Detection strategies across cloud and identities against infiltrating IT workers
Microsoft Defender Security Research Team and Microsoft Threat Intelligence · 2026-04-21
ATT&CK techniques detected
5 predictions
T1525 Implant Internal Image
75%
"…and associated OAuth tokens, and expose the APIs so that the organization's external career sites can use them. Microsoft has observed API call events coming from known Jasper Sleet infrastructure in Workday telemetry to hrrecruiting/* API endpoints. These events access infor…"
T1528 Steal Application Access Token
65%
"…and associated OAuth tokens, and expose the APIs so that the organization's external career sites can use them. Microsoft has observed API call events coming from known Jasper Sleet infrastructure in Workday telemetry to hrrecruiting/* API endpoints. These events access infor…"
T1078.004 Cloud Accounts
64%
"…summarize make_set(ActionType) by IPAddress, AccountId, bin(Timestamp, 1d) CloudAppEvents | where Application == "Microsoft Teams" | where IsExternalUser | where IPAddress == "<SuspiciousIPs>" | summarize make_set(ActionType) by IPAddress, AccountId, bin(Ti…"
T1078.004 Cloud Accounts
59%
"…alerts for such new hires, indicating suspicious remote IT worker behavior in the initial months of onboarding. Mitigation and protection guidance: Microsoft recommends leveraging access to telemetry coming from multiple data sources and monitoring behavioral anomalies in hiring c…"
T1078.004 Cloud Accounts
41%
"…Webex connectors to detect malicious external accounts in the interviewing process. Organizations can also leverage Defender for Cloud Apps' DocuSign connector, which enables them to monitor activity related to hiring documentation, like offer letter signing from suspicious exte…"
Summary
The shift to remote and hybrid work since the pandemic expanded global hiring and accelerated digital onboarding, increasing reliance on online identity verification and remote access.