In multiple incident investigations, Microsoft Threat Intelligence has observed threat actors gain meaningful access without deploying malware or exploiting a vulnerability. The decisive activity occurs before any payload appears, as operators manipulate targets into granting access through support pretexts, manipulated workflows, or credential capture on attacker infrastructure. This places the intrusion outside the visibility of detection built around malicious code.

Storm-1811 illustrates the technique. The actor generated urgency through email bombing, then posed as IT or help desk support offering to remediate the disruption it had created, and used that pretext to direct targets toward granting remote control of their devices through legitimate tooling. A routine support interaction became hands-on-keyboard access, achieved by manipulating an established trust relationship rather than the endpoint itself. https://lnkd.in/eqjyeDui

AI is making this tradecraft more scalable and more convincing. Microsoft Threat Intelligence is tracking a growing number of campaigns that impersonate trusted AI platforms as a lure for credential and token theft. One campaign used acceptable use policy enforcement lures, routing users through an AiTM flow that captured credentials and active access tokens sufficient to bypass MFA and ride a valid session. Others abused popular AI service brands at the scale of 100,000 emails in a single day, with the impersonated brand shifting to whatever platform users currently trust: https://lnkd.in/eV6fBxfy

The attack surface extends beyond software vulnerabilities and malware delivery. When attackers gain access through manipulation, defenders need visibility into the identities, accounts, and authentication events that enable the intrusion.
To ground a detection model in identity and access, see Microsoft's identity-first security best practices: https://lnkd.in/gbApiF-r
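The AiTM pattern described above leaves a seam in authentication telemetry: the session is created by an interactive, MFA-satisfied sign-in that the identity provider sees coming from the proxy, and is then used non-interactively from wherever the operator imports the captured token. The following Python is an added example (not Microsoft's code and not from the linked articles) of a detection that looks for that seam. It assumes a constructed JSON-lines log schema with fields ts, user, session_id, ip, user_agent, interactive and mfa; the field names and the sample events are inventions for illustration, not a real product's schema.

```python
"""Added example: flag an AiTM-style session replay in authentication events.

An 'anchor' is the first interactive, MFA-satisfied sign-in for a session id.
Any later non-interactive use of that session within a time window whose IP or
user agent differs from the anchor is reported with the reasons.

The JSON field names below are an assumed log schema, not a real product's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive: bool   # user actually authenticated (vs. token/cookie reuse)
    mfa: bool           # MFA was satisfied on this event


def parse_event(line: str) -> AuthEvent:
    """Parse one constructed JSON log line into an AuthEvent."""
    r = json.loads(line)
    return AuthEvent(
        ts=datetime.fromisoformat(r["ts"]),
        user=r["user"],
        session_id=r["session_id"],
        ip=r["ip"],
        user_agent=r["user_agent"],
        interactive=bool(r["interactive"]),
        mfa=bool(r["mfa"]),
    )


def find_session_replays(lines, window=timedelta(hours=24)):
    """Return one alert dict per session reused from a new IP or user agent."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    anchors = {}   # session_id -> the MFA-satisfied sign-in that created it
    alerts = []
    for e in events:
        if e.interactive and e.mfa:
            anchors.setdefault(e.session_id, e)
            continue
        a = anchors.get(e.session_id)
        if a is None or e.ts - a.ts > window:
            continue   # no MFA anchor to compare against, or outside the window
        reasons = []
        if e.ip != a.ip:
            reasons.append("ip_change")
        if e.user_agent != a.user_agent:
            reasons.append("user_agent_change")
        if reasons:
            alerts.append({
                "user": e.user,
                "session_id": e.session_id,
                "anchor_ip": a.ip,
                "replay_ip": e.ip,
                "minutes_after_mfa": int((e.ts - a.ts).total_seconds() // 60),
                "reasons": reasons,
            })
    return alerts


# Constructed sample log. The documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24 stand in for an AiTM proxy and the operator's own host.
SAMPLE_LOG = [
    # Normal session: MFA from the office, later token use from the same place.
    '{"ts":"2024-05-01T08:02:00","user":"alice","session_id":"s-100","ip":"192.0.2.10",'
    '"user_agent":"Edge/124","interactive":true,"mfa":true}',
    '{"ts":"2024-05-01T09:30:00","user":"alice","session_id":"s-100","ip":"192.0.2.10",'
    '"user_agent":"Edge/124","interactive":false,"mfa":false}',
    # Phished session: MFA completed through the proxy (which forwards the victim's
    # browser user agent), then the captured token is replayed from elsewhere.
    '{"ts":"2024-05-01T10:15:00","user":"alice","session_id":"s-200","ip":"203.0.113.7",'
    '"user_agent":"Edge/124","interactive":true,"mfa":true}',
    '{"ts":"2024-05-01T10:21:00","user":"alice","session_id":"s-200","ip":"198.51.100.9",'
    '"user_agent":"Chrome/124","interactive":false,"mfa":false}',
    # Token use with no MFA anchor in the log: nothing to compare against.
    '{"ts":"2024-05-01T11:00:00","user":"bob","session_id":"s-300","ip":"192.0.2.55",'
    '"user_agent":"Edge/124","interactive":false,"mfa":false}',
]


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run as a script it prints a single alert for session s-200, anchored at the proxy IP and replayed from the operator host six minutes later. Two caveats a practitioner should carry into a real deployment: a raw IP change is noisy (mobile users, VPN egress, split tunnelling), so production logic correlates on ASN, device identity or token binding rather than the bare address; and a session whose MFA step never appears in the log (for example one established before the collection window, or with MFA satisfied by a claim in a reused token) has no anchor and is not assessed by this heuristic at all.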
In today’s security landscape, some of the most damaging intrusions don’t start with malware. Instead, they start with identity abuse, social engineering, insider bribery, and access gained through trust.

And we've already seen this play out at scale. Strawberry Tempest breached some of the most protected organizations in the world. Octo Tempest matured this approach into full ransomware operations. Storm-1811 convinced users to hand over remote control through Quick Assist.

What connects these actors isn't a shared toolset, it's a shared insight: human support processes and identity infrastructure can be a greater point of leverage than software vulnerabilities.

That reality forces a shift in detection practices. It’s no longer just about malicious code. The compromise may begin as a phone call, a text, a fake support interaction, or a trusted workflow turned against us. Trust has become the attack path.

If your detection model is moving toward identity and behavior, Microsoft's identity-first security best practices will help ground your approach: https://lnkd.in/ekK6SZkE

#MSFTHotCybercrimeSummer #MicrosoftSecurity #ThreatIntelligence