Microsoft is leveraging an innovative tactic known as “phishing data poisoning” to disrupt phishing attacks at scale by flooding hackers with fake credentials. By deploying decoy information into phishing sites, Microsoft tricks cybercriminals into wasting time on non-existent accounts and infrastructure while collecting valuable intelligence about their operations. This technique allows Microsoft to track and study the behavior of attackers, ultimately turning the tables on them.
Ross Bevington, a threat researcher and self-proclaimed “Head of Deception” at Microsoft, discussed this approach during his presentation, Turning The Tables: Using Cyber Deception To Hunt Phishers At Scale. He emphasized that the goal isn't to launch counter-attacks but to confuse, delay, and ultimately frustrate attackers, forcing them to waste time and resources on useless data. Meanwhile, Microsoft gathers actionable threat intelligence, enhancing the company's defenses and enabling it to better protect its users.
How Microsoft's “poisoning” works
The process begins with Microsoft creating fake organizations within its Azure cloud infrastructure. These decoy environments are populated with thousands of fabricated user accounts, fake business data, and email histories. Hackers are lured into these environments via phishing attacks, which are closely monitored by Microsoft's detection systems, like Defender for Office 365.
The key to this strategy is making the phishing attacks seem successful to the hackers. The fake credentials provided by Microsoft are realistic enough to pass initial automated checks that phishing actors typically use to verify stolen login information. This prevents the attackers from realizing they've been tricked, at least initially.
Wasting hackers' time (and resources)
Once hackers attempt to use the fake credentials, they start interacting with Microsoft's decoy systems. Every action they take is logged, monitored, and analyzed, providing Microsoft with valuable insights into their methods, tools, and infrastructure. The decoy environments give attackers the illusion that they've successfully breached an organization, keeping them engaged and wasting their time.
Microsoft's goal is to extend this engagement as long as possible, causing attackers to squander valuable time that could otherwise be spent targeting real systems. The longer the hackers interact with the fake data, the more intelligence Microsoft gathers, such as IP addresses, user behaviors, and the infrastructure hackers use to test stolen credentials.
As Bevington explains, “The idea is simple: attackers send phishing emails, and we respond by wasting all of their time and resources. In doing so, we collect tons of threat intelligence about them — information they find hard to change, such as their infrastructure and operational tactics.”
Interestingly, Microsoft's data shows that it takes attackers an average of 20 days to realize they've been tricked. During this period, hackers actively engage with the fake systems, providing critical insights into their operations. To further prolong this, Microsoft refreshes the fake organizations and credentials every two weeks, creating new “companies” with fresh data and structures so attackers don't catch on too quickly.
Additionally, Microsoft deploys clever monitoring tools, such as web bugs, on the login pages of its decoy environments. Even when attackers become suspicious and attempt to disengage, Microsoft can still gather data like IP addresses and browser information, further expanding its understanding of phishing campaigns.
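As an added illustration of the monitoring side described above (example code, not Microsoft's own tooling), the following Python flags sign-ins to decoy accounts in constructed log lines and aggregates, per decoy organization, the source IPs, user agents and dwell time between first and last use; the account names, log format and the two-week rotation threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed decoy (honeytoken) accounts mapped to the fake organization they belong to.
# Nothing legitimate ever signs in as these, so any use of one is attacker activity.
DECOY_ACCOUNTS = {
    "j.dawson@contoso-decoy.example": "decoy-org-07",
    "finance@fabrikam-decoy.example": "decoy-org-12",
}

# Assumed rotation interval for decoy organizations (the article cites two weeks).
ROTATION_DAYS = 14

# Constructed sample sign-in log in an assumed "timestamp user ip user-agent result" format.
SAMPLE_LOG = """\
2024-05-02T08:14:01Z j.dawson@contoso-decoy.example 203.0.113.7 curl/8.4 ok
2024-05-02T08:14:09Z alice@real-tenant.example 198.51.100.2 Mozilla/5.0 ok
2024-05-02T09:30:44Z j.dawson@contoso-decoy.example 203.0.113.7 curl/8.4 ok
2024-05-03T11:02:13Z finance@fabrikam-decoy.example 192.0.2.55 python-requests/2.31 ok
2024-05-05T16:47:55Z j.dawson@contoso-decoy.example 203.0.113.9 Mozilla/5.0 ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, ua, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "ua": ua, "result": result}


def decoy_activity(log_text):
    """Aggregate intelligence for every decoy org touched: IPs, agents, login count, dwell."""
    intel = defaultdict(lambda: {"ips": set(), "user_agents": set(),
                                 "logins": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in DECOY_ACCOUNTS:
            continue  # real-tenant traffic is ignored; only decoy sign-ins are intelligence
        rec = intel[DECOY_ACCOUNTS[ev["user"]]]
        rec["ips"].add(ev["ip"])
        rec["user_agents"].add(ev["ua"])
        rec["logins"] += 1
        rec["first"] = ev["ts"] if rec["first"] is None else min(rec["first"], ev["ts"])
        rec["last"] = ev["ts"] if rec["last"] is None else max(rec["last"], ev["ts"])
    for rec in intel.values():
        rec["dwell_days"] = (rec["last"] - rec["first"]).days
        # A decoy still being used past its rotation window should have been retired.
        rec["overdue_rotation"] = rec["dwell_days"] >= ROTATION_DAYS
    return dict(intel)
```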
Impact on phishing operations and results
According to data Bevington shared, Microsoft's systems encounter over 20,000 phishing sites per day, of which approximately 5,000 actively interact with the decoy credentials. These interactions result in around 200 unique IP addresses logging in daily, helping pinpoint the infrastructure and tactics used by phishing groups.
This intelligence is fed into Microsoft's broader security efforts, particularly through the company's threat intelligence system. The data collected allows Microsoft to protect its users better and work with law enforcement to identify and disrupt phishing operations.
Through this strategy, Microsoft has been able to track multiple state-sponsored and financially motivated groups. Bevington noted that many of the phishing campaigns Microsoft encounters are linked to known actors, including state-sponsored groups like Midnight Blizzard (also known as Nobelium) and financially motivated groups like Perriwinkle.