Microsoft Uses Honeypot Tactics To Outmaneuver Cybercriminals


Deception is critical to the malevolent activity of black hat hackers, but, as Microsoft recently showed, it can also be a powerful weapon against them.

At a BSides event earlier this year in Exeter, England, the software maker’s “head of deception,” Ross Bevington, described an ambitious project that lured cybercriminals into realistic-looking honeypot tenants with access to Microsoft’s Azure cloud to gather intelligence about them and disrupt their operations.

According to Microsoft, it monitors some 25,000 phishing sites daily and feeds about 20% of them with honeypot credentials. Once an attacker logs into the fake tenant, their every action is logged, allowing Microsoft to learn the threat actor's tactics, techniques, and procedures (TTPs).

“I worked for Microsoft for 11 years and deployed deception technology for some of its customers and was involved in internal projects that used deception technologies. As far as I can tell from the very limited details, this seems to be a large-scale deception project,” said Roger Grimes, a defense evangelist for KnowBe4, a security awareness training provider in Clearwater, Fla.

“Most deception projects involve one or a few deception endpoints,” he told TechNewsWorld. “This one seems to involve a bunch of fake tenants with hundreds of fake users and simulated content. That’s pretty big as far as deception projects go.”

Playing Mind Games With Baddies

“During Microsoft’s presentation at BSides, one thing caught my eye: the fake Azure tenants being used to map the infrastructure of the phishing schemes,” added Chris Dukich, founder of Display Now, a digital signage company in Boston.

“That is a new level of deception that gives Microsoft the benefit of being able to gather intelligence on phishers around the world and neutralize them before they deploy their attacks en masse,” he told TechNewsWorld.

Stephen Kowski, field CTO at SlashNext, a computer and network security company in Pleasanton, Calif., noted that Microsoft’s approach of using fake Azure tenants represented an innovative shift in deception tactics.

“By leveraging their cloud infrastructure, they’ve created a more scalable and dynamic honeypot environment,” he told TechNewsWorld. “This method allows for real-time monitoring and analysis of attacker behavior within a controlled, yet realistic, cloud ecosystem, providing deeper insights into sophisticated phishing operations.”

In addition to explaining its honeypot scheme, the BSides session may have had another purpose for Microsoft. “Deception technology isn’t something defenders often talk about,” said Casey Ellis, founder and advisor of San Francisco-based Bugcrowd, which operates a crowdsourced bug bounty platform. “A part of its utility comes from the fact that it looks exactly like a live system, so the typical deployment approach is a silent one.”

“By announcing that they are doing this, Microsoft is playing a bit of a mind game with the bad guys,” he told TechNewsWorld.

Deception Tactic Not for Everyone

As Microsoft has illustrated, deception can be an effective tool for thwarting digital desperadoes, but it isn’t for everyone. “Deception tactics do take quite a few resources,” acknowledged Vaclav Vincalek, a virtual CTO and founder of 555vCTO, in Vancouver, British Columbia, Canada.

“It needs to be properly set up, and then you need manpower to monitor it,” he told TechNewsWorld. “And, of course, the question is, what do you do with the information?”

Grimes agreed. “The average organization just doesn’t have the time to do these types of research activities and, in general, when deception technologies are used, they are used for early warning to quicken incident response and reduce costs and downtime.”

Some of those manpower concerns could be addressed through the use of artificial intelligence.

“Creating realistic or convincing deceptive environments becomes an ideal task to employ large language model AI, as one needs to be able to populate a number of individual accounts all interacting with each other, with a backlog of historical communication between them for threat actors to search through,” Daniel Blackford, director of threat research at Proofpoint, an enterprise security company, in Sunnyvale, Calif., told TechNewsWorld.

Grimes praised Microsoft and other big organizations for doing the hard work of using deception for research and learning and then using the lessons learned to improve defenses that benefit everyone.

“As much as I love deception technologies in general, mitigating phishing isn’t the best use case for the average organization,” he added, “but as Microsoft is using it — where they are learning what are the current and latest tools, techniques and tricks — it’s a great tool.”

Fighting Phishing

While using deception to fight phishing may not be in the cards for every organization, it can be a potent weapon for those who choose to deploy it for that purpose.

“Deception can be a powerful tool against phishing, utilizing fake assets — like decoy emails, websites or credentials — to mislead attackers into revealing their tactics without compromising real data,” said Shawn Loveland, a cybersecurity expert with Resecurity, a global enterprise and government cybersecurity company.

“By using these methods, organizations engage phishers in controlled settings, enabling security teams to detect and analyze phishing attempts in real-time,” he told TechNewsWorld. “This diverts threats from genuine targets while collecting intelligence on phishing tactics.”

“Additionally,” Loveland continued, “simulated phishing campaigns train users and internal monitoring systems to recognize and resist actual attacks, enhancing overall security.”
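Microsoft's scheme (credentials seeded into phishing sites, then every login to the decoy account logged) and the decoy credentials Loveland describes rest on the same detection rule: no legitimate user ever authenticates as a honeytoken account, so any attempt, successful or failed, is an attacker testing a captured lure. The script below is an added example, not Microsoft's or Resecurity's code, that applies that rule to a sign-in log and turns the hits into a per-source summary of what the phisher did and how quickly. The log schema, field names, account names, campaign identifiers, timestamps and IP addresses are all constructed assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Honeytoken accounts deliberately leaked to phishing sites (constructed).
# Each maps to the lure that received it and the time it was seeded, so a
# sign-in can be attributed to a campaign and timed against the leak.
# Account names and campaign identifiers are assumptions for illustration.
HONEYTOKENS = {
    "finance.decoy@contoso-decoy.example": {
        "campaign": "phish-site-0417", "seeded_at": "2024-10-01T07:00:00Z"},
    "hr.decoy@contoso-decoy.example": {
        "campaign": "phish-site-0932", "seeded_at": "2024-09-30T18:00:00Z"},
}

# Constructed JSON-lines sign-in log in an assumed, simplified schema:
# one real user, two successful honeytoken logins from one source, and a
# failed attempt against a second honeytoken from another source.
SAMPLE_SIGNIN_LOG = """
{"ts": "2024-10-01T08:02:11Z", "user": "alice@contoso.example", "ip": "203.0.113.5", "ua": "Mozilla/5.0 (Windows NT 10.0)", "app": "Outlook", "result": "success"}
{"ts": "2024-10-01T09:14:02Z", "user": "Finance.Decoy@contoso-decoy.example", "ip": "198.51.100.77", "ua": "python-requests/2.31", "app": "Graph Explorer", "result": "success"}
{"ts": "2024-10-01T09:14:40Z", "user": "finance.decoy@contoso-decoy.example", "ip": "198.51.100.77", "ua": "python-requests/2.31", "app": "Exchange Online PowerShell", "result": "success"}
{"ts": "2024-10-01T11:30:00Z", "user": "hr.decoy@contoso-decoy.example", "ip": "192.0.2.9", "ua": "curl/8.4.0", "app": "Azure Portal", "result": "failure"}
"""


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_signin_log(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_honeytoken_hits(events, honeytokens=HONEYTOKENS):
    """Return every attempt, successful or not, to sign in as a honeytoken.

    Failed attempts count too: the account exists only to be stolen, so even
    a wrong password against it means someone is trying the captured lure.
    """
    hits = []
    for event in events:
        user = event["user"].lower()  # usernames are case-insensitive
        meta = honeytokens.get(user)
        if meta is None:
            continue
        hits.append({
            "ts": event["ts"], "user": user, "campaign": meta["campaign"],
            "ip": event["ip"], "ua": event["ua"], "app": event["app"],
            "result": event["result"],
            # How long the phisher took to try the credential after capture.
            "seconds_since_seed": int(
                (_ts(event["ts"]) - _ts(meta["seeded_at"])).total_seconds()),
        })
    return hits


def profile_actors(hits):
    """Group honeytoken hits by source IP into a per-actor TTP summary."""
    actors = {}
    for hit in hits:
        actor = actors.setdefault(hit["ip"], {
            "campaigns": set(), "user_agents": set(), "apps": [],
            "attempts": 0, "successes": 0,
            "first_seen": hit["ts"], "last_seen": hit["ts"],
        })
        actor["campaigns"].add(hit["campaign"])
        actor["user_agents"].add(hit["ua"])
        actor["attempts"] += 1
        if hit["result"] == "success":
            actor["successes"] += 1
            if hit["app"] not in actor["apps"]:  # keep order of first use
                actor["apps"].append(hit["app"])
        # Timestamps share one zero-padded format, so string order is time order.
        actor["first_seen"] = min(actor["first_seen"], hit["ts"])
        actor["last_seen"] = max(actor["last_seen"], hit["ts"])
    return actors


if __name__ == "__main__":
    events = parse_signin_log(SAMPLE_SIGNIN_LOG)
    hits = find_honeytoken_hits(events)
    for hit in hits:
        print(f"ALERT honeytoken {hit['user']} ({hit['campaign']}) from {hit['ip']} "
              f"{hit['result']} via {hit['app']} {hit['seconds_since_seed']}s after seeding")
    for ip, actor in profile_actors(hits).items():
        print(ip, actor)
```

Two details matter in practice: the username is normalised before lookup, because identity providers treat it case-insensitively and an attacker will often retype it; and the summary keeps the order in which applications were used, since that sequence (a Graph query first, then a mailbox-management shell) is exactly the TTP material a deception program is run to collect.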

Kowski added that phishing remains a significant threat to organizations as it evolves and adapts to new security measures. “BEC [Business Email Compromise] innovation has waned, and instead, we’ve seen a rise of multi-channel 3D phishing attacks. Threat actors are innovating and exploiting trusted services like OneDrive, Dropbox, and GitHub to deliver malicious emails,” he said. “This shift in tactics makes phishing a persistent and growing concern for organizations.”

“Phishing is and will continue to be one of the most significant threats individuals and organizations face,” Loveland added. “The new AI-powered phishing tools, combined with personal data available to phishers, will fundamentally change things in the phishers’ favor.”

For organizations that do use deception to combat phishing attacks, Vincalek gave this advice: “Deception really works best when organizations combine the strategy with other security measures. Businesses shouldn’t rely on deception alone to combat all phishing attacks.”

Grimes added: “If you use deception technologies, make sure to customize them so that they mimic your real environment. For example, if you use Microsoft Windows primarily in your environment, you want your deception technologies to look like Windows, using the same default services and network ports.”

“A common mistake new deception technology users make,” he explained, “is to put out deception technologies that don’t appear natural in their environment, advertising the wrong services and ports for what the company really uses.”
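As a worked illustration of that advice (an added example, not code from Grimes, KnowBe4 or the article), the script below compares a decoy's advertised operating system, open ports and service banners against a baseline built from the production inventory and lists everything that would make it look out of place to an attacker scanning the network. The inventory, the two decoy fingerprints, the thresholds and the banner-to-OS hint table are constructed assumptions.

```python
from collections import Counter

# Constructed production inventory: the OS of each host and the TCP ports
# it exposes. Hostnames and port sets are assumptions for illustration.
PRODUCTION_HOSTS = [
    {"host": "ws-001", "os": "windows", "ports": {135, 139, 445, 3389}},
    {"host": "ws-002", "os": "windows", "ports": {135, 139, 445, 3389}},
    {"host": "fs-001", "os": "windows", "ports": {135, 139, 445, 5985}},
    {"host": "lnx-bastion", "os": "linux", "ports": {22}},
]

# Constructed decoy candidates: one tuned to look like the fleet, one that
# advertises a grab-bag of services no production host here runs.
DECOYS = {
    "decoy-good": {"os": "windows", "ports": {135, 139, 445, 3389},
                   "banners": {445: "Windows Server 2019 Standard"}},
    "decoy-bad": {"os": "linux", "ports": {21, 22, 23, 80, 445, 3306},
                  "banners": {22: "OpenSSH_9.6", 445: "Samba 4.18.2"}},
}

# Substrings in service banners that give away the underlying OS (assumed list).
BANNER_OS_HINTS = {"OpenSSH": "linux", "Samba": "linux",
                   "Windows": "windows", "Microsoft-IIS": "windows"}


def build_baseline(hosts):
    """Summarise the fleet: OS mix, per-port exposure rate, largest port footprint."""
    n = len(hosts)
    os_counts = Counter(h["os"] for h in hosts)
    port_counts = Counter(p for h in hosts for p in h["ports"])
    return {
        "dominant_os": os_counts.most_common(1)[0][0],
        "os_share": {os_: c / n for os_, c in os_counts.items()},
        "port_freq": {p: c / n for p, c in port_counts.items()},
        "max_ports": max(len(h["ports"]) for h in hosts),
    }


def infer_os_from_banner(banner):
    """Map a service banner to the OS it implies, or None if it gives nothing away."""
    for hint, os_ in BANNER_OS_HINTS.items():
        if hint in banner:
            return os_
    return None


def assess_decoy(decoy, baseline, rare_threshold=0.25, common_threshold=0.5):
    """Return the ways a decoy would look out of place next to the real fleet."""
    findings = []
    dom = baseline["dominant_os"]
    if decoy["os"] != dom:
        findings.append(f"OS is {decoy['os']} but "
                        f"{baseline['os_share'][dom]:.0%} of the fleet is {dom}")
    # Ports fewer than rare_threshold of real hosts expose are a tell.
    rare = sorted(p for p in decoy["ports"]
                  if baseline["port_freq"].get(p, 0) < rare_threshold)
    if rare:
        findings.append(f"advertises ports rare or absent in the fleet: {rare}")
    # So is missing the services most real hosts do expose.
    missing = sorted(p for p, f in baseline["port_freq"].items()
                     if f >= common_threshold and p not in decoy["ports"])
    if missing:
        findings.append(f"lacks ports most fleet hosts expose: {missing}")
    # A host with more services than anything real is the classic honeypot look.
    if len(decoy["ports"]) > baseline["max_ports"]:
        findings.append(f"exposes {len(decoy['ports'])} ports; no real host "
                        f"exposes more than {baseline['max_ports']}")
    # Banners that contradict the fleet's OS undo the rest of the disguise.
    for port, banner in decoy.get("banners", {}).items():
        implied = infer_os_from_banner(banner)
        if implied and implied != dom:
            findings.append(f"banner on port {port} ({banner!r}) implies "
                            f"{implied}, fleet is {dom}")
    return {"plausible": not findings, "findings": findings}


if __name__ == "__main__":
    baseline = build_baseline(PRODUCTION_HOSTS)
    for name, decoy in DECOYS.items():
        verdict = assess_decoy(decoy, baseline)
        print(name, "plausible" if verdict["plausible"] else "stands out")
        for finding in verdict["findings"]:
            print("  -", finding)
```

Run before a decoy goes live and again after any fleet change: the baseline drifts as production images are updated, and a decoy that was convincing against last year's inventory can become the only host still advertising a retired service.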
