Microsoft Security Experts Blog
Microsoft Defender Experts Disrupt Jasper Sleet’s Insider Access Campaign

Mukta_Agarwal, Microsoft
Dec 18, 2025

Threat actors are increasingly infiltrating organizations by securing legitimate jobs, often through falsified credentials or insider recruitment.

Recently, Microsoft Defender Experts, powered by Microsoft Threat Intelligence, successfully thwarted a sophisticated campaign by Jasper Sleet (formerly Storm-0287), a North Korean state-sponsored threat actor known for stealthy infiltration tactics. Rather than compromising victims directly, these actors pose as job applicants or contractors, infiltrating organizations to gain long-term insider access under false identities. Organizations in the information technology segment throughout the United States have been the primary targets for Jasper Sleet. However, as this threat actor has grown more sophisticated and expanded their reach, other industries including consumer retail, healthcare, financial services, critical manufacturing, and energy across different regions have also become targets.

The challenge

Jasper Sleet leveraged social engineering and identity fraud to bypass traditional security controls. By impersonating remote IT contractors, the actors blend into legitimate workflows, using shared devices for MFA and VPN services to mask their origin. These tactics enabled persistence through long-lived sessions and authentication tokens, creating a high risk of privilege abuse and data exfiltration if left undetected.

Indicators observed during investigation

  • Shared devices for MFA: During authentication analysis, it was observed that a single device was repeatedly used to complete multifactor authentication (MFA) for multiple user accounts within the same tenant. MFA is intended to enforce strong identity assurance by binding authentication to a unique user-device pairing. When this control is circumvented, it raises a security concern. Further investigation revealed consistent technical signals across these events, including identical session identifiers, common ISP, and geolocation. Such behavior is strongly indicative of fraudulent personas operating from shared workstations, pooled environments such as Azure Virtual Desktop (AVD), or compromised devices.
  • Suspicious login patterns: Initial access attempts originated from US or Western IP addresses to simulate remote work, followed by logins from Russian, Chinese, or other Asian IPs and often linked to VPN services such as Astrill. Certain sessions exhibited AVD-like login patterns originating from Russian-based instances.
  • Session persistence: Long-lived authentication sessions and non-password-based artifacts such as cookies and tokens allow malicious insiders to maintain access even after password resets, because these tokens often remain valid without re-authentication.

Together, these behaviors pointed to a stealthy, long-term operation designed to blend in with legitimate activity and maintain persistent access through pre-existing privileges associated with IT roles.
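The two strongest indicators above (one device completing MFA for several accounts, and sign-ins that pivot from US to Russian or Chinese IP space) can be checked mechanically over sign-in telemetry. The following is an added illustration, not code from Microsoft or the Defender Experts team; the record layout and all sample values are constructed, and a real deployment would read the same fields from the tenant's sign-in logs.

```python
from collections import defaultdict

# Constructed sample MFA sign-in records (hypothetical, not real telemetry).
# Fields mirror the signals the investigation relied on: device, session id, ISP, geolocation.
SIGNINS = [
    {"time": "2025-11-03T14:02", "user": "alice@contoso.example", "device": "dev-7f3a",
     "session": "s-11aa", "isp": "ISP-A", "country": "US"},
    {"time": "2025-11-03T14:05", "user": "bob@contoso.example", "device": "dev-7f3a",
     "session": "s-11aa", "isp": "ISP-A", "country": "US"},
    {"time": "2025-11-03T22:40", "user": "bob@contoso.example", "device": "dev-7f3a",
     "session": "s-11aa", "isp": "ISP-B", "country": "RU"},
    {"time": "2025-11-04T09:15", "user": "carol@contoso.example", "device": "dev-c001",
     "session": "s-9f00", "isp": "ISP-A", "country": "US"},
]

def shared_mfa_devices(events, min_users=2):
    """Devices that completed MFA for min_users or more distinct accounts in the tenant.
    Returns {device: {"users": [...], "sessions": [...], "isps": [...]}} so an analyst can
    see whether the accounts also share session identifiers and ISP, the corroborating
    signals described in the investigation."""
    per_device = defaultdict(lambda: {"users": set(), "sessions": set(), "isps": set()})
    for e in events:
        d = per_device[e["device"]]
        d["users"].add(e["user"])
        d["sessions"].add(e["session"])
        d["isps"].add(e["isp"])
    return {dev: {k: sorted(v) for k, v in d.items()}
            for dev, d in per_device.items() if len(d["users"]) >= min_users}

def geo_pivot_users(events, home=frozenset({"US"}), suspect=frozenset({"RU", "CN"})):
    """Accounts whose earliest sign-in came from a 'home' country and a later sign-in
    from a suspect country: the US-then-Russia/China pattern the investigation observed."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e["country"])
    return sorted(u for u, c in by_user.items()
                  if c[0] in home and any(x in suspect for x in c[1:]))

if __name__ == "__main__":
    print(shared_mfa_devices(SIGNINS))   # dev-7f3a served alice and bob on one session id
    print(geo_pivot_users(SIGNINS))      # bob: US sign-in followed by RU sign-in
```

A device flagged by the first check that also shows a single session id and one or two ISPs across several accounts is the pattern the text attributes to shared workstations or pooled AVD environments; a hit from both checks on the same account is a strong candidate for the contractor-account review described later in the post.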

[Figure: Behavioral indicators mappings]

Defender Experts response

Defender Experts took a proactive approach by meticulously analyzing the suspicious behavioral patterns and uncovering multiple customers who had been impacted by the Jasper Sleet campaign. Upon identification, we immediately reached out to the affected organizations through managed response and Defender Experts Notifications, ensuring they were promptly informed about the threat and the actions to be taken. Recognizing the potential for broader impact, we also issued proactive threat advisories to all Defender Experts customers. We actively engaged with the customers, initiating collaborative sessions to validate the attack vectors and discuss findings and recommended steps. This open channel of communication fostered a collective defense posture, where shared intelligence and real-time feedback between Defender Experts and customer teams amplified the speed and effectiveness of the response.

Actions included:

  • Immediate alerts to affected organizations via Defender Experts Notifications titled “Microsoft Defender Experts: Potential malicious activity linked to threat actor observed in your environment”, which included observed indicators and recommendations.
  • Proactive threat advisories to all Defender Experts customers (subject: Microsoft Defender Experts Threat Advisory: Jasper Sleet), informing them of key adversarial tactics and impact, and encouraging them to remain vigilant and review their own environments for similar indicators of compromise.
  • Direct collaboration with customers to facilitate joint sessions aimed at validating attack vectors and discussing findings.

Outcome and impact

The coordinated and transparent partnership between Defender Experts and our customers played a critical role in containing the threat before it could escalate. Customers responded promptly by disabling compromised contract employee accounts, effectively mitigating the risk of further misuse. Through these actions, customers addressed immediate risks and strengthened their long-term security posture by implementing best practices and incorporating lessons learned from the incident.

This case highlights the significant value of robust collaboration between Defender Experts and customers in countering sophisticated, targeted cyber-attacks, demonstrating that collective effort enhances the ability to defend against evolving threats. Together, we are stronger.

Customers reported that timely alerts and expert guidance prevented downstream compromise and strengthened their security posture. Some of the testimonials from the customers:

“A big thank you to the Microsoft team for all their efforts and coordination in detecting this, which has been immensely helpful.”

“Appreciate Defender Experts for finding this. You guys just signed next year’s renewal with this.”

Key takeaways (public safe metrics)

Impact Area                         Metric
Alerts and logs analyzed            >10,000 correlated logs and events
Organizations protected             40+ enterprise tenants
Defender proactive notifications    200+ sent
Time to notify                      <30 mins, immediately after first detection

Reference

Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | Microsoft Security Blog

Stay vigilant. Stay protected.
Learn more about how Microsoft Defender Experts can help safeguard your organization against sophisticated threats. Partner with Microsoft Defender Experts to stay ahead of advanced threats and protect your organization with confidence.

Updated Dec 18, 2025
Version 1.0