Third-Party Compromise Enables Stealthy Trusted Access

Introduction

Microsoft has published a new incident response case study showing how threat actors can bypass traditional detection by abusing trusted relationships instead of relying on obvious malware or exploits. For IT and security teams, the key takeaway is clear: approved tools, delegated admin models, and third-party service providers can become part of the attack surface.

What happened

Microsoft Incident Response investigated an intrusion where the attacker compromised a third-party IT services provider and used legitimate enterprise management tooling to operate inside the customer environment.

Key findings

• The attacker used HPE Operations Agent (OA) and HPE Operations Manager (HPOM) as the primary delivery path.
• Microsoft noted there was no vulnerability in HPE OA itself; the risk came from abuse of a trusted operational relationship.
• Activity blended in with normal administration, delaying detection.
• The campaign focused on:
  • Long-term persistence
  • Credential theft
  • Lateral movement
  • Reestablishing access after partial disruption

Attack progression

Microsoft’s timeline shows a slow, deliberate intrusion:

• Day 1: Initial foothold through the third-party trust path
• Days 9–14: Credential interception introduced on domain infrastructure
• Days 24–32: Web-based persistence established on internet-facing servers
• Days 40–60: Lateral movement to additional and sensitive systems
• Days 104–106: Persistence reestablished after detection efforts

Techniques used

The report highlights several notable methods:

• Web shells found on internet-exposed web servers
• VBScript deployment through HPOM to execute discovery actions
• Credential harvesting on domain controllers using a malicious network provider named mslogon
• Abuse of Windows authentication notification APIs such as:
  • NPLogonNotify
  • NPPasswordChangeNotify

This allowed the attacker to capture cleartext credentials during sign-ins and password changes, then store them locally for reuse.

Why this matters for administrators

This incident is a strong reminder that security monitoring cannot focus only on malware, exploits, or unknown binaries. Legitimate signed tools and delegated administration platforms can be used as attack infrastructure when trust boundaries are not tightly controlled.

Security teams should pay particular attention to:

• Third-party remote management and monitoring platforms
• Administrative script execution through approved tools
• Unexpected changes to network providers on domain systems
• Authentication-related DLL registrations and credential access behavior
• Persistence mechanisms on internet-facing servers

Recommended next steps

Microsoft’s post includes Defender detection and hunting guidance, along with mitigation recommendations. Organizations should:

• Review and restrict third-party privileged access
• Audit trust relationships and delegated admin paths
• Hunt for unusual HPOM/HPE OA-driven script execution
• Monitor domain controllers for unauthorized network provider registration
• Validate persistence checks on web servers and sensitive assets

The broader lesson is simple: trusted relationships must be monitored as closely as untrusted ones.