Microsoft's Deceptive Honeypots Trap Phishers: Insights from BSides Exeter
October 21, 2024
At the recent BSides Exeter conference, Ross Bevington, a principal security software engineer at Microsoft, delivered a presentation titled 'Turning the Tables: Using Cyber Deception to Hunt Phishers At Scale.'
This event is part of the broader BSides conference series, which fosters community-driven discussions and education in cybersecurity.
During his talk, Bevington discussed innovative strategies to combat phishing attacks, emphasizing the use of cyber deception techniques.
He highlighted the creation of a 'hybrid high interaction honeypot' on the retired code.microsoft.com domain, which now serves as a central tool in Microsoft's deception strategy.
Once inside, attackers often spend time searching for signs of deception, and on average it takes them about 30 days to realize they are in a fake environment; Microsoft records their activity throughout that period.
The data collected from these interactions helps Microsoft map malicious infrastructure, disrupt phishing campaigns, and identify cybercriminals.
In addition to these tactics, Microsoft monitors around 25,000 phishing sites daily, feeding about 20% of them with honeypot credentials while blocking the rest with anti-bot mechanisms.
These honeypot credentials are deliberately not protected by two-factor authentication, so attackers who harvest them can log straight into the fake tenants.
Intelligence gathered includes details such as IP addresses, browsers used, geographical locations, and the phishing kits utilized by the attackers.
Bevington stressed the importance of proactive defense measures in the ever-evolving landscape of cybersecurity threats.
Microsoft employs deception techniques that utilize entire tenant environments as honeypots, complete with custom domain names and thousands of realistic user accounts.
When attackers log into these fake tenants, which happens about 5% of the time, Microsoft records their actions to gain insights into their tactics, techniques, and procedures.
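The two mechanisms described above, seeding decoy credentials into phishing sites and then recording who uses them against a fake tenant, only yield intelligence if each sign-in can be traced back to the site that harvested the credential. The following is an added, illustrative example of that correlation step, written for this article and not Microsoft's own tooling; the tenant domain, secret key, phishing URLs and sign-in records are all constructed, and the record fields are only loosely modeled on a cloud sign-in log.

```python
"""Seed one decoy identity per phishing site, then attribute later sign-ins
to the decoy tenant back to that site. Illustrative code for this article;
every name, key and record below is constructed for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption: one secret per deployment so decoy usernames are not guessable
# by an operator who has seen many of them.
SEED_KEY = b"constructed-example-key-rotate-in-practice"
TENANT_DOMAIN = "example-decoy-tenant.com"  # constructed, not a real tenant
T0 = datetime(2024, 10, 1, 9, 0, tzinfo=timezone.utc)  # constructed seeding time

FIRST_NAMES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
LAST_NAMES = ["nguyen", "okafor", "schmidt", "rossi", "patel", "kowalski", "mendes", "yamada"]


@dataclass(frozen=True)
class Decoy:
    username: str
    password: str
    phishing_site: str
    seeded_at: datetime


class DecoyTracker:
    """Issues a realistic-looking decoy account per phishing site and keeps the mapping."""

    def __init__(self, key: bytes = SEED_KEY, domain: str = TENANT_DOMAIN):
        self._key = key
        self._domain = domain
        self._by_user: Dict[str, Decoy] = {}

    def seed(self, phishing_site: str, when: datetime) -> Decoy:
        # HMAC(site) picks a plausible name, so the same site always gets the
        # same decoy and any later use of it attributes to that site. A name
        # collision between two different sites is resolved by re-deriving.
        for attempt in range(100):
            digest = hmac.new(self._key, f"{phishing_site}|{attempt}".encode(), hashlib.sha256).digest()
            first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
            last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
            suffix = int.from_bytes(digest[2:4], "big") % 100
            username = f"{first}.{last}{suffix:02d}@{self._domain}"
            existing = self._by_user.get(username)
            if existing is None:
                # Random password per issuance; the decoy account it unlocks has
                # no second factor, so the phisher can actually get in.
                decoy = Decoy(username, secrets.token_urlsafe(12), phishing_site, when)
                self._by_user[username] = decoy
                return decoy
            if existing.phishing_site == phishing_site:
                return existing
        raise RuntimeError("decoy name pool exhausted; enlarge the name lists")

    def correlate(self, event: dict) -> Optional[dict]:
        """Map one decoy-tenant sign-in record to the phishing site that
        harvested the credential; None for accounts that are not decoys."""
        decoy = self._by_user.get(event.get("user", "").lower())
        if decoy is None:
            return None
        seen = datetime.fromisoformat(event["time"])
        return {
            "phishing_site": decoy.phishing_site,
            "decoy_user": decoy.username,
            "attacker_ip": event.get("ip"),
            "user_agent": event.get("user_agent"),
            "country": event.get("country"),
            "hours_after_seeding": round((seen - decoy.seeded_at).total_seconds() / 3600, 1),
        }


def build_intel(tracker: DecoyTracker, events: List[dict]) -> Dict[str, List[dict]]:
    """Group correlated sign-ins by phishing site: which operators came back
    to use what they harvested, from where, with what client, and how fast."""
    intel: Dict[str, List[dict]] = {}
    for ev in events:
        hit = tracker.correlate(ev)
        if hit is not None:
            intel.setdefault(hit["phishing_site"], []).append(hit)
    return intel


def demo() -> Dict[str, List[dict]]:
    """Constructed scenario: decoys seeded into three phishing sites; one
    operator returns twice, one once, one never, plus an unrelated sign-in."""
    tracker = DecoyTracker()
    sites = ["https://login-micros0ft-verify.example/",
             "https://secure-mailbox-update.example/",
             "https://hr-portal-payroll.example/"]
    decoys = [tracker.seed(s, T0) for s in sites]
    events = [  # constructed records, loosely modeled on a cloud sign-in log
        {"time": "2024-10-01T14:30:00+00:00", "user": decoys[0].username, "ip": "203.0.113.7",
         "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "country": "NG"},
        {"time": "2024-10-03T02:10:00+00:00", "user": decoys[0].username.upper(), "ip": "198.51.100.23",
         "user_agent": "python-requests/2.31", "country": "RU"},
        {"time": "2024-10-02T11:00:00+00:00", "user": decoys[2].username, "ip": "192.0.2.44",
         "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "country": "BR"},
        {"time": "2024-10-02T11:05:00+00:00", "user": f"real.person@{TENANT_DOMAIN}", "ip": "192.0.2.45",
         "user_agent": "Mozilla/5.0", "country": "US"},
    ]
    return build_intel(tracker, events)


if __name__ == "__main__":
    for site, hits in demo().items():
        print(site)
        for h in hits:
            print("  ", h["attacker_ip"], h["country"], h["user_agent"], f"{h['hours_after_seeding']}h after seeding")
```

The point of deriving the username from the phishing URL is that a single sign-in is enough to attribute the operator to a specific kit deployment; the time between seeding and first use, the source IP and the client string are exactly the kinds of details the talk lists as collected intelligence. Usernames are lowercased before lookup because attackers frequently replay harvested credentials with altered case.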
Summary based on 2 sources