CyberWire Daily - Live from Black Hat: Ransomware, Responsible Disclosure, and the Rise of AI [Microsoft Threat Intelligence Podcast]
Episode Date: September 1, 2025. While our team is observing the Labor Day holiday in the US, we hope you will enjoy this episode of The Microsoft Threat Intelligence Podcast. New episodes air on the N2K CyberWire network every other Wednesday. In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is live from Black Hat 2025 with a special lineup of Microsoft security leaders and researchers. First, Sherrod sits down with Tom Gallagher, VP of Engineering and head of the Microsoft Security Response Center (MSRC). Tom shares how his team works with researchers worldwide, why responsible disclosure matters, and how programs like Zero Day Quest (ZDQ) are shaping the future of vulnerability research in cloud and AI security. He also announced the next iteration of ZDQ with $5 million up for grabs. Next, Sherrod is joined by Eric Baller (Senior Security Researcher) and Eric Olson (Principal Security Researcher) to unpack the fast-changing ransomware landscape. From dwell time collapsing from weeks to minutes, to the growing role of access brokers, they explore how attackers operate as organized ecosystems and how defenders can respond. Finally, Sherrod welcomes Travis Schack (Principal Security Researcher) alongside Eric Olson to examine the mechanics of social engineering. They discuss how attackers exploit urgency, trust, and human curiosity, why AI is supercharging phishing campaigns, and how defenders can fight back with both training and technology.
In this episode you'll learn:
How MSRC partners with researchers across 59 countries to protect customers
Why Zero Day Quest is accelerating vulnerability discovery in cloud and AI
How ransomware dwell times have shrunk from days to under an hour
Resources:
View Sherrod DeGrippo on LinkedIn
Zero Day Quest — Microsoft
Microsoft Security Response Center Blog
Related Microsoft Podcasts:
Afternoon Cyber Tea with Ann Johnson
The BlueHat Podcast
Uncovering Hidden Risks
Discover and follow other Microsoft podcasts at microsoft.com/podcasts
Get the latest threat intelligence insights and guidance at Microsoft Security Insider
The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of the N2K media network.
Transcript
Welcome to the Microsoft Threat Intelligence Podcast.
I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft,
and this week we're coming to you live from Black Hat, with three mini episodes in one.
First, we'll chat with MSRC's Tom Gallagher about our bug bounty program and round two of the zero-day quest.
Then we shift into a chat about the current ransomware landscape with the Erics.
After that, we'll wrap up with a talk about phishing and social engineering with members of Microsoft's incident response.
Hello, everyone. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft.
I am joined by one of my most favorite people, Tom Gallagher, Vice President of Engineering, and quite importantly, the head of the Microsoft Security Response Center.
Welcome, Tom.
Thanks for having me here, Sherrod.
It's so good to see you. I've tried to get you on my podcast several times, and it has not happened. Why is that? That's your first question.
I look forward to our conversation today. Oh, that was very different. That was really good.
So give me just a rundown of MSRC, the Microsoft Security Response Center. What's the main responsibility as a mission there? What do you guys do?
There's a lot of different things that we do, but the main thing is any security vulnerability that's
found by somebody outside of the company gets reported through the MSRC.
And then we go and triage that, we do a technical assessment, we work with the product
teams to get that issue mitigated, and then we work with the researchers so that they
can publicly disclose the information.
In some cases, we'll pay a bug bounty to reward them.
So when somebody reports a bug, do they get to disclose it, or do they disclose it in partnership
with Microsoft?
How's that work?
Yeah, the industry standard is coordinated vulnerability disclosure,
which means that the person that finds it,
reports it to the vendor,
and then the vendor and the researcher work together
to make sure that customers are protected,
and then when that issue is mitigated,
the researcher is free to go and talk about it.
That way, customers are protected,
but the researcher is also able to publicly discuss
at conferences like Black Hat
and push research among the community forward
because we all learn from each other.
I love that.
And I know that you and your team, like Stephanie and Alex and others,
have really good relationships with the researchers, the bug hunters.
And what is that like?
What is that group of people like?
How would you describe them?
I would describe them as very diverse.
We have a very wide set of researchers around the world.
If you look at the last year of bug bounty submissions,
you have people from 59 different countries that have submitted vulnerabilities.
We also have people that are still in high school, all the way to people that are well experienced, folks with PhDs.
So everybody brings a different angle, different perspective, and we really benefit from them.
Now, in the past couple of years, I have sort of seen the advent of being a bug researcher or a bug hunter as somebody's entire source of income.
People say, you know what, I am kicking it on bug bounties, I'm making a lot of money on this across the board,
and they just do that full time. How much of the community is like that? Like, is that a real thing?
That is definitely a real thing. Some of those folks are part of our program and they submit to us,
some exclusively. Some will submit to us and also some other bug bounty programs. There's a pretty
wide array of how much people are involved. There's people like you're describing who get up
and they look for bugs all day long. They come up with techniques. They'll try it against Microsoft.
They'll try it against other vendors and they'll try to monetize that. And that is the way that
they make their money. But then you also have people that may be doing it for fun on the side,
on the weekends, late at night. Some of these folks are just learning. They may not have a job
in infosec yet, all kinds of different.
And that goes back to that diversity we're talking about across hobbyists and professionals
and early in career, super senior and all that kind of stuff.
And help me understand to you with MSRC, is that every Microsoft product?
Like pretty much everything?
So we take vulnerability submissions for anything that's Microsoft.
Awesome.
We pay out.
We try to incentivize research in certain areas.
And so those are going to be the areas that we have bug bounties for.
We do not have everything on the bug bounty.
And I know that last year, there was a new program called Zero Day Quest.
And that was announced by Satya in November 2020,
in Chicago at the Big Ignite conference, the Microsoft Conference.
And tell me what Zero Day Quest is exactly.
So Zero Day Quest, we did it for the first time in April of this year.
We had a qualifying period where we said, hey, these are areas that
we want to see people do research in.
They were focused on cloud and AI.
We asked people to submit bugs in those areas.
And then we took the top people and we invited them to an in-person event at Redmond.
Oh.
What happened at this in-person event?
Sounds fun.
Yeah.
So it was a lot of fun.
We had the researchers on campus.
It's our main campus.
So a lot of the product development is there.
So we had people working hard to find vulnerabilities.
Our team would in-person go and assess them.
It was really great for our team to be able to go and tap the researcher on the shoulder
and say, hey, we want to understand this a little bit more.
Then we would submit the bug to the product team for them to go and address.
And then in many cases, we would say, you know, these folks are here on campus.
You know, the product team would show and say, hey, how did you find this bug, what's going on?
And so the engineers that are actually developing the features learned a bunch about, you know,
that hacker mindset, how people approach trying to find security vulnerabilities.
And then the researchers were like, hey, can you tell me a little bit more about the architecture?
How does this work?
How does that work?
So that they could further their research and own where they're going to go and look to find vulnerabilities.
That's so cool.
Did it compress that timeline from bug find to bug fix into, what, a day?
The, you know, the fix.
So certainly the submission to go in triage was like super quick.
The mitigation of an issue is going to vary depending on what that fix is,
what the product is.
We have to be very intentional not to be too fast and break things,
but certainly our time to mitigate is something that's very important to the company.
I think it's really interesting since I've come to Microsoft seeing just really the scale of Microsoft deployment.
A lot of people think about Windows or Edge Browser or obviously Azure.
But Microsoft has such a massive footprint, not just within the Windows ecosystem, but with Mac, iOS, Android, across IoT devices, and you're taking all those bugs in across any Microsoft product. That's huge.
How many bugs would you say come in a day?
You know, I'm publicly talking about the number of bugs that are coming in.
Are you tired?
person. I would say that we are very smart about how we triage things. So if we're going to use
technology to go through, not every submission that we get is like a critical issue. And we're
using a lot of AI now to go and triage things and prioritize and work through all the issues that
are aborting. I've heard a lot about AI. It seems to be very popular. Tell me now, you've talked
before, about the ethics around responsible disclosure, kind of help me understand how MSRC
implements those kinds of values.
Yeah, so everything that we do is to protect customers, right?
And Microsoft, that's another way to protect customers.
The first part is that coordinated vulnerability disclosure that we talked about earlier, where people
are going to partner together to get the issue fixed before we go and disclose.
The other thing is we want to be intentional
with how people engage and how far they go with their research.
You know, we don't want people to find a vulnerability
and then start using that to touch customer data and things like that.
One of the things that we did during Zero Day Quest
is we set up these things we call Flash Challenges
where we said, you know, can you go and read this email?
Can you go and find the ability to look at the SharePoint document
and things like that so that people could go a little bit further
than they normally would,
but it's all within a contained boundary that would be responsible.
I love that.
I think that, you know, having such a massive footprint like Microsoft does,
being committed to ethical, responsible disclosure is kind of our, like, mantle,
foundationally in the world.
Like, to protect the global digital landscape, we have to be willing to have rigor and
discipline and approach names in a really clear of the way.
which I think is fantastic with MSRC.
And everything that I've done with MSRC,
because I've worked with your group quite a bit,
that value is in every person and every project
and everything that we do there.
So it's pretty cool.
So how does all of these cool things like Zero Day Quest,
bug bounties, how do all of these kind of contribute back
into the big focus of Microsoft,
which is security and the secure future initiative?
Yeah.
One of the pillars is to accelerate response and remediation.
I'm the pillar owner for that.
You're the pillar owner.
Do you have a crown or a scepter?
What do you get?
What do you get for me a pillar owner?
A bag of concrete.
I get a lot of work.
I get a lot of work.
So certainly we put a lot of energy into helping everyone across the company
understand the vulnerabilities to accelerate the ability to mitigate those issues quickly.
But if you think about the longer timeline, you know, security really starts from the time somebody envisions what a feature would look like.
It's well before somebody's writing code and, you know, threat modeling, all of it.
All those things happen at Microsoft.
By the time a security researcher is finding an issue, that means the landscape could have changed.
There are new threats that are understood.
The researcher made it had a different perspective on things than we did.
And so that's all feedback.
That's the feedback channel that we use to change the way we think about things.
So it might be, you know, we missed something.
Let's go add some static analysis rules.
It could be let's make sure that people that are doing threat modeling
consider this perspective when we're going and designing new features.
So it's all just a good feedback loop.
It's a great partnership, I think, between the Microsoft Security Response Center
and our Microsoft software engineers, software developers.
I worked through your group doing a lot of workshops for those software developers, and it's a really different mindset working with
somebody who considers themselves a software engineer versus people like us who kind of are
security people, and I always say, you know, the developers are the makers, and we're kind of
the breakers on the security side, and sometimes I just wish I could live in that software
developer world where I just wanted to give people cool features all the time instead of
feeling a little destructive where I'm going to try to find problems and bring them up.
It's a great partnership. I worked on the office team for 23 years.
And so we were shipping features, but I was always responsible for how do we do this in a fast way, but in a secure way.
And so it's really about building that awareness, building the partnerships with the software engineers,
because they're going to be well-equipped to go and address the issues if they're aware of how to go and do that.
I love the way that Microsoft handles these things because we have the scale that we have.
Let me ask you now, zero-day quest, are we going again in 2025?
And we've started the next phase.
It's a qualification phase.
We opened it up on Monday.
We went through October 4th.
You should check our blog.
We're accepting submissions right now.
Basically, the way that you submit is finding a vulnerability in cloud and AI products.
Submit those.
You're going to get paid for them.
We have even multipliers for critical issues that are being found.
And then we'll take the top people and invite
them for that in-person experience that we described before.
And that'll be in Redmond again at campus?
It will.
Amazing.
It's absolutely worth that if you're listening, search up Zero Day Quest Microsoft,
go get involved and check that out.
And finally, there is BlueHat Asia in the Gala Roo coming up.
How do you feel about that?
When is that?
I'm very excited.
So we have three BlueHat events around the world now.
It started in Redmond.
We've had an event in Israel for several years, and then recently we started one in India,
and it's been such a big success that we're expanding to attract the broader region,
and it's called BlueHat Asia.
Fantastic. So those are some things for the audience to go check out right now.
Get on your computer and look up Zero Day Quest Microsoft and Blue Hat Asia coming up soon.
Tom, I have one final question for you.
What is something that you would love to see more of from the research community this year?
I think there's still a big opportunity to do more AI research.
I think there's a lot of folks with a lot of talent around application security.
And that's a great mindset.
What we'd like to do is see more people pivot to think about the AI problem.
The researchers that work in the AppSec space have a great mindset.
If they apply that same mindset to AI, I think it will unlock a lot of different things.
Some of the things that we're doing is we're providing additional training.
We have videos out, we have information about that.
It's a different type of problem, and so you just have to think about it a little bit differently,
but the core competencies are really the same thing.
One of the things that I think is so cool about AI bug hunting
is that you could do a lot of it in natural language.
So the bar to entry really is anybody can do it.
And I want to put a particular call out to my social engineers out there
because combining your social engineering experience with natural language capabilities,
getting into AI systems, you can hit bugs that you
maybe could not have hit otherwise without a social engineering background.
That's right.
And you don't have to get sweaty like you would be social engineering a real person.
You don't need a clipboard or anything like that, just a computer little typey, typey fingers.
And if you fail, you just try again.
It's not like social engineering in the real world where you get shut down.
Absolutely. You can keep trying.
I love it, Tom Gallagher.
Thank you so much for joining us.
That was Vice President of Engineering from the Microsoft Security Response Center, Tom Gallagher.
I'm Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, coming to you live from Black Hat 2025.
Thanks for joining me, Tom.
Thanks, Sherrod.
It was great.
Welcome to the stage, my close friends that I have known for a very long time, Eric Olson, principal security researcher.
Whoop.
And Eric Baller, senior security researcher.
I've heard that you guys like crime.
True or false?
True.
Not committing crime, but crime, yes.
Got to make that distinction.
Don't want to commit the crimes.
We want to research the crimes.
Exactly.
Yeah.
It's okay.
So, let's talk about ransomware.
Ransomware is one of my most favorite things to research and never do.
Because it really has evolved over
the past 10 years to become this thing that used to be an individual situation where
like a computer would get encrypted to now they're shutting down entire organizations operationally.
So help me understand, I'll start with you, like, help me understand what you're seeing
on the ransomware ecosystem.
Yeah, I think what we've been seeing lately is that when they come in, they seemingly know
where they want to go a lot faster than they used to.
So whether that's going straight towards Nye servers
or targeting the backups and trying to inflict the damage.
Fast and early, so they have a better chance
of getting the ransom payment rather than just
encrypting a few workstations, which doesn't really motivate
the company to want to pay.
And I think another thing that's really been brought up
is they seem to really have the accounts when they come in.
They don't need to do a lot of privilege escalation.
I don't know if that's the rise of ransomware brokers
and access brokers, giving them credentials.
the initial access is usually really fast.
And we'll see them do things such as go to the tick attacks
or trying to drop other persistence mechanisms
to keep us from kind of stamp of the mouth.
But the speed, I think, is the real thing
that's changed the last two years for us.
That's really interesting.
When we talk about speed for years,
the DBIR from Verizon would have stats on dwell time,
which is essentially the time from when a threat actor
has access to a network, how long it takes
before they actually do the encryption and take
down the organization.
And year after year, dwell time would get shorter and shorter.
And I remember dwell times of 10 days,
dwell times of seven days.
And as those got shorter,
I think we're seeing dwell times now and hours.
Yeah, I worked a case a few weeks ago,
and it was about 30 to 40 minutes.
From when they came in,
when we had the first deep-fant long time,
stay up to when they started getting the background.
was sprout up in 40 minutes.
So it's very quick now.
Are you seeing the same kinds of things
with the ransom that you're looking at?
Yeah, it's been interesting.
So we see a use of common exploits.
So the example is CitrixBleed 2, which is more recent.
So you'll see them jump from some exploit like that,
and then once they get into the network,
set up shop click, the toolie tunies.
And in a lot of instances, these folks know
the tools better than the customers.
So they're like, hey, we can, you're using
software deployment mechanism.
Guess what?
We have people who are experts in this
and they were able to just get in,
get it deployed, and get out.
I think that's something that we've seen too,
especially when it comes to
social engineering.
Threat actors really do seem to know
the organizations, the people,
the business processes,
in a lot of cases,
better than the employees themselves,
they're able to really understand,
okay, if we rans up this organization
or this company,
will we get paid? Do they have the money? Do they have the capability? And how exactly would
we get that access? And I think that it's really, it's a shift over the past decade of kind
of a spray and pray ransomware like Locky was in 2015 to now it's really targeted. It's really
specific and intentional. Do you have any insight in for you how these ransomware actors are
choosing their targets?
What you have to really?
It was.
It varies.
It really varies.
It could be open source intelligence,
and they're just going to expand,
and find some system that is already
experiment is for work.
Some of their remote access,
protocol exposed,
it could be reviewed.
Some social engineering,
credential theft.
We've seen, like,
a forum hits compromise.
There's some of us for something like,
let's set coats,
and that person gets, you know,
hot to download them a day.
in the adobe executable and it's actually not in the first stage of own access into the organization.
And something that I think is interesting now, too, about the way ransomware operates is
we're seeing a lot of, you know, the phrase we used to use was double extortion,
but I think now we're saying, we'll see, extortion. How are we seeing that playing out, with
not just encryption and pay, decrypt and pay, but additional extortion techniques at the same
time, more innovation over time?
Yes, I think there's the data theft component of them actually exfilling proprietary data
before doing the encryption, so they have kind of two options, right?
Like, we'll release your data to the public, and you're going to sit there with everything
encrypted.
So I think it's mostly what I've seen recently is the extortion of their proprietary data.
I think looking forward in terms of ransomware, I think something that really is on the
horizon is the use of AI.
And you might say, like, well, where do you put AI in the attack chain, essentially, for a ransomware event?
And I think what we're going to see is usefulness of vintage data breaches, ransomware actors going, pulling down old data breach archives, putting them through an LLM or an SLM locally, and saying, hey, help me figure out their weak points, help me figure out based on these data breaches
where I could potentially do a ransomware event
on this particular organization
or look through this and see if there's extortion tactics
that we can use.
Maybe if you get an email done,
look for email conversations and talk about
mergers and acquisitions or maybe a supervisor
being inappropriate with one of their employees
and we could use that kind of extortion.
So it's gonna really, I think, accelerate
these threat actors ability to understand the business.
like we were talking about before, they're going to be a lot quicker at that.
Go back to your early question, too, of how they get in sometimes.
I think, and you've probably seen this too, also, if the company's using a third-party
MSP and they compromise that, sometimes the way they pick their targets is
whatever the employee they compromised in that third party, that's who they go after.
So if that employee has access to these four companies to do normal administration work,
they go after them.
I think we've seen a lot of those that seemingly
start from the service provider and then go into a company.
So I think there's going with it.
I think there's a kind of a bright spot in it though.
We have seen a lot of customers getting smart to having their backups disconnected
from their main network.
We worked one recently where they hit the ESXi servers.
They were going to pivot to their backups and they just cut the line right away.
And they seemingly were able to save themselves.
So as we see, like, ransomware dwell time get fast, I think
the customers' responses are actually getting pretty fast as well.
Yeah, and a good point on the use of AI is, you know, like, their quality of scores.
I love to say, your fingertips.
So you can go back and say, okay, hey, this company was enacted by this previous vulnerability of some software,
and now a new version comes down.
So they went back and replayed that, you know, repeated that playbook and said,
hey, the customer is vulnerable this time.
What's the chance there now?
I'm also vulnerable with this new version.
And that, I think, brings into the conversation
software supply chain or service provider supply chain, where your vendors or providers are just as much
of a target as you are, if not more, because ultimately those vendors, whether they sell you
software, they sell you services, you use their platforms. If the threat actors know that those service
providers and software sellers are vulnerable, it's a lot easier to compromise a platform
like you said, an MSSP, and they go downstream to all of those customers that make
absolute targets for these threat actors, especially for ransomware.
Yeah, and I think from the customer side, too,
they don't really know how the Spruce Bata Zone
in the other side. They may do everything right on their side,
but they're going to leave enough vulnerability out there in some way.
Yeah, I think that cuts back to one of the least
fun and cool parts of security, which is like vendor audits.
So, like, making sure your vendors are doing the boring parts of security
and that you have, you know, as,
that have had three of visibility into those vendors
and understand their approach to security
what they think is important, how they do the things they do.
I'm going to talk a little bit about the business of ransomware.
We always say ransomware is a thing in this stuff.
You're not fighting a single threat after group.
You're fighting an entire organized ecosystem.
What have you seen in terms of the organization
of these ransomware threat actor groups, what are they offering?
Don't do if I have a specific answer on that,
I think the access broker side does maybe where I've seen that evolve a little bit
because before it was always kind of an exploit at like an edge device or compromised credentials
of, you know, you can be a social engineering or something.
But now we're seeing cases where no of that really seemingly happens in the logs.
They just kind of log in with an account.
So did they buy those credentials from an access broker somewhere else with the permissions
that they need and just log in and do it at the end of view.
Yeah, also you have disagreements between different ransomware crews,
and they break away, form their own ransomware and maybe take that as a moment to, you know,
introduce some changes available in the way that products that they want to use and have used
and then hit it that way.
There's definitely an element of, kind of, no honor among thieves, of what happens
in these ransomware groups, and the way that most of us know that is we read things like the Conti
leaks or various other leaks that have come out of these groups where we can really see
the inner workings of, hey, this guy's getting paid
more than I was getting paid. I want to
reuse work. You know, we're doing
in this way. I don't think that's the most effective.
Let's make it change here.
I said, no. I don't like that. We're going to
split up or we're going to shut it
down. They're not getting a big enough cut.
They're not getting a big enough time. I've also seen
instances where, like, it'll be
one person working for
multiple ransomware groups
out of time because they just sort
of know what to do and they tape on
as many jobs as they can.
What do customers need to know?
How did terms of brands become?
Well, do you say if double would then
comes to receiving it in loan cards?
I think we'd be having a plan to disconnect critical systems,
backups stored in a manner that's not connected
to your normal production environment.
So you're not totally free-gilded
and if you don't get a hold of it in time.
And then another thing I always want when we're on
incident response is the VPN and the firewall logs.
And especially for any kind of historical compromise,
not having those logged anywhere really,
It's how they got in and where they came from
and to really track if there's any other
businesses. So I think
disconnected backups and having
proper logging and things.
So if we're all of you listening,
you're going to mean to do the proper
logated backups.
They click network segmentation and
making sure that you're a hand and
firewall aren't accessible. So we're
really in talking the language of like
2002.
Yeah. Yeah.
The people haven't taken care.
Same recommendations.
Also, equally important, you know, realizing where your sensitive data is at.
Because the ransomware folks, they definitely know.
And when we start, when they send you an email and they're like, hey, look at all this data, it's up.
And, you know, maybe the customer's like, hey, little cat and mouse, I'll send me a proof of life.
I don't believe you.
Tell me you took my data.
And they send you a text while like, hey, look, here's all the data it's up.
And now you're that company going, all right, I see this data.
I don't recognize this.
Where did it come from inside my network?
And then they can't find it.
So you can't verify whether or not the threat actor really has what they say they have.
Or even proving that the data was exfilled because maybe that segment was not logged or audited and there was no evidence.
So there really is just such a big element I think of social engineering aspect for ransomware,
whether it's, you know, the initial entry leverages text messages or calling on the phone, whatever threats.
Or if it's at the, you know, in Crescent stage where they say, oh, we really do have this data,
And then the organization has to decide
whether or not they believe that's true.
Yeah.
All right, we are gonna wrap up now.
I wanna thank my two guests,
Eric Olson, principal security researcher,
and Eric Baller,
senior security researcher at Microsoft.
I am Sherrod DeGrippo, Director
of Threat Intelligence Strategy.
Thank you for joining me at Black Hat 2020.
Hello and welcome to the Microsoft booth at Black Hat.
Wow.
Okay, we're gonna talk about
phishing and social engineering, two of my most favorite topics.
And with me, I have fantastic guests from Microsoft, Travis Schack, principal security researcher,
and my good friend Eric Olson, also principal security researcher.
I am Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, and let's get into it.
Travis, I would start with you.
More.
What exactly is social engineering?
But definitely should be, can you hear me?
So social engineering is just a tactic that threat actors use to get you to do something
or to provide something; lots of different techniques are involved in that.
We'll probably talk a lot about phishing,
the email side with phishing, and some other techniques.
So, Eric, I'll ask you, what examples of social engineering have you seen that threat actors actually sent
out there into the world? Well, so social engineering actually, probably a really good one is
everyone who's got a text message that says, hey, you have a toll to pay, click this link, or UPS, oh,
don't forget your package. Oh, no, I've got that. I know everyone's got that. So you should
click the link, right? If you're a researcher, maybe.
No, definitely not.
Click the link only if it's for research purposes.
Yeah, exactly.
So people get those all the time.
I think a lot of people, and they are probably pretty smart
and just delete the message or ignore it.
What happens if you click on the toll link?
What is it?
It varies. It could be something like,
hey, put in your email address and password,
and you're like, oh, well, I use the same password for everything, naturally.
So let me just put in my password,
and now they got your password,
and they could either, you know, go to some credential broker
or, you know, that threat actor was hoping that you would put in your password,
and now they have it.
So what kind of scale are we looking at when we talk about things like
social engineering for credential theft?
Like, how many of these messages are getting sent,
how many people are clicking on them?
Is this actually profitable?
Very much so, profitable, and probably way too many to count.
I know I have family members who are sending me these
all the time. They're like, Eric, is this spam? I'm like, yes. It is a phishing email. Please tell me that you did not
click the link. You didn't provide your password or any of the other info that it asked for. And I think
one of the things that's changed is that with the use of AI, so previously, you know, you get an email
and you're like, oh, this is unrealistic because either the English isn't correct or the grammar
doesn't match up with something that would be said in person. So now through the use of AI and
like using deep fakes, you're like, all right, this is kind of believable if you're not looking
for other indicators. Like, hey, it came from a random email address. It's not the company that said
they sent it. Right. And I think that people don't understand. And for the most part,
things like credential phish are really the beginning of an attack. So, Travis, walk me through,
like once the threat actor has your username and password, let's say you fell
for it, you put it in the landing page.
What happens after that?
Yeah, so typically they want to use that information
that they capture.
And if you don't have multi-factor authentication
on that account, they're going to gain access
to whatever systems where you use those credentials.
So whether it's work-related, personal-related, banking,
they're going to try everywhere.
Social media, they're going to try everything
to try to use those credentials
to gain access to that.
So I guess that leads me to my next question, Eric, how do we prevent this stuff?
Like, what's the way to stop it?
Well, you know, I was reading something earlier that was talking about corporate training
and you get, you know, and we get it too, and it'll be a video like, hey, click on this thing
or watch this video about something and, you know, for the most part, a lot of folks probably
just tuning out because, like, hey, I have 40 hours of training, you have to do it,
it's videos, and I think it'd be much better served by some kind of micro-learning, like a simulation
where you're like, hey, you click on this area of the email that looks suspicious, so I know
that you know, if you get an email at the company, that you'll be a good, a good cybersecurity
person, because everybody can do a little bit of security and be like, hey, this is no good,
and then report it and be like, hey, nope, not clicking it.
So what else, Travis, can we do in terms of prevention? How do we stop this?
Yeah, it starts with user education, but then you're still going to have some failures there.
Then you've got to rely on some of the technology side of the house.
That's where multi-factor authentication is going to help, adding in that second layer of authentication.
Tools like Defender for Office 365 are going to help with that.
So really, multi-factor authentication is probably one of the biggest protections that we could have.
Yeah, because, and you know, for phishing, and actually
social engineering, too, it's not necessarily starting with breaking the system, it's breaking
trust of the person who's on the other side. And then you have to hope that all the other security
controls and tools and things that you have at your disposal are what, you know, stops the next
step. Yeah, I think, too, like you mentioned AI, and I've been thinking a lot about this.
I think that a lot of the AI tools that they have available to us today really are these
large language models, generative text. They can create images.
they create text. And I think we are seeing threat actors leverage AI tools to create really
good social engineering lures. But something I think about, too, is all of those data breaches
that have happened over the last several years, those are out there available for threat actors
to take. And it would be really easy, I'd feel, for a threat actor to download a bunch of breached
data, whether it's emails or credentials or corporate IP, and then run those through
an LLM and say to the LLM, if I was going to try to trick someone from this company,
how could I do that?
What is something that people in this company are concerned about that would cause them to click?
I don't know that we've seen that yet, but it makes sense to me that threat actors are
thinking about leveraging AI as that kind of tool.
Yeah, definitely something you've done the breaking trust bit.
Right.
It makes things go faster.
And I think it does.
I think AI is really something that is important to think about.
When you're re-branding it, the A can very easily stand for acceleration,
just making things a lot faster that we used to do manually,
or even when you did it with code,
you could do it even faster today than you can with writing most scripts,
because when you think about bodies of text,
which is what LLMs specifically are really great at handling,
the amount of different types of usernames and passwords and data that's out there,
writing a regular expression for that
and to, like, rip through a giant database of text
is really hard.
Like, that regular expression is probably impossible to create.
So with an LLM, you've now got that natural language interface
and you could say, hey, go through this
and find me anything that would be interesting
if I was a hacker basically.
Yeah.
Yeah.
So help me understand.
We talk about social engineering in terms of emotion,
the urgency.
Have you seen any examples of social engineering
that you thought were really clever or really good?
Use of audio or deep fakes. I was actually listening to,
I don't remember what it was.
There was something in the news, a politician in the U.S.,
and they deep faked his voice and then used his voice to call other politicians.
And, I mean, unless I guess you talk to the person every day,
you could easily be tricked.
They're breaking your trust.
And you're like, okay, this sounds believable,
or at least they have enough.
context about what they want, that it sounds believable. And you're like, okay, you lower your
shield down and, you know, just allow, you know, allow the conversation to continue.
Yeah, Travis, what have you seen?
I have to agree with what Eric said. You're starting to see the phishing becoming more successful
because they are getting better at calling, right? We see a lot of help desks being targeted,
and typically you used to be able to, like, decipher, like, is this person really real or not,
but now with the voice generation stuff and with the AI coming in helping with the grammar
mistakes and making that more believable, it's just that, and I think AI has
definitely helped them be more relatable, because you're like, hey, well, I know that you like this
specific thing, so you don't start the conversation with what you want, you start the conversation
with something to build trust first and kind of get that person to lower their barrier,
and then you come in for your ask.
Absolutely.
I think, you know, we see multi-chain relationships with social engineering.
We see things like just a single email sent out.
A really good example that I talk about a lot is, you know,
it's on sort of email letterhead, like with a thick file and graphics and everything.
It's from a law firm.
And it says, hey, I'm from this LLP law firm.
Your spouse has contracted me to prepare your divorce papers.
Go ahead and click here to view our law firm's
first draft of your divorce papers.
And I think, really, anybody, married, single, happy, unhappy,
there are so many reasons for people to click on things like that.
Yeah, absolutely prey on their fear.
Yeah, or pray on their curiosity.
Yeah.
Lack of jobs right now, right?
I was a former CISO, and at the last company where I was a CISO, our HR VP got impersonated,
and they were basically offering jobs to people
and then scamming them out of money through Google Sites,
and it was really hard to stop that up front
because they thought that it was actually from our organization.
So today you see a lot of, like, a lot of my friends are saying,
hey, I just got this recruiter,
they just sent me something about a job.
Do you think this is real?
So you're going to use the current times,
whatever's going on.
And so you really have to be aware of what's happening right now
and how the threat actors can leverage that.
Yeah, and even something like, hey, take a look at this job description,
and it's in a Word Doc or a PDF, and the person on the other side has malicious intent,
and, you know, you're looking for a job, so of course you're going to have,
you're going to have an interest in opening up the email and looking at the attachment.
I also think, too, there's, you know, threat actors have been able to really be smart
about who they're targeting in terms of looking at data that's available,
whether it's open source data or data that's out of a breach, and say,
oh, like, this group of high-value individuals all have the following thing in common.
I could kind of write a lure and send that out to all of them and see what comes back to me.
I know of an example where one of those big email platforms,
the marketing platforms, an account on one of those was compromised.
And the threat actor said, great, I've got access to all these people.
It was a newsletter about wine of the month.
It was a wine review newsletter.
And the threat actor said, you know, great.
I have access to this.
I can send from it.
I'm going to look through these individuals
to see who's maybe a high net worth,
who has high access that I want to maybe compromise
so I can get further access.
And the threat actor sent out a wine newsletter
that said, click here for a free bottle of wine.
Hopefully they sent the wine.
They didn't get wine.
You got hacked.
Bait and switch.
But it makes sense, right?
If you know even a little bit about your target, you can social engineer them so much more effectively.
And, you know, there's everything across the spectrum, of threat actors that do deep, deep research on their targets, they understand them.
They tailor perfect, perfect social engineering lures directly to that individual.
And then there's those massive spray-and-pray campaigns where the threat actor is like, I'm just going to send this to everybody and just hope for the best.
Yeah.
So I think social engineering is something that we can never overlook, and I'll kind of leave everyone with this.
If you're looking at an email and it's telling you to do something immediately, that is probably social engineering.
Any time that an email says you must act now, hurry, going fast, all those kinds of things, generally, you should be a little suspicious.
Yeah, definitely.
All right.
I want to thank Travis Schack and Eric Olson, both principal security researchers at Microsoft, for joining me, Sherrod DeGrippo,
Director of Threat Intelligence Strategy, here at Black Hat 2025 to talk about social engineering and phishing.
Thank you both.
Thanks for having us.
Thank you.
This week on the Microsoft Threat Intelligence podcast.
Join us live at Black Hat, where you'll hear about bug bounty programs, ransomware, and all kinds of incident
response tactics. Be sure to listen in and follow us at msthreatentelpodcast.com or wherever you get your favorite podcasts.