Security

Third-Party Compromise Enables Stealthy Trusted Access

3 min read

Summary

Microsoft Incident Response detailed a stealthy intrusion in which attackers abused a compromised third-party IT services provider and trusted management tools to gain long-term access. The case highlights how legitimate admin channels, identity infrastructure, and web-based persistence can be misused, making stronger monitoring of trusted relationships critical for defenders.

Need help with Security?Talk to an Expert

Introduction

Microsoft has published a new incident response case study showing how threat actors can bypass traditional detection by abusing trusted relationships instead of relying on obvious malware or exploits. For IT and security teams, the key takeaway is clear: approved tools, delegated admin models, and third-party service providers can become part of the attack surface.

What happened

Microsoft Incident Response investigated an intrusion where the attacker compromised a third-party IT services provider and used legitimate enterprise management tooling to operate inside the customer environment.

Key findings

  • The attacker used HPE Operations Agent (OA) and HPE Operations Manager (HPOM) as the primary delivery path.
  • Microsoft noted there was no vulnerability in HPE OA itself; the risk came from abuse of a trusted operational relationship.
  • Activity blended in with normal administration, delaying detection.
  • The campaign focused on:
    • Long-term persistence
    • Credential theft
    • Lateral movement
    • Reestablishing access after partial disruption

Attack progression

Microsoft’s timeline shows a slow, deliberate intrusion:

  • Day 1: Initial foothold through the third-party trust path
  • Days 9–14: Credential interception introduced on domain infrastructure
  • Days 24–32: Web-based persistence established on internet-facing servers
  • Days 40–60: Lateral movement to additional and sensitive systems
  • Days 104–106: Persistence reestablished after detection efforts

Techniques used

The report highlights several notable methods:

  • Web shells found on internet-exposed web servers
  • VBScript deployment through HPOM to execute discovery actions
  • Credential harvesting on domain controllers using a malicious network provider named mslogon
  • Abuse of Windows authentication notification APIs such as:
    • NPLogonNotify
    • NPPasswordChangeNotify

This allowed the attacker to capture cleartext credentials during sign-ins and password changes, then store them locally for reuse.

Why this matters for administrators

This incident is a strong reminder that security monitoring cannot focus only on malware, exploits, or unknown binaries. Legitimate signed tools and delegated administration platforms can be used as attack infrastructure when trust boundaries are not tightly controlled.

Security teams should pay particular attention to:

  • Third-party remote management and monitoring platforms
  • Administrative script execution through approved tools
  • Unexpected changes to network providers on domain systems
  • Authentication-related DLL registrations and credential access behavior
  • Persistence mechanisms on internet-facing servers

Microsoft’s post includes Defender detection and hunting guidance, along with mitigation recommendations. Organizations should:

  • Review and restrict third-party privileged access
  • Audit trust relationships and delegated admin paths
  • Hunt for unusual HPOM/HPE OA-driven script execution
  • Monitor domain controllers for unauthorized network provider registration
  • Validate persistence checks on web servers and sensitive assets

The broader lesson is simple: trusted relationships must be monitored as closely as untrusted ones.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Read the original article by Microsoft Incident Response
Securitythird-party compromisetrusted relationshipcredential theftMicrosoft Defender

Related Posts

Security

Microsoft Intune Named a Leader in Forrester Wave

Microsoft says it has been named a Leader in The Forrester Wave for Endpoint Management Platforms, Q2 2026, highlighting Intune’s integrated approach to endpoint management, security, identity, and AI governance. The announcement matters for IT teams because Microsoft is expanding bundled Intune capabilities, adding Linux support, and positioning Intune as a central policy layer for managing both devices and AI agents.

Security

Microsoft CNAPP Evolution: Unified Cloud Risk Focus

Microsoft says the CNAPP market is moving beyond basic visibility and compliance toward unified, context-aware cloud risk operations. The update highlights how Microsoft Defender for Cloud correlates posture, identity, data, and runtime signals to help security teams prioritize exploitable risks across multicloud and AI-driven environments.

Security

StealC and Amadey Threats: Microsoft Disrupts C2

Microsoft detailed how the StealC infostealer and Amadey malware loader fuel credential theft, account takeover, and downstream ransomware attacks. The company also announced a coordinated disruption with Europol and partners to take down more than 200 related command-and-control domains and IPs, giving defenders new insight into how these threats operate and how to respond.

Security

AI Memory Security in Microsoft 365 Explained

Microsoft has outlined how it secures AI memory in Microsoft 365, addressing emerging risks such as memory poisoning and delayed tool execution. The update matters because persistent AI memory can improve personalization and agent performance, but it also creates new security, compliance, and audit requirements for IT and security teams.

Security

Parallel Threat Activity: Microsoft DART Findings

Microsoft Incident Response detailed a complex intrusion in which two unrelated threat actors operated simultaneously in the same environment, complicating attribution and detection. The case highlights how ransomware activity, SharePoint exploitation, trusted tool abuse, and identity compromise can overlap across hybrid estates, reinforcing the need for strong telemetry, patching, and coordinated response.

Security

AutoJack RCE in AutoGen Studio: Security Lessons

Microsoft security researchers detailed AutoJack, an exploit chain in AutoGen Studio that could let untrusted web content rendered by an AI browsing agent trigger remote code execution on the host. Although the vulnerable MCP WebSocket surface was never shipped in a PyPI release and the issue was hardened upstream during development, the findings highlight important security risks for agent frameworks that combine web browsing with privileged local services.