Open SesameOp: Abusing trusted AI platforms to host a C2 server

Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? cybercrime? social engineering? fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. Hello, and welcome back to The Microsoft Threat Intelligence Podcast. Today we're kind of stepping back from a single incident. We're asking a bigger question. What does recent activity on the threat landscape tell us about where the landscape is actually headed? We're going to look at two different stories today. We're going to talk about a threat actor's evolution, Storm-0501, and how they have become a cloud-native kind of ransomware group. We're also going to look at a backdoor called SesameOp and how it's able to abuse trusted AI platforms. But, when you look at these together, they tell a coherent story sort of about what the modern threat landscape looks like and what modern attackers are doing with the tools in their toolkit. We aren't looking at smash and grab operations. These operators, this kit, it really is from the point of view of understanding the cloud; understanding control planes; understanding identity systems; and, unfortunately, understanding how defenders think. So I am joined by two Microsoft senior security researchers, Anna Seitz and Jonathan Checchi who both work with me here at Microsoft. Thank you for joining the show, Jonathan and Anna.

Anna Seitz: Thank you for having us.

Sherrod DeGrippo: It's good to see you both. If you're new to the show, I am Sherrod DeGrippo with Microsoft. And part of what we try to do here is not just describe threats, but what we really want to do is help security teams understand what the patterns are, what actually matters, and how defenders can win in the end. So let's talk about this inflection point, Jonathan, with Storm-0501. It's a threat group that's been active for years. But, in 2024 and 2025, it seems like something changed. So I kind of want to understand from your point of view what's the inflection point that kind of made this group pop on the landscape a little bit.

Jonathan Checchi: Yeah. So, as you said, Storm-0501 has had a quite a notable evolution. They started off with just on-prem ransomware. And they've gone through quite a few of those, actually, going back a few years, starting with the Sabbath ransomware in 2021. It seems like, when they deployed a ransomware, they used it until it was typically shut down. In the case of Sabbath and in the case of Hive ransomware, when it was shut down later in January 2023 and then they transitioned to your Black Cat ransomware in February of 2023, but then the notable kind of inflection point that you mentioned was when Storm-0501 kind of expanded their targeting to include hybrid cloud environments as well as they were sort of deploying embargo ransomware. But I think the most interesting point and kind of the point we want to focus on here today is that recently, in 2025, Storm-0501 demonstrated more of cloud-based ransomware tactics here where they would actually start exfiltrating large amounts of data and then just start destroying data and all the backups within the victim environment, then demanding the ransom. So this is all using cloud-native capabilities without relying on any sort of traditional malware deployment.

Sherrod DeGrippo: So I think that this is an interesting evolution to talk about a little bit. When we are talking about hybrid clouds, correct me if I'm wrong here, Jonathan, but that just means, like, an on-prem system or multiple on-prem systems that are tightly connected to cloud identity, cloud control planes; and it's a powerful connection because it can be really dangerous if it's misused. It gives you access into sort of like both universes of an organization. So, once Storm-0501 expands into those hybrid cloud environments, what does that give them? Like, what does that unlock that they didn't really previously have on-prem?

Jonathan Checchi: So, when a threat actor targets just an on-prem system, they're only able to get what's within that enterprise's data center or collection of systems. However, a threat actor is able to do more with a pivot point to the cloud, and they're able to target more of the -- whether it could be federated identities; it could be any sort of capabilities that might be more cloud-native, including cloud resources that might be expanded or even into potentially other tenants.

Sherrod DeGrippo: And something else I think that it's important to mention is that these hybrid environments a lot of times, whatever is left on-prem in most organizations is the most fragile, the most valuable, the most important, in many ways, assets and resources that a lot of organizations have because, in the evolution and maturity of moving to the cloud, most organizations in their digital transformations got everything they could get into the cloud. They pushed hard. They did the work. Brothers and sisters in the IT trenches out there, they made it happen. And, for anything that's generally left on-prem, a lot of those assets many times are the most important ones that everyone is very scared to touch, that are very fragile systems that have data going back possibly decades and decades. I worked telephony and -- early in my career, and I was working on systems that were used to provision telephone accounts when phone numbers had words in them. I mean, this was in the database that I was working on; and it was really fragile and scary. And I think that's kind of what the on-prem situation is for a lot of organizations. It's all this left. It's the sort of final fear for a lot of organizations. And Storm-0501 is able to take advantage of that. So they can do identity pivoting. They can get into these really important environments that are on-prem. They can use that to pivot into the cloud. They can have impact super fast. And something I think that's important to note for those malware watchers out there, this is just not a malware-reliant situation. It's something that gives them the ability to do things to deploy Black Hat or to deploy other ransomware variants without needing a lot of malware to back them up on it. That's kind of the unsettling part, I think. It changes what that impact radius is. When you put the identity and cloud control planes into scope for a threat actor, it changes their, you know, to use a term we all love, ability to execute. They've got the vision. They've got the ability to execute. They're at the top right. They're at the top right. So I think it's important to kind of know about that. Jonathan, is this indicative potentially of a shift to fully cloud-native ransomware on the threat landscape? Just what do you think on that one?

Jonathan Checchi: Yes. I would say absolutely.

Sherrod DeGrippo: You think we're going to see a lot more of this?

Jonathan Checchi: I think so. Yeah. I think, as threat actors evolve more and more, as just companies are evolving more and more, like you just said, there's an opportunity for less operating system specific malware and more cloud-native ransomware capabilities using cloud-native APIs, which might be harder to detect or might just blend in more with the noise in the logs that we're all looking through.

Sherrod DeGrippo: When we talk about cloud-native ransomware, I don't want anyone to think that we're talking about malware running in the cloud. This is abusing features provided by the cloud, like identity, backup, permissions, using all of those things to create a broader, bigger impact. And it almost gets to the point where encryption is sort of optional in the whole attack model in this particular style. So they can do things like data destruction, as you mentioned, delete backups. They can lock out accounts. And I think that we've seen some extortion and financially motivated ransomware type groups doing things like denying access, locking you out completely, and holding that for ransom, not necessarily having to deploy decryption. So, like, if the threat actor can deny you access, destroy any of your recovery paths, then they already have all the leverage they need at that point, I think. So let's talk about identity. Identity is a thing where, once an attacker has that control, they can lock you out, they can destroy your paths, all those things and then extort you without ever encrypting a single thing, it all becomes downstream of the identity. So what is the angle with Storm-0501 and their abuse of identity? It seems like that's kind of a foundational aspect for them.

Jonathan Checchi: So Storm-0501, especially considering their evolution from on-prem to hybrid to cloud deployments and compromises, in the case of identity, Storm-0501 was able to move laterally through their compromised identities, allowing them to be able to reach the global admin role that was so valuable to them. It essentially gave them the keys to the kingdom that they were able to then essentially do whatever they want on that tenant or on that subscription.

Sherrod DeGrippo: I think it's interesting how identity has become such an important and powerful tool for threat actors. It really means that, as an organization, you have to maintain protection of your identity assets, really more strongly than a lot of other things that are available to defenders. If you're able to keep your identity safe, yes; identity and access management is important. Access is the thing that I think a lot of threat actors look for, especially if they can get it with an easy in. Like, they don't just have persistence at that point. They have legitimacy. So, like, the system sees those logins as legitimate logins. To the system and to a lot of these detective capabilities, a lot of detection capabilities, it's very hard to tell when a system is being logged into by a threat actor that's compromised in identity unless you have really good control set up and unless you have really good detection engineering setup. I've mentioned many times on the podcast that, in many ways, detection engineering really is the first and last frontier on keeping things safe because, when we can detect, we can defend. If we don't see it happening, then there's really very little option in terms of keeping things safe. So let's talk a little bit more about Storm-0501. They're using Federation, and I think that's something that's really worth talking about. Just to clarify, federated identities are how one identity system is trusted to authenticate users for another system. You might go to log into an account and it says, Log in with one of these variety of other accounts that you might have, whether it's one of the large tech providers or a large cloud provider. Microsoft has availability for these as well. When an attacker controls that trust, they can just create as much valid access as they want. And Storm-0501 knows that. They got right down to business, I think, on that tip. Like, they saw immediately, if they can control the trust between federated authentication from user system to user system, they can have a lot of access available to them. So is there anything we should know here about how Storm-0501 is leveraging federated authentication to get what they want, how they're abusing federated authentication?

Jonathan Checchi: Yes. Storm-0501 added a malicious federated domain that allowed a sign-in as nearly any user and was able to implant a backdoor. This led to them being able to implant a backdoor in the Entra ID tenant, as well as the potential for, in any case, the threat actor is able to use something like this to then do any sort of actions on objective, any part of that -- that kill chain, such as deploying ransomware to encrypt endpoints on servers and even compromising any sort of those trusts that you mentioned.

Sherrod DeGrippo: So I think this federated authentication abuse aspect is really important. We don't see a lot of threat actors having that level of sophistication, especially on the financially motivated side. So I think that's really interesting. And I think that it's really interesting that this threat actor knows that that is a great vulnerability to exploit, to leverage. They get that legitimacy as far as the system is concerned. So they're not just persistent. They're able to say this is a legitimate user login and kind of take that identity. It's very hard to detect, and it also gives them the ability to have access for a very long time. It's a regular user account. It's logging in. And, from most detective capabilities, from a detection engineering standpoint, it's behaving in a way that this normal user would behave. So I think that's interesting to call out. And the final thing I want to talk about is what actually breaks this attack chain. So, Jonathan, give me an idea, if you're a defender, what can you do. This activity looks like legitimate admin behavior. So what can break this from happening? What can stop the threat actor from leveraging these paths?

Jonathan Checchi: I would say the typical identity based mitigation such as conditional access policies and, of course, deploying multifactor authentication and ensuring that all roles and users only have the privilege of -- at least all follow the principle of least privilege. Don't give anyone more access than they need. And, in this case, Storm-0501 was able to essentially laterally move around a network because, at first, conditional access and multifactor authentication blocked their initial attempts and pivot to the cloud. However, they were able to compromise a second server that -- where they repeated the reconnaissance process for first active directory domains and then moved laterally until they found a hyper joint device that satisfied the conditional access. And so, in this case, making sure that whatever path to all of your global admins or any sort of high-privileged users and roles in your environment, whether it be on-prem, hybrid, or cloud, make sure that they are all locked down as strict as possible.

Sherrod DeGrippo: I think that that's a job for defenders to really check into, to make sure your organization is doing things like enforcing MFA everywhere without exceptions; conditional access policies, like you mentioned; having the conditional access evaluated every time there's a sign in; monitoring identity events, not just endpoint. I think it's super important to look up the stack, east, west, north, south, understand all of those checkpoints that an attacker has to go through and make sure that you're looking at all of them. So that comes down to monitoring identity events, like I said, not just focusing 100% on endpoint. A lot of these controls have existed for a very long time. So it's not a lack of capability on controls. It's that organizations are postponing implementing them in certain cases. I also think that, when it comes to identity, it's very much treated like foundational IT, sort of the domain of IT to deal with. But, as a defender, as someone who is security minded, you have got to stop thinking of identity just like foundational IT stuff. It is not something that you can figure once and then just let it go. Attackers like Storm-0501 are treating identity as an active attack surface, and you have to keep that in mind when you're looking at things like legitimate admin behavior. Legitimate admin behavior is something that we say, but what it really is, is unverified admin behavior. So you have to legitimize admin behavior before it becomes legitimate, if that makes sense. You have to know for sure. You have to verify for sure that that administrative action is being done by an administrator with that identity. So I think that's really important. Jonathan, I'll ask you one follow-up question. What do you think the controls are that organizations are most likely to delay? Like, what controls do organizations really need to prioritize because attackers are looking at those so closely?

Jonathan Checchi: Really, I think the best thing is correctly configuring your pivot points in the cloud, whether it's Microsoft Entra Connect Sync or any other part of cloud provider that you may have, the biggest thing is just making sure that things are as locked down as they can be. Any sort of mitigations will all follow. I think correctly configuring your pivot points to the cloud, whether it is an Entra Connect Sync device or the other devices for another cloud provider, as well as ensuring proper monitoring, just as you said earlier, even with really good log retention because modern threat actors today sometimes will sit in an environment without doing anything.

Sherrod DeGrippo: I think that's really good to remember, too. And I think it really does come down to proper management, maintenance review, and visibility into your identity. You've got to get your identity situation squared away. And I think I have a lot of sympathy for organizations that still have on-prem, that are still sort of living and dying by one on-prem server that's super important to them. I have a ton of sympathy for that. I'm not going to tell you what to do here, but you have to really keep good eyes on what's happening there because threat actors are really leveraging those pivot points to be able to get in and out of your cloud onto the on-prem environment or from the on-prem environment into cloud. We see a variety of threat actors doing that. Some of the Sleet threat actors do that. Obviously, this new Storm actor is doing that. It's become part of the playbook. So keep your identities up to date. Keep your identities monitored. Keep your on-prem and cloud pivot points really examined and locked down as much as you possibly can. So let's talk a little bit about SesameOp. It is using trusted platforms as command and control. This is technically really different, but it's the same pattern that we have kind of been talking about, which is this new evolution on the threat landscape. Anna, SesameOp isn't just interesting because it's AI, which is very interesting. It's interesting because it's using a trusted platform as its infrastructure. Help me understand what's happening with this back door.

Anna Seitz: Yes. This is a fascinating event that has occurred. I do think this is something that has shook up the threat landscape. When we were uncovering this, it was a very exciting time, obviously. So basically what happened, we have a team here called Microsoft Incident Response Detection and Response Team. So the acronym is DART. Security researchers on DART uncovered this back door. And this back door is really notable because it has OpenAI assistance as a mechanism for command and control.

Sherrod DeGrippo: So help me understand. SesameOp is using an API as command and control. And just really quickly for those listening, command and control is how a threat actor sends instructions to malware and gets results back. What's unusual in this particular instance is this communication lives inside a legitimate SaaS platform, a legitimate AI SaaS platform. So, from a defender's point of view, it just looks like normal API usage. It doesn't look like your traditional command and control traffic, which is beaconing out to the primary server for the attacker. So what happens here, Anna? How are they leveraging this? What does it look like?

Anna Seitz: Yes. So analysis concludes that the back door is purpose-built to maintain persistence and also allow a threat actor to stealthily manage compromised devices. And the stealthy nature of SesameOp is consistent with their objective of the attack, which is determined to be long-term persistence for espionage type purposes.

Sherrod DeGrippo: And I want to mention quickly, the system in this case is being used as it's designed. It's giving malicious outcomes, but this is not something where there's a vulnerability that needs to be patched. There's not really a traditional exploit the way we think of exploits. This is leveraging a platform to do things it's not supposed to do. So it's essentially policy compliant, but it is abuse.

Anna Seitz: Yes. So there's no vulnerability or misconfiguration. It is just a misuse of the built-in capabilities of the OpenAI assistance API. And that is actually being deprecated in August of 2026.

Sherrod DeGrippo: And so how do we deal with something like this? What can we tell defenders they need to do? What has Microsoft done? How do we know that this isn't being leveraged anymore?

Anna Seitz: Right. So the main reason why we're even sharing these findings in the first place is to help disrupt this back door and improve defenses of this and similar threats. Microsoft and OpenAI investigated this together, and they shared findings. DART shared their findings with OpenAI who identified and disabled an API key and associated account believed to have been used by this threat actor. And the review confirmed that the account had not interacted with any OpenAI models or services beyond limited API calls. And then Microsoft and OpenAI continued to collaborate on this to better understand and also disrupt how threat actors are attempting to misuse these emerging technologies.

Sherrod DeGrippo: So, for organizations out there that are SaaS platforms, is this something that they should be worried about?

Anna Seitz: Yes. This is -- this is a pretty scary thing. I mean, there's -- you know, obviously, when you talk about AI, everyone thinks of end of the world immediately. We're not there. But, obviously, like you say, there was nothing vulnerable. There was nothing too out of the ordinary. It's a legitimate tool being used for illegitimate purposes.

Sherrod DeGrippo: I think it's interesting, too, to kind of mention that, with AI, with threat actors, I think what we have fallen into is this rhythm that AI really is another tool that threat actors are leveraging, just like they have for decades. And it isn't this new, undefined nuclear situation that I think some were concerned about at the beginning. We see them leveraging AI tooling to enhance what they're doing, to get better at what they're doing. And then, as we see in this situation where Microsoft worked with OpenAI to get some of this mitigated and getting this handled, I think it's important to note that it's the same pattern that we always see. A threat actor gets a tool. The threat actor uses the tool. We work with vendors, platforms, partners, private sector, public sector, our commercial friends, all of these people and we say, okay. We see a threat actor doing this. Let's shut it down. That really, I think, is going to be the way forward with the AI usage by threat actors. It's going to be we discovered it. They're doing something that's abuse, that's policy breaking, that's malicious. Let's work together to cut their access to it. Do you think actors are going to copy this? You think there's going to be more of it?

Anna Seitz: I do. I think, you know, anytime there's a new technology, there's obviously lots of room for bad guys to be bad. And, in this case, this was a fairly sophisticated campaign -- oh, I wouldn't say campaign. It's a very sophisticated incident. And so I think the level of technical ability in this case was -- was really detailed and high. But we already see this happening with LLMs. You know, obviously threat actors abuse LMS for phishing campaigns all the time, and it's in the similar vein as that. So, yes. I think as long as there's a tool in existence, somebody's going to find a way to use it for badness.

Sherrod DeGrippo: I think that's really true. And I think that, honestly, that in many ways, to me, is a positive realization. We are defenders. We've been doing this for a long time. I've been doing this since some of you were not even children yet. And this is the pattern that we follow, right, is we see the abuse. We see the malicious behavior. We chase down the threat actor. We cut them off. We -- we kill their access. We take away the vulnerability they're using. We change configurations. We secure things, and then we go through the next one. And I think that that really is kind of the -- you know, it's the Sisyphus of security. So we're always pushing that rock up the hill, and we'll just keep doing that. That's just sort of the reality of a lot of what security is. And I think it's important to -- with SesameOp, specifically, to mention we immediately go work with OpenAI. And we will work with whoever else we need to work with to cut threat actors out of the ecosystem because it truly does impact all of us when threat actors have access to tools, platforms, capabilities that they are either abusing or they're using for malicious purposes. Let me understand. If defenders just say, oh, platform providers will catch all this. I don't need to worry about it. Do you think that is true or false?

Anna Seitz: I would say that's false. I think that's something that, like you say, detection engineers are most crucial element of security. I feel like it's going to be all hands on deck type situation. Everyone needs to be looking after their own stuff.

Sherrod DeGrippo: Yeah. I think that that is really something as AI gets more and more integrated into organizations, into people's daily lives, right? One of my favorite AI LLMs recently added connection into my favorite music streaming service and can make playlists for me now. I said, wow. That's really interesting. Of course, I tried it out. I think what we're going to see is this kind of new reality where AI platforms are woven into the things that we're already doing every day, that the connectors are going to be created for us by a lot of the platform providers. And so we're going to have to make smart choices about how we secure ourselves; how we secure our identity, as we mentioned before; and how we secure our data as individual consumers, as well as obviously in the enterprise as enterprise defenders, whatever it may be. My -- I will mention also that that AI provider also now integrated with my favorite grocery delivery service. So I can literally say I want to have filet mignon. I want to have steak frites for dinner. I'm a steak frites eater constantly. I want steak frites for dinner and ice cream, and please get it. And it will get me the ingredients. It will get them ordered through the delivery service, and here they come. So I think that that's kind of the mindset that defenders need to have is that things are going to start getting pretty tangled up.

Anna Seitz: Yes. And even just to clarify, in this instance, in the context of OpenAI, assistance in this case refers to a feature within the OpenAI platform that allows developers to create custom AI agents for specific tasks. And that kind of goes back to why would a bad guy want to create something brand new when they can use something that already works very well and they don't have to reinvent the wheel. So I do believe we'll probably continue to see that.

Sherrod DeGrippo: I also think that it's sort of a tried and true unsecured API access is something that threat actors are always looking for. Open API available out on the internet. All of these things, threat actors know about it. They want to find API access. In this case, this isn't about AI being dangerous. As much as, you know, I hear my -- my fellow compatriots in security talk about AI being the, you know, fall of civilization -- it's going to ruin everything -- this is not about AI being dangerous. This is about a threat actor knowing where defenders aren't comfortable, where defenders aren't comfortable drawing really hard lines between who's responsible for what and threat actors knowing, Oh, wait. I just need to wiggle my way in there, and I will have a lot more access than I had. I'll have a lot more capability than I had. And then they've got a fantastic command and control capability.

Anna Seitz: Yes. And also stealth. I think the obfuscation here was really interesting, as well, since the infection chain consists of that loader and a net-based backdoor that leverages the OpenAI as the C2. So that kind of makes it a little novel, exciting. But, yeah. It's hard to -- it's going to be harder and harder to see these types of events, unfortunately.

Sherrod DeGrippo: Because this command and control traffic doesn't look like malware. It doesn't look like malware traffic. It just looks like normal API usage because it is normal API usage in an abusive, malicious way. But shout-out again. Shout-out number two to my detection engineers out there. This is going to be a tough one that's going to be really hard, that might not even be possible to write traditional detections for. And that kind of goes back to that question of where is AI, and where are your SaaS platforms being woven into everything within your enterprise. Policy compliant abuse is very hard to defend against. I'll tell you. If I say one thing about Microsoft, policy compliant abuse is something that we work super hard on. You can go back in this podcast and find episodes with Kelly Bissell. He works super hard. His team and he works super hard to find abuse within Microsoft that doesn't seem like abuse. So security -- security teams are good at detecting violations. They're good at detecting clearly malicious things. But I think that, as defenders, we're not as good at detecting something that's just misuse. And I feel like SesameOp has that misuse policy compliant abuse wiggle word within it. So there's no patch. Like, you can't -- you can't patch this. You can't, you know, detect this traffic. It's always being malicious. It's not malware, things like that. Something else I want to point out before we kind of wrap up here is that this is Living Off the Land, but it's Living Off the Land at a SaaS layer, which I think is really novel. When you move up into that software as a service level and into that API layer, you're Living Off the Land in a whole new way, a whole new frontier of Living Off the Land. But, again, it doesn't require malware. It doesn't require installing specific software. It's leveraging what's there to make the things happen that you want to happen. So, Anna, we're going to wrap up now. But tell me, if our listeners are super excited and super interested about a deep technical dive on SesameOp, where can they go?

Anna Seitz: They can visit the Microsoft Security blog. There's an extensive technical writeup on exactly how Microsoft worked with OpenAI to uncover this and all of the details of how the back door works, and you can check it out on the blog.

Sherrod DeGrippo: Perfect. Thank you. If there's one thing I think you should take away from today, it's this: Threat actors are not just innovating technically. They are innovating strategically. They are thinking from a strategic point of view about where they can go to get the most access, to keep it longer without getting detected. That really is what both of these stories kind of tell us today. Storm-0501 shows us what ransomware looks like when it kind of is cloud-native, grows up in the cloud. SesameOp shows us what command and control looks like when attackers just borrow trust instead of building their own infrastructure or using malware. That's why threat intelligence matters. It doesn't just explain what happens, but it helps all of us as defenders recognize what might be coming next. And it helps us think more like threat actors. And, ultimately, if you can think like a threat actor, you can see your network, your defense, all of these things in a completely new way that allows you to find those holes, patch them, secure them, deploy them, secure by default. It really does help when you understand what threat actors are doing. Thank you so much to Anna Seitz and Jonathan Checchi, and thank you to everyone else listening to The Microsoft Threat Intelligence Podcast. Thanks for joining me, guys.

Anna Seitz: Thank you so much.

Jonathan Checchi: Thank you.

Sherrod DeGrippo: Thanks for listening to The Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintel podcast.com for more, and subscribe on your favorite podcast app.