Microsoft has implemented a new strategy to combat phishing by creating plausible Hanipots in the form of Azure fake tenants. These fake tenants are designed to attract cybercriminals and collect data on their activities. This data is then used to build cards of harmful infrastructure, gain a deeper understanding of phishing operations, and significantly slow down their activity.
Ross Bevington, a leading security engineer at Microsoft, introduced this technology and its influence on reducing the activity of Fishers at the BSIDES Exeter conference. Bevington described the method as “a high level of interaction” for collecting reconnaissance information about cyber threats. This method has helped identify both inexperienced attackers and groups supported by states.
Microsoft’s approach involves creating fake tenant environments with domain names, thousands of accounts, and imitation of user activity to resemble real corporate systems. Unlike traditional methods, where traps passively wait for attackers to find them, Microsoft actively enters these accounts on phishing sites identified using Defender.
These fake accounts lack two-factor authentication (2FA) and appear believable, allowing attackers to quickly gain access. However, these hackers unknowingly spend their time exploring the fake environment without realizing they have been trapped.
Microsoft monitors approximately 25,000 phishing sites daily, with 20% of them receiving fake account data. When cybercriminals enter these traps, detailed tracking of their actions begins, providing Microsoft with valuable information on IP addresses, browsers, location, and behavior.
One crucial aspect of this method is slowing down the system response to ensure hackers spend as much time as possible analyzing the fake environment. On average, attackers spend about 30 days before realizing they were in a false environment. This timeframe allows Microsoft to gather vital data for enhancing protection and developing more accurate threat profiles.
Bevington highlighted that only about 10% of the collected IP addresses can be matched with existing threat databases. However, this amassed information helps attribute attacks to specific groups, including financially motivated criminals and government hackers.