Microsoft Warns Jasper Sleet Phishing Infiltrates Cloud Environments
Key Takeaways A North Korea-backed group, Jasper Sleet, is infiltrating organizations by securing legitimate remote IT positions. The threat actor crafts sophisticated fake personas, often using AI,...
Key Takeaways
- A North Korea-backed group, Jasper Sleet, is infiltrating organizations by securing legitimate remote IT positions.
- The threat actor crafts sophisticated fake personas, often using AI, to pass recruitment screenings and gain access to cloud environments.
- Once hired, Jasper Sleet leverages internal access to steal data or conduct extortion, posing a risk to any organization hiring remote workers and utilizing cloud-connected HR platforms.
- Microsoft has provided detection strategies and recommends a joint effort between security and HR teams to mitigate this unique threat.
North Korean Threat Group Infiltrates Cloud Environments Through Fake Remote IT Worker Scheme
A sophisticated threat group, identified as Jasper Sleet and linked to North Korea, is actively compromising corporate cloud environments by exploiting the shift to remote work. This actor crafts elaborate fake professional identities to secure legitimate remote IT positions within target companies, subsequently gaining direct access to sensitive internal data and critical cloud infrastructure.
Table Of Content
The global pivot towards remote and hybrid work models, accelerated by the COVID-19 pandemic, fundamentally altered corporate hiring practices. Organizations increasingly rely on online interviews, digital onboarding processes, and remote access tools, inadvertently creating new vulnerabilities that Jasper Sleet has been quick to exploit.
Microsoft analysts and researchers have meticulously tracked Jasper Sleet’s operational tactics across various cloud environments and HR platforms. Their findings indicate a systematic approach where the group targets companies utilizing widely adopted HR software, such as Workday.
Sophisticated Recruitment Exploitation
According to Microsoft Threat Intelligence, Jasper Sleet’s method involves surveying open roles on external career sites. They then employ generative AI to analyze job postings, identify required skills, and construct highly convincing digital personas tailored to specific roles, designed to bypass initial recruitment screenings.
This is not a random attack strategy. The group conducts thorough research on target organizations, meticulously aligning their applications with the language and requirements of job listings, thereby submitting credible applications that effectively deceive hiring teams.
Upon successful hiring, Jasper Sleet proceeds through standard onboarding procedures, establishes payroll accounts, and gains access to essential internal tools like Microsoft Teams, SharePoint, OneDrive, and Exchange Online. Microsoft has observed a notable increase in “impossible travel” alerts among new hires during their initial months, a key indicator of suspicious remote IT worker activity linked to this group.
With unfettered access, the threat actor can then navigate the organization’s cloud environment, exfiltrate sensitive files, and in some instances, execute data theft or extortion schemes. The scope of this threat is broad, impacting any organization that employs remote workers and utilizes cloud-connected HR platforms. Microsoft has publicly shared its research to equip security and HR teams with the knowledge to identify and neutralize suspicious candidates before they gain internal access.
How Jasper Sleet Operates Inside HR Platforms
A distinctive feature of Jasper Sleet’s methodology is their precise exploitation of HR software workflows.
Pre-Recruitment Phase
During the pre-recruitment phase, Microsoft observed the group executing programmatic API calls to Workday’s Recruiting Web Service endpoints, which are accessible via external career sites. These calls allowed them to access data related to job postings, active applications, and questionnaires, revealing a pattern of suspicious API call activity originating from known Jasper Sleet infrastructure.
What differentiates this activity from a legitimate job seeker is its repetitive nature. Microsoft noted that the group utilized multiple external accounts to access the same API endpoints consistently and repeatedly, a behavior inconsistent with typical applicant interaction with hiring portals.
Recruitment and Post-Onboarding
In the recruitment phase, Jasper Sleet engages with hiring teams through email and video conferencing platforms, including Microsoft Teams, Zoom, and Cisco Webex. Following a successful hire, the threat actor logs into the newly created Workday account and updates payroll details from known Jasper Sleet infrastructure, capturing post-onboarding sign-in activity from flagged IP addresses.
What You Should Do
Microsoft advises organizations to implement several measures to mitigate exposure to this threat, emphasizing a collaborative approach between security and HR teams, as the campaign spans both functions.
- Enable Cloud App Connectors: Integrate connectors in Microsoft Defender for Cloud Apps to enhance visibility into activities across Workday, DocuSign, Zoom, and Cisco Webex. This enables security teams to track API events, monitor external account activity, and cross-reference suspicious IP addresses against threat intelligence feeds.
- Monitor Anomalous Login Behavior: Flag and promptly investigate any events associated with newly hired employees that originate from anonymous proxies or multiple disparate geographic locations.
- Enhance Social Engineering Training: Provide comprehensive social engineering training for HR teams and all employees involved in the hiring process. This training should focus on recognizing suspicious interview behaviors, such as candidates avoiding camera use, providing inconsistent background details, or exhibiting unusual urgency regarding payroll setup.
- Prioritize Early Detection: Emphasize early detection of red flags during the recruitment process, as identifying and addressing threats before a candidate is hired and granted access is significantly more effective than post-access detection.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.