Microsoft Defender Detects Infiltrating IT Workers

Summary

Microsoft has outlined detection strategies for identifying North Korea-aligned threat actors posing as remote IT hires to infiltrate organizations. The guidance focuses on correlating HR SaaS, identity, email, conferencing, and Microsoft 365 signals so security and HR teams can spot suspicious candidates before and after onboarding.

Introduction

Microsoft is warning organizations about a growing threat: fake remote IT workers who use stolen or fabricated identities to get hired and gain legitimate access to corporate systems. For security teams managing Microsoft 365, Defender, and SaaS integrations, this matters because the attack starts in normal HR processes and can quickly become an identity and data security incident.

What’s new

Microsoft’s latest guidance explains how defenders can detect this activity across the full hiring lifecycle, citing the actor Microsoft tracks as Jasper Sleet as a known example of this tactic.

Pre-recruitment detection in Workday

Microsoft observed suspicious use of Workday Recruiting Web Service endpoints exposed through external career sites. Key behaviors include:

  • Repeated access to hrrecruiting/* API endpoints
  • Calls to job application, resume, and questionnaire APIs
  • Multiple external accounts showing the same repeating access pattern
  • Activity originating from known threat actor infrastructure

With the Microsoft Defender for Cloud Apps Workday connector, organizations can track these API calls, identify external accounts, and compare activity against threat intelligence.
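As an added illustration, not Microsoft's code or the connector's own output, the following Python sketch applies the indicators listed above to constructed Workday-style access records: repeated hrrecruiting/* calls from one account, several external accounts sharing an identical access sequence, and source IPs that match a threat-intel list. The record shape, account names, IP addresses and the min_hits threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample records (account, source IP, endpoint) in the shape a
# normalised Workday connector export might take. Made-up values only.
ACCESS_LOG = [
    ("ext-a@example.com", "203.0.113.9", "hrrecruiting/jobApplication"),
    ("ext-a@example.com", "203.0.113.9", "hrrecruiting/resume"),
    ("ext-a@example.com", "203.0.113.9", "hrrecruiting/questionnaire"),
    ("ext-b@example.net", "198.51.100.7", "hrrecruiting/jobApplication"),
    ("ext-b@example.net", "198.51.100.7", "hrrecruiting/resume"),
    ("ext-b@example.net", "198.51.100.7", "hrrecruiting/questionnaire"),
    ("applicant@example.org", "192.0.2.55", "hrrecruiting/jobApplication"),
    ("applicant@example.org", "192.0.2.55", "careers/search"),
]
# Constructed threat-intel match list (placeholder, not a real indicator).
THREAT_IPS = {"203.0.113.9"}


def profile_accounts(records):
    """Per account: ordered hrrecruiting/* endpoint sequence and source IPs."""
    profiles = defaultdict(lambda: {"sequence": [], "ips": set()})
    for account, ip, endpoint in records:
        profiles[account]["ips"].add(ip)
        if endpoint.startswith("hrrecruiting/"):
            profiles[account]["sequence"].append(endpoint)
    return profiles


def find_suspicious(records, threat_ips, min_hits=3):
    """Return {account: [reasons]} for accounts matching the indicators."""
    profiles = profile_accounts(records)
    # Group accounts that replay the same hrrecruiting/* sequence.
    by_pattern = defaultdict(list)
    for account, p in profiles.items():
        if len(p["sequence"]) >= min_hits:
            by_pattern[tuple(p["sequence"])].append(account)
    findings = defaultdict(list)
    for account, p in profiles.items():
        if len(p["sequence"]) >= min_hits:
            findings[account].append("repeated hrrecruiting/* access")
        peers = [a for a in by_pattern.get(tuple(p["sequence"]), []) if a != account]
        if peers:
            findings[account].append(f"same access pattern as {', '.join(sorted(peers))}")
        hits = p["ips"] & threat_ips
        if hits:
            findings[account].append(f"known threat infrastructure: {', '.join(sorted(hits))}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in find_suspicious(ACCESS_LOG, THREAT_IPS).items():
        print(account, "->", "; ".join(reasons))
```

In production the same logic would run over the connector's activity log rather than an inline list, with the intel list fed from your own threat-intelligence source.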

Recruiting phase investigation

During interviews and document handling, defenders should correlate additional signals such as:

  • Suspicious email exchanges with hiring teams
  • External Teams messages from risky IP addresses or accounts
  • Activity in Zoom or Cisco Webex via Defender for Cloud Apps connectors
  • DocuSign activity related to offer letters from suspicious sources

This helps security and HR teams flag fraudulent candidates earlier in the process.

Post-hire identity and SaaS monitoring

Once hired, the risk increases because the actor receives a legitimate account. Microsoft observed cases where new hire Workday sign-ins and payroll changes came from known malicious infrastructure. After onboarding, defenders should watch for:

  • Impossible travel alerts on new hire accounts
  • Access from anonymous proxies or unusual locations
  • Search and download activity in Teams, SharePoint, OneDrive, and Exchange Online
  • Unusual data access patterns during the first weeks or months of employment
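The impossible-travel check for new-hire accounts, as an added example that is not part of Microsoft's guidance or any Defender rule: consecutive sign-ins by an account hired within a recent window are converted into an implied travel speed, and anything beyond airline speed is flagged. The sign-in records, hire dates, coordinates and the 900 km/h threshold are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records: (account, UTC timestamp, latitude, longitude).
# Made-up accounts and coordinates, not real telemetry.
SIGN_INS = [
    ("newhire@example.com", "2024-01-08T09:00:00", 47.61, -122.33),
    ("newhire@example.com", "2024-01-08T11:30:00", -33.87, 151.21),
    ("veteran@example.com", "2024-01-08T09:00:00", 47.61, -122.33),
    ("veteran@example.com", "2024-01-08T11:30:00", -33.87, 151.21),
    ("newhire2@example.com", "2024-01-08T09:00:00", 47.61, -122.33),
    ("newhire2@example.com", "2024-01-09T09:00:00", 45.52, -122.68),
]
# Constructed hire dates (what HR would supply) to scope the rule to recent hires.
HIRE_DATES = {
    "newhire@example.com": "2024-01-02",
    "veteran@example.com": "2019-03-11",
    "newhire2@example.com": "2024-01-02",
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def find_impossible_travel(sign_ins, hire_dates, window_days=90, max_kmh=900):
    """Flag consecutive sign-ins by a recent hire that imply travel faster than max_kmh."""
    by_account = {}
    for account, ts, lat, lon in sign_ins:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for account, events in by_account.items():
        hired = hire_dates.get(account)
        if hired is None:
            continue  # no HR record: leave to the general impossible-travel rule
        hired = datetime.fromisoformat(hired)
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            if (t2 - hired).days > window_days:
                continue  # outside the new-hire window this rule is scoped to
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                findings.append((account, t1.isoformat(), t2.isoformat(), round(km), round(kmh)))
    return findings
```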

Why this matters for IT admins

This is not just an HR issue. A fraudulent hire can bypass many traditional perimeter defenses because they receive valid credentials and approved access. Security teams need visibility across HR systems, Entra ID, Microsoft 365, and third-party collaboration tools to catch the behavior early. Recommended actions include:

  • Review Workday API telemetry for repeated hrrecruiting/* activity
  • Enable and validate Defender for Cloud Apps connectors for Workday, Zoom, Webex, and DocuSign where applicable
  • Hunt for suspicious communications involving candidates and external accounts
  • Closely monitor new hire identities for impossible travel, proxy use, and abnormal Microsoft 365 access
  • Coordinate HR and security investigations for suspicious onboarding events

Organizations with remote hiring programs should treat recruitment workflows as part of their identity attack surface and include them in threat hunting and detection strategies.
