How Microsoft outplays scammers with clever virtual 'honeypot' traps
Earlier this year at the BSides Exeter security conference, Microsoft security software engineer Ross Bevington — the company’s self-proclaimed “Head of Deception” — described the exciting process by which Microsoft tricks scammers and prevents phishing attacks.
As reported by BleepingComputer, Microsoft uses realistic “honeypot tenants” with access to Azure to attract cyber criminals. The company then collects data about their attack patterns in these virtual honeypots to gain a deeper understanding of how sophisticated phishing operations work and how to better mitigate criminal campaigns.
Related: Common phishing scam types to be aware of
Bringing the honeypots to scammers
In his presentation, Ross Bevington cited Microsoft’s now-retired code.microsoft.com website as an example of one such honeypot that was used to collect data on all kinds of attackers, from individual actors to state-sponsored groups targeting Microsoft’s infrastructure.
To make the honeypots as realistic as possible, Bevington and his team ensured that all kinds of activity took place within them, even going as far as creating thousands of artificial user accounts that communicated with each other and shared files without adequate protection.
While the concept of a honeypot isn’t new, Microsoft cleverly took these honeypots to the hackers instead of simply waiting for them, and they did this by having the fake user accounts actively visit websites that are widely recognized as phishing threats. This brought the user accounts to the attention of scammers, drawing them to the honeypots.
Related: Antivirus and security terms you need to know
The success rate of the honeypots
According to Microsoft, the company monitors 25,000 phishing websites every day, and 20 percent of these are fed with access data for the honeypot to gather important insights into cybercriminal behaviors.
Of the lured attackers, around 5 percent fall into the honeypot trap and end up being tracked and logged by Microsoft at every turn. On average, it takes around 30 days for attackers to realize they’ve landed in a fake environment and have no access to any real user data.
According to Bevington, Microsoft wasn’t only able to lure smaller players into its honeypot, but also “big fish” like the Russian hacker group Midnight Blizzard (NOBELIUM). Because of this, the company is able to develop stronger strategies against phishing attempts of all kinds.
Further reading: Watch out for these online banking scams
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.