Microsoft recently showed how deception, usually the playground of black hat hackers, can become a powerful tool against them. At the BSides security conference in Exeter, England, Ross Bevington, Microsoft’s “head of deception,” detailed a strategic project that lures cybercriminals into realistic “honeypot” environments within Microsoft’s Azure cloud. This setup allows the company to gather intelligence on cybercriminals’ actions while derailing their schemes.
Microsoft’s approach relies on the creation of fake tenants within Azure, with access credentials that are fed to about 20% of the 25,000 phishing sites it monitors daily. When attackers log into these dummy accounts, Microsoft gains insight into their tactics, techniques, and procedures (TTPs), using this intelligence to disrupt their operations.
Security experts are impressed by the scale of Microsoft’s efforts. Roger Grimes, a security specialist with KnowBe4, noted that while many deception projects might involve a few endpoints, Microsoft’s project operates at a large scale, creating a whole network of fake users and simulated data, a rarity in cybersecurity. “It’s impressive how Microsoft is handling it, creating a substantial environment that lets them learn directly from cybercriminals’ own moves,” Grimes observed.
Microsoft’s deception strategy not only disrupts attackers but also leverages the company’s extensive cloud infrastructure to map out the criminals’ operations. The honeypots help detect phishing techniques in real time, allowing Microsoft to stay one step ahead of new schemes. Chris Dukich, founder of Display Now, highlighted the effectiveness of using fake Azure tenants to map phishing networks, saying, “It’s a new level of deception, enabling Microsoft to collect intelligence and neutralize threats before they escalate.”
This deception tactic reflects Microsoft’s larger strategy of real-time cyber defense. According to Stephen Kowski, field CTO at SlashNext, the fake Azure tenants allow Microsoft to create a controlled yet realistic environment, giving the company a window into the behavior of phishing operations. The data collected from these interactions is invaluable for detecting and countering increasingly sophisticated attacks.
There is also a psychological aspect to Microsoft’s strategy, as Bevington hinted during the BSides event. Casey Ellis, founder of Bugcrowd, pointed out that by openly discussing this deception, Microsoft sends a message to would-be attackers. “By announcing that they are doing this, Microsoft is playing a bit of a mind game with the bad guys,” Ellis explained. Knowing that a phishing attempt might be a trap could make cybercriminals think twice before engaging, creating additional friction for attackers.
Yet, deploying deception tactics on this scale isn’t feasible for every organization. Setting up a successful deception campaign requires considerable resources and ongoing monitoring. Vaclav Vincalek, a cybersecurity consultant, noted that creating and managing these fake accounts takes time and manpower. Many companies, particularly small to mid-sized ones, might find it too labor-intensive without sufficient resources to capitalize on the gathered information.
This is where artificial intelligence can play a role. Daniel Blackford, director of threat research at Proofpoint, explained that AI could help create realistic, dynamic environments that engage attackers effectively. By simulating real employee interactions and histories, AI can generate convincing decoys, allowing businesses to use fewer resources while still deceiving attackers effectively.
While this approach is viable for large players like Microsoft, other organizations can still benefit from simpler deception strategies to counter phishing. By deploying fake credentials, decoy emails, or simulated websites, companies can distract attackers and gather valuable insights without risking sensitive data. Shawn Loveland, a cybersecurity expert at Resecurity, points out that this method “diverts threats from genuine targets and gathers intelligence on phishing tactics,” which can help businesses improve defenses.
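The mechanism behind both Microsoft's fake tenants and the simpler "fake credentials" approach is the same: seed decoy identities that no legitimate user ever touches, then treat any sign-in that references them as attacker activity and record who used them and how. The following is an added example, not Microsoft's code nor anything from the products or companies named in this article. It assumes a sign-in log exported as one JSON object per line with `ts`, `user`, `src_ip`, `ua` and `result` fields; the decoy account names, IP addresses and log lines are all constructed for illustration.

```python
"""Honeytoken credential detection: flag every authentication event that
references a decoy (canary) identity seeded into phishing lures.

Added example, not Microsoft's code. Every account name, IP address and
log line below is constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Decoy identities. Assumption: they exist only in an isolated honeypot
# tenant, hold no real data, and are never issued to a real user, so ANY
# authentication attempt against them (successful or not) is attacker
# activity and there is no false-positive case to filter.
DECOY_ACCOUNTS = {
    "r.ellis@contoso-decoy.example",
    "finance-share@contoso-decoy.example",
}

# Constructed sign-in log (one JSON object per line), shaped like a generic
# identity-provider export. Includes a junk line and a mixed-case UPN to
# show how the detector copes with both.
SAMPLE_AUTH_LOG = """\
{"ts": "2024-10-21T08:02:11Z", "user": "alice@contoso.example", "src_ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "success"}
{"ts": "2024-10-21T08:05:43Z", "user": "r.ellis@contoso-decoy.example", "src_ip": "198.51.100.23", "ua": "python-requests/2.31.0", "result": "success"}
{"ts": "2024-10-21T08:05:44Z", "user": "finance-share@contoso-decoy.example", "src_ip": "198.51.100.23", "ua": "python-requests/2.31.0", "result": "failure"}
not a json line at all
{"ts": "2024-10-21T09:17:02Z", "user": "R.Ellis@Contoso-Decoy.example", "src_ip": "192.0.2.77", "ua": "Mozilla/5.0 (X11; Linux x86_64)", "result": "success"}
{"ts": "2024-10-21T09:20:00Z", "user": "bob@contoso.example", "src_ip": "203.0.113.11", "ua": "Mozilla/5.0 (Macintosh)", "result": "failure"}
"""


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    account: str
    src_ip: str
    user_agent: str
    result: str


def parse_auth_event(line: str):
    """Return the event dict for a well-formed sign-in record, or None.
    Malformed or incomplete lines are skipped rather than crashing the
    detector, so one bad record cannot blind it to the rest of the log."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    required = {"ts", "user", "src_ip", "ua", "result"}
    if not isinstance(event, dict) or not required.issubset(event):
        return None
    return event


def find_decoy_logins(log_text: str) -> list:
    """Emit one DecoyAlert per sign-in that touches a decoy identity.
    Matching is case-insensitive because identity providers treat UPNs
    that way. Failed attempts are reported too: they still prove the lure
    credential was harvested and tried."""
    decoys = {a.lower() for a in DECOY_ACCOUNTS}
    alerts = []
    for line in log_text.splitlines():
        event = parse_auth_event(line)
        if event is None:
            continue
        account = event["user"].strip().lower()
        if account in decoys:
            alerts.append(DecoyAlert(event["ts"], account, event["src_ip"],
                                     event["ua"], event["result"]))
    return alerts


def summarize_by_source(alerts) -> dict:
    """Group alerts by source IP: which decoys each source tried and with
    what client tooling. This is the raw material for the TTP picture the
    article describes (who comes back, how quickly, using what tools)."""
    summary = defaultdict(lambda: {"count": 0, "accounts": set(), "user_agents": set()})
    for a in alerts:
        entry = summary[a.src_ip]
        entry["count"] += 1
        entry["accounts"].add(a.account)
        entry["user_agents"].add(a.user_agent)
    return dict(summary)


if __name__ == "__main__":
    hits = find_decoy_logins(SAMPLE_AUTH_LOG)
    for ip, info in summarize_by_source(hits).items():
        print(f"{ip}: {info['count']} decoy sign-in(s), "
              f"accounts={sorted(info['accounts'])}, ua={sorted(info['user_agents'])}")
```

The design point worth noting is that the decoy list is the entire detection rule: because no legitimate workflow ever uses these accounts, there is no threshold to tune and even a single failed attempt is a high-confidence signal. Keeping the decoys in a tenant that holds no real data is what makes it safe to let the sign-in succeed and observe what the attacker does next, which is the part of Microsoft's approach that yields TTPs rather than just an alert.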
Phishing, however, remains one of the most persistent threats in cybersecurity. Traditional phishing, business email compromise (BEC), and the newer wave of “3D phishing,” where attackers use trusted platforms like Dropbox or OneDrive to disguise malicious links, continue to grow in complexity. Security experts, including Kowski, warn that these multi-channel tactics can make phishing even more challenging to detect.
To truly protect against phishing, deception is best combined with other security measures. Vincalek advises businesses to use deception in conjunction with other strategies, as relying solely on it can leave vulnerabilities unaddressed. For example, companies using Microsoft environments should tailor their deception technologies to look and behave like Microsoft services, complete with the right ports and services that mimic the real network.
As Grimes adds, “The biggest mistake is putting out deception technology that doesn’t match your environment. It’s like placing a roadblock on a road that no one drives on.” Customizing deception tools so that they blend seamlessly with an organization’s regular setup makes it harder for attackers to spot the ruse.
Microsoft’s strategy demonstrates how big tech can lead the charge in cyber defense, using its resources to learn from attacks in real time and develop countermeasures that can benefit the industry at large. For smaller organizations, deception can still serve as a valuable tool in the fight against phishing, as long as it is deployed thoughtfully and as part of a broader cybersecurity strategy.