
Welcome. So, yeah: Turning the Tables, using cyber deception to hunt phishers at scale. Who the hell am I? My name is Ross Bevington, I'm a threat researcher at Microsoft. I'm a chartered engineer, I'm a reverse engineer, I've got a few CVEs, I've been around the houses for a long time; you might have seen me talk at other BSides conferences. I worked for UK government for a while, then I was recruited into Microsoft to be responsible for Linux threat detections. I don't do that any more: I am Microsoft's head of deception. I've called myself head of deception, no one said that's not okay, no one's told me to stop, so I can keep using that as my
title. I am Microsoft's head of deception. You might have read a blog post I wrote recently that garnered quite a lot of people looking at it, about code.microsoft.com; I wrote that as well. I'm not going to talk about that today. I'm also known for hacking cameras; I've been on Sky talking about hacking e-cigarettes and turning those into BadUSB devices. I thought I had ten minutes more for this presentation than I actually have, so I'm going to talk quite quickly. First of all, this is not the first time I've been to the University of Exeter. I'm quite surprised to see it. This
is me before I was jaded. I look a little bit like a murderer; I am not. So what's this all about? This is what I'm going to be talking to you about today: what is deception, because you may not have heard of it and you may not understand how you can put it into practice; what is phishing, because this is BSides and I get to start really, really low (my son's here and he doesn't know what phishing is, so I'm going to have to tell him as well); how you can use deception in your organization and create a deception operation to do something cool; how we've been doing that to do
interesting things at Microsoft; and then some results and takeaways. I hope you like pie charts; I'll canter through them. But before we begin, here's a bit of jargon. I'm sorry, our industry is rife with jargon, but this is it. Hopefully you know about multi-factor authentication and you've got that turned on. I might mention TTPs, tactics, techniques and procedures: this is what threat actors use to actually exploit you, do they use PowerShell, do they use Bash, that kind of stuff. Threat intelligence is another thing that I'll talk about, and this is the IP addresses, the URLs, the raw information that we try and
do stuff with. We want to turn that threat intelligence into actionable threat intelligence, that is, information about an attack that we can actually do something with: give it to the police, send an indictment to the US government, that kind of stuff. Then I'll talk about a whole raft of Microsoft technologies: Office; Azure, which is where you can buy compute in the cloud; a tenant, which is effectively a business that Microsoft hosts that infrastructure for; and I might drop in AAD and Entra, which is how we do authorization, how we know
that your password is correct, that kind of stuff. I must first apologize for my old memes: if you are younger than me you probably won't have watched the films I've seen. I also have to apologize because I'm sorry, I've not been able to fix cyber security, and I've come here today to say that, broadly speaking, these old grey beards like me, we haven't fixed it either. So I've come to BSides to throttle you into helping us: come to us with new ideas, tell us where we've been going wrong. Because, as you see from this graph, 36% of businesses have identified a cyber attack in the last 12
months, and the cost of ransomware and other stuff is now at the GDP of countries like Latvia and Estonia, and this year is probably going to be Slovakia. We've got a really big problem, and it's you people in the audience that I need to help fix it, because I'm not doing a great job. If you're here you might be thinking, well, actually there's more money in being a bad guy, so I'm also here saying please don't be a bad guy or girl. When I started down this route of cyber security there weren't really many different paths, and I would just say, if you're thinking about doing these things, or you've done these
things in the past, you're more likely to get caught now than perhaps ever before. So anyway, we need new blood, and we need to start thinking about different things, and one of the things I want people to start thinking about is deception technology. Deception, as it says up here, is a form of active defense: rather than attacking the computers and the automations, we're interested in deceiving the actual attackers, the humans behind the keyboard, and I'm going to talk throughout this presentation about actually having an impact on the real people that are behind this attack. So deception technology is not just about honeypots, that's just one thing; it's also
using traps, lures, decoys, lots of other tricks, often based in psychology, in order to change the game of cyber: to make it more difficult for our adversaries to do stuff and easier for us to do stuff, to shift the balance, turn the tables if you will. It's a type of adversary engagement where we're not talking to a computer, we're not sending bits and bytes to a computer, we're really sending that information to whoever is behind it. But deception isn't attacking back: it's not throwing exploits at them, it's not turning an existing attack around and firing it back at them. It's things like tarpits: if somebody
sends you some malicious data, you respond really, really slowly and cost them more resources, more CPU time on Amazon, that kind of thing. And crucially, what I want you to take away from this slide is that attackers are already using deception: if you're engaging in any part of ransomware, they're already using it when they're trying to negotiate with you, so we need to use the same technologies as well. Here are some quick examples of that. I don't know if you've seen Jim Browning on YouTube; he baits scammers on the phone, and this is a really great opportunity for us to do that kind of stuff in the real world, in our
day jobs. He gets these people on the phone, he spies on them, he tricks them, he wastes their time, he slows them down, he tarpits them, that kind of stuff. Troy Hunt has done some stuff in deception before; this is him messing around with someone's fake washing machine scam. But he's also got a really great thing, which is Password Purgatory, if you've heard of this. What it is: you put a password box on your website, someone wants to register (for whatever reason, you might drive them there), and on every try of a new password, the password doesn't meet the complexity requirements, and so
people have wasted their time. You know how hard it is to enter a password into a website that you want to visit; he's used that as a defense mechanism. So all these things are deception tech, and I want to get on to that later as I explain what we've been doing at Microsoft. So, very quickly, what is phishing? You've probably got your own ideas about what phishing is, but there are loads of different types of phishing attacks. This is, I would say, the traditional one: you get an email, although that could be a Teams message, it could be anything; you're tricked into visiting a
website, or prompted to visit a website; you enter your credentials; now the attacker has those credentials. But there are lots of different phishing attacks. This is another one: rather than entering credentials, you're tricked into downloading a file and then they get code execution; or your browser is exploited and you get code execution; or an attachment is opened and you get code execution. And you can repeat this with phone calls and SMS and QR codes. What I want to tell you is there's a bit of a dirty secret in the industry: for this kind of stuff behind me, where you do an attack and get code execution, we've got really great optics on what's going
on in that attack. The malware sandboxes can tell you what the malware does and what it goes to. But when you've given your attacker some creds, the story that defenders have about what the attacker is doing with those creds, how long they've got them for, what they're going to do with them next, what they do in the first five minutes they've got those credentials, those passwords: we don't actually have a great story. A lot of businesses don't know; they look at the logs and they tell them something, but the time between the loss of credentials and the attack, the ransomware text on the desktop, could be months. And so one of
the things I wanted to do was demystify this area of the attack chain. Anyway, let's look at some real examples. Here are some real phishing sites, and as you'd expect they look like login boxes, and they're for any and every business you can think of. But they also come in different formats: this is an Excel document you have to unlock and put some stuff into, and eventually it asks for your creds. Attackers know psychology, whereas defenders, I think, are not really grasping that as much. They're doing things like, in the case of this one over here, you've got to complete this to avoid email
disconnection, your password is going to expire in 24 hours. This idea of scarcity is very common in sales and psychology, and attackers know this and they're using it; they're using deception technology against their victims. This one is IRS, American tax. There are lots of different reasons why you might run a phishing campaign, and it's not just to get credentials for, say, Microsoft infrastructure. So let's skip forward a bit. It's not just the scrotes at the bottom of the pool that are doing this, it's also groups like Russia. This is a phishing campaign from Midnight Blizzard, also known as Nobelium, and this targets
government, think tanks, military, telcos, that kind of stuff. This is something from Star Blizzard, also Russia, also known as Seaborgium. We've got Periwinkle Tempest: this is a financially motivated actor, also known as DEV-0193 and [unclear]. What's behind this is that everyone is doing phishing; it's not just the person in their bedroom, it goes all the way up to state actors as well. And why does Microsoft track this, why are we interested in this? Because we are at the forefront of phishing: Microsoft is one of the most attacked brands, attackers love to use our brand and masquerade as it, and that's something
we need to defend against. This data is from Proofpoint in 2022, and not really much has changed. Some stats to highlight here: most users, I won't say most but a large proportion of users, don't really understand how email works, don't understand how easily things can be pushed on them as a trick, and it's on us to fix this. I would have thought that in 2024 we wouldn't be talking about users not understanding that they can be easily tricked, but here we are. This graph behind me here is all
the brands that are being abused; you can see how big Microsoft is on that. Now this is an old slide, I reran the results yesterday, and broadly speaking it's the same ordering; it changes on a week-by-week basis, but Microsoft is number one again. And why is this? Because phishers are often really interested in Microsoft's credentials. Microsoft is now a cloud provider: if you are buying Office 365, if you're in Azure, you have homed your data from your on-premises network onto our network, and as a result, if you're an attacker, you want to get access to that, and so abusing our brand
is a great way to do that. So what's Microsoft doing about it? I don't really want to continue without saying we are doing lots of things in this space. We're blocking millions and millions of messages a week, but they just keep on coming and they keep on changing. We've done things like extending SmartScreen so that phishing protection is now enabled by default: rather than just protecting you from downloading an EXE that was bad, we're now saying you've visited a website that's bad as well. Our Digital Crimes Unit is doing tons of work to actually take stuff down from the internet, which is incredibly hard, because there are lots of businesses out there that don't pick up the phone when
we say we've seen abuse on your platform and we want to take that down. We're closing tons of email accounts when we see them; if people like you are reporting stuff, it's not going into a black hole, we're actually doing something about it. We really want to stop this problem, and if you're interested in helping us further, we've got a beautiful API that you can call from PowerShell, and there's a website, so if you do see something that looks like phishing, a bad email address, something like that, something you think Microsoft should be doing something about, you can use that and we can spring into
action. So now, back on to phishing. I want to talk a little bit about a successful phishing attack, and there are broadly four parts to that, and then I'm going to talk about how we're going to disrupt it. I don't like to talk about kill chains, I'm not a military person, so I've collapsed everything I know from MITRE ATT&CK and the kill chain into four easily digestible spaces. There are so many actors in this space that most groups are picking the areas that they want to do themselves. So in reconnaissance, there might be a group that specializes in data dumps: exploiting a business, getting their
database of email users, that kind of stuff, and putting it on the internet and selling it. That's reconnaissance: to build this attack we're going to need a whole list of people to email, and there are groups out there that you can go and buy that stuff from. Next is resource development, and in this case it's talking about building the website that people are going to interact with, either to download your payload or something else; you can go on the dark web and pick these up for pennies, and there's a whole group doing that. Again, at the bottom I've got the risk
and reward, which is basically from a law enforcement perspective: most of this stuff is really low risk, you can do it, publish it on the dark web or a hacking forum, and no one will really care. The economy in this is really interesting. Then there's initial access; things have become a bit more interesting now. This is where someone's actually opened the email, they've got their creds, and you can buy access to that infrastructure that has perhaps been deployed by a group, and then use that to go on to your actions, which used to be deploying coin miners and now is
ransomware businesses. As I said, an entire chain here is often not developed by one group. If you're the Russians, you will have all of those stages covered in-house; if you are a much smaller ransomware affiliate, you might be picking and choosing which parts you're interested in. So let's have a look at these in a little bit more depth, with some prices. I went onto the dark web (don't do this, you're not going to be bad guys, are you?) and I thought to myself, how much money do I need to get into this game? And the answer is not very much. For reconnaissance, you
know, getting people's email addresses, all of their details, to provide a service that can launch those targeted emails straight into the heart of the organization, you're spending between 30 and 100 quid to buy massive databases of people's personal information. It's crazy really. Resource development is even cheaper: you can pick up a website that you can deploy on a hosting service and collect people's credentials for as little as a dollar, and you can get a managed service from 400 quid where they do it all for you. That means defeating all of the blue team's
technology to stop that from getting in front of the user. This is the Greatness control panel, which is the new scourge that's coming up: a whole beautiful managed service. You log in, you basically put your email addresses in there, and they'll provide the access for you. They are really good at this now; we've allowed them to be that way by not stifling them earlier. Next up is initial access: the phishing attack has been successful, we've got our beachhead, it might be access to accounts, that kind of thing. You can buy this: I just went on the dark web, and you can get access to a large
company in Europe, an Asian tourism ministry, textiles in Italy; you're talking about around £4,000 for that initial access. So if you've got £4,000 in your bank account, you're straight into Asian tourism, ready to start your ransomware campaign. And of course then there's the actual actions, and this is a managed service you can get now, and they'll take 50% of the earnings, so you don't even have to stump up anything yourself. The outlay for a phisher is sadly minimal and the return on investment is great, and so we need to do something to disrupt this, and hopefully cyber deception can help. We have this big problem in our industry, which is the asymmetry in cyber; you may
have heard that before: the fact that the defenders have to get lucky all the time and the attackers only have to get lucky once. Deception is a way of changing that round, hopefully, so that we can turn the tables on the attacker and they have to get lucky all the time. We need to do this to push back against an attacker, because if we don't, it's going to become more and more difficult in the future. Deception technology allows us to do this by actually attacking the thing in the system that doesn't change very often and is hard to change, and that's the phishers themselves. So we often use psychological tools and tricks to attack
the thing that's behind the keyboard, because that's the bit that you can't change, that's the bit that's difficult to patch. So what I want to do is increase their effort: I want to make it more difficult for them to do their work, which is attacking me. You know what it's like when you come into the office and you sit down to do your work and everything's broken: it's really hard to do your job and you hate your job. That's the life I want them to have. So my plan to do this: they're sending me emails, I'm going to reply, and I'm going to waste all of their time and resources.
It's as simple as that, and as you'll see in a second, perhaps not that simple. But I want to waste their time and, in doing so, collect tons of threat intelligence about them: stuff that they find really difficult to change, stuff that's integrated into their way of working. And I want to use that to push into the rest of the Microsoft system to really stifle how they do their business. So first of all I need some kind of process to turn this idea into something we can actually deploy, and this is talking about how we actually prepare internally for a deception operation. These are my steps here. Down the side: what are the
objectives? Well, I want to frustrate people, I want to increase their costs (if they're having to buy something, I want it to cost even more), and I want to collect TI to enable defenders really, really easily. Next I talk about channels: how am I going to communicate with people? If you think about a ransomware negotiation, it's a chat box and you're talking text to the other side; in this case it's the emails, it's the phishing sites, it's their infrastructure, that's the channel I've got to communicate with these phishers. Then next up, what reaction do I expect from these people? They're
probably going to get annoyed, they're maybe going to change their behavior, they'll know that I'll be watching them. How am I going to monitor stuff? This is really, really important to a deception operation: how I keep watch, make sure stuff's working, check the response rate, make sure that I can still access their sites (maybe they've blocked my IP address, that kind of thing), look on Twitter and other forums. What could go wrong? They could come for me, they could find some way of hurting Microsoft; well, they're already doing that anyway, but we need to keep that under consideration. How do we stop doing
something bad? Let's say it's all gone wrong, they've turned their attention on Microsoft and they've got some big DoS cannon they're firing at us: how can we back off, how can we calm the whole thing down, how can we stop this deception operation? What intel are we going to collect? This is really crucial for defenders: I want tons of IP addresses, I want their phish kits, I want diagnostic logs, I want absolutely everything that I can get. And how am I going to display this? Dashboards, threat hunting, great for the rest of the business. So loads of people often tell
me that doing deception operations against people never works, and I'm here to dispel that. I hear things like, they're going to see this a mile away, you won't catch any bad guys, it's just not going to work. The truth is that people make stupid decisions; even the threat actors, they don't really care, often they're just doing a job and they're working for a paycheck as well, and if they see they've been caught they go, oh well, and they don't think of the ramifications of that; they just ignore me. Everyone's making mistakes. Here's Kim Kardashian: she's making a mistake, she's playing poker and
she's got mirror glasses on. This is a really great example of doing things you shouldn't do; maybe you can't fool anyone either. And there's this one as well, which is someone saying they've lost their NFTs, and then they're being scammed literally one second later. Everyone thinks they're on the lookout for this stuff, but they're often not. So anyway, what are we going to do? What's the scam? I mean, what's the plan? I'm going to turn Azure into a honeypot. I'm going to create a new company, also known as a Microsoft tenant. I'm going to enable access to Azure and all the different things on there. I'm going to set up a
custom domain name. I will do things like restrict access to services that I think are dangerous, that I don't want people to have access to. I might weaken services: a great one for weakening is turning off multi-factor authentication; I don't want the attacker to be burdened with that kind of stuff. I'm going to fill this org with juicy data, and I'm going to create thousands and thousands and thousands of user accounts.
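Editor's note on the plan above. The talk goes on to describe feeding this decoy tenant's credentials into real phishing sites and then watching the sign-in logs, and two mechanics in that loop are worth seeing in code: giving each lure its own honey credential, so that any later sign-in identifies the exact phishing site the creds were typed into, and separating single-use attacker IPs from shared ones before anything is pushed to a block list. The Python below is an added example written by the editor; it is not the speaker's or Microsoft's code. The lure URLs, the HMAC key, the decoy domain, the name lists and the sign-in records (which borrow a few field names from Entra ID sign-in logs) are all constructed for the example.

```python
"""Honey-credential seeding and sign-in attribution (editor-added example)."""
from __future__ import annotations
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timezone

SEED_KEY = b"rotate-me-and-keep-off-the-tenant"   # assumed secret held by the deception team
HONEY_DOMAIN = "contoso-decoy.example"             # assumed custom domain of the decoy tenant
FIRST = ["amelia", "oliver", "isla", "george", "freya", "noah", "ava", "arthur"]
LAST = ["patel", "hughes", "morgan", "clarke", "walsh", "khan", "reid", "fox"]
SEED_TIME = datetime(2024, 7, 1, 9, 0, tzinfo=timezone.utc)
LURES = [  # constructed phishing URLs standing in for the real-time feed
    "https://login-microsoft-verify.example/index.php",
    "https://docs-share.example/excel/unlock.html",
    "https://hr-portal.example/password-expiry",
]

def _tag(*parts: str) -> bytes:
    return hmac.new(SEED_KEY, "|".join(parts).encode(), hashlib.sha256).digest()

def honey_credential(lure_url: str, n: int = 0) -> tuple[str, str]:
    """Plausible-looking username and password derived from the lure URL.

    Deterministic, so nothing random has to be stored and the password never
    sits in a table: the ledger only needs the UPN -> lure mapping.
    """
    t = _tag("user", lure_url, str(n))
    upn = f"{FIRST[t[0] % len(FIRST)]}.{LAST[t[1] % len(LAST)]}{t[2] % 100:02d}@{HONEY_DOMAIN}"
    password = "Hp!" + _tag("pass", lure_url, str(n)).hex()[:12]   # assumed complexity policy
    return upn, password

def seed(ledger: dict, lure_url: str, seeded_at: datetime) -> tuple[str, str]:
    """Pick the account to type into lure_url and record it in the ledger.

    Same lure twice -> same account (reuse is a signal, not a bug).
    Name collision with another lure -> bump n until the UPN is free.
    """
    for n in range(1000):
        upn, password = honey_credential(lure_url, n)
        owner = ledger.get(upn)
        if owner is None:
            ledger[upn] = {"lure": lure_url, "seeded_at": seeded_at}
            return upn, password
        if owner["lure"] == lure_url:
            return upn, password
    raise RuntimeError("honey namespace exhausted for this lure")

def attribute_signins(ledger: dict, signin_jsonl: str) -> list[dict]:
    """Map every sign-in by a honey account back to the lure it was seeded into."""
    hits = []
    for line in signin_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        upn = rec["userPrincipalName"].lower()
        owner = ledger.get(upn)
        if owner is None:
            continue   # not a seeded account; on a tenant with no real users this is itself alert-worthy
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        hits.append({
            "upn": upn,
            "lure": owner["lure"],
            "ip": rec["ipAddress"],
            "client": rec.get("clientAppUsed", "?"),
            "minutes_after_seed": round((when - owner["seeded_at"]).total_seconds() / 60, 1),
        })
    return hits

def single_use_ips(hits: list[dict]) -> dict[str, str]:
    """IPs seen against exactly one honey account: candidates for an edge block.
    Addresses shared across accounts (carrier NAT, corporate egress) are left alone."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        by_ip[h["ip"]].add(h["upn"])
    return {ip: next(iter(accts)) for ip, accts in by_ip.items() if len(accts) == 1}

def demo() -> tuple[list[dict], dict[str, str]]:
    ledger: dict = {}
    creds = [seed(ledger, url, SEED_TIME) for url in LURES]
    rows = [  # constructed records in the shape of Entra sign-in log entries
        {"userPrincipalName": creds[0][0], "ipAddress": "203.0.113.7",
         "createdDateTime": "2024-07-01T09:04:00Z", "clientAppUsed": "Browser"},
        {"userPrincipalName": creds[0][0].upper(), "ipAddress": "203.0.113.7",
         "createdDateTime": "2024-07-01T11:30:00Z", "clientAppUsed": "Browser"},
        {"userPrincipalName": creds[1][0], "ipAddress": "198.51.100.20",
         "createdDateTime": "2024-07-01T09:45:00Z", "clientAppUsed": "Browser"},
        {"userPrincipalName": creds[2][0], "ipAddress": "198.51.100.20",
         "createdDateTime": "2024-07-02T03:10:00Z", "clientAppUsed": "Mobile Apps and Desktop clients"},
        {"userPrincipalName": "real.person@corp.example", "ipAddress": "192.0.2.5",
         "createdDateTime": "2024-07-01T10:00:00Z", "clientAppUsed": "Browser"},
    ]
    hits = attribute_signins(ledger, "\n".join(json.dumps(r) for r in rows))
    return hits, single_use_ips(hits)

if __name__ == "__main__":
    found, blocks = demo()
    for h in found:
        print(f"{h['minutes_after_seed']:>7} min  {h['ip']:<15} {h['client']:<32} <- {h['lure']}")
    print("single-use IPs to push to the edge:", blocks)
```

Running it lists four attributed sign-ins (the fifth record is not a honey account and is dropped) with the delay between seeding and use, and returns only 203.0.113.7 as a block candidate: 198.51.100.20 was seen against two different honey accounts, so it is treated as shared infrastructure rather than a single-use address. In a real operation the ledger would live with the seeding container, not on the tenant, since anyone who reads it learns which accounts are bait.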
Then I'm going to drive phishers to our infrastructure. Putting up honeypots and waiting for people to come back is never going to happen; you need to put a lure out there, like you're fishing for something, or phishing for phishers. So I then go to our Microsoft Defender for Office 365 (great name), and that's our service that collects all our different phishing sites; it inspects people's emails, makes sure that they don't contain malware, and I look at the real-time list of phishing sites we collect. I then spin up a browser in a Linux container, visit that site and type in those real creds. I do the exact
opposite of what we're telling people to do, and the phishers don't know what's happening: they're seeing thousands and thousands of different creds and they don't know which ones are real and which ones are fake. Next up they've got to test them. They've got a cred; often they do a little bit of automated testing in the back end, a quick cheeky request to see if it's valid, and they always are. So at that point they have to log in to that infrastructure and determine if it's a real company or one of Ross's fake companies, and at that point, for them, the game is over. We have got every single logging
log turned on. We know exactly the email that they've come from, and we can track it all the way back through all of the diagnostic logs that are coming from all of our services. So we've now got really good optics on what happens in the first five minutes of an attack, or one hour, or two hours, and then we can take those logs and do amazing stuff with them. Here are the results of this; this is what I found, and I'm sorry, there are a lot of pie charts. This is my triangle model of all the data we get funneling down. We're currently browsing
to around 20 to 25,000 malicious phishing sites a day. Now, some of those have been taken down already; for some sites the process is really, really slick, so 15,000 of those are still up by the time we come to type creds into them. Now, rightly or wrongly, there's some complexity about visiting every phishing site and trying to type creds into them: we can only type creds into about 5,000 of those. The phishers might have blocked some of our attempts; they're starting to set up CAPTCHAs and stuff like that, which we don't try to break yet. And from that we can see about 200 different
IP addresses logging in a day, which is about a 5% response rate, which if you're into sales or anything like that is great; 5% is amazing, and sometimes it goes as high as about seven or eight. It's because they can't really tell if an infrastructure is good or bad. We then see about 150 different user accounts triggered a day, so that's new ones; sometimes the phishers are coming back on old ones. We download about 20 phish kits, which are the actual sites they put up there; we automatically grab those as well, and the vast majority of those are already in VirusTotal, so we're not alone in finding phish kits and tagging them
like that. On a day-by-day basis we track two to three known groups. Now I work in MSTIC, the Microsoft Threat Intelligence Center, where we do the tracking of all the state groups; sometimes these aren't straight state groups, they are aligned with financial crime actors, that kind of stuff, but we've already seen that pattern of activity. Sometimes we can go up to about six as well. Groups like Secret Blizzard, aka Krypton, aka Turla: those are the groups that we often see still doing this. These are big state actors; it's not people in their bedrooms. Less than 10% of the IP
addresses that we see are in any other known database, and that's because some of these actors are using single-use infrastructure; they're not just using some 3G dongle out of their window. What do we do with all this information? Well, we push a lot of it into Microsoft's threat intelligence engine, and we do collect a lot of secret sauce from our diagnostic logs, which I'm not going to go through today. But things like IP addresses: if we see a single-use IP address, so that's an IP address that's not used by a million different people, it's not your Vodafone IP address for instance, then we will do things like
push that IP address to our edge to completely block access to it, so that phisher logs in with that user account and suddenly Azure, Office, everything just 404s for them. What we also do is push information about the identities that the attacker is using into the Identity Protection part of Entra, and if you've ever seen this page before, which is your risk score, how we understand if users' logins are risky or not, it's because we see the same infrastructure being used by those phishing groups. So if you have our free offering, that will go absolutely nuts; if you are an E5 customer and you have XDR installed, then
we can automatically take down, disable, a compromised user as soon as that login has occurred. And this is not just based on IP addresses; I'm very careful not to tell you what we're actually using, because I don't want to give this out, but we've got lots of different metrics about the infrastructure that phishers are using, and that's what we're building that signature and understanding on. So where are these attacks coming from? We can look at IP addresses, but do understand that a lot of IP addresses are shared, so put your skepticism hat on. But from this graph, most phishers are using
VPSes; you can think of any VPS provider under the sun and we're pretty much covered there. There are some places, though, where we know to probably trust those IP addresses, and it's areas like that and that that are more likely to be people sat in their rooms, often using an iPad or something, to conduct their phishing. We've already got lots of Tor blocks in place, so we don't see a lot of Tor traffic from phishers. We see some phishers using a completely different IP address every time they make a connection, but then once they've made that successful connection to an organization they retain the use of that, and we have done
some work to try and understand what they're doing, and it looks like they have quite a sophisticated machine to basically give them single-use IP addresses and then hold on to them when they're actually needed. This says to me that their infrastructure is incredibly robust; they know exactly what they're doing, and this is the kind of machine that we as defenders need to have an effect against. And how are they accessing a tenant? Now this is really interesting: it's the browser. However we've cut this, and we've really looked into the logs, it's the browser all the time, and that, as an engineer, is really
a shock for me. I thought I'd be building my automation based on our SDKs and our APIs, but that's not the case; they are often manually doing this. We can drill into this a bit further and have a look at what they actually do with our APIs, and again this is a little bit of a shock to me: the first thing they do is go straight for the inbox. When we talk about the Graph API here, this is the API for getting information about an organization: the number of people in that organization, what their jobs are, that kind of stuff, and this is the first thing they do, and this is pretty much
the same for all phishers, regardless of whether they're state actors or someone in Nigeria. We can look at browsers, and we can go a bit further: everyone's using Chrome. This is a little bit sad, because Edge is in third place or something, so we need to do some outreach there. But there are some other weird and wacky browsers: the Maxthon browser, the Yandex browser, and a surprising amount of iOS. So that says to me, and we can link this back to groups, that there is one group out there that just does their post-breach stuff on an iPad, on their lap in front
of the TV, just manually doing it. These are the people we're talking about: some groups have this really sophisticated machine, they've done some programming, they're giving out single-use IPs, and some people are just iPad on the lap in front of the TV doing stuff, and these are the kinds of things that we need to know to be able to affect them. And if it isn't the browser then, broadly speaking, it's some kind of mail client. I was like, what's this cool Chinese thing up here? And it's basically a mail client. Some other random stuff that's popped up is things like Bing popping up in our logs,
and that's because what they often do is onboard their entire machine onto our organization. They go into AAD, "join my work or school account", and then everything from their browser and so on is giving us diagnostic logs. That's how Bing popped up: if you onboard Edge and hit new tab, it's often using your identity to get things from your organization to fill out that summary page.

OK, I talked about monitoring earlier, and it's really important that we monitor what these phishers are doing: monitor this system, monitor the tons of logs that we're getting after feeding them all these creds. And we found something quite interesting. We've been running this now for a couple of years, and it takes about 20 days for most, that's 80 to 90%, of phishers to get wise that we're trying to trick them. This is a long time, 20 days. And what do I mean by that? I mean if you get an email from something@example.com, then it takes 20 days for them to go "hold on, I think example.com might be a trick domain", and I think that's a really long time. At that point they start seeing that domain and going "I don't think we'll log in any more": they hit the Azure login page, or your Entra login page,
and then back away.

So we need to do something about that, and we can zoom into this; it's interesting to see how we found this. When they hit that login page and bounce away, that's lost TI: they're not logging in, not creating those diagnostic logs. But I can still play a trick on them, I can still do something, because I can customize that login page. What we do is change that login page and put a web bug in the footer. So when a phisher goes to that site and sees that company logo, and they may have thought "actually, this is a trick site, I'm going to be tricked", they've already lost their IP address and information about their browser, because I have started playing the tricks on them that they play on us. So if you maintain an organization, you can do that too: you can put your own web bug in there and track people that are hitting your login page but not actually logging in.

And so what do we do about that? How do we fix that? Well, we know it's 20 days, so every two weeks I create a brand new company. I'm Microsoft, I can go to our back end, I summon up a new tenant, I use GPT to create me a new company name, create me a logo, generate all of that, and put it out there on the internet and send more creds to them and deluge them. We have built a system called SE Haven, which I've open-sourced, which helps with the creation of this test data, this realistic company. This is a system where you can say: create me a new company, create me 10 or 20 products for this company, create me a thousand or 10,000 employees, and then start doing things like emailing from one employee to the next, and create rich, rich test data, so that when they log in they spend as much time as possible in our environment. This generates a massive JSON file which we load into our Exchange server and into our SharePoint site, so when the phishers log in it's not just this empty, barren environment that they just bounce out of. We want them to stay in our playground, we want them to stay in our honeypot and waste as much time in there as they can, because if they're wasting time in our environment, they're not wasting time in your environment.

Things we didn't expect. We don't have credit cards on our subscriptions and our tenants, so you can't waste money; we're not giving free compute to an attacker, and that forces them to get creative. So what they did was start turning on the free
trials. It's like, ah, OK, so we had to fix that. They turned on Teams voice features, which we believe was so they could use that as a basis to do further voice phishing, so we've turned that off now; they don't get anything free. And they also abused, and this was a really nice attack, so when we leak creds to the attacker, the phisher, we're giving them a real Microsoft account, and what they did is they used this Microsoft account to then go and get $150 of Azure free trial, and that bypassed our internal checks. So we have a system that stops that now, but what that allowed us to do was have direct access to all of the infrastructure they were setting up with that free subscription.

So as Microsoft I can say to you that if you use our API and you report to us that some subscription or person is using Azure for bad stuff, we can shut that down, but we can't go into that environment and start pulling the disk images and looking at that, because Microsoft is committed to privacy, and so that prevents the amount of extra work we can do with the data that is already on our platform, and rightly so. But this was a subscription that I could control. I'm the administrator of this tenant, this is 100% bad actor, so I can log in with the user account that I've got and start rummaging around through all of their resources and pull their disk images and do forensic work on there and generate new TTPs. So that was really great for me. We used this to then build a system that could look for that pattern of life over every single customer on Azure, and we found 300 tenants that were similarly affected by the same actor. They weren't being compromised by free trials; their real credit card was being used and billed, and so we were able to shut that down, which is really great. We saved a lot of people some money that
day.

I keep on talking about time wasted. Time wasted is so, so important, and we can get the diagnostic logs and work out how much time we've actually wasted. I've done this presentation a few times and it's really great to see that every time I do it the number goes up and up and up. So yeah, we look at the diagnostic logs, we rule out or rule in anything that's human activity, and we've got a really good understanding about what is human and what isn't human. We can remove really long sessions that look like "what's that about?" and concentrate on activity that really is based on a human at a keyboard. And when we do that: we started with 3 days of wasted time, and now they're up to 30 days of wasted time, and this isn't working days; in working days I put this at 90 working days, so this is three months of real people working that we just wasted in our infrastructure. This is a great way of imposing cost on an attacker and making their day really horrible, and so I'm really proud to see this keep on going up.

Now I've reached basically the end, and I want to leave you with some takeaways. Knowing the attacker is key to stopping the attacker: if you don't understand how the attacker is operating, if you don't understand why
they're doing something the way they're doing it, we don't have a hope of creating adequate defenses against them. Deception is one way of creating an environment that allows the attacker to tell us all this information. Phishers use their browser and they go straight to the inbox and look for your emails, so that's where, if you're a defender, you should put your effort after the breach has occurred. Most compromises actually happen two to three hours after that credential has been lost, so if your anti-phishing training is really, really good and your users know to report something immediately, you might be OK. Two to three hours is an average; obviously some stuff is seconds afterwards, but often these are, as I said, people in front of a TV with a laptop on their legs doing this kind of stuff. It's a race against time between us and them, really. Microsoft is investing in loads of anti-phishing technology and we'll continue to do that, and if you're interested in seeing how we've used AI to build the test data that we fill our Azure honeypot with, you can find the details there. And that is it for me, thank you very much.
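Editor's added example (not code from the talk, from Microsoft, or from SE Haven): the receiving side of the login-page web bug the speaker describes. A tracking pixel in the footer of each honey tenant's sign-in page means a phisher who loads the page but backs away still leaves an IP address, browser details and a Referer. How the `<img>` tag gets onto the page depends on what your sign-in branding lets you customise; this script only handles the hits. The tenant registry, the signing secret and the URL layout (`/p.gif?t=...&s=...`) are assumptions made for this example. The token is HMAC-signed so that anyone who finds the pixel in the page source cannot fill the log with fake hits for tenants they never visited.

```python
import base64
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumptions for this example: one signing secret for the pixel service and a
# registry of honey tenants whose sign-in pages carry the pixel. Load both from
# a secret store in a real deployment.
SIGNING_SECRET = b"replace-me-with-32-random-bytes"
HONEY_TENANTS = {
    "t-001": "contoso-logistics.example",
    "t-002": "fabrikam-dental.example",
}

# Smallest valid 1x1 transparent GIF; this is the body every request receives.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def _sign(tenant_id: str) -> str:
    """Short URL-safe HMAC tag binding a pixel URL to one honey tenant."""
    mac = hmac.new(SIGNING_SECRET, tenant_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


def build_pixel_url(base: str, tenant_id: str) -> str:
    """URL for the <img src=...> placed in the tenant's sign-in page footer.
    The signature stops anyone who reads the page source from polluting the
    log with fake hits for other tenants."""
    return f"{base}/p.gif?t={tenant_id}&s={_sign(tenant_id)}"


def parse_hit(path: str, remote_addr: str, headers, now: Optional[float] = None) -> Optional[dict]:
    """Turn a pixel request into a log record, or None if it is not a valid hit."""
    query = parse_qs(urlparse(path).query)
    tenant = query.get("t", [None])[0]
    sig = query.get("s", [None])[0]
    if tenant not in HONEY_TENANTS or sig is None:
        return None
    if not hmac.compare_digest(sig, _sign(tenant)):
        return None
    # Everything below is leaked simply by rendering the page: source IP,
    # browser fingerprint and, via Referer, the page they were bouncing from.
    return {
        "ts": now if now is not None else time.time(),
        "tenant": tenant,
        "domain": HONEY_TENANTS[tenant],
        "ip": remote_addr,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
        "accept_language": headers.get("Accept-Language", ""),
    }


class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record = parse_hit(self.path, self.client_address[0], self.headers)
        if record is not None:
            # Append-only JSON lines; feed these into the same TI pipeline that
            # consumes the honey tenants' diagnostic logs.
            with open("pixel-hits.jsonl", "a") as fh:
                fh.write(json.dumps(record) + "\n")
        # Always return the pixel so the page renders identically either way.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):
        pass  # keep stderr quiet; the JSON lines file is the record


if __name__ == "__main__":
    print("embed:", build_pixel_url("https://pixel.example", "t-001"))
    HTTPServer(("127.0.0.1", 8080), PixelHandler).serve_forever()
```

Two caveats worth keeping in mind: behind a reverse proxy `client_address` is the proxy, so take the client IP from the header your proxy sets instead; and the pixel fires for everyone who renders the page, so the log is only interesting for tenants that have no legitimate users, which is exactly the honey-tenant case.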
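Editor's added example of the kind of generator the talk describes for SE Haven. This is not SE Haven's code; it is a small stand-in written for this page. Given a company name and domain it produces products, employees with unique UPNs and managers, and a mail corpus in which colleagues, mostly within one department, write to each other about real product names during business hours, with some messages threaded as replies. The vocabulary lists, the 70/30 department split, the 30% reply rate and the 90-day window are constructed assumptions; `validate()` is the sanity check you would run before loading the JSON into Exchange or SharePoint.

```python
import json
import random
from datetime import datetime, timedelta

# Constructed vocabulary for this example; the real tool leans on an LLM for richer content.
FIRST = ["Alice", "Ben", "Chloe", "Dev", "Ella", "Femi", "Grace", "Hamid", "Iris", "Jonas"]
LAST = ["Adams", "Bishop", "Clarke", "Dawson", "Evans", "Farah", "Gill", "Hughes", "Ikeda", "Jones"]
TITLES = ["Account Manager", "Software Engineer", "Finance Analyst", "HR Partner", "Sales Director", "Support Lead"]
DEPTS = ["Sales", "Engineering", "Finance", "HR", "Support"]
PRODUCT_WORDS = ["Fleet", "Route", "Cargo", "Pallet", "Depot", "Manifest", "Cold", "Chain"]
SUBJECTS = ["{product} pricing for Q{q}", "{product} release notes draft",
            "Invoice {inv} for {product} licences", "Customer escalation: {product} outage",
            "{product} roadmap review"]


def _business_slot(t):
    """Move a timestamp forward into 08:00-16:59 on a weekday (used for reply timestamps)."""
    if t.hour >= 17:
        t = (t + timedelta(days=1)).replace(hour=8)
    elif t.hour < 8:
        t = t.replace(hour=8)
    while t.weekday() >= 5:
        t += timedelta(days=1)
    return t


def generate_company(name, domain, n_products=10, n_employees=100, n_emails=500, seed=0,
                     end=datetime(2024, 6, 28, 17, 0)):
    """One fake company: products, employees and a mail corpus that refers to both."""
    assert n_employees >= 2
    rnd = random.Random(seed)  # seeded, so the same inputs rebuild the same tenant

    products = []
    for i in range(n_products):
        a, b = rnd.sample(PRODUCT_WORDS, 2)
        products.append({"id": f"P{i + 1:03d}", "name": f"{a}{b}",
                         "price_gbp": rnd.choice([49, 99, 249, 499, 1200])})

    employees, used = [], set()
    for i in range(n_employees):
        first, last = rnd.choice(FIRST), rnd.choice(LAST)
        alias = f"{first}.{last}".lower()
        if alias in used:  # keep UPNs unique without breaking the naming pattern
            alias = f"{alias}{i}"
        used.add(alias)
        employees.append({"display_name": f"{first} {last}", "upn": f"{alias}@{domain}",
                          "title": rnd.choice(TITLES), "department": rnd.choice(DEPTS),
                          "manager": rnd.choice(employees)["upn"] if employees else None})
    by_upn = {e["upn"]: e for e in employees}
    by_dept = {}
    for e in employees:
        by_dept.setdefault(e["department"], []).append(e)

    emails = []
    for i in range(n_emails):
        if emails and rnd.random() < 0.3:  # 30% of mail is a reply in an existing thread
            parent = rnd.choice(emails)
            sender_upn, recipient_upn, product = parent["to"], parent["from"], parent["product"]
            subject = parent["subject"] if parent["subject"].startswith("Re: ") else "Re: " + parent["subject"]
            in_reply_to = parent["message_id"]
            sent = _business_slot(datetime.fromisoformat(parent["sent"]) + timedelta(minutes=rnd.randint(15, 480)))
        else:
            sender = rnd.choice(employees)
            pool = by_dept[sender["department"]]
            if len(pool) < 2 or rnd.random() > 0.7:  # 30% of new mail crosses departments
                pool = employees
            recipient = rnd.choice([e for e in pool if e["upn"] != sender["upn"]])
            sender_upn, recipient_upn = sender["upn"], recipient["upn"]
            product = rnd.choice(products)["name"]
            subject = rnd.choice(SUBJECTS).format(product=product, q=rnd.randint(1, 4), inv=rnd.randint(10000, 99999))
            in_reply_to = None
            # New mail lands on weekdays between 08:01 and 16:59 in the 90 days before `end`.
            sent = end - timedelta(days=rnd.randrange(90), hours=rnd.randrange(9), minutes=rnd.randrange(1, 60))
            while sent.weekday() >= 5:
                sent -= timedelta(days=1)
        who = by_upn[sender_upn]
        emails.append({"message_id": f"<{i}@{domain}>", "in_reply_to": in_reply_to,
                       "from": sender_upn, "to": recipient_upn, "sent": sent.isoformat(),
                       "subject": subject, "product": product,
                       "body": f"Hi,\n\nFollowing up on {product}. Let me know if the numbers work for you.\n\n"
                               f"Thanks,\n{who['display_name']}\n{who['title']}, {name}"})
    return {"company": {"name": name, "domain": domain}, "products": products,
            "employees": employees, "emails": emails}


def validate(data):
    """Sanity checks to run before loading the JSON into Exchange and SharePoint; empty list means OK."""
    problems = []
    upns = [e["upn"] for e in data["employees"]]
    upn_set, names = set(upns), {p["name"] for p in data["products"]}
    if len(upn_set) != len(upns):
        problems.append("duplicate UPNs")
    sent_by_id = {}
    for m in data["emails"]:
        t = datetime.fromisoformat(m["sent"])
        if m["from"] not in upn_set or m["to"] not in upn_set or m["from"] == m["to"]:
            problems.append(f"{m['message_id']}: bad participants")
        if m["product"] not in names:
            problems.append(f"{m['message_id']}: unknown product")
        if t.weekday() >= 5 or not 8 <= t.hour < 17:
            problems.append(f"{m['message_id']}: sent outside business hours")
        if m["in_reply_to"] is not None and not (m["in_reply_to"] in sent_by_id and sent_by_id[m["in_reply_to"]] < t):
            problems.append(f"{m['message_id']}: reply precedes its parent")
        sent_by_id[m["message_id"]] = t
    return problems


if __name__ == "__main__":
    company = generate_company("Contoso Logistics", "contoso-logistics.example", 10, 1000, 5000, seed=42)
    assert not validate(company)
    with open("contoso-logistics.json", "w") as fh:
        json.dump(company, fh, indent=1)
```

The seed matters operationally: when a honey tenant is retired and a fresh one stood up every two weeks, the same seed with a new name and domain gives a corpus that is internally consistent but textually different from the last one, which is what you want if phishers are comparing tenants.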
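Editor's added example (not the speaker's code) of the wasted-time calculation described in the talk: group diagnostic-log events into sessions, throw out the ones that are not a human at a keyboard, and add up the active time in the rest. The log format (JSON lines with tenant, user, session_id, ip, ts, operation) and the thresholds (30-minute idle gap, 12-hour maximum session, sub-second median interval or metronomic spacing as markers of automation, one minute of credit per session) are assumptions made for this example, and the five sample sessions are constructed.

```python
import json
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not the speaker's values.
IDLE_GAP = timedelta(minutes=30)         # a longer pause is the person walking away; not counted
MAX_HUMAN_SESSION = timedelta(hours=12)  # longer than a working day: token refresh loops, not a person
MIN_HUMAN_INTERVAL = 1.0                 # seconds; nobody sustains sub-second clicks for a whole session
MIN_DWELL = timedelta(minutes=1)         # credit every human session with a minute of attention


def parse_events(lines):
    """JSON-lines diagnostic events -> dicts with a real datetime in 'ts'."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def group_sessions(events):
    """Bucket events by the session id the service logged, oldest first."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["tenant"], ev["user"], ev["session_id"])].append(ev)
    for evs in sessions.values():
        evs.sort(key=lambda e: e["ts"])
    return sessions


def classify(evs):
    """'human', or the reason a session looks automated."""
    if evs[-1]["ts"] - evs[0]["ts"] > MAX_HUMAN_SESSION:
        return "automated:too-long"
    if len(evs) >= 3:
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if statistics.median(gaps) < MIN_HUMAN_INTERVAL:
            return "automated:too-fast"
        if statistics.pstdev(gaps) <= 0.05 * statistics.mean(gaps):
            return "automated:metronomic"  # a scheduler fires on the dot; people do not
    return "human"


def active_time(evs):
    """Time a person was plausibly at the keyboard: gaps shorter than IDLE_GAP, plus MIN_DWELL."""
    total = MIN_DWELL
    for a, b in zip(evs, evs[1:]):
        gap = b["ts"] - a["ts"]
        if gap <= IDLE_GAP:
            total += gap
    return total


def wasted_time(lines):
    """Total human time spent in the honey tenants, with the per-session verdicts."""
    sessions = group_sessions(parse_events(lines))
    verdicts, per_session, human = Counter(), {}, timedelta()
    for key, evs in sessions.items():
        verdict = classify(evs)
        verdicts[verdict] += 1
        if verdict == "human":
            t = active_time(evs)
            human += t
            per_session["|".join(key)] = t.total_seconds()
    return {"human_seconds": human.total_seconds(),
            "working_days": human.total_seconds() / (8 * 3600),
            "sessions": dict(verdicts), "per_session": per_session}


# Constructed sample log: two human sessions, a scripted crawl, a refresh loop and a scheduler.
def _events(tenant, user, session_id, ip, times, op="Get mailbox"):
    return [json.dumps({"tenant": tenant, "user": user, "session_id": session_id, "ip": ip,
                        "ts": t.isoformat().replace("+00:00", "Z"), "operation": op}) for t in times]


T0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)


def _at(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)


SAMPLE_LINES = (
    _events("t-001", "alice@contoso.example", "s1", "203.0.113.5",
            [_at(60), _at(61, 30), _at(64, 10), _at(72, 45), _at(100)])                 # 40 min, irregular
    + _events("t-001", "alice@contoso.example", "s2", "203.0.113.5",
              [_at(240), _at(245), _at(247), _at(390), _at(392), _at(395)])              # long break mid-session
    + _events("t-001", "bob@contoso.example", "s3", "198.51.100.7",
              [T0 + timedelta(seconds=0.5 * i) for i in range(40)], op="List messages")  # script
    + _events("t-001", "bob@contoso.example", "s4", "198.51.100.7",
              [T0 + timedelta(hours=h) for h in range(73)], op="Refresh token")           # 3-day refresh loop
    + _events("t-001", "carol@contoso.example", "s5", "192.0.2.9",
              [_at(30 + i) for i in range(4)])                                            # exactly every 60 s
)

if __name__ == "__main__":
    print(json.dumps(wasted_time(SAMPLE_LINES), indent=2))
```

On the sample, only Alice's two sessions count: 41 minutes for the first and 13 minutes for the second (the two-hour-plus gap is dropped), 54 minutes in all. The script, the three-day refresh loop and the metronomic session are excluded before anything is summed, which is the "rule out what isn't human" step the talk describes; the working-days figure is simply human hours divided by eight.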