How Microsoft Incident Response and Microsoft Defender for Identity Collaborate to Combat Cyberthreats

In 2023, identity-based cyberthreats surged dramatically, with phishing, ransomware, and other attacks increasing tenfold. Bad actors are constantly evolving, making their techniques more sophisticated, overwhelming, and convincing. From the perspective of employees, every ping, click, and notification can lead to alert fatigue, resulting in a higher risk of falling victim to cyberattacks. In this post, we’ll examine a real-life human-operated ransomware attack that started with a single malicious link in an email. We’ll also explain how Microsoft Incident Response collaborated with security and identity teams to help a customer eliminate the threat and build resilience for future incidents.

One Click, One Threat Actor

Half of Microsoft’s cybersecurity recovery engagements involve ransomware, and 61% of all breaches stem from compromised credentials. Identity attacks remain a persistent challenge because humans are often the weakest link in social engineering attacks. People click on links and open attachments out of habit, providing cybercriminals with easy entry points. Even when employees recognize phishing attempts, they can still fall victim to drive-by URL attacks. In this case, a single click on a malicious link prompted a large organization to reach out to Microsoft Incident Response for assistance.

The malicious link infected the user’s device with Qakbot, a modular malware that has been evolving for over a decade. Qakbot offers attackers a range of capabilities, making it especially dangerous. Once the attacker gained persistence in the network, they appeared ready to deploy ransomware, leaving the organization’s IT and security staff overwhelmed. That’s when they called Microsoft.

Your First Call: Before, During, and After a Cybersecurity Incident

Microsoft Incident Response stepped in and deployed Microsoft Defender for Identity, a cloud-based solution designed to detect and respond to identity-related threats. By integrating identity monitoring early in the incident response process, Microsoft helped the overwhelmed security team regain control. This initial step allowed the team to determine the scope of the incident, protect critical infrastructure, and begin evicting the threat actor. Leveraging Microsoft Defender for Endpoint alongside Defender for Identity, the Microsoft team traced the attacker’s movements and thwarted their attempts to reenter the environment using compromised accounts. Once containment was complete and administrative control was restored, Microsoft Incident Response worked with the organization to bolster its resilience against future attacks.

Strengthening Your Identity Security with Defense in Depth

Protecting user identities is crucial in preventing incidents before they occur, and multiple, layered defenses—also known as defense in depth—can help. No single security measure should bear the entire load. Defense layers might include multifactor authentication, conditional access policies, and endpoint protection. Tools like Microsoft Copilot for Security can further enhance defenses. With a strong defense in depth strategy, cyberattacks can be mitigated or made significantly more difficult to execute.

For example, in a recent case involving the Octo Tempest threat group, a customer was compromised through targeted phishing and smishing (SMS-based phishing) attacks and reached out to Microsoft Incident Response for help in containing and evicting the attackers. Working closely with the organization’s IT and security teams, Microsoft Incident Response quickly isolated the compromised systems and expelled the attackers. Regular updates, shared threat intelligence, and ongoing collaboration ensured the cyberattack was effectively mitigated.

Honeytokens: A Sweet Layer of Defense

One additional layer of identity protection is the use of honeytokens—decoy accounts created to lure attackers. These accounts divert attackers’ attention from real targets while providing security teams with valuable insights. Honeytokens can help detect in-progress attacks, revealing where the attacker might be positioned in the network. For best practices on how to use honeytokens, you can read our technical post, “Deceptive Defense: Best Practices for Identity-Based Honeytokens in Microsoft Defender for Identity.”
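As an added example (not Microsoft's or Defender for Identity's code), here is a small detector that flags any authentication event naming a decoy account, assuming constructed JSON sign-in events and hypothetical honeytoken account names. Because a decoy has no legitimate users, failed logons count as hits too, and grouping hits by source host shows where in the network the attacker is positioned.

```python
import json
from collections import Counter

# Constructed decoy account names (hypothetical), lowercase so matching is
# case-insensitive, as Windows account names are.
HONEYTOKENS = {"svc_backup_legacy", "adm_helpdesk01"}


def normalise_account(raw: str) -> str:
    """Reduce DOMAIN\\user, user@domain or plain user to lowercase 'user'."""
    name = raw.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def detect_honeytoken_activity(log_lines):
    """One alert per event naming a decoy account. Failed logons and ticket
    requests count too: a wrong password against a decoy still means someone
    found the account. Malformed lines are skipped (a real pipeline would count them)."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        account = normalise_account(event.get("target_account", ""))
        if account in HONEYTOKENS:
            alerts.append({"time": event.get("time"), "event": event.get("event"),
                           "source_host": event.get("source_host"),
                           "account": account, "outcome": event.get("outcome")})
    return alerts


def hosts_by_activity(alerts):
    """Alerts per source host: where the attacker is probably positioned."""
    return dict(Counter(a["source_host"] for a in alerts))


# Constructed sample events (not real telemetry); raw string keeps the backslashes.
SAMPLE_LOG = r"""{"time": "2024-05-01T09:12:03Z", "event": "logon", "source_host": "WS-FIN-017", "target_account": "CORP\\j.smith", "outcome": "success"}
{"time": "2024-05-01T09:14:41Z", "event": "logon", "source_host": "WS-FIN-017", "target_account": "CORP\\svc_backup_legacy", "outcome": "failure"}
{"time": "2024-05-01T09:14:55Z", "event": "kerberos_tgs", "source_host": "WS-FIN-017", "target_account": "SVC_Backup_Legacy@corp.example", "outcome": "success"}
{"time": "2024-05-01T09:20:10Z", "event": "logon", "source_host": "SRV-APP-02", "target_account": "adm_helpdesk01", "outcome": "success"}
not-json"""

if __name__ == "__main__":
    found = detect_honeytoken_activity(SAMPLE_LOG.splitlines())
    print(found, hosts_by_activity(found))
```

Running it yields three alerts (two from WS-FIN-017, one from SRV-APP-02), while the legitimate j.smith logon and the malformed line produce nothing.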

Building Better Resilience Together

Microsoft Incident Response is the go-to resource for organizations seeking expert help before, during, and after a cybersecurity incident. With global on-site and remote assistance, unparalleled access to Microsoft Threat Intelligence, and collaboration across tools like Defender for Identity, Defender for Endpoint, and Copilot for Security, Microsoft ensures a comprehensive and collaborative response to identity-based threats. This teamwork leads to stronger security outcomes and greater resilience for organizations.

Learn more about Microsoft Incident Response’s proactive and reactive services or explore the fourth installment of our ongoing Cyberattack Series to see these solutions in action.