.
Eric Olson: Yeah, I think what we've been seeing lately is that when they come in, they seemingly know where they want to go. A lot faster than they used to. So, whether that's going straight towards NIT servers or targeting the backups, and trying to inflict the damage fast and early, because they have a better chance of getting the ransom payment, rather than just encrypting a few workstations, which doesn't really motivate the company to want to pay. And I think another thing that's really been brought up is they usually have the accounts when they come in. They don't need to do a lot of privilege escalation. I don't know if that's the rise of ransomware brokers and access brokers, giving them credentials. The initial access is usually really fast. And then we'll see them do things such as golden ticket attacks or trying to drop other persistence mechanisms to keep us from kind of stamping out the malware, but the speed, I think, is the real thing that's changed the last two or three years for us.
Sherrod DeGrippo: That's really interesting. When we talk about speed, for years, the Verizon DBIR would have stats on dwell time, which is essentially the time from when a threat actor has access to a network, how long it takes before they actually do the encryption capabilities to an account or the organization. And year after year, the dwell time would get shorter and shorter. And I remember dwell times of 10 days, I remember dwell times of seven days. And as those got shorter, I think we're seeing dwell times down in hours.
Eric Baller: Yeah, we-- I worked a case a few weeks ago, and it was about 30 to 40 minutes from when they came in, where we had the first VPN log timestamp to when they started hitting the backups was around 40 minutes, so it's very quick now.
Sherrod DeGrippo: Are you seeing the same kinds of things with the ransomware that you're looking at?
Eric Olson: Yeah, it's been interesting. So we see abuse of common exploits. So a good example is Citrix Bleed 2, which is more recent. So you'll see them jump from some exploits like that, and then once they get in the network, set up shop quick, deploy itineraries. And in a lot of instances, these folks know the tools better than the customers. So they're like, hey, we can-- you're using a software deployment mechanism. Guess what? We have people who are experts in this, and they're able to just get in, get it deployed, and get out.
Sherrod DeGrippo: I think that's something that we've seen too, especially when it comes to social engineering. Threat actors really do seem to know the organizations, the people, the business processes in a lot of cases better than the employees themselves, they're able to really understand, "Okay, if we ransom this organization or this company, will we get a pay? Will we get paid? Do they have the money? Do they have the capability? And how exactly would we get that access?" And I think that it's really-- it's a shift over the past decade of kind of a "spray-and-pray" ransomware, like Locky was in 2015, to now is really targeted. It's really specific and intentional. Do you have any insight into how these ransomware actors are choosing their targets?
It varies. It really varies. It could be open-source intelligence, and they're just going to expand on some systems, [inaudible 00:19:55] is the word. Some of their remote access protocol exposed, it could be through some social engineering and credential theft. We've seen like a forum hits compromise where some of users used something like, let's say codes, and that person gets, you know, hunt to download an Adobe executable, and it's actually the first stage of access into the organization.
Sherrod DeGrippo: And something that I think is interesting now too about the way ransomware operates is we're seeing a lot of, you know, the phrase we used to use was double extortion, but I think now we're saying, we see, extortion. How are we seeing that playing out with not just encryption for pay, meaning encryption for pay, but additional extortion, hacks leaked, so to save the organization the time?
Eric Baller: Yes, I think there's the data theft can go in it, of them actually exfilling, proprietary data before doing the encryption, so they have kind of two options, right, like we'll release your data to the public, you don't need to sit there with everything encrypted. So, I think I guess most of what I've seen recently is the extortion of their proprietary data.
Sherrod DeGrippo: I think looking forward in terms of ransomware, I think something that really is on the horizon is the use of AI, but you might say like, well, where do you put AI in the attack chain essentially for a ransomware event. And I think what we're going to see is the usefulness of vintage data breaches. Ransomware actors going, pulling down old data breach archives, putting them through an LLM, or an SLM locally, and saying, hey, help me figure out their weaknesses, help me figure out based on these data breaches, where I could potentially do a ransomware event on this particular organization, or, you know, look through this and see if there's extortion tactics that maybe we can use. Maybe if you get an email dump, look for email conversations that talk about mergers and acquisitions, or maybe a supervisor being inappropriate with one of their employees, and we can use that as a kind of extortion. So it's going to really, I think, accelerate these threat actors' ability to understand the businesses. Like we were talking about before, they're going to be a lot quicker at that.
Eric Baller: I'll go back to your early question, too, of how they get in sometimes. I think-- and you've probably seen this too, Olson. If the company's using a third-party MSP and they compromise that, sometimes the way they pick their targets is whatever the employee they compromised in that third party, that's who they go after. So if the employee has access to these four companies to do normal administration work, they go after them. I think we've seen a lot of those seemingly seem like they start from the data service provider and then go into a company. So I think there's-- going-- I think there's a kind of a bright spot, I think, though. We have seen a lot of customers getting smart, too, having their backups disconnected from their main network. We worked at one recently where they hit the ESXi servers, they were going to pivot to their backups, and they just cut the line right away, and they seemingly were able to save themselves. So, as we see like ransomware, the dwell time gets fast. I think the customer's responses are actually getting pretty fast as well.
Eric Olson: Yeah, and a good point on the use of AI [inaudible 00:23:20], thinking back and say, "Hey, this company was impacted by this previous vulnerability of some software." And now a new version comes along. So you go back and play back that, you know, repeat that playbook and say, "Okay. Hey, the customer is vulnerable at this time. What's the chance they're now also vulnerable with this new version?"
Sherrod DeGrippo: And that, I think, brings up that important conversation around software supply chain or providers supply chain, where your vendors and providers are just as much of a target as you are, if not more, because ultimately, those vendors, whether they sell you software, they sell you services, you use their platforms, if threat actors know that those service providers and software sellers are vulnerable, it's a lot easier to compromise a mostly high order, like you said, an MSSP, and they go down free to all of those customers that make absolute targets for some of these threat actors, especially to ransomware.
Eric Baller: Yeah, and I think from the customer side, too, they don't really know how the security is on the other side from them. They may do everything right on their side, but they're going to leave enough vulnerability out there in some way.
Sherrod DeGrippo: Yeah, I think that cuts back to like one of the least fun and cool parts of security, which is like vendor audits. To like make sure your vendors are doing the boring parts of security and you have, you know, as three of visibility into those vendors and understand their approach to security, what they think is important, how they do the things they do. I want to talk a little bit about the business of ransomware. We always say ransomware is an ecosystem. You're not fighting a single threat actor group, you're fighting an entire organized ecosystem. What have you seen in terms of the organization of these ransomware threat actor groups? How they operate?
Eric Olson: I have a specific answer on that. I think the access broker side does maybe where I've seen that evolve a little bit because before it was always kind of an exploit and like an edge device or compromise credentials of, you know, it can be social engineering or something, but now it's-- we're seeing cases where it really seemingly happens in the logs, they just kind of log in with an account. So did they buy those credentials from an access broker or somewhere else with the permissions that they need, and just logged in and do it? And so--
Eric Baller: Yeah, also disagreements between different ransomware groups and they break away, form their own ransomware group, and maybe take that as a moment to, you know, introduce some changes that they log in and the way that products that they want to use, and that they use, and then do it that way.
Sherrod DeGrippo: If there's definitely an element of kind cut-throat, no honor among thieves, when it comes to like these ransomware groups, and the way that most of us know that is we read things like the Conti Leaks or various other leaks that have come out of these groups, where we can really see the inner workings of, hey, this guy's getting paid more than I was getting paid. I want a raise, or, you know, we're doing it in this way. I don't think that's the most effective. Let's make a change here. Somebody says, no, I don't like that, so we're going to splinter or we're going to shut it down.
Eric Baller: They're not getting anything enough time.
Sherrod DeGrippo: They're not getting anything enough time. I've also seen instances where, like it'll be, you know, one person working for multiple ransomware groups at a time, because they just sort of know what to do, and they take on as many jobs as they can. What do customers need to know in terms of ransomware? What would you say is that would make customers safer long term?
Eric Olson: I think it would be having a plan to disconnect critical systems, backups stored in a manner that's not connected through the normal production environment, so you're not totally shielded, and if you don't get a hold of it in time. And then another thing I always want when we're on is the response geeks, it's the VPN and the firewall logs. And especially for any kind of historical compromise, not having those logs anywhere really limits the how they got in and where they came from, and to really track if there's any other threat actors. So I think just check the backups and having proper logging.
Sherrod DeGrippo: So, for all of you listening, you're going to need to do proper logging and backups. Things like network segmentation, and make sure that you're-- you have a firewall on. So we're really talking the language of like 2002. Yeah, that people haven't taken care of.
Eric Baller: The same issues. Also equally important, you know, realizing where your sensitive data is at, because the ransomware folks, they definitely know. And when we start, when they send you an e-mail and they're like, "Hey, look at all this data I set up." And you know, maybe the customer is like, "Hey, Google scans mails. Send me a proof of life. I don't believe you. Tell me you took my data." And they send you a text, like, hey, look, here's all the data I took. And now you're that company going, all right, I see this data. I don't recognize this. Where did it come from inside my network? And then they can't find it.
Sherrod DeGrippo: So you can't verify whether or not a different actor really has what they say they have.
Eric Baller: Or even proving that the data was exfilled, because maybe that segment was not logged or audited, and there was no evidence.
Sherrod DeGrippo: So there really is just such a big element, I think, of social engineering aspect for ransomware, whether it's, you know, the initial entry leverages, text messages, or [inaudible 00:28:31], whatever, Threads, or if it's at the, you know, incursive stage, where they say, "Oh, we really do have this data," and then the organization has to decide whether or not they believe that's true.
Eric Baller: Yeah.
Sherrod DeGrippo: All right. We are going to wrap up now. I want to thank my two guests, Eric Olson, Principal Security Researcher, and Eric Baller, Senior Security Researcher at Microsoft. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy. Thank you for joining me at Black Hat 2025.
Sherrod DeGrippo: Hello, and welcome to the Microsoft booth at Black Hat. Wow. Okay, we're going to talk about credential phishing and social engineering, two of my most favorite topics. And with me, I have fantastic guests from Microsoft, Travis Schack, Principal Security Researcher, and my good friend, Eric Olson, also Principal Security Researcher. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, and let's get into it. Travis, I will start with you. What exactly is social engineering?
Travis Schack: Well, definitely it should be-- can you hear me? So, social engineering is just a tactic that threat actors use to pitch you to do something, to provide something; lots of different techniques involved in that. We'll probably talk a lot about phishing, and we'll start at the email side with phishing and some other techniques.
Sherrod DeGrippo: So, Eric, I'll ask you, what examples of social engineering have you seen that threat actors have actually sent out there into the world?
Eric Olson: Well, so social engineering actually, probably a really good one is, everyone who's got a text message that says, "Hey, you have a toll due, click this link." Or UPS says, "Oh, don't forget your package."
Sherrod DeGrippo: Oh, no, I got that one.
Eric Olson: Click this link.
Travis Schack: I know everyone's got that.
Sherrod DeGrippo: So you should click the link, right?
Travis Schack: If you're a researcher, maybe. No, definitely not.
Sherrod DeGrippo: Click the link only if it's for research purposes.
Travis Schack: Yeah, exactly.
Sherrod DeGrippo: So people get those all the time. I think a lot of people, I think, are probably pretty smart and just delete the message or ignore it. What happens if you click on the toll link? What is it?
Eric Olson: It varies. It could be something that's like, "Hey, put in your email address and password." And you're like, "Oh, well, I use the same password for everything, naturally. So let me just put in my password." And then now they got your password, and they could either, you know, go to some credential broker or, you know, that threat actor was hoping that you would put in your password, and then now they have it.
Sherrod DeGrippo: So what kind of scale are we looking at when we talk about things like social engineering for credential theft? Like, how many of these messages are getting sent? How many people are clicking on them? Is this actually profitable?
Eric Olson: Very much so. Profitable and probably way too many to count. I know I have family members who send me emails all the time. "Eric, is this spam?" I'm like, yes. It is a phishing email, please tell me that you did not click the link. You didn't provide your password or any of the other info that it asked for. And I think one of the things that's changed is that with the use of AI, so previously, you know, you get an email and you're like, oh, this is unrealistic, because either the English isn't correct or the grammar doesn't match up with something that would be said in person. So now, through the use of AI and like using deepfakes, you're like, all right, this is kind of believable if you're not looking for other indicators, like, hey, it came from a random email address that's not the company that said they sent it.
Sherrod DeGrippo: Right, and I think that people don't understand them. For the most part, things like credential phish are really the beginning of an attack. So, Travis, walk me through, like, once the threat actor has your username and password, let's say you did fall for it, you put it in the landing page, what happens after that?
Travis Schack: Yeah, so typically they want to use that information, once they capture it, and if you don't have multi-factor authentication on that account, they're going to gain access to whatever systems where you use those credentials. So whether it's work-related, personal-related, banking, they're going to try everywhere. Social media, they're going to try everything to try to get users' credentials, the gates, and access.
Sherrod DeGrippo: So, I guess that leads me to my next question. Eric, how do we prevent this stuff? Like, what's the way to stop it?
Eric Olson: Well, you know, I was reading something earlier that was talking about corporate training, and you get-- you know, and we get it too, and it'll be a video, like, hey, click on this thing or watch this video about something. And, you know, for the most part, a lot of folks are probably just tuning out, because like, hey, I have 40 hours of training they have to do with videos, and I think it'd be much better served for some kind of like micro learning, like a simulation where you're like, hey, you click on this area of the email that looks suspicious, so I know that you know if you get an email at the company that you'll be a good, a good cybersecurity person, because everybody can not do a little bit of security and be like, "Hey, this is no good." And then report it and be like, "Hey, nope. Not clicking it."
Sherrod DeGrippo: So what else, Travis, can we do in terms of prevention? How do we stop this stuff?
Travis Schack: Yeah, we were talking about the user education, but then you're still going to have some failures there. Then you got to rely on some of the technology side of the house. It's where multi-factor authentication is going to help, adding in that second layer of authentication. Tools like Defender for Office 365 is going to help with that. So really, the multi-factor authentication is probably one of the biggest protections that we can have.
Eric Olson: Yeah, because, you know, for phishing and actually social engineering too, it's not necessarily starting with breaking the system, it's breaking trust of the person who's on the other side. And then you have to hope that all the other security controls and tools and things that you have at your disposal are what, you know, stops the next step.
Sherrod DeGrippo: Yeah, I think too, like you mentioned, AI, and I've been thinking a lot about this. I think that a lot of the AI tools that we have available to us today really are these large language models, generative text. They can create images, and they can create text. And I think we are seeing threat actors leverage AI tools to create really good social engineering work. But something to think about, too, is all of those data breaches that have happened over the last several years; those are out there available for threat actors to take. And it would be really easy, I feel, for a threat actor to download a bunch of breach data, whether it's emails or credentials or corporate IP, and then run those through an LLM and say to the LLM, if I was going to try to trick someone from this company, how could I do that? What is something that people in this company are concerned about that would cause this to click? I don't know that we've seen that yet, but it makes sense to me that threat authors are thinking about leveraging AI as that kind of tool.
Eric Olson: Yeah, definitely, leaves the breaking trust bit.
Sherrod DeGrippo: Right, it makes things move faster. And I think AI really-- something that is important to think about when you're rebranding it is the A can very easily stand for acceleration, just making things a lot faster that we used to do manually, or even when you did it with code, you could do it even faster today than when the hand was writing most scripts, because when you think about bodies of text, which is what LLMs specifically are really great at handling, the amount of different types of user names and passwords, and data that's out there, writing a regular expression for that to like rip through a giant database of text is really hard. Like that regular expression is probably impossible to create. So with an LLM, you've now got that natural language interface. And you could say, hey, go through this and find me anything that would be interesting if I was a hacker, basically.
Travis Schack: Yeah.
Eric Olson: Yeah.
Sherrod DeGrippo: So, help me understand, we talk about social engineering in terms of emotion, emergency, and habit. Any examples of social engineering that you thought were really clever to do really good?
Eric Olson: Use of like audio or deepfakes is actually--
Sherrod DeGrippo: Audio deepfakes. Wow.
Eric Olson: Listening to, I don't remember what it was. There was something in the news, the politician in the US, and they deepfaked his voice, and then used his voice to call other politicians. And I mean, unless I guess you talk to the person every day, you could easily be tricked. They're breaking your trust, and you're like, okay, this sounds believable, or at least they have enough context about what they want that it sounds believable, and you're like, okay. You lower your shield down and, you know, just allow, you know, allow the conversation to continue.
Sherrod DeGrippo: Yeah. Travis, what have you seen?
Travis Schack: I'd have to say what Eric said, you're starting to see the phishing becoming more successful because they are getting better at calling, right? We see a lot of help desk being targeted. And, typically, you used to be able to like decipher, like, "Is this person really real or not?" But now with the voice generation stuff. And with the AI coming in, helping with the grammar mistakes, and making that more believable. But you just see that.
Eric Olson: And I think AI has definitely helped it be more relatable because you're like, "Hey, well, I know that you like this specific thing." So you don't start the conversation with what you want, you start the conversation with something to build trust first, and kind of get that person to lower their barrier, and then you come in for your ask.
Sherrod DeGrippo: Absolutely, I think, you know, we see multi-chain relationships with social engineering. We see things like, just a single email sent out. A really good example that I talk about a lot is, you know, it's on sort of email letter heads, like with a thick file and graphics and everything that says we're in a law firm and it says, "Hey, I'm of this LLP law firm, if your spouse has contracted me to repair your divorce papers, go ahead and click here to view our first draft of your divorce papers." And I think really anybody married, single, happy, unhappy, there's so many reasons for people to click on things like that.
Travis Schack: Yeah, absolutely, prey on their fear.
Sherrod DeGrippo: Yeah, or prey on their curiosity.
Travis Schack: Like jobs right now, right? I was the former CIS, the last company where I was a CISO, our HR VP got impersonated and were basically offering jobs to people, and then scamming them out of money through Google sites. And it was really hard to stop that threat actor, because they thought that it was actually from our organization. So today you see a lot-- like a lot of my friends are saying, hey, I just got this from a recruiter, they just sent me something about a job. We think this is real. So you're going to use the current times, whatever's going on. And so, you really have to be aware of what's happening right now and how threat actors can leverage that.
Eric Olson: Yeah, and even something like, "Hey, take a look at this job description." And it's in a Word doc or a PDF, and the person on the other side has malicious intent, and, you know, you're looking for a job, so of course you're going to have an interest on opening up the email and looking at the attachment.
Sherrod DeGrippo: I also think too there's, you know, threat actors have been able to really be smart about who they're targeting in terms of looking at data that's available, either open-source data or data that's out of reach and say, oh, like this group of high value individuals all have the following thing in common, I could kind of write a similar form, send that out to all of them, and see what comes back to me. I know of an example where one of those big email platforms, one of those marketing platforms, an account on one of those was compromised. And the threat actor is saying, "Great, I've got access to all these people." It was a newsletter about the wine of the month. It was a wine review newsletter. And the threat actor said, you know, great, I have access to this. I can send from it. I'm going to look through these individuals that see who's-- maybe I'll find out first who has high access that I want to maybe compromise them so I can get further access. And the threat actor sent out a wine newsletter that said, "Click here for a free bottle of wine."
Eric Olson: Hopefully, they sent the wine.
Sherrod DeGrippo: Unfortunately, you didn't get a wine, you got hacked. Bait and switch. But it makes sense, right? If you know even a little bit about your target, you can social engineer them so much more effectively. And, you know, there's everything across the spectrum of threat actors who do deep, deep research on their targets, they understand them, they tailor perfect, perfect social engineering, it pours directly in that individual. And then there's those massive campaigns of spray and pray, where the threat actor is like, I'm just going to send this to everybody and just hope for the best.
Eric Olson: Yeah.
Sherrod DeGrippo: So I think social engineering is something that we can never overlook, and I'll kind of leave everyone with this, if you're looking at an email and it's telling you to do something immediately, that is probably social engineering. Anytime that an email says you must act now, hurry, going fast, all those kinds of things, generally, you should be a little suspicious.
Eric Olson: Yeah, definitely.
Sherrod DeGrippo: All right. I want to thank Travis Schack and Eric Olson, both principal security researchers at Microsoft, for joining me, Sherrod DeGrippo, Director of Threat Intelligence Strategy, here at Black Hat 2025, to talk about social engineering and phishing. Thank you both.
Eric Olson: Thanks for having us.
Travis Schack: Thank you.
