
Eviltokens: A Conversation with Huntress on an AI‑Enabled Device Code Phishing Campaign
Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape.
Unidentified Person 1: This week on The Microsoft Threat Intelligence Podcast, we are joined by our colleagues at Huntress to discuss EvilTokens. EvilTokens is part of the growing cybercrime-as-a-service ecosystem, but this particular offering abuses AI in order to bypass MFA. Listen in on the discussion from our live recording that was aired earlier in May.
Unidentified Person 2: Artificial intelligence is being hailed as a turning point for humanity, and adversaries are turning it to their advantage.
Jamie Levy: The first anomaly showed up on February 19 and February 24. These were individual alerts, the kind that don't immediately set off alarm bells.
Rich Mozeleski: Usually what we see with these phishing campaigns is it'll be one or two days of activity, and then the trade craft changes or the infrastructure changes.
Jamie Levy: But, if you see the same cloud IP hit 50 organizations within the same week, suddenly you know that it's not just this weird blip.
Rich Mozeleski: All from the Railway organization, all with the same attributes of device code phishing.
Jamie Levy: By this time, our analysts have started pulling on the thread, and we're staring at what would become hundreds of incident reports across 344 organizations, all within 16 days.
Unidentified Person 2: Adversaries adopted AI early, moving quickly and aggressively, knowing that for every innovation there's an exploit.
Jamie Levy: EvilTokens is a Phishing-as-a-Service platform. Think of it as a software as a service except that the product is a complete attack kit.
Unidentified Person 3: This attack has commoditized device code phishing entirely, and AI has played a significant role from the business email compromise perspective in reducing the time and scaling the number of compromises.
Jamie Levy: It's basically lowered the bar for crime for everyone.
Unidentified Person 2: The campaign at the center of this conversation is old school phishing, only turbocharged. It moved through trusted platforms and legitimate authentication flows, and it didn't even look like an attack.
Unidentified Person 4: Have you ever set up Netflix on your TV where you've got to scan the QR code on your TV and then log in on your phone to log in from your Netflix account so you don't have to enter your nice secure password on your TV remote? That's device code phishing.
Rich Mozeleski: The infrastructure being used was bypassing a lot of traditional email filtering solutions.
Jamie Levy: No password needed. No MFA to defeat. The token gets relayed through Railway.
Unidentified Person 2: This is a watershed moment in cybercrime, a new standard for how attacks are built, launched, and scaled.
Jamie Levy: The attacker goes from capture token to drafted wire fraud email within minutes, all automated. That's the AI shift.
Rich Mozeleski: EvilTokens is not going to be the last AI-assisted adversary infrastructure that we see out there. There will be more. They will continue to bypass traditional defenses like spam filtering, and we have got to get more proactive about our defense against that.
Unidentified Person 2: Microsoft and Huntress don't see this as a one off. We see it as a warning of what's ahead. Are you ready to come together and use this knowledge to make these attacks less effective?
Lindsay O'Donnell-Welch: All right. Hopefully that video gave everyone a little glimpse into the madness of how EvilTokens' platform works. Welcome, everyone. This is -- thanks for joining us today. We're going to be talking about the massive EvilTokens campaign that both Microsoft and Huntress observed earlier this year, breaking down exactly how this attack worked and what it means to and what we think about for identity security moving forward. So quick intros. I'm Lindsay O'Donnell-Welch with Huntress, and I'll be your host for this event. Unfortunately, Casey Smith is out sick today. So I'm joined by Jamie Levy, who is the Senior Director of Adversary Tactics here at Huntress. And we're very excited to also be joined by Sherrod DeGrippo with Microsoft. So, Jamie, Sherrod, thank you so much for joining me today.
Jamie Levy: Yeah. Thanks for having us.
Sherrod DeGrippo: Good to be here.
Lindsay O'Donnell-Welch: Yeah. So, Sherrod, you may not need an intro because most people know of you and of your work in the threat intelligence space and particularly with The Microsoft Threat Intelligence Podcast, which I always love to tune in to. But I will just let you kind of take the floor real quick and give a quick introduction to yourself.
Sherrod DeGrippo: Sure. Thanks, Lindsay. It's great to be here with you and Jamie. My name is Sherrod DeGrippo. I am the Partner General Manager for Global Threat Intelligence at Microsoft where we, you know, watch what threat actors do and try our best to make their lives really terrible. And been doing it for about 23 years. Spent the last 19 years at information security and threat intelligence vendors. I'm a network detection engineer in my heart, and I want to know what threat actors are doing so we can stop them at every turn.
Lindsay O'Donnell-Welch: Absolutely. Well, we will certainly give an inside look into that during this webinar. Let's move to the next slide and get into the attack here. And, by the way, we'll have Q&A at the end. So, if you have any questions, to our listeners, be sure to use the Q&A box so that we can see those and get them answered by the end. So, just to start real quick, from Huntress's side, we saw EvilTokens as part of a major campaign that we tracked earlier this year. And, Jamie, you were really on the forefront of that investigation from our team. Can you just real quick walk us through what the team saw, how the campaign played out, and really all the different parts and pieces there?
Jamie Levy: Yeah. So at first it kind of just trickled in around February 19 and the 24th. We just saw just the very first glimpses of this, and we didn't really know that this was part of some ongoing campaign. But then, around March 2, everything shifted. All of a sudden we had hundreds of organizations that were impacted, and everything seemed to be coming from this particular website called Railway.com. And so we started looking into it. And there were all these various types of attacks that were going on, but most of them were the device code phishing. So, when we started looking at how this actually works, we noticed that there's a phishing stage. So the EvilTokens customers deploy this phishing page. It's often hosted by Cloudflare workers, other compromised websites, or legitimate accounts. So the URLs look clean and basically are able to get through any normal spam filters or anything like this. The lures were also sophisticated, and they were all unique. So there were things like construction bid proposals, real company names used, DocuSign impersonation of fake Microsoft forms, for example, and the emails were traveling through legitimate security rewriters like Cisco Secure Email, Trend Micro, Mimecast, etc.
So all these things were very carefully orchestrated in order to make sure that they were able to get through various things that would have caught this, and so there could be like three to four hops before you actually got to the actual phishing page. So, when the user clicked it, it just looked like a regular Microsoft authentication code and, you know, just looks like a normal thing that you would just copy and paste in just to get to wherever you're trying to get to. And, unfortunately it would hit the back end of the EvilTokens back end. And there's no password. There's no malware. There's no MFA to defeat. It just gets relayed to Railway. And at this point the attacker could then very easily search across emails, calendar invites, etc. But this was most likely automated by AI; so it could look over all the emails, all the calendar invites, get an idea for who the financial targets should be. It could also write these -- these lures within the same voice as the user. And so it could just very easily spit out a whole bunch of emails and just kind of yeet them out to various victims. And of course it just looked like a normal developer app.
Lindsay O'Donnell-Welch: Yeah. I think that's something to emphasize here is really that just the normalization of this. And, you know, what sticks out to me at least is that there's, you know, trusted infrastructure being used here. There's also no malware, no attachments. These are all things that we've been trained to look as users to look out for when it comes to phishing, and so attackers are kind of finding the ways to, you know, skirt around these red flag tip-offs that we know so well. Sherrod, would love to hear your perspective on the campaign from Microsoft's POV and, you know, how this fits really into the broader cybercriminal landscape that you've been tracking forever.
Sherrod DeGrippo: I think this is a really interesting one, and I think Jamie did a great job of walking through what that attack chain feels. And it really stood out to us because, when we look at global identity, that telemetry at scale is always full of a lot of phish. It's got a lot of phish noise always. But, in this case, it didn't really have that same commodity phish feel. There was a feeling of being coordinated, looking really intentional, and honestly looking like it was engineered and created in a very intentional way. I think there just wasn't that feeling that, oh, this is just another throwaway phish campaign. It had a systematic feel, and that's kind of where the EvilTokens piece of it starts to matter. It just -- it wasn't just somebody sending emails. It was much more productized, feature rich. There was like an infrastructure feel to it. And so, when I talk about this for people, I try to make sure they understand. For the audience, if you're thinking about this as, oh, this is just phishing, that's a complete underestimation really of what's happening here; and we'll dig into that later. But, for the audience, I want them to frame the way they're understanding this as not just phish noise because it is actually an evolutionary shift, I think, in the way that we see broad cred phish, especially the pieces of that ecosystem, the way they're working.
Jamie Levy: Yeah. I mean, it was really interesting how the lures were just so targeted and written within the same voice as the victim. And you would never suspect a thing. It just looked so legit. And they were all different. Everything was different.
Lindsay O'Donnell-Welch: That's -- yeah. It's really interesting. And, Sherrod, I think you make a good point that there are some older tactics that are tried and true that were used in this campaign, but it's really this back-end professionalization that makes a difference here. And, you know, here at Huntress, while this campaign was rolling out, we started to realize, hey. This is really a watershed moment, not necessarily in terms of these components of the attacks but really how threat actors were taking these techniques and automating them almost into a single orchestrated campaign. So, if you go to the next slide, we made this timeline of the -- almost the evolution of phishing techniques, and I wanted to give a callout to our audience here. If there was any major security phishing attack or kit or crimeware app that you remember over the years that really turned your head or even just, you know, a phishing attack that you heard about in the news, I want to -- we want to hear about it. And Sherrod, Jamie, as you look over this timeline, when you think about your careers, were there any real evolutions in tooling or phishing that you remember that were similar maybe to this where you were like, wow. This -- something big is going on here.
Sherrod DeGrippo: Oh, geez. This is so nostalgic. I can see Jamie, too, being like, oh. I've been traumatized by Zeus.
Jamie Levy: Oh, my God. Yeah.
Sherrod DeGrippo: I worked a lot of Ursnif. I worked a ton on Emotet; Bumblebee; Avicadabra, which was a ransomware financial access broker. There have really been eras. Petya, NotPetya, WannaCry. God; there have been so many eras in this landscape. Looking at this is, oh, the good old days. I remember them.
Jamie Levy: Yeah. I mean, in a way it was kind of simpler when there was like actual malware, right?
Sherrod DeGrippo: Yes.
Jamie Levy: Like the Zeus days. Of course, Zeus was a pain in the butt at the time. But yeah; it's just -- it's crazy. You've gone from malware that's injecting HTML code into the browser in order to capture the credentials and then kind of moving away from that to cloning websites so that people would just go to this other website that looks exactly like wherever they're going to go into, right, and then having the adversary in the middle, like, capturing things in between and being able to take over that way. And then we have device code phishing, which is the big thing now. And then you have this AI component, which is basically taking all of these things, right, and just like any type of attack and just kind of like putting them out at scale basically. Yeah. I mean, it's just craziness now.
Sherrod DeGrippo: This is like looking at an old high school yearbook for me.
Jamie Levy: Exactly.
Sherrod DeGrippo: I remember Webinjects with Ursnif and a couple other banking trojans. There was a lot of telemetry and intelligence within the Webinjects themselves that each banking trojan was using because, as Jamie mentioned, they had to create an entire fake landing page to pass through the authentication credentials to steal out of your -- you know, your banking login. And yeah. Really was a simpler time. And I think all of those tactics from the financially motivated landscape that we've seen over the past 10 or 15 years, those are all going to come together at an accelerated scale now that AI is available as tooling for the criminally motivated and financially motivated actors.
Lindsay O'Donnell-Welch: Yeah. Absolutely. I see a couple people in the chat here calling out AI as well. Brian, that's a good callout and then also a couple other ones. Blake said newest ones we've been seeing the sac -- the last six months is the fake captcha, along with the DocuSign phishing email. So those are certainly good ones as well. So, you know, just when we look at this attack in general, one component of this attack, which I want to differentiate is different than that watershed moment that we're talking about. The component is device code phishing. Now, one reason that we had that timeline just now is to show that this is something that attackers have found is tried and true. And I just wanted to have us go through the reasons why this type of attack is so successful and is working really well and make sure that, you know, our listeners come away really with an understanding of what device code phishing actually is. And, by the way, if you've actually -- if you're in the audience and you've actually come across a device code phishing attack, I want to hear about it, like your own detection stories or any kind of red flags that you've seen there that we could share with the audience. So, like we mentioned in the video, this is a legitimate authentication process that attackers are targeting, right? They're not looking at a flaw, they're not looking at a vulnerability. This is them. This is a very real process they're inserting themselves into as you kind of use it maybe to sign into an app on your TV or something like that. And so, for attackers, it allows them to bypass MFA and gives them persistence in the network. And Jamie and Sherrod, by the way, feel free to jump in here, as well, because I know, Sherrod, from your perspective, Microsoft found some really interesting unique parts of this attack, as well, having to do with device code dynamic -- being dynamically generated, things along those lines. So, you know, this is kind of what we're seeing from our end.
Sherrod DeGrippo: Yeah. I think the operational maturity aspect really stood out, and the dynamic device code generation happening at the moment of click. So there's, like, a solution to the timing problem; and the lures, you know, from what we can tell, are AI generated. So they're role specific, and it gets a much higher potential for engagement when they're so customized, as Jamie mentioned. And, also, backend automation allowing for scale out across an entire infrastructure and blending it into normal enterprise traffic, I think that's kind of what makes it feel different, even when each technique by itself isn't necessarily brand new individually. But it feels like evolutionary development to be so coordinated and operationalized and functional. And I think, you know, we see that and have seen that across the financially motivated ecosystem for a long time. Threat actors are becoming so operationally mature in what they do, and I think this is just a great example of it.
Jamie Levy: I think so. I mean, you're definitely on point. The thing that also was a little bit scary to me was, like, the low bar for everybody else to get in on this. So, if you look at the Telegram messages, I mean, it only costs like $1,500 for a license and then a $500, you know, maintenance fee or whatever. So, like, anybody could really just afford that if they just had that burning a hole in their pocket. And then the financial gain of course could be quite a bit.
Sherrod DeGrippo: Yeah. And I saw some -- just quickly in the chat, I saw someone mentioning some questions about MFA. So the reason that this shows as so effective is that a lot of this activity looks legitimate. The authentication is real. The login flow is real. The endpoint that the user is sent to is actual legitimate infrastructure. So that means your signals that you're looking for like bad login, suspicious domain, that does not work. That's where MFA kind of comes in, in a way that I think makes, as Jamie said, scared. There's a discomfort for defenders when we see these kinds of attack chains because the user is actually completing MFA; and we are doing -- they are doing what we have trained them to do for so many years, but they're doing it for the wrong session. So that is what makes it sort of such a killer is that the user feels nothing that's unusual or different or problematic. So, instead of credential theft, it's like session authorization abuse. And the attacker is getting a fully valid token because the user authorized it.
Lindsay O'Donnell-Welch: Yeah. That's a good distinction to make, Sherrod. Okay. If we turn up to the next slide, I just want to show real quick because, Jamie, you talked about at the back end, you know, what threat actors -- what this means for threat actors too. And you can see here on the left Microsoft -- or, Sherrod, this is exactly what you're just talking about. This is literally how it's designed to look for a victim here. I mean, they get the unique code. There's a legitimate link. There's kind of the lure there. And then on the right there you can see that this is scaling on the back end to thousands of targets simultaneously. So this is completely -- looks completely legitimate, normal on the front end; and on the back end we're seeing that scale, that operationalization that threat actors kind of have access to with this. So it's really interesting to see both sides, and we'll actually do a demo here in a second. But I first wanted to talk real quick about the AI aspect of this, which I know everyone has lots of questions about. So, if you could, just go to the next slide. One thing that we found with -- when we looked at the Telegrams from EvilTokens is the inclusion of AI. We actually partnered with Flare here to take a closer look at these Telegram channels where the threat actors were posting messages about these products, quote, unquote. And these included almost marketing messages about AI workflows included in their products that help in terms of bypassing email filtering or tailoring phishing lures and finding sensitive emails for exfil. So you can see again, you know, this is really a product that cybercriminals are selling. And, Sherrod, I know -- you know, we've talked about AI a ton in the past, maybe not more recently because things have certainly accelerated. But I would love to hear what you think of this and how it points to kind of how threat actors are using and embedding AI tools into their attacks.
Sherrod DeGrippo: Yeah. I think for those of you who haven't heard of AI, you should really check it out. It's very new and interesting. It's been under a rock for a while. So I think, you know, that's a question I get quite a lot from CSOs, practitioners, anybody talking about what's happening with threat landscape. The question is always how are threat actors using AI? And now I can very confidently say that threat actors are using AI across the entire attack chain, from recon all the way to ransomware negotiations being automated. And so anything that you can use a tool for, whether that's AI or another tool, anything that you can use a tool for, threat actors are going to use it for malicious purposes. In this particular case, I think it's interesting how dynamically generated bespoke customized content ended up being very compelling feeling for the users. So that's something that I found very interesting in the way that AI is being used how you would expect. You know, many people today are being expected, compelled to use AI at work; and the threat actors are using AI at work just the same.
Lindsay O'Donnell-Welch: Yeah. Go ahead, Jamie.
Jamie Levy: Oh, yeah. I was just going to say, I mean, this definitely made it so much easier to scale things, right? I mean, like, they could look at thousands of emails and calendar invites and documents and whatever at a time in order to craft things that were very convincing, that you wouldn't even know that this is something that you shouldn't interact with, right? And this is normally something that you'd have to have a human look at, a social engineer who could figure out how to craft this in the voice or whatever. And you can imagine that's like hours of time, and then here we're limiting it down to minutes probably but with computer time. So, I mean, it's just crazy. And then you can send out thousands of emails without any effort whatsoever just by typing something in. It just builds the entire infrastructure, the emails, sends it all out, and captures everything on the other end.
Sherrod DeGrippo: I think that's right. And I think looking across, from a financially motivated threat actor perspective, this is sort of not just an evolution but it's almost like they want to be the best. They want to be really good at this. They want to have a highly effective, well-done product. They want higher conversion rates. They want lower friction. They want the victim to just be able to sail on through easily, and they want to evade detection. And it's almost like a product roadmap to the best, you know, type of phishing tooling and phishing infrastructure that you could build. They really said let's make the super car of this kind of malicious hardware software, and they did a great job with it. It's very full-featured.
Jamie Levy: Yeah. I have to say I'm impressed with the entire product 100 percent.
Sherrod DeGrippo: Yeah. It's -- it is -- it's a high-quality, high-performance functioning, really well-done product. If you look at it from that perspective, feature development is there. The infrastructure is there. The operational capabilities are there.
Lindsay O'Donnell-Welch: Absolutely. And, you know, it's interesting when we are faced with something like this. How does this change how we think about identity defense from a security perspective? Would love to hear from both of you about the assumptions that need to change when we approach something like this.
Jamie Levy: Go ahead, Sherrod.
Sherrod DeGrippo: Yeah. I think Jamie and I are both sort of being in-depth with this, we sort of are bewildered a little bit because for defenders it's tough, right? I know I saw some discussion of KQL for detection in the chat. I highly recommend that. Both Huntress and Microsoft have published on this, so we have KQL and hunting queries that you can take out of those blogs. You can just search for them. From the telemetry, this activity is indistinguishable from legitimate user behavior, so that makes things really hard for defenders. That makes things really uncomfortable. Adding more alerts does not solve this problem. So you actually need, as a defender, context on who the user is, what are they trying to access, is it consistent with their normal workflow. The authentication is not a strong signal that it -- you know, successful authentication is an indicator; but it is just not a strong enough signal to be able to find this sort of like needle in a needle stack. You really have to think about behavior-based detection and how that can matter more when infrastructure looks clean. I think that's probably what's so frustrating for defenders is that this is so legitimate. We have to start thinking more about anomaly and what normal should really look like from a user behavior perspective.
Jamie Levy: Yeah. I think it's really hard also if it's -- if you're just an individual company that's, you know, looking over or protecting your own identities because it may not even look like much. It may just look like a blip here or there as it's happening to you. But, I mean, luckily for us, you know, we have thousands of identities that we're looking at; so it was very obvious that something was happening because all of a sudden we're getting lots of these -- these events from certain IP addresses. And so we're just kind of wondering what that was, right, and digging into it. So yeah. I mean -- but, like Sherrod said, it's very hard to actually know what's happening because it does just look legitimate. I guess one thing that you could do to be proactive, I mean, Railway.com is one of these things, but there's plenty of these other websites like Fly.io and various other ones. So, like, you could try to be proactive and be like, well, are these IP ranges interacting with my identities, you know, and have alerts around that. But, still, it's probably not the most effective way.
Sherrod DeGrippo: I think, as we always say, threat actors will use trusted infrastructure because they can obtain it. It's cheap; it's not free. They can scale it. It blends in. So sort of some of the comments in the chat are right. A bad domain or malicious domain blocking is not going to keep up with this ever. It has to be about whether an authentication event makes sense, not just whether it is valid and successful -- those are two different things -- which means looking at things like is the user authenticating through an authentication flow that they normally use, is it happening from a trusted device, is it aligned with their role and their behavior; and that's where conditional access can be really helpful. It'll let you enforce contextual things like that. Like, for example, device code flow is not allowed except in these ABC specific scenarios. Or you can have something like certain roles that require stronger requirements around the device or around the location. Somebody mentioned too fast to travel in the chat. That's an aspect that I think is important to examine in this as well. So just I'll wrap up with kind of saying there's -- you know, when I first came to Microsoft, my boss that hired me, John Lambert, he's a security fellow here at Microsoft. And he talks about attackers using your infrastructure. So your job is really to turn that infrastructure into an effective sensor. So you're not just trying to block activity; you are trying to understand that activity that is occurring in your battlefield. And I'll add on to that to say I work with a lot of developers. And now, with AI coding capabilities, we're all developers. And I just ask that software developers and engineers and coders, you're terraforming the battlefield that we have to fight on. And so please give us the higher ground. Please give us the chance to be able to defend the environment with the way that you develop your software and the way you architect it because somebody is going to have to fight on it someday, and giving us the chance to win is a big help. Personal favor.
Jamie Levy: Absolutely.
Lindsay O'Donnell-Welch: Yeah. That's a great point, Sherrod. And, you know, moving on here, if we could just go to the next slide, I just want to show real quick the other piece of this attack, which is kind of the professionalization and the streaming of the operations behind the scenes. And, you know, as we've mentioned, we've seen device code phishing. We've seen other pieces of this. But really this targeted and focused and contextually relevant piece of the attack is another thing that definitely felt different here. And, you know, when we look at, if you go to the next slide, kind of how phishing kits have changed and emerged over the, you know, past couple years, for fans of the usual suspects, we have our own lineup here of AI phishing kit suspects, including BlueKit, Cali365, EvilTokens; and we're seeing more of these pop up this year. And to our listeners, by the way, if there's any big ones that we're missing, feel free to pop off in the chat and throw out kind of what you've worked, you're seeing from your environments. But, Sherrod and Jamie, what are you seeing in terms of these more modern phishing kits and kind of what they're packaging in?
Sherrod DeGrippo: We recently did some work on one called Tycoon 2FA, which was an attacker in the middle to bypass MFA authentication. And I feel like we're going to do continued takedowns. We're going to try to disrupt these ecosystems wherever we can, but it's hard because it keeps popping up. AI keeps accelerating the ability for threat actors to put these kits together, to sell them. And I think, before I pass it over to Jamie, I think the thing I really want defenders to think about and I want your executives to think about, too, is the financially motivated threat landscape is an ecosystem. It's not siloed individual groups of threat actors. It's people selling kits. It's people selling infrastructure. It's groups that all they do is create landing pages. It's groups that all they do is buy, sell, trade authentication credentials. They never deploy ransomware. They never deploy malware. They just do this one particular thing. And that's the danger and the high risk of that landscape is it's this really interconnected ecosystem of different little pieces, and you sort of have to know where all of them are all of the time, like these phish kits that are for sale, in order to really understand what that landscape looks like and to have a better chance at defending against it.
Jamie Levy: Yeah. I mean, that's a really good point. And, I mean, I just see this as getting so much worse. I mean, like you say, I mean, a lot of these kits, it's not even just one particular tactic, right? I mean, even in this thing that we saw with Railway, there were many different types of attacks that were just basically just thrown out. Like we saw the Tycoon 2FA also as part of that. There were a few instances of that. But it's also interesting, like you say, like, about the attacker landscape and that they're all just opportunistic, right? So -- and these are all just little businesses that are going on, and so they're going to do whatever they can to get their stuff sold, right. And they might hop around to all these different phishing kits and make their own phishing kits, and it's just going to keep basically just carrying out like that and continuing on so.
Sherrod DeGrippo: Just one really quickly, nostalgically, that I've worked on and it's still out there is a threat actor we call Storm-1101, and they sell a phish kit called Naked Pages, which is a fun name. But it's a landing page kit, and it does attacker-in-the-middle bypass and everything. But what I found really interesting about them is that they have full-fledged customer service. You can get on a Telegram channel, a Signal channel, a Slack group. They have not just customer service to help you get set up, walk you through the technical specifications; but they actually do deals and sales and will send out marketing materials saying, hey. You know, you're a loyal customer. If you want to buy a license for the next 12 months, we'll give you the last 12 months' pricing before we have a big price increase. Do you want a deal on this phish kit? And I think, you know, it just can't be underestimated how operational and professionalized a lot of the crime groups are in that financially motivated landscape. They're entrepreneurial.
Jamie Levy: Yeah. It's kind of sad to think that their support is probably even better than a lot of other software vendors that we deal with, right?
Sherrod DeGrippo: Yes. That's a sad fact of reality. But they're hustling. And in most instances these threat actors will get caught. At the most they'll get infrastructure disrupted or, you know, infrastructure seized. But they're able to operate pretty well, and I think as defenders we have to put the extra effort into making their lives worse.
Jamie Levy: Yeah. Totally. I mean, not that there's anything wrong with takedowns because I think that's great. But then the other thing to consider is that, you know, when you make these voids, then other things start to move in, right? They start to take that opportunity of, well, now there's an empty space; and I can make it. So it's just interesting how these things shift.
Sherrod DeGrippo: I think that's true. And, you know, whether I'm talking about nation-state or crime, I always remind people that espionage has existed for thousands of years. Crime and fraud has existed for thousands of years. Those are part of, you know, a functional human society. Those are just things that we've seen since civilization began, and now they're on the computer.
Jamie Levy: Yep.
Lindsay O'Donnell-Welch: Absolutely. That's -- yeah. A very philosophical point there, Sherrod.
Jamie Levy: It's true.
Sherrod DeGrippo: When we talk crime, I get philosophical. Yes.
Lindsay O'Donnell-Welch: I love it. Well, you talked briefly about what defenders can do, and I think it's an important point we should touch on. And I know we kind of touched on it earlier but would love to hear, you know, what both of you think in terms of technical controls or even just culture that could be changed to address some of these issues so.
Jamie Levy: You want to start, Sherrod.
Sherrod DeGrippo: Yeah. I think -- I think the too fast to travel and doing conditional access definitely is the technical means of what you need to do. Microsoft Entra ID has, you know, the conditional access capabilities to set for specific users, specific apps, things like that, thinking about authorization in context as opposed to just being valid and thinking beyond the IOC, thinking beyond atomic indicators. And I think we all have to think about the world beyond atomic indicators because that's kind of lazy stuff these days. Looking at creating rules for the inbox, making sure you're really paying attention to new device registrations, that's really important. And, as I said in the blogs and -- oh, great. Yeah. In the blogs and some of the literature that we've published on this, the intelligence we published on this, there are some ideas for hunting queries and things. And then, of course, you know, phish-resistant MFA, so something like FIDO2 or passkeys. I touch that YubiKey all day long, and I think that we've kind of got to get really the world moved over to that because that's going to be the next evolution of how things work, is, you know, physical presence.
Jamie Levy: Yeah. I think you pretty much touched all the things that I would have mentioned. I guess there's one other thing that you could do if you had noticed that you were affected by something. You could revoke the refresh tokens, although that might not populate until an hour later or something. But, still, it's something to do.
Lindsay O'Donnell-Welch: All right. Well, moving ahead, you know, as we go through this, we felt that, you know, this -- to the -- in the next slide, this quote from John Lambert with Microsoft really rang true when we look at how threat actors are operationalizing this process and kind of targeting those trusted processes. So just wanted to throw this out there for everyone to kind of take note of: "Adversaries are following customers to the cloud. Attackers use your infrastructure. Make it a sensor with event collection. It's not the bite that makes a spider successful. It's the web." So all right. And then, moving on to the next slide here, so we kind of touched on practical takeaways briefly. But, you know, if there's, you know, one assumption, I guess, that defenders need to let go of immediately, would love to hear, Sherrod and Jamie, what your thoughts are there. And then we can kind of move on to closing thoughts and Q&A.
Sherrod DeGrippo: I think I said a lot of the things that I would suggest for defenders at this point, and I'll just kind of go on a little mini rant. SMS for multifactor is not actually multifactor, so we need to move to true multifactor authentication back from our school days of something you have, something you know, something you are. It has to be real. It can't simply be some of the, you know, multistep, they will call it. That's not real true factor authentication. And phish-resistant MFA is really important.
Jamie Levy: Yeah. I think the assumptions that I'm thinking of are about user education because I don't know that the typical user education would have even helped in this case because everything did look legitimate, right? And everything was with clean URLs; and nothing really, you know, flagged out, right? So just usually our first kind of like knee-jerk reaction is to blame the user for interacting with something that they shouldn't have interacted with whenever -- whenever something like this happens. And so I think just not thinking about that and then also not assuming that -- you know, that you're not going to actually get taken by something like this, right. So, like, a lot of people might work at companies that are too large to be, you know, taken; or they have enterprise-grade whatever, right. This could happen to anybody. It's not just the smaller businesses or whatnot. So just kind of taking that away as well.
Lindsay O'Donnell-Welch: Absolutely. All right. Well, moving forward here, are there any kind of closing thoughts that, Jamie and Sherrod, that you have that you want the audience to kind of take out here that we haven't touched on? Anything else?
Sherrod DeGrippo: I think, when you look across as the defender, the things that you need to do, you can't just look for bad logins anymore. In this particular threat, the login is valid; so you have to look at the contextual pieces, which is like tightening device code flow, using conditional access, location signals. You have to think about the behavior after the authentication, not just the authentication piece itself. It has to be a view across that full timeline from before, at, and after the auth implementation goes through.
Jamie Levy: Yeah. These are all really good points. And the only other thing that I would probably add is that we are at a pivotal time with attackers and AI, and things are just going to get -- continue to get worse. I feel like maybe the solution going forward is to build a community, you know, across different companies and continue to share intel with what you're seeing so that we could pivot a little bit faster. Obviously, when these things were happening, I reached out to people at Cloudflare, etc. to get these things taken down as soon as possible, etc. So it's, basically, I feel like we really just kind of need to band together in order to try to actually make a dent in what's happening in the attacker landscape.
Sherrod DeGrippo: Yeah. I agree with Jamie. Defends -- Defenders are the friendships we made along the way. We have to kind of focus on those kinds of relationships and making sure that we're all working together as a group of people who really want to protect our ability to transact freely, our ability to communicate freely and securely. Microsoft's super committed to that. I think, you know, partnering with Huntress is evidence of that, as well as, you know, all of us are kind of in our back channels checking on everyone all the time; and I think that's kind of what we have to do.
Lindsay O'Donnell-Welch: Yeah. For sure. All right. Well, Sherrod and Jamie, thank you so much. And, to our audience, thank you so much for tuning in. I know, before we go, we have a declassified episode coming up. So be sure to tune in. That's going to be featuring Truman Kain and Caitlin Sarian, who is also known as Cybersecurity Girl. And they'll reveal how attackers use social media as intel and kind of what you can do to make yourself harder to target. So I think Cody's going to link below in the chat for that one. But thank you so much for our audience. And, yeah. This will be live on YouTube if you want to catch up or follow up there.
Jamie Levy: Yeah. Thanks for having us.
Sherrod DeGrippo: Thanks, Lindsay. Thanks, Jamie.
Jamie Levy: Thanks for coming, Sherrod.
Sherrod DeGrippo: Thanks for having me. Great chatting with you. And, audience, thank you, all of you, for tuning in. It was great to see all of you.
