Microsoft Defender Detects Infiltrating IT Workers
Summary
Microsoft has outlined detection strategies for identifying North Korea-aligned threat actors posing as remote IT hires to infiltrate organizations. The guidance focuses on correlating HR SaaS, identity, email, conferencing, and Microsoft 365 signals so security and HR teams can spot suspicious candidates before and after onboarding.
Introduction
Microsoft is warning organizations about a growing threat: fake remote IT workers who use stolen or fabricated identities to get hired and gain legitimate access to corporate systems. For security teams managing Microsoft 365, Defender, and SaaS integrations, this matters because the attack starts in normal HR processes and can quickly become an identity and data security incident.
What’s new
Microsoft’s latest guidance explains how defenders can detect this activity across the full hiring lifecycle, with Jasper Sleet cited as a known example of this tactic.
Pre-recruitment detection in Workday
Microsoft observed suspicious use of Workday Recruiting Web Service endpoints exposed through external career sites. Key behaviors include:
- Repeated access to hrrecruiting/* API endpoints
- Calls to job application, resume, and questionnaire APIs
- Multiple external accounts showing the same repeating access pattern
- Activity originating from known threat actor infrastructure
With the Microsoft Defender for Cloud Apps Workday connector, organizations can track these API calls, identify external accounts, and compare activity against threat intelligence.
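As an added illustration, not code from Microsoft's guidance or the Defender for Cloud Apps connector, the following Python sketch applies the pre-recruitment signals above to constructed Workday API access records. The account names, request paths, and the threat-intelligence IP list are placeholders; only the hrrecruiting/* pattern and the three API categories come from the text.

```python
import re
from collections import defaultdict

# Constructed sample of Workday API access records: (account, source_ip, request_path).
# Paths and addresses are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    ("ext-user-01@example.com", "203.0.113.10", "/hrrecruiting/jobApplication"),
    ("ext-user-01@example.com", "203.0.113.10", "/hrrecruiting/resume"),
    ("ext-user-01@example.com", "203.0.113.10", "/hrrecruiting/questionnaire"),
    ("ext-user-02@example.com", "203.0.113.10", "/hrrecruiting/jobApplication"),
    ("ext-user-02@example.com", "203.0.113.10", "/hrrecruiting/resume"),
    ("ext-user-02@example.com", "203.0.113.10", "/hrrecruiting/questionnaire"),
    ("ext-user-03@example.com", "198.51.100.7", "/hrrecruiting/jobApplication"),
    ("ext-user-04@example.com", "198.51.100.8", "/careers/jobPosting"),
]
# Placeholder threat-intel list (TEST-NET address), standing in for a real feed.
KNOWN_BAD_IPS = {"203.0.113.10"}

RECRUITING_RE = re.compile(r"hrrecruiting/([A-Za-z0-9_]+)")

def recruiting_calls_by_account(events):
    """Group hrrecruiting/* endpoint names per account, preserving call order."""
    calls = defaultdict(list)
    for account, _ip, path in events:
        match = RECRUITING_RE.search(path)
        if match:
            calls[account].append(match.group(1))
    return calls

def flag_accounts(events, known_bad_ips, min_calls=3):
    """Return {account: [reasons]} for accounts matching the observed behaviours."""
    calls = recruiting_calls_by_account(events)
    # Accounts sharing an identical endpoint sequence: the "same repeating pattern" signal.
    by_pattern = defaultdict(set)
    for account, seq in calls.items():
        by_pattern[tuple(seq)].add(account)
    ips = defaultdict(set)
    for account, ip, _path in events:
        ips[account].add(ip)
    findings = defaultdict(list)
    for account, seq in calls.items():
        if len(seq) >= min_calls:
            findings[account].append(f"repeated hrrecruiting access ({len(seq)} calls)")
            peers = by_pattern[tuple(seq)] - {account}
            if peers:
                findings[account].append(f"same endpoint sequence as {sorted(peers)}")
        bad = ips[account] & known_bad_ips
        if bad:
            findings[account].append(f"source IP on threat-intel list: {sorted(bad)}")
    return dict(findings)
```

Running flag_accounts(SAMPLE_EVENTS, KNOWN_BAD_IPS) flags the two accounts that repeat the same three-call sequence from the listed address and leaves the single-call and non-recruiting accounts alone.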
Recruiting phase investigation
During interviews and document handling, defenders should correlate additional signals such as:
- Suspicious email exchanges with hiring teams
- External Teams messages from risky IP addresses or accounts
- Activity in Zoom or Cisco Webex via Defender for Cloud Apps connectors
- DocuSign activity related to offer letters from suspicious sources
This helps security and HR teams flag fraudulent candidates earlier in the process.
Post-hire identity and SaaS monitoring
Once hired, the risk increases because the actor receives a legitimate account. Microsoft observed cases where new hire Workday sign-ins and payroll changes came from known malicious infrastructure. After onboarding, defenders should watch for:
- Impossible travel alerts on new hire accounts
- Access from anonymous proxies or unusual locations
- Search and download activity in Teams, SharePoint, OneDrive, and Exchange Online
- Unusual data access patterns during the first weeks or months of employment
Why this matters for IT admins
This is not just an HR issue. A fraudulent hire can bypass many traditional perimeter defenses because they receive valid credentials and approved access. Security teams need visibility across HR systems, Entra ID, Microsoft 365, and third-party collaboration tools to catch the behavior early.
Recommended next steps
- Review Workday API telemetry for repeated hrrecruiting/* activity
- Enable and validate Defender for Cloud Apps connectors for Workday, Zoom, Webex, and DocuSign where applicable
- Hunt for suspicious communications involving candidates and external accounts
- Closely monitor new hire identities for impossible travel, proxy use, and abnormal Microsoft 365 access
- Coordinate HR and security investigations for suspicious onboarding events
Organizations with remote hiring programs should treat recruitment workflows as part of their identity attack surface and include them in threat hunting and detection strategies.