
Microsoft’s Honeypot Strategy: Luring and Trapping Cybercriminals for Deeper Insight

At the BSides Exeter security conference earlier this year, Microsoft’s security engineer Ross Bevington, who refers to himself as the “Head of Deception” within the company, shed light on an ingenious strategy designed to thwart phishing attacks and improve cybersecurity efforts. This innovative approach revolves around the use of “honeypot tenants,” sophisticated virtual environments that mimic real Azure infrastructure. These virtual traps are designed to attract cybercriminals, particularly those involved in phishing, allowing Microsoft to gather critical intelligence on their tactics, techniques, and procedures (TTPs).

The honeypots work by drawing in scammers, allowing Microsoft to study how these criminals operate within an environment that appears to be a legitimate target. Bevington explained that the concept of honeypots isn’t new — they have been used in cybersecurity for years as decoy systems designed to attract malicious actors. However, Microsoft has taken this concept one step further by not only waiting for attackers to come across the honeypots but actively bringing them to the traps. This proactive strategy involves feeding artificial user accounts with activity that mimics real human behavior, causing scammers to target these accounts, assuming they are legitimate.

Bevington provided insight into how realistic these honeypots are. He cited Microsoft’s now-retired code.microsoft.com website as an example of one such decoy system. The fake environment was populated with thousands of synthetic user accounts that communicated with each other, shared files, and conducted activity in a manner that closely mirrored the behavior of real users. To make it even more convincing, these accounts were actively directed to visit phishing websites — making them more likely to attract the attention of cybercriminals.

The effectiveness of this honeypot strategy is highlighted by the data Microsoft collects. The company monitors over 25,000 phishing websites every single day, feeding 20% of these sites with fake credentials and access data specifically designed to lure attackers. Once the criminals attempt to exploit these systems, about 5% fall into the trap and are then tracked by Microsoft’s security team. The best part? These attackers remain unaware for an average of 30 days, during which time Microsoft collects data on their every move.
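The seeding-and-tracking loop described above can be sketched from the defender's side. This is an added example, not code from the talk or from Microsoft: it derives a unique decoy username for each phishing site, then attributes later sign-ins on those decoy accounts back to the site that harvested them. The key, domain, function names, URLs and log records are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime

SEED_KEY = b"constructed-demo-key"     # assumption: secret held by the deception team
DECOY_DOMAIN = "decoy-tenant.example"  # assumption: domain of the honeypot tenant

def mint_honeytoken(phish_url: str) -> str:
    """Derive a unique decoy username per phishing site, so a later
    sign-in with it identifies which site harvested the credential."""
    tag = hmac.new(SEED_KEY, phish_url.encode(), hashlib.sha256).hexdigest()[:10]
    return f"user-{tag}@{DECOY_DOMAIN}"

def correlate(signins, seeded_urls):
    """Attribute sign-ins on decoy accounts back to the seeding site.
    Returns {phish_url: {"ips", "first", "last", "dwell_days"}}."""
    registry = {mint_honeytoken(u): u for u in seeded_urls}
    hits = {}
    for ev in signins:
        url = registry.get(ev["user"].lower())  # usernames are case-insensitive
        if url is None:
            continue  # not a decoy account; out of scope for this detector
        ts = datetime.fromisoformat(ev["ts"])
        h = hits.setdefault(url, {"ips": set(), "first": ts, "last": ts})
        h["ips"].add(ev["ip"])
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
    for h in hits.values():
        # Time between first and last observed use of the decoy credential.
        h["dwell_days"] = (h["last"] - h["first"]).days
    return hits

# Constructed sample data: .example hosts and RFC 5737 documentation IPs.
SEEDED = ["https://login-portal.example/a", "https://mail-verify.example/b"]
SIGNINS = [
    {"ts": "2024-03-01T09:00:00", "user": mint_honeytoken(SEEDED[0]), "ip": "203.0.113.7"},
    {"ts": "2024-03-02T11:30:00", "user": "alice@corp.example", "ip": "198.51.100.4"},
    {"ts": "2024-03-31T09:00:00", "user": mint_honeytoken(SEEDED[0]).upper(), "ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for url, h in correlate(SIGNINS, SEEDED).items():
        print(url, sorted(h["ips"]), f"observed for {h['dwell_days']} days")
```

Because each decoy username is used nowhere else, any sign-in that presents it is a high-confidence signal, and the per-site tag shows which phishing page the credential came from.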

One of the key takeaways from Bevington’s presentation was the success of the honeypots in attracting not just smaller attackers but even some of the most notorious cybercriminal groups. For example, the Russian hacker group Midnight Blizzard (also known as NOBELIUM), which is responsible for some of the most high-profile cyberattacks in recent years, has been tricked into interacting with these honeypots. This allows Microsoft to gather invaluable intelligence on advanced persistent threats (APTs) and other sophisticated phishing operations, enabling it to refine its strategies and improve defenses against phishing attacks on a global scale.