{“lastseen”:”2025-12-12T19:15:00″,”description”:”In the latest edition of our Cyberattack Series, we dive into a real-world case of fake employees. Cybercriminals are no longer just breaking into networks\u2014they\u2019re gaining access by posing as legitimate employees. This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access. Once inside, they exploit corporate systems to steal sensitive data, deploy malicious tools, and funnel profits to state-sponsored programs. In this blog, we unpack how this cyberattack unfolded, the tactics employed, and how Microsoft Incident Response\u2014the Detection and Response Team (DART)\u2014swiftly stepped in with forensic insights and actionable guidance. Download the full report to learn more.\\n\\nGet intelligence-driven response services with Microsoft Incident Response\\n\\n\\u003e **Insight** \\n\\u003e Recent Gartner research reveals surveyed employers report they are increasingly concerned about candidate fraud. **Gartner predicts that by 2028, one in four candidate profiles worldwide will be fake** , with possible security repercussions far beyond simply making \u201ca bad hire.\u201d1\\n\\n## What happened?\\n\\nWhat began as a routine onboarding turned into a covert operation. In this case, four compromised user accounts were discovered connecting PiKVM devices to employer-issued workstations\u2014hardware that enables full remote control as if the threat actor were physically present. This allowed unknown third parties to bypass normal access controls and extract sensitive data directly from the network. With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.\\n\\n\\u003e \\n\\u003e **TACTIC** \\n\\u003e **PiKVM devices** \u2014low-cost, hardware-based remote access tools\u2014were utilized as egress channels. These devices allowed threat actors to maintain persistent, out-of-band access to systems, bypassing traditional endpoint detection and response (EDR) controls. In one case, an identity linked to Jasper Sleet authenticated into the environment through PiKVM, enabling covert data exfiltration.\\n\\nDART quickly pivoted from proactive threat hunting to full-scale investigation, leveraging numerous specialized tools and techniques. These included, but were not limited to, Cosmic and Arctic for Azure and Active Directory analysis, Fennec for forensic evidence collection across multiple operating system platforms, and telemetry from Microsoft Entra ID protection and Microsoft Defender solutions for endpoint, identity, and cloud apps. Together, these tools and capabilities helped trace the intrusion, contain the threat, and restore operational integrity.\\n\\n## How did Microsoft respond?\\n\\nOnce the scope of the compromise was clear, DART acted immediately to contain and disrupt the cyberattack. The team disabled compromised accounts, restored affected devices to clean backups, and analyzed Unified Audit Logs\u2014a feature of Microsoft 365 within the Microsoft Purview Compliance Manager portal\u2014to trace the threat actor\u2019s movements. Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse. To blunt the broader campaign, Microsoft also suspended thousands of accounts linked to North Korean IT operatives.\\n\\n## What can customers do to strengthen their defenses?\\n\\nThis cyberthreat is challenging, but it\u2019s not insurmountable. By combining strong security operations center (SOC) practices with insider risk strategies, companies can close the gaps that threat actors exploit. Many organizations start by improving visibility through Microsoft 365 Defender and Unified Audit Log integration and protecting sensitive data with Microsoft Purview Data Loss Prevention policies. Additionally, Microsoft Purview Insider Risk Management can help organizations identify risky behaviors before they escalate, while strict pre-employment vetting and enforcing the principle of least privilege reduce exposure from the start. Finally, monitor for unapproved IT tools like PiKVM devices and stay informed through the Threat Analytics dashboard in Microsoft Defender. These cybersecurity practices and real-world strategies, paired with proactive alert management, can give your defenders the confidence to detect, disrupt, and prevent similar attacks.\\n\\n## What is the Cyberattack Series?\\n\\nIn our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:\\n\\n * How the cyberattack happened.\\n * How the breach was discovered.\\n * Microsoft\u2019s investigation and eviction of the threat actor.\\n * Strategies to avoid similar cyberattacks.\\n\\n\\n\\nDART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We\u2019re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.\\n\\nDownload the full Cyberattack report\\n\\n## Learn more\\n\\nTo learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.\\n\\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.\\n\\n* * *\\n\\n1AI Fuels Mistrust Between Employers and Job Candidates; Recruiters Worry About Fraud, Candidates Fear Bias\\n\\nThe post Imposter for hire: How fake people can gain very real access appeared first on Microsoft Security Blog.”,”published”:”2025-12-11T17:00:00″,”modified”:”2025-12-11T17:00:00″,”type”:”mssecure”,”title”:”Imposter for hire: How fake people can gain very real access”,”source”:””,”references”:””,”id”:”MSSECURE:982F05C23C9CBA5201A483C4DDE5D64F”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/11\/imposter-for-hire-how-fake-people-can-gain-very-real-access\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-12T19:15:00″,”description”:”In the latest edition of our Cyberattack Series, we dive into a real-world case of fake employees. Cybercriminals are no longer just breaking into networks\u2014they\u2019re…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-30847","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n