{
	"id": "683a5af5-32a3-4542-8b59-ad547ef61344",
	"created_at": "2026-04-06T00:14:45.195597Z",
	"updated_at": "2026-04-10T03:31:49.848573Z",
	"deleted_at": null,
	"sha1_hash": "675dd06adff55df31c37dc6376691f0a6600797a",
	"title": "Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 854047,
	"plain_text": "Octo Tempest crosses boundaries to facilitate extortion, encryption,\r\nand destruction | Microsoft Security Blog\r\nBy Microsoft Incident Response, Microsoft Threat Intelligence\r\nPublished: 2023-10-25 · Archived: 2026-04-05 14:43:45 UTC\r\nMicrosoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose\r\nevolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest\r\nleverages broad social engineering campaigns to compromise organizations across the globe with the goal of\r\nfinancial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from\r\nour perspective, is one of the most dangerous financial criminal groups.\r\nOcto Tempest is a financially motivated collective of native English-speaking threat actors known for launching\r\nwide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering,\r\nand SIM swapping capabilities. Octo Tempest, which overlaps with research associated with 0ktapus, Scattered\r\nSpider, and UNC3944, was initially seen in early 2022, targeting mobile telecommunications and business process\r\noutsourcing organizations to initiate phone number ports (also known as SIM swaps). Octo Tempest monetized\r\ntheir intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.\r\nFigure 1. The evolution of Octo Tempest’s targeting, actions, outcomes, and monetization\r\nBuilding on their initial success, Octo Tempest harnessed their experience and acquired data to progressively\r\nadvance their motives, targeting, and techniques, adopting an increasingly aggressive approach. In late 2022 to\r\nearly 2023, Octo Tempest expanded their targeting to include cable telecommunications, email, and technology\r\norganizations. 
During this period, Octo Tempest started monetizing intrusions by extorting victim organizations\r\nfor data stolen during their intrusion operations and in some cases even resorting to physical threats.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/\r\nPage 1 of 15\n\nIn mid-2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service\r\n(RaaS) operation, and initial victims were extorted for data theft (with no ransomware deployment) using the ALPHV\r\nCollections leak site. This is notable in that, historically, Eastern European ransomware groups refused to do\r\nbusiness with native English-speaking criminals. By June 2023, Octo Tempest started deploying\r\nALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused\r\ntheir deployments primarily on VMware ESXi servers. Octo Tempest progressively broadened the scope of\r\nindustries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail,\r\nmanaged service providers, manufacturing, law, technology, and financial services.\r\nIn recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid\r\nenvironments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages tradecraft that many\r\norganizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social\r\nengineering techniques. This blog post aims to provide organizations with an insight into Octo Tempest’s\r\ntradecraft by detailing the fluidity of their operations and to offer organizations defensive mechanisms to thwart\r\nthe highly motivated financial cybercriminal group.\r\nAnalysis\r\nThe well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and\r\nmultiple hands-on-keyboard operators. 
The succeeding sections cover the wide range of TTPs we observed being\r\nused by Octo Tempest.\r\nFigure 2. Octo Tempest TTPs\r\nInitial access\r\nOcto Tempest commonly launches social engineering attacks targeting technical administrators, such as support\r\nand help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts.\r\nThe threat actor performs research on the organization and identifies targets to effectively impersonate victims,\r\nmimicking idiolect on phone calls and understanding personally identifiable information to trick technical\r\nadministrators into performing password resets and resetting multifactor authentication (MFA) methods. Octo\r\nTempest has also been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.\r\nOcto Tempest primarily gains initial access to an organization using one of several methods:\r\nSocial engineering\r\nCalling an employee and socially engineering the user to either:\r\nInstall a Remote Monitoring and Management (RMM) utility\r\nNavigate to a site configured with a fake login portal using an adversary-in-the-middle\r\ntoolkit\r\nRemove their FIDO2 token\r\nCalling an organization’s help desk and socially engineering the help desk to reset the user’s\r\npassword and/or change/add a multi-factor authentication token/factor\r\nPurchasing an employee’s credentials and/or session token(s) on a criminal underground market\r\nSMS phishing employee phone numbers with a link to a site configured with a fake login portal using an\r\nadversary-in-the-middle toolkit\r\nUsing their pre-existing access to mobile telecommunications and business process outsourcing\r\norganizations to initiate a SIM swap or to set up call number forwarding on an employee’s phone 
number.\r\nOcto Tempest will initiate a self-service password reset of the user’s account once they have gained control\r\nof the employee’s phone number.\r\nIn rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone\r\ncalls and texts. These actors use personal information, such as home addresses and family names, along with\r\nphysical threats to coerce victims into sharing credentials for corporate access.\r\nFigure 3. Threats sent by Octo Tempest to targets\r\nReconnaissance and discovery\r\nCrossing borders for identity, architecture, and controls enumeration\r\nIn the early stage of their attacks, Octo Tempest performs various enumeration and information gathering actions\r\nto pursue advanced access in targeted environments and abuses legitimate channels for follow-on actions later in\r\nthe attack sequence. Initial bulk-export of users, groups, and device information is closely followed by\r\nenumerating data and resources readily available to the user’s profile within virtual desktop infrastructure or\r\nenterprise-hosted resources.\r\nFrequently, Octo Tempest uses their access to carry out broad searches across knowledge repositories to identify\r\ndocuments related to network architecture, employee onboarding, remote access methods, password policies, and\r\ncredential vaults.\r\nOcto Tempest then performs exploration through multi-cloud environments enumerating access and resources\r\nacross cloud environments, code repositories, server and backup management infrastructure, and others. 
In this\r\nstage, the threat actor validates access, enumerates databases and storage containers, and plans footholds to aid\r\nfurther phases of the attack.\r\nAdditional tradecraft and techniques:\r\nPingCastle and ADRecon to perform reconnaissance of Active Directory\r\nAdvanced IP Scanner to probe victim networks\r\nGovmomi Go library to enumerate vCenter APIs\r\nPureStorage FlashArray PowerShell module to enumerate storage arrays\r\nAAD bulk downloads of users, groups, and devices\r\nPrivilege escalation and credential access\r\nOcto Tempest commonly elevates their privileges within an organization through the following techniques:\r\nUsing their pre-existing access to mobile telecommunications and business process outsourcing\r\norganizations to initiate a SIM swap or to set up call number forwarding on an employee’s phone number.\r\nOcto Tempest will initiate a self-service password reset of the user’s account once they have gained control\r\nof the employee’s phone number.\r\nSocial engineering – calling an organization’s help desk and socially engineering the help desk to reset an\r\nadministrator’s password and/or change/add a multi-factor authentication token/factor\r\nFurther masquerading and collection for escalation\r\nOcto Tempest employs an advanced social engineering strategy for privilege escalation, harnessing stolen\r\npassword policy procedures, bulk downloads of user, group, and role exports, and their familiarity with the target\r\norganization’s procedures. The actor’s privilege escalation tactics often rely on building trust through various\r\nmeans, such as leveraging possession of compromised accounts and demonstrating an understanding of the\r\norganization’s procedures. 
In some cases, they go as far as bypassing password reset procedures by using a\r\ncompromised manager’s account to approve their requests.\r\nOcto Tempest continually seeks to collect additional credentials across all planes of access. Using open-source\r\ntooling like Jercretz and TruffleHog, the threat actor automates the identification of plaintext keys, secrets, and\r\ncredentials across code repositories for further use.\r\nAdditional tradecraft and techniques:\r\nModifying access policies or using MicroBurst to gain access to credential stores\r\nUsing open-source tooling: Mimikatz, Hekatomb, Lazagne, gosecretsdump, smbpasswd.py, LinPEAS,\r\nADFSDump\r\nUsing VMAccess Extension to reset passwords or modify configurations of Azure VMs\r\nCreating snapshots of virtual domain controller disks to download and extract NTDS.dit\r\nAssignment of User Access Administrator role to grant Tenant Root Group management scope\r\nDefense evasion\r\nSecurity product arsenal sabotage\r\nOcto Tempest compromises security personnel accounts within victim organizations to turn off security products\r\nand features and attempt to evade detection throughout their compromise. Using compromised accounts, the threat\r\nactor leverages EDR and device management technologies to allow malicious tooling, deploy RMM software,\r\nremove or impair security products, steal sensitive files (e.g. files with credentials, Signal messaging\r\ndatabases, etc.), and deploy malicious payloads.\r\nTo prevent identification of security product manipulation and suppress alerts or notifications of changes, Octo\r\nTempest modifies security staff mailbox rules to automatically delete emails from vendors that may raise the\r\ntarget’s suspicion of their activities.\r\nFigure 4. 
Inbox rule created by Octo Tempest to delete emails from vendors\r\nAdditional tradecraft and techniques:\r\nUsing open-source tooling like privacy.sexy framework to disable security products\r\nEnrolling actor-controlled devices into device management software to bypass controls\r\nConfiguring trusted locations in Conditional Access Policies to expand access capabilities\r\nReplaying harvested tokens with satisfied MFA claims to bypass MFA\r\nPersistence\r\nSustained intrusion with identities and open-source tools\r\nOcto Tempest leverages publicly available security tools to establish persistence within victim organizations,\r\nlargely using account manipulation techniques and implants on hosts. For identity-based persistence, Octo\r\nTempest targets federated identity providers using tools like AADInternals to federate existing domains, or spoof\r\nlegitimate domains by adding and then federating new domains. The threat actor then abuses this federation to\r\ngenerate forged valid security assertion markup language (SAML) tokens for any user of the target tenant with\r\nclaims that have MFA satisfied, a technique known as Golden SAML. Similar techniques have also been observed\r\nusing Okta as their source of truth identity provider, leveraging Okta Org2Org functionality to impersonate any\r\ndesired user account.\r\nTo maintain access to endpoints, Octo Tempest installs a wide array of legitimate RMM tools and makes required\r\nnetwork modifications to enable access. The usage of reverse shells is seen across Octo Tempest intrusions on\r\nboth Windows and Linux endpoints. These reverse shells commonly initiate connections to the same attacker\r\ninfrastructure that deployed the RMM tools.\r\nFigure 5. 
Reverse shellcode used by Octo Tempest\r\nA unique technique Octo Tempest uses is compromising VMware ESXi infrastructure, installing the open-source\r\nLinux backdoor Bedevil, and then launching VMware Python scripts to run arbitrary commands against housed\r\nvirtual machines.\r\nAdditional tradecraft and techniques:\r\nUsage of open-source tooling: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway,\r\nTightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat\r\nDeployment of Azure virtual machines to enable remote access via RMM installation or modification to\r\nexisting resources via Azure serial console\r\nAddition of MFA methods to existing users\r\nUsage of the third-party tunneling tool Twingate, which leverages Azure Container instances as a private\r\nconnector (without public network exposure)\r\nActions on objectives\r\nCommon trifecta: Data theft, extortion, and ransomware\r\nThe goal of Octo Tempest remains financially motivated, but the monetization techniques observed across\r\nindustries vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.\r\nLike in most cyberattacks, data theft largely depends on the data readily available to the threat actor. Octo Tempest\r\naccesses data from code repositories, large document management and storage systems, including SharePoint,\r\nSQL databases, cloud storage blobs/buckets, and email, using legitimate management clients such as DBeaver,\r\nMongoDB Compass, Azure SQL Query Editor, and Cerebrata for the purpose of connection and collection. 
After\r\ndata harvesting, the threat actor employs anonymous file-hosting services, including GoFile.io, shz.al, StorjShare,\r\nTemp.sh, MegaSync, Paste.ee, Backblaze, and AWS S3 buckets for data exfiltration.\r\nOcto Tempest employs a unique technique using the data movement platform Azure Data Factory and automated\r\npipelines to extract data to external actor-hosted Secure File Transfer Protocol (SFTP) servers, aiming to blend in\r\nwith typical big data operations. Additionally, the threat actor commonly registers legitimate Microsoft 365\r\nbackup solutions such as Veeam, AFI Backup, and Commvault to export the contents of SharePoint document\r\nlibraries and expedite data exfiltration.\r\nRansomware deployment closely follows data theft objectives. This activity targets both Windows and Unix/Linux\r\nendpoints and VMware hypervisors using a variant of ALPHV/BlackCat. Encryption at the hypervisor level has\r\nshown significant impact on organizations, making recovery efforts difficult post-encryption.\r\nOcto Tempest frequently communicates with target organizations and their personnel directly after encryption to\r\nnegotiate or extort the ransom—providing “proof of life” through samples of exfiltrated data. Many of these\r\ncommunications have been leaked publicly, causing significant reputational damage to affected organizations.\r\nAdditional tradecraft and techniques:\r\nUse of third-party services like Fivetran to extract copies of high-value service databases, such as\r\nSalesforce and Zendesk, using API connectors\r\nExfiltration of mailbox PST files and mail forwarding to external mailboxes\r\nRecommendations\r\nHunting methodology\r\nOcto Tempest’s utilization of social engineering, living-off-the-land techniques, and diverse toolsets could make\r\nhunting slightly unorthodox. 
Following these general guidelines alongside robust deconfliction with legitimate\r\nusers will surface their activity:\r\nIdentity\r\nUnderstand authentication flows in the environment.\r\nCentralize visibility of administrative changes in the environment into a single pane of glass.\r\nScrutinize all user and sign-in risk detections for any administrator within the timeframe. Common alerts\r\nthat are surfaced during an Octo Tempest intrusion include (but are not limited to): Impossible Travel,\r\nUnfamiliar Sign-in Properties, and Anomalous Token\r\nReview the coverage of Conditional Access policies; scrutinize the use of trusted locations and exclusions.\r\nReview all existing and new custom domains in the tenant, and their federation settings.\r\nScrutinize administrator groups, roles, and privileges for recent modification.\r\nReview recently created Microsoft Entra ID users and registered device identities.\r\nLook for any anomalous pivots into organizational apps that may hold sensitive data, such as Microsoft\r\nSharePoint and OneDrive.\r\nAzure\r\nLeverage and continuously monitor Defender for Cloud for Azure workloads, which provides a wealth of\r\ninformation around unauthorized resource access.\r\nReview Azure role-based access control (RBAC) definitions across the management group, subscription,\r\nresource group and resource structure.\r\nReview the public network exposure of resources and revoke any unauthorized modifications.\r\nReview both data plane and management plane access control for all critical workloads such as those that\r\nhold credentials and organizational data, like Key Vaults, storage accounts, and database resources.\r\nTightly control access to identity workloads that issue access to organizational resources such as Active\r\nDirectory Domain Controllers.\r\nReview the Azure Activity 
log for anomalous modification of resources.\r\nEndpoints\r\nLook for recent additions to the indicators or exclusions of the EDR solution in place at the organization.\r\nReview any generation of offboarding scripts.\r\nReview access control within security products and EDR software suites.\r\nScrutinize any tools used to manage endpoints (SCCM, Intune, etc.) and look for recent rule additions,\r\npackages, or deployments.\r\nScrutinize use of remote administration tools across the environment, paying particular attention to recent\r\ninstallations regardless of whether they are used legitimately within the network already.\r\nEnsure monitoring is in place at the network boundary, that alerting is in place for connections to\r\ncommon anonymizing services, and scrutinize the use of these services.\r\nDefending against Octo Tempest activity\r\nAlign privilege in Microsoft Entra ID and Azure\r\nPrivileges spanning Microsoft Entra ID and Azure need to be holistically aligned, with purposeful design\r\ndecisions to prevent unauthorized access to critical workloads. Reducing the number of users with permanently\r\nassigned critical roles is paramount to achieving this. Segregation of privilege between on-premises and cloud is\r\nalso necessary to sever the ability to pivot within the environment.\r\nIt is highly recommended to implement Microsoft Entra Privileged Identity Management (PIM) as a central\r\nlocation for the management of both Microsoft Entra ID roles and Azure RBAC. 
For all critical roles, at\r\nminimum:\r\nImplement role assignments as eligible rather than permanent.\r\nReview and understand the role definition Actions and NotActions – select only the roles whose\r\nactions the user requires to do their job (least privileged access).\r\nConfigure these roles to be time-bound, deactivating after a specific timeframe.\r\nRequire users to perform MFA to elevate to the role.\r\nOptionally require users to provide justification or a ticket number upon elevation.\r\nEnable notifications for privileged role elevation to a subset of administrators.\r\nUtilize PIM Access Reviews to reduce standing access in the organization on a periodic basis.\r\nEvery organization is different and, therefore, roles will be classified differently in terms of their criticality.\r\nConsider the scope of impact those roles may have on downstream resources, services, or identities in the event of\r\ncompromise. For help desk administrators specifically, ensure privilege is scoped to exclude administrative\r\noperations over Global Administrators. Consider implementing segregation strategies such as Microsoft Entra ID\r\nAdministrative Units to segment administrative access over the tenant. For identities that leverage cross-service\r\nroles such as those that service the Microsoft Security Stack, consider implementing additional service-based\r\ngranular access control to restrict the use of sensitive functionality, like Live Response and modification of IOC\r\nallow lists.\r\nSegment Azure landing zones\r\nFor organizations that are yet to begin or are early in their modernization journey, end-to-end guidance for cloud adoption\r\nis available through the Microsoft Azure Cloud Adoption Framework. 
Recommended practice and security are\r\ncentral pillars—Azure workloads are segregated into separate, tightly restricted areas known as landing zones.\r\nWhen deploying Active Directory in the cloud, it is advised to create a platform landing zone for identity—a\r\ndedicated subscription to hold all identity-related resources such as Domain Controller VM resources. Employ\r\nleast privilege across this landing zone with the aforementioned privilege and PIM guidance for Azure RBAC.\r\nImplement Conditional Access policies and authentication methods\r\nTTPs outlined in this blog leverage strategies to evade multifactor authentication defenses. However, it is still\r\nstrongly recommended to practice basic security hygiene by implementing a baseline set of Conditional Access\r\npolicies:\r\nRequire multifactor authentication for all privileged roles with the use of authentication strengths to\r\nenforce phishing-resistant MFA methods such as FIDO2 security keys\r\nRequire phishing-resistant multifactor authentication for administrators\r\nEnforce MFA registration from trusted locations on a device that also meets organizational requirements\r\nwith Intune device compliance policies\r\nUser and sign-in risk policies for signals associated with Microsoft Entra ID Protection\r\nOrganizations should keep their policies as simple as possible. Implementing complex policies\r\nmight inhibit the ability to respond to threats at a rapid pace or allow threat actors to leverage misconfigurations\r\nwithin the environment.\r\nDevelop and maintain a user education strategy\r\nAn organization’s ability to protect itself against cyberattacks is only as strong as its people—it is imperative to\r\nput in place an end-to-end cybersecurity strategy highlighting the importance of ongoing user education and\r\nawareness. 
Targeted education and periodic security awareness campaigns around common cyber threats and\r\nattack vectors such as phishing and social engineering are crucial, not only for users that hold administrative privilege in the\r\norganization but for the wider user base. A well-maintained incident response plan should be developed and\r\nrefined to enable organizations to respond to unexpected cybersecurity events and rapidly regain positive control.\r\nUse out-of-band communication channels\r\nOcto Tempest has been observed joining, recording, and transcribing calls using tools such as OtterAI, and\r\nsending messages via Slack, Zoom, and Microsoft Teams, to taunt and threaten targets, organizations, and\r\ndefenders, and to gain insights into incident response operations/planning. Using out-of-band communication\r\nchannels is strongly encouraged when dealing with this threat actor.\r\nDetections\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender is becoming Microsoft Defender XDR.\r\nNOTE: Several tools mentioned throughout this blog are remote administration tools that have been utilized by\r\nOcto Tempest to maintain persistence. While these tools are abused by threat actors, they can have legitimate use\r\ncases by normal users, and are updated on a frequent basis. 
Microsoft recommends monitoring their use within the\r\nenvironment and, when they are identified, that defenders take the necessary steps for deconfliction to verify their use.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects this threat as the following malware:\r\nHackTool:Win32/Mimikatz\r\nHackTool:Win64/Mimikatz\r\nBehavior:Win32/BlackCatExec\r\nRansom:Win32/Blackcat\r\nRansom:Linux/BlackCat\r\nBehavior:Win32/BlackCat\r\nRansom:Win64/BlackCat\r\nTurning on tamper protection, which is part of built-in protection, prevents attackers from stopping security\r\nservices.\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nOcto Tempest activity group\r\nThe following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can\r\nalso be triggered by unrelated threat activity.\r\nSuspicious usage of remote management software\r\nMimikatz credential theft tool\r\nBlackCat ransomware\r\nActivity linked to BlackCat ransomware\r\nTampering activity typical to ransomware attacks\r\nPossible hands-on-keyboard pre-ransom activity\r\nMicrosoft Defender for Cloud Apps\r\nUsing Microsoft Defender for Cloud Apps connectors, Microsoft 365 Defender raises AitM-related alerts in\r\nmultiple scenarios. For Microsoft Entra ID customers using Microsoft Edge, attempts by attackers to replay\r\nsession cookies to access cloud applications are detected by Microsoft 365 Defender through Defender for Cloud\r\nApps connectors for Microsoft Office 365 and Azure. 
In such scenarios, Microsoft 365 Defender raises the\r\nfollowing alerts:\r\nBackdoor creation using AADInternals tool\r\nSuspicious domain added to Microsoft Entra ID\r\nSuspicious domain trust modification following risky sign-in\r\nUser compromised via a known AitM phishing kit\r\nUser compromised in AiTM phishing attack\r\nSuspicious email deletion activity\r\nSimilarly, the connector for Okta raises the following alerts:\r\nSuspicious Okta account enumeration\r\nPossible AiTM phishing attempt in Okta\r\nMicrosoft Defender for Identity\r\nMicrosoft Defender for Identity raises the following alerts for TTPs used by Octo Tempest such as NTDS stealing\r\nand Active Directory reconnaissance:\r\nAccount enumeration reconnaissance\r\nNetwork-mapping reconnaissance (DNS)\r\nUser and IP address reconnaissance (SMB)\r\nUser and Group membership reconnaissance (SAMR)\r\nSuspected DCSync attack (replication of directory services)\r\nSuspected AD FS DKM key read\r\nData exfiltration over SMB\r\nMicrosoft Defender for Cloud\r\nThe following Microsoft Defender for Cloud alerts relate to TTPs used by Octo Tempest. 
Note, however, that\r\nthese alerts can also be triggered by unrelated threat activity.\r\nMicroBurst exploitation toolkit used to enumerate resources in your subscriptions\r\nMicroBurst exploitation toolkit used to execute code on your virtual machine\r\nMicroBurst exploitation toolkit used to extract keys from your Azure key vaults\r\nMicroBurst exploitation toolkit used to extract keys to your storage accounts\r\nSuspicious Azure role assignment detected\r\nSuspicious elevate access operation (Preview)\r\nSuspicious invocation of a high-risk ‘Initial Access’ operation detected (Preview)\r\nSuspicious invocation of a high-risk ‘Credential Access’ operation detected (Preview)\r\nSuspicious invocation of a high-risk ‘Data Collection’ operation detected (Preview)\r\nSuspicious invocation of a high-risk ‘Execution’ operation detected (Preview)\r\nSuspicious invocation of a high-risk ‘Impact’ operation detected (Preview)\r\nSuspicious invocation of a high-risk ‘Lateral Movement’ operation detected (Preview)\r\nUnusual user password reset in your virtual machine\r\nSuspicious usage of VMAccess extension was detected on your virtual machines (Preview)\r\nSuspicious usage of multiple monitoring or data collection extensions was detected on your virtual\r\nmachines (Preview)\r\nRun Command with a suspicious script was detected on your virtual machine (Preview)\r\nSuspicious Run Command usage was detected on your virtual machine (Preview)\r\nSuspicious unauthorized Run Command usage was detected on your virtual machine (Preview)\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the following Microsoft Sentinel Analytics template to identify potential\r\nAitM phishing attempts:\r\nPossible AitM Phishing Attempt Against Azure AD\r\nThis detection uses signals from Microsoft Entra ID Identity Protection 
and looks for successful sign-ins that have\r\nbeen flagged as high risk. It combines this with data from web proxy services, such as ZScaler, to identify where\r\nusers might have connected to the source of those sign-ins immediately prior. This can indicate a user interacting\r\nwith an AitM phishing site and having their session hijacked. This detection uses the Advanced Security\r\nInformation Model (ASIM) Web Session schema. Refer to this article for more details on the schema and its\r\nrequirements.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the\r\nintelligence, protection info, and recommended actions to prevent, mitigate, or respond to associated threats found\r\nin customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nOcto Tempest\r\nOcto Tempest uses social engineering and AADInternals to compromise cloud identities\r\nMicrosoft 365 Defender Threat analytics\r\nActor profile: Octo Tempest\r\nThreat insights: Octo Tempest uses social engineering and AADInternals to compromise cloud identities\r\nHunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the\r\npost-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\r\nSuspicious sign-in followed by MFA modification\r\nAccount MFA modifications\r\nOkta SSO phishing detection\r\nOkta rare MFA operations\r\nOkta login from different locations\r\nOkta user password reset\r\nSharePointFileOperation via clientIP with previously unseen user agents\r\nSharePointFileOperation via devices with previously unseen user agents\r\nSharePointFileOperation via previously unseen IPs of risky ASN’s\r\nSharePointFileOperation via previously unseen IPs\r\nAnomalous AAD account manipulation\r\nNew external user granted admin\r\nAnomolous sign-ins based on time\r\nNew account added to admin group\r\nAuthentication methods changed for privileged account\r\nRare run command PowerShell script\r\nAzure NSG administrative operations\r\nRare operations of create and update of snapshots\r\nAdFind usage\r\nAnomalous listing of storage keys\r\nStorage account key enumeration\r\nPotential Microsoft Security services tampering\r\nPotential Microsoft Defender tampering\r\nOffice mail forwarding\r\nMultiple users Office mail forwarding\r\nFurther reading\r\nListen to Microsoft experts discuss Octo Tempest TTPs and activities on The Microsoft Threat Intelligence\r\nPodcast.\r\nVisit this page for more blogs from Microsoft Incident Response.\r\nFor more security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence 
Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nNovember 1, 2023 update: Updated the Actions of objectives section to fix the list of anonymous file-hosting\r\nservices used by Octo Tempest for data exfiltration, which incorrectly listed Sh.Azl. It has been corrected to\r\nshz.al.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"
	],
	"report_names": [
		"octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/675dd06adff55df31c37dc6376691f0a6600797a.pdf",
		"text": "https://archive.orkl.eu/675dd06adff55df31c37dc6376691f0a6600797a.txt",
		"img": "https://archive.orkl.eu/675dd06adff55df31c37dc6376691f0a6600797a.jpg"
	}
}