Microsoft creates fake Azure tenants to pull phishers into honeypots
Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.
With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.
The tactic and its damaging effect on phishing activity was described at BSides Exeter conference by Ross Bevington, a principal security software engineer at Microsoft calling himself Microsoft's "Head of Deception."
Bevington created a "hybrid high interaction honeypot" on the now retired code.microsoft.com to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure.
Currently, Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing.
