{"id":59832,"date":"2025-12-11T17:00:00","date_gmt":"2025-12-11T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=144073"},"modified":"2025-12-11T17:00:00","modified_gmt":"2025-12-11T17:00:00","slug":"imposter-for-hire-how-fake-people-can-gain-very-real-access","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/imposter-for-hire-how-fake-people-can-gain-very-real-access\/","title":{"rendered":"Imposter for hire: How fake people can gain very real access"},"content":{"rendered":"
<\/div>\n

In the latest edition of our Cyberattack Series, we dive into a real-world case of fake employees. Cybercriminals are no longer just breaking into networks\u2014they\u2019re gaining access by posing as legitimate employees. This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access. Once inside, they exploit corporate systems to steal sensitive data, deploy malicious tools, and funnel profits to state-sponsored programs. In this blog, we unpack how this cyberattack unfolded, the tactics employed, and how Microsoft Incident Response<\/a>\u2014the Detection and Response Team (DART)\u2014swiftly stepped in with forensic insights and actionable guidance. Download the full report<\/a> to learn more.<\/p>\n

\n
\n

Insight<\/strong>
Recent Gartner research reveals surveyed employers report they are increasingly concerned about candidate fraud. Gartner predicts that by 2028, one in four candidate profiles worldwide will be fake<\/strong>, with possible security repercussions far beyond simply making \u201ca bad hire.\u201d1<\/sup><\/p>\n<\/blockquote>\n<\/figure>\n

What happened?<\/h2>\n

What began as a routine onboarding turned into a covert operation. In this case, four compromised user accounts were discovered connecting PiKVM devices to employer-issued workstations\u2014hardware that enables full remote control as if the threat actor were physically present. This allowed unknown third parties to bypass normal access controls and extract sensitive data directly from the network. With support from Microsoft Threat Intelligence<\/a>, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.<\/p>\n

\n
\n

 
TACTIC<\/strong>
PiKVM devices<\/strong>\u2014low-cost, hardware-based remote access tools\u2014were utilized as egress channels. These devices allowed threat actors to maintain persistent, out-of-band access to systems, bypassing traditional endpoint detection and response (EDR) controls. In one case, an identity linked to Jasper Sleet authenticated into the environment through PiKVM, enabling covert data exfiltration.<\/p>\n<\/blockquote>\n<\/figure>\n

DART quickly pivoted from proactive threat hunting to full-scale investigation, leveraging numerous specialized tools and techniques. These included, but were not limited to, Cosmic and Arctic for Azure and Active Directory analysis, Fennec for forensic evidence collection across multiple operating system platforms, and telemetry from Microsoft Entra ID<\/a> protection and Microsoft Defender<\/a> solutions for endpoint, identity, and cloud apps. Together, these tools and capabilities helped trace the intrusion, contain the threat, and restore operational integrity.<\/p>\n

How did Microsoft respond?<\/h2>\n

Once the scope of the compromise was clear, DART acted immediately to contain and disrupt the cyberattack. The team disabled compromised accounts, restored affected devices to clean backups, and analyzed Unified Audit Logs\u2014a feature of Microsoft 365 within the Microsoft Purview Compliance Manager<\/a> portal\u2014to trace the threat actor\u2019s movements. Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint<\/a>, were deployed to uncover lateral movement and credential misuse. To blunt the broader campaign, Microsoft also suspended thousands of accounts<\/a> linked to North Korean IT operatives.<\/p>\n

What can customers do to strengthen their defenses?<\/h2>\n

This cyberthreat is challenging, but it\u2019s not insurmountable. By combining strong security operations center (SOC) practices with insider risk strategies, companies can close the gaps that threat actors exploit. Many organizations start by improving visibility through Microsoft 365 Defender and Unified Audit Log integration and protecting sensitive data with Microsoft Purview Data Loss Prevention<\/a> policies. Additionally, Microsoft Purview Insider Risk Management<\/a> can help organizations identify risky behaviors before they escalate, while strict pre-employment vetting and enforcing the principle of least privilege reduce exposure from the start. Finally, monitor for unapproved IT tools like PiKVM devices and stay informed through the Threat Analytics dashboard in Microsoft Defender. These cybersecurity practices and real-world strategies, paired with proactive alert management, can give your defenders the confidence to detect, disrupt, and prevent similar attacks.<\/p>\n

What is the Cyberattack Series?<\/h2>\n

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:<\/p>\n