{
	"id": "79bedebf-e82e-4e33-b9a6-fd49e5273bd7",
	"created_at": "2026-04-06T00:09:24.65832Z",
	"updated_at": "2026-04-10T03:28:46.782723Z",
	"deleted_at": null,
	"sha1_hash": "16c141d9d362d2d18b694aa83afb035d83d67ea9",
	"title": "DEV-0537 criminal actor targeting organizations for data exfiltration and destruction | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432390,
	"plain_text": "DEV-0537 criminal actor targeting organizations for data\r\nexfiltration and destruction | Microsoft Security Blog\r\nBy Microsoft Incident Response, Microsoft Threat Intelligence\r\nPublished: 2022-03-22 · Archived: 2026-04-05 14:11:46 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. DEV-0537 is now tracked as Strawberry Tempest.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nMarch 24, 2022 update – As Microsoft continues to track DEV-0537’s activities, tactics, and tools, we’re sharing\r\nnew detection, hunting, and mitigation information to give you additional insights on remaining vigilant against\r\nthese attacks.\r\nIn recent weeks, Microsoft Security teams have been actively tracking a large-scale social engineering and\r\nextortion campaign against multiple organizations with some seeing evidence of destructive elements. As this\r\ncampaign has accelerated, our teams have been focused on detection, customer notifications, threat intelligence\r\nbriefings, and sharing with our industry collaboration partners to understand the actor’s tactics and targets. Over\r\ntime, we have improved our ability to track this actor and helped customers minimize the impact of active\r\nintrusions and in some cases worked with impacted organizations to stop attacks prior to data theft or destructive\r\nactions. Microsoft is committed to providing visibility into the malicious activity we’ve observed and sharing\r\ninsights and knowledge of actor tactics that might be useful for other organizations to protect themselves. 
While\r\nour investigation into the most recent attacks is still in progress, we will continue to update this blog when we\r\nhave more to share.\r\nThe activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also\r\nknown as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying\r\nransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but\r\nexpanded to global targets, including organizations in government, technology, telecom, media, retail, and\r\nhealthcare sectors. DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to\r\ndrain cryptocurrency holdings.\r\nUnlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far\r\nas announcing their attacks on social media or advertising their intent to buy credentials from employees of target\r\norganizations. DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by\r\nMicrosoft. Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover;\r\naccessing personal email accounts of employees at target organizations; paying employees, suppliers, or business\r\nhttps://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/\r\nPage 1 of 12\n\npartners of target organizations for access to credentials and multifactor authentication (MFA) approval; and\r\nintruding in the ongoing crisis-communication calls of their targets.\r\nThe social engineering and identity-centric tactics leveraged by DEV-0537 require detection and response\r\nprocesses that are similar to insider risk programs–but also involve short response timeframes needed to deal with\r\nmalicious external threats. 
In this blog, we compile the tactics, techniques, and procedures (TTPs) we’ve observed\r\nacross multiple attacks and compromises. We also provide baseline risk mitigation strategies and\r\nrecommendations to help organizations harden their organization’s security against this unique blend of tradecraft.\r\nAnalysis\r\nThe actors behind DEV-0537 focused their social engineering efforts to gather knowledge about their target’s\r\nbusiness operations. Such information includes intimate knowledge about employees, team structures, help desks,\r\ncrisis response workflows, and supply chain relationships. Examples of these social engineering tactics include\r\nspamming a target user with multifactor authentication (MFA) prompts and calling the organization’s help desk to\r\nreset a target’s credentials.\r\nMicrosoft Threat Intelligence Center (MSTIC) assesses that the objective of DEV-0537 is to gain elevated access\r\nthrough stolen credentials that enable data theft and destructive attacks against a targeted organization, often\r\nresulting in extortion. 
Tactics and objectives indicate this is a cybercriminal actor motivated by theft and\r\ndestruction.\r\nWhile this actor’s TTPs and infrastructure are constantly changing and evolving, the following sections provide\r\nadditional details on the very diverse set of TTPs we have observed that DEV-0537 is using.\r\nInitial access\r\nDEV-0537 uses a variety of methods that are typically focused on compromising user identities to gain initial\r\naccess to an organization including:\r\nDeploying the malicious Redline password stealer to obtain passwords and session tokens\r\nPurchasing credentials and session tokens from criminal underground forums\r\nPaying employees at targeted organizations (or suppliers/business partners) for access to credentials and\r\nMFA approval\r\nSearching public code repositories for exposed credentials\r\nUsing the compromised credentials and/or session tokens, DEV-0537 accesses internet-facing systems and\r\napplications. These systems most commonly include virtual private network (VPN), remote desktop protocol\r\n(RDP), virtual desktop infrastructure (VDI) including Citrix, or identity providers (including Azure Active\r\nDirectory, Okta). For organizations using MFA security, DEV-0537 used two main techniques to satisfy MFA\r\nrequirements–session token replay and using stolen passwords to trigger simple-approval MFA prompts hoping\r\nthat the legitimate user of the compromised account eventually consents to the prompts and grants the necessary\r\napproval.\r\nIn some cases, DEV-0537 first targeted and compromised an individual’s personal or private (non-work-related)\r\naccounts giving them access to then look for additional credentials that could be used to gain access to corporate\r\nsystems. 
Given that employees typically use these personal accounts or mobile phone numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete\r\naccount recovery actions.\r\nMicrosoft also found instances where the group successfully gained access to target organizations through\r\nrecruited employees (or employees of their suppliers or business partners). DEV-0537 advertised that they wanted\r\nto buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the\r\nwilling accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk\r\nor other remote management software on a corporate workstation allowing the actor to take control of an\r\nauthenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and\r\nbusiness relationships their target organizations have with their service providers and supply chains. \r\nFigure 1. Screenshot of an ad recruiting employees to give out access to their employer’s network\r\nIn other observed activity, DEV-0537 actors performed a SIM-swapping attack to access a user’s phone number\r\nbefore signing into the corporate network. This method allows the actors to handle phone-based authentication\r\nprompts they need to gain access to a target.\r\nOnce standard user credentials or access was obtained, DEV-0537 typically connected a system to an\r\norganization’s VPN. 
In some cases, to meet conditional access requirements, DEV-0537 registered or joined the\r\nsystem to the organization’s Azure Active Directory (Azure AD).\r\nReconnaissance and privilege escalation\r\nOnce DEV-0537 obtained access to the target network using the compromised account, they used multiple tactics\r\nto discover additional credentials or intrusion points to extend their access including:\r\nExploiting unpatched vulnerabilities on internally accessible servers including JIRA, Gitlab, and\r\nConfluence\r\nSearching code repositories and collaboration platforms for exposed credentials and secrets\r\nThey have been consistently observed to use AD Explorer, a publicly available tool, to enumerate all users and\r\ngroups in the said network. This allows them to understand which accounts might have higher privileges. They\r\nthen proceeded to search collaboration platforms like SharePoint or Confluence, issue-tracking solutions like\r\nJIRA, code repositories like GitLab and GitHub, and organization collaboration channels like Teams or Slack to\r\ndiscover further high-privilege account credentials to access other sensitive information.\r\nDEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation. The\r\ngroup compromised the servers running these applications to get the credentials of a privileged account or run in\r\nthe context of the said account and dump credentials from there. The group used DCSync attacks and Mimikatz to\r\nperform privilege escalation routines. Once domain administrator access or its equivalent has been obtained, the\r\ngroup used the built-in ntdsutil utility to extract the AD database.\r\nIn some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support\r\npersonnel to reset a privileged account’s credentials. 
The group used the previously gathered information (for\r\nexample, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance\r\ntheir social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts\r\nsuch as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity.\r\nSince many organizations outsource their help desk support, this tactic attempts to exploit those supply chain\r\nrelationships, especially where organizations give their help desk personnel the ability to elevate privileges.\r\nExfiltration, destruction, and extortion\r\nBased on our observation, DEV-0537 has dedicated infrastructure they operate in known virtual private server\r\n(VPS) providers and leverage NordVPN for its egress points. DEV-0537 is aware of detections such as impossible\r\ntravel and thus picked VPN egress points that were geographically like their targets. DEV-0537 then downloaded\r\nsensitive data from the targeted organization for future extortion or public release to the system joined to the\r\norganization’s VPN and/or Azure AD-joined system.\r\nDEV-0537 has been observed leveraging access to cloud assets to create new virtual machines within the target’s\r\ncloud environment, which they use as actor-controlled infrastructure to perform further attacks across the target\r\norganization.\r\nIf they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537\r\ncreates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant level mail transport\r\nrule to send all mail in and out of the organization to the newly created account, and then removes all other global\r\nadmin accounts, so only the actor has sole control of the 
cloud resources, effectively locking the organization out\r\nof all access. After exfiltration, DEV-0537 often deletes the target’s systems and resources. We’ve observed\r\ndeletion of resources both on-premises (for example, VMware vSphere/ESXi) and in the cloud to trigger the\r\norganization’s incident and crisis response process.\r\nThe actor has been observed then joining the organization’s crisis communication calls and internal discussion\r\nboards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their\r\ncorresponding response. It is assessed this provides DEV-0537 insight into the victim’s state of mind, their\r\nknowledge of the intrusion, and a venue to initiate extortion demands. Notably, DEV-0537 has been observed\r\njoining incident response bridges within targeted organizations responding to destructive actions. In some cases,\r\nDEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made\r\nand DEV-0537 publicly leaked the data they stole.\r\nImpact\r\nEarly observed attacks by DEV-0537 targeted cryptocurrency accounts resulting in compromise and theft of\r\nwallets and funds. As they expanded their attacks, the actors began targeting telecommunication, higher education,\r\nand government organizations in South America. More recent campaigns have expanded to include organizations\r\nglobally spanning a variety of sectors. Based on observed activity, this group understands the interconnected\r\nnature of identities and trust relationships in modern technology ecosystems and targets telecommunications,\r\ntechnology, IT services and support companies–to leverage their access from one organization to access the\r\npartner or supplier organizations. 
They have also been observed targeting government entities, manufacturing,\r\nhigher education, energy, retailers, and healthcare.\r\nMicrosoft will continue to monitor DEV-0537 activity and implement protections for our customers. The current\r\ndetections and advanced detections in place across our security products are detailed in the following sections.\r\nActor actions targeting Microsoft\r\nThis week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of\r\nsource code. No customer code or data was involved in the observed activities. Our investigation has found a\r\nsingle account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged\r\nto remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code\r\nas a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in\r\nthis intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the\r\ncompromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public\r\ndisclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting\r\nbroader impact.\r\nRecommendations\r\nStrengthen MFA implementation\r\nMultifactor authentication (MFA) is one of the primary lines of defense against DEV-0537. While this group\r\nattempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other\r\npersonnel alike. 
See the following recommendations to implement MFA more securely:\r\nDo:\r\nRequire MFA for all users coming from all locations including perceived trusted environments, and all\r\ninternet-facing infrastructure–even those coming from on-premises systems.\r\nLeverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number\r\nmatching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.\r\nUse Azure AD Password Protection to ensure that users aren’t using easily guessed passwords. Our blog\r\nabout password spray attacks outlines additional recommendations.\r\nLeverage passwordless authentication methods such as Windows Hello for Business, Microsoft\r\nAuthenticator, or FIDO tokens to reduce risks and user experience issues associated with passwords.\r\nImplement user and sign-in risk-based policies that block high impact user actions like device enrollment\r\nand MFA registration.\r\nBreak glass accounts should be stored offline and not be present in any sort of online password vaulting\r\nsolution.\r\nUse automated reports and workbooks such as Azure Monitor workbooks for reports for detailed analysis\r\non risk distribution, risk detection trends, and opportunities for risk remediation.\r\nRemind employees that enterprise or workplace credentials should not be stored in browsers or password\r\nvaults secured with personal credentials\r\nDo NOT:\r\nUse weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals,\r\nsimple push (instead, use number matching), or secondary email addresses.\r\nInclude location-based exclusions. 
MFA exclusions allow an actor with only one factor for a set of\r\nidentities to bypass the MFA requirements if they can fully compromise a single identity.\r\nAllow credential or MFA factor sharing between users.\r\nRequire healthy and trusted endpoints\r\nRequire trusted, compliant, and healthy devices for access to resources to prevent data theft.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker\r\ntools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules\r\nand tamper protection.\r\nLeverage modern authentication options for VPNs\r\nVPN authentication should leverage modern authentication options such as OAuth or SAML connected to Azure\r\nAD to enable risk-based sign-in detection. Modern authentication enables blocking authentication attempts based\r\non sign-in risk, requiring compliant devices for sign in, and tighter integration with your authentication stack to\r\nprovide more accurate risk detections. Implementation of modern authentication and tight conditional access\r\npolicies on VPN has been shown to be effective against DEV-0537’s access tactics.\r\nStrengthen and monitor your cloud security posture\r\nDEV-0537 leverages legitimate credentials to perform malicious actions against customers. Since these credentials\r\nare legitimate, some activity performed might seem consistent with standard user behavior. 
Use the following\r\nrecommendations to improve your cloud security posture:\r\nReview your Conditional Access user and session risk configurations:\r\nBlock or force password reset for high/medium user risk for all users\r\nBlock high sign-in risk logins for all users\r\nBlock medium sign-in risk logins for privileged users\r\nRequire MFA for medium sign-in risk logins for all other users\r\nAlerts should be configured to prompt a review on high-risk modification of tenant configuration,\r\nincluding but not limited to:\r\nModification of Azure AD roles and privileged users associated with those roles\r\nCreation or modification of Exchange Online transport rules\r\nModification of tenant-wide security configurations\r\nReview risk detections in Azure AD Identity Protection\r\nRisk detections highlight risky users and risky sign-ins\r\nAdministrators can review and confirm individual sign-ins listed here as compromised or safe\r\nRead this article on how to investigate risk using Azure AD Identity Protection\r\nFigure 2. Using Azure AD Identity Protection to review risk detections\r\nMicrosoft recommends raising and improving awareness of social engineering tactics to protect your organization.\r\nEducate members of your technical team to watch out for and report any unusual contacts with colleagues. IT help\r\ndesks should be hypervigilant about suspicious users and ensure that they are tracked and reported immediately.\r\nWe recommend reviewing help desk policies for password resets for highly privileged users and executives to take\r\nsocial engineering into consideration.\r\nEmbed a culture of security awareness in your organization by educating employees about help desk verification\r\npractices. Encourage them to report suspicious or unusual contacts from the help desk. 
Education is the number\r\none defense against social engineering attacks such as this one and it is important to make sure that all employees\r\nare aware of the risks and known tactics.\r\nEstablish operational security processes in response to DEV-0537 intrusions\r\nDEV-0537 is known to monitor and intrude in incident response communications. As such, these communication\r\nchannels should be closely monitored for unauthorized attendees and verification of attendees should be\r\nperformed visually or audibly.\r\nWe advise organizations to follow very tight operational security practices when responding to an intrusion\r\nbelieved to be DEV-0537. Organizations should develop an out-of-band communication plan for incident\r\nresponders that is usable for multiple days while an investigation occurs. Documentation of this response plan\r\nshould be closely held and not easily accessible.\r\nMicrosoft continues to track DEV-0537’s activities, tactics, malware, and tools. We will communicate any\r\nadditional insights and recommendations as we investigate their actions against our customers.\r\nDetecting, hunting, and responding to DEV-0537 activities\r\nMicrosoft security products provide several detections that can help identify activities resembling DEV-0537\r\ntactics. We’re also sharing several Microsoft 365 Defender, Microsoft Defender for Cloud Apps, and Microsoft\r\nSentinel hunting and detection queries that are linked in the following sections. 
We suggest reviewing the\r\nfollowing detections and using the highlighted queries to enhance the investigation of potential activity in your\r\nenvironment.\r\nInitial access\r\nMicrosoft Sentinel hunting queries\r\nSign-in from VPS providers – This query looks for successful sign-ins from known VPS provider network ranges\r\nwith suspicious token-based sign-in patterns. This is not an exhaustive list of VPS provider ranges but covers\r\nsome of the most prevalent providers observed. \r\nInvestigate unknown sign-in attempts from uncommon or unusual VPS providers.\r\nSign-in activity from NordVPN providers – This query looks for sign-in activity from NordVPN providers using\r\nthe feed leveraging NordVPN API and is updated daily.\r\nInvestigate unknown sign-in attempts from VPN providers such as NordVPN unless it is commonly seen in your\r\norganization.\r\nUser sign-in IP address teleportation – This query looks at sign-in logs to identify user accounts that have signed\r\nin from two different countries or regions within a specified time window. By default, this is a 10-minute window\r\neither side of the previous sign-in.\r\nInvestigate the users signing in from multiple locations within a short span of time. It might detect users roaming\r\nonto VPNs. You can also exclude known VPN IP address ranges in the query.\r\nReconnaissance\r\nMicrosoft 365 Defender built-in detection: Multiple searches for sensitive data in SharePoint sites\r\nThis detection looks for instances where a user searched for sensitive data on SharePoint sites that an attacker can\r\nuse as internal information to leverage in later attacks if the user’s account is compromised.\r\nInvestigate the user account performing the queries to determine if it was compromised. 
Determine what, if any,\r\nsensitive information was accessed to assess the impact.\r\nNote: Data used in this detection requires advanced audit to be enabled in Microsoft Defender 365 that includes\r\nthe SearchQueryInitiatedSharePoint event type.\r\nPrivilege escalation\r\nMicrosoft 365 Defender built-in detection: Risky user created global admin\r\nThis detection will alert users based on the risk score proved by Azure AD Identity Protection when a new global\r\nadmin was created by a user that had a risky sign-in. An attacker might have compromised the user account to\r\nperform lateral movement.\r\nInvestigate the new global admin account to determine if it was created legitimately and if the user account that\r\nperformed the action was compromised.\r\nMicrosoft 365 Defender hunting queries\r\nMultiple admin role removal operations done by a single user – This query looks for multiple users that had their\r\nadministrator role removed by a single user within a certain period.\r\nInvestigate if the user account that removed the admin roles was compromised or if the actions were legitimate. If\r\ndetermined to be compromised, disable the account and reset the password. Restore access to affected accounts as\r\nneeded.\r\n‘ElevateAccess’ operation followed risky sign-in – This query looks for users who had a risky sign-in (based on\r\nAzure AD Identity Protection risk score) and then performed an ‘ElevateAccess’ action. 
‘ElevateAccess’\r\noperations can be used by global admins to obtain permissions over Azure resources.\r\nInvestigate the risky sign-ins and the following ‘ElevateAccess’ operation and disable the account if it was\r\ndetermined to be compromised.\r\nMicrosoft Sentinel hunting queries\r\nUser-assigned privileged role – This query identifies when a new privileged role is assigned to a user or when any\r\naccount eligible for a role is given privileged access.\r\nInvestigate if the assignment of privileged access is unexpected or does not align to the role of the account\r\nholder. See Things to monitor in your security operations for privileged accounts for details.\r\nUser added to Azure AD privileged groups (near real-time (NRT) rule) – This query looks for instances when a\r\nuser is added to any privileged groups. \r\nInvestigate any unusual additions to privileged groups, particularly administrator roles. For details, see Azure AD\r\naudit activity reference and administrator role permissions in Azure AD.\r\nMultiple admin membership removals from newly created admin – This query detects when newly created global\r\nadmin removes multiple existing global admins which can be an attempt by adversaries to lock down the\r\norganization and retain sole access. \r\nInvestigate reasoning and intention of multiple membership removal by new global admins and take necessary\r\nactions accordingly.\r\nFor Microsoft Sentinel customers who have onboarded Okta logs, the following queries can assist in investigating\r\nDEV-0537 activity across those logs:\r\nMicrosoft Sentinel + Okta logs hunting queries\r\nAdmin privilege granted (Okta) – This query searches for successful grant of administrator permissions to\r\nuser/groups. 
Adversaries often attempt to assign administrator permission to users/group to maintain access as\r\nwell as to elevate privileges. \r\nVerify the behavior is known and filter out any expected activity and triage unknown. See Okta API event types\r\nfor details. \r\nCreate API token (Okta) – This query searches for attempts to create new API token. Okta API tokens are used to\r\nauthenticate requests to Okta APIs.\r\nInvestigate attempts to create new API token creation or authentication attempts. See Okta API event types for\r\ndetails. \r\nInitiate impersonation session (Okta) – This query searches for impersonation events used in LAPSUS$\r\nactivity. User.session.impersonation are rare events, normally triggered when an Okta Support person requests\r\nadmin access for troubleshooting.\r\nReview user.session.impersonation events and correlate that with legitimate opened Okta support tickets to\r\ndetermine if these are anomalous. See Okta API event types and Cloudflare’s investigation of the January 2022\r\nOkta compromise for details. \r\nRare MFA operations (Okta) – MFA helps prevent credential compromise. This query searches for rare MFA\r\noperations like deactivating, updating, resetting, and attempts to bypass MFA.\r\nAdversaries often attempt these operations to compromise networks and high-value accounts.\r\nVerify that the behavior is known and filter out anything that is expected. See Okta API event types for details. \r\nPersistence\r\nMicrosoft 365 Defender hunting queries\r\nDevice registration after risky sign-in – This query looks for a new device registration in Azure AD preceded by a\r\nmedium or high-risk sign-in session for the same user within a maximum of six hours.\r\nInvestigate the user account to determine if it is compromised. 
Disable user account, reset user password, and\r\nremove devices registered in Azure AD if compromised.\r\nMFA method added after risky sign-in – This query looks for a new MFA method added to an account that was\r\npreceded by a medium or high-risk sign-in session for the same user within a maximum of six hours.\r\nInvestigate the user account to determine if it is compromised. If compromised, disable the user account, reset user\r\npassword, and remove the MFA method added by threat actor.\r\nExfiltration, destruction, and extortion\r\nMicrosoft Defender for Cloud Apps built-in detection: Delete multiple VMs in a single session\r\nThis detection profiles your environment and triggers alerts when users delete multiple VMs in a single session,\r\nrelative to the baseline in your organization. This might indicate an attempted breach.\r\nInvestigate the user account performing the deletion operations to determine if it was compromised or if the\r\nactivities were performed legitimately and not part of a destructive attack.\r\nMicrosoft 365 Defender query\r\nUpload multiple code repositories to external cloud domains – This query looks for accounts that uploaded\r\nmultiple code repositories to external web domain.\r\nInvestigate if the accounts are compromised. If compromised, disable the accounts and reset the passwords.\r\nAssess the impact of what information was obtained, looking for any passwords, secrets, certificates, and others\r\nthat the attacker might be able to leverage.\r\nNote: This query uses ‘FileUploadedToCloud’ event which is only available for customers that enabled Microsoft\r\nDefender for Endpoint integration with Microsoft Defender for Cloud Apps. 
See Integrate Microsoft Defender for\r\nEndpoint with Defender for Cloud Apps for details)\r\nMicrosoft Sentinel hunting queries\r\nMass cloud resource deletions time series anomalies – This query generates baseline pattern of cloud resource\r\ndeletions by a user and alert on an anomaly when any unusual spike is detected.\r\nInvestigate the anomalies from unusual or privileged users, they could be indication of a cloud infrastructure\r\ntakedown by an adversary. \r\nMail redirect via ExO transport rule – This query identifies when Exchange Online transport rule configured to\r\nforward emails.\r\nInvestigate detections to determine if a malicious actor has configured a new mailbox to collect mail from\r\nmultiple user accounts.\r\nTime series anomaly for data size transferred to public internet – This query identifies anomalous or unusual data\r\ntransfers to public networks. This detection identifies large deviations from a baseline pattern based on detection\r\nalgorithms from the Sentinel-integrated Kusto Query Language (KQL) anomaly detection. The higher the score,\r\nthe further it is from the baseline value. The output is aggregated to provide a summary view of unique source IP\r\nto destination IP address and port bytes sent traffic observed in the flagged anomaly hour. The source IP addresses\r\nwhich were sending less than bytessentperhourthreshold have been excluded, the value of which can be adjusted\r\nas needed. You might have to run queries for individual source IP addresses from SourceIPlist to determine if\r\nanything looks suspicious. 
Investigate any sudden increase in data transferred to unknown public networks as an\r\nindication of data exfiltration attempts.\r\nSource: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruc\r\ntion/\r\nhttps://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
	],
	"report_names": [
		"dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16c141d9d362d2d18b694aa83afb035d83d67ea9.pdf",
		"text": "https://archive.orkl.eu/16c141d9d362d2d18b694aa83afb035d83d67ea9.txt",
		"img": "https://archive.orkl.eu/16c141d9d362d2d18b694aa83afb035d83d67ea9.jpg"
	}
}