
Introduction
Cyberattacks are no longer dominated by loud ransomware payloads or easily identifiable malware. Modern threat actors increasingly prefer stealth over destruction, blending directly into legitimate enterprise activity to avoid triggering alarms. Instead of exploiting vulnerabilities with aggressive tactics, attackers are now abusing trusted relationships, administrative platforms, and built-in authentication systems that organizations rely on every day.
A recent investigation by Microsoft Incident Response exposed a highly sophisticated intrusion campaign that perfectly demonstrates this evolution. The attackers operated through a compromised third-party IT services provider and leveraged legitimate enterprise management software to quietly establish persistence, intercept credentials, and move laterally through the environment for months without attracting immediate attention.
The incident highlights a growing reality in enterprise security: trust itself has become one of the most dangerous attack surfaces.
Attackers Used Trust Instead of Traditional Malware
According to the investigation, the threat actor avoided noisy exploitation techniques and instead abused operational trust already established inside the victim environment. The campaign centered on the use of the legitimate HPE Operations Agent platform, commonly deployed in enterprise environments for monitoring, automation, and systems administration.
Importantly, there was no vulnerability in the HPE software itself. Instead, attackers gained access through a compromised third-party service provider responsible for managing the customer’s infrastructure.
This distinction is critical because it demonstrates how attackers increasingly bypass technical defenses by compromising the human and operational trust chains surrounding organizations.
By leveraging legitimate management infrastructure, the attackers could execute scripts, deploy binaries, and conduct reconnaissance in ways that appeared almost identical to routine administrative operations. Security tools and defenders initially interpreted the activity as normal enterprise management behavior.
This attack aligns closely with the MITRE ATT&CK technique known as “Trusted Relationship” (T1199), where adversaries abuse preexisting trusted access paths to infiltrate target environments.
The Intrusion Timeline Shows a Slow and Strategic Campaign
The attack unfolded gradually over several months, emphasizing patience and operational discipline rather than rapid destruction.
On Day 1, the attackers established their foothold using the compromised third-party provider. Because the activity originated through legitimate systems, it did not immediately raise alerts.
Between Days 9 and 14, credential interception capabilities were introduced on domain infrastructure. The attackers deployed malicious authentication components capable of capturing usernames and passwords during normal login activity and password changes.
By Days 24 to 32, persistence mechanisms were established on internet-facing web servers using web shells and modified application pages. This ensured continued access even if individual malicious files were removed.
Between Days 40 and 60, the attackers moved laterally using harvested credentials and covert tunneling tools. High-value systems including SQL servers and domain controllers became accessible.
Days 54 and 55 saw additional credential interception tools deployed directly onto domain controllers, reinforcing long-term persistence.
Even after initial detection efforts began, the attackers returned around Days 104 to 106 to reestablish persistence and deploy additional tooling.
Finally, on Day 123, Microsoft Incident Response was formally engaged to investigate the compromise.
The timeline illustrates a carefully coordinated operation designed for endurance rather than immediate impact.
Web Servers Became the Initial Beachhead
The investigation identified two compromised internet-facing servers named WEB-01 and WEB-02 as the earliest known infected systems.
Both systems contained malicious web shells named Errors.aspx. Investigators could not determine exactly how the shells were initially deployed, but evidence strongly suggested they were delivered through the trusted HPE Operations Manager infrastructure.
The attackers later modified legitimate application files such as Signoff.aspx to load additional hidden payloads, including a secondary web shell named ghost.inc.
These web shells enabled:
Remote Command Execution
The attackers could execute PowerShell scripts and administrative commands remotely.
File Upload and Download
Malicious payloads and tools could be staged or retrieved without relying on traditional malware delivery techniques.
Persistence
Because legitimate application files were modified rather than entirely replaced, the malicious changes blended naturally into normal server operations.
This approach dramatically reduced the likelihood of detection.
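As an added illustration (not code from the Microsoft report or from HPE), the PowerShell script below records SHA-256 hashes of an IIS web root and, on later runs, reports files that are new, modified or removed, which is how a dropped Errors.aspx or a Signoff.aspx edited to include ghost.inc would surface. The web root and baseline paths are assumed placeholders.

```powershell
# Added example: file-integrity baseline for a web root (not part of the Microsoft report).
param(
    [string]$WebRoot  = 'C:\inetpub\wwwroot',        # assumed path; point at the real site root
    [string]$Baseline = 'C:\Baselines\wwwroot.json', # assumed path; store it off the web server
    [switch]$Update                                  # re-record after an approved deployment
)

function Get-WebRootInventory {
    param([string]$Path)
    # Hash every file: the shells in the report were .aspx/.inc files, but hashing all
    # files also catches payloads parked under other extensions (e.g. a fake .jpeg).
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [PSCustomObject]@{
            Path = $_.FullName.Substring($Path.Length).TrimStart('\')
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$current = @(Get-WebRootInventory -Path $WebRoot)

if ($Update -or -not (Test-Path -LiteralPath $Baseline)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $Baseline
    Write-Host "Baseline recorded: $($current.Count) files"
    return
}

# Compare the live tree against the baseline: new files (a dropped Errors.aspx),
# changed files (Signoff.aspx edited to pull in ghost.inc) and deletions are all reported.
$known = @{}
foreach ($f in @(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json)) { $known[$f.Path] = $f.Hash }

foreach ($f in $current) {
    if (-not $known.ContainsKey($f.Path)) {
        Write-Warning "NEW file: $($f.Path)"
    } elseif ($known[$f.Path] -ne $f.Hash) {
        Write-Warning "MODIFIED file: $($f.Path)"
    }
    $known.Remove($f.Path)
}
foreach ($path in $known.Keys) { Write-Warning "REMOVED file: $path" }
```

Run it once to record the baseline, then on a schedule; an attacker with admin rights can rewrite a baseline kept on the same host, so keep the JSON on a separate system.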
Credential Theft Became the Core Objective
Once initial access was secured, the attackers focused heavily on credential interception.
Using the same trusted HPE management infrastructure, they deployed a malicious network provider DLL called mslogon.dll directly onto domain controllers.
This DLL abused legitimate Windows authentication APIs such as NPLogonNotify and NPPasswordChangeNotify.
Whenever users logged in or changed passwords:
Usernames and passwords were captured in cleartext
Old and new password combinations were intercepted
Credentials were written to hidden storage locations on disk
The attackers essentially transformed the Windows authentication process into a credential harvesting engine.
Later in the intrusion, an additional malicious DLL named passms.dll was registered as a password filter within the Local Security Authority Subsystem Service (LSASS).
Password filters are legitimate Windows extensibility mechanisms, making this technique extremely stealthy.
Whenever passwords changed, the malicious DLL intercepted the credential data and encoded it before storage and exfiltration.
Another module, msupdate.dll, handled transferring the stolen credentials over SMB shares and even supported email-based exfiltration using SMTP.
The attackers disguised the stolen data inside files with names like icon02.jpeg to further avoid suspicion.
ngrok Helped Hide Remote Access Activity
One of the most interesting aspects of the campaign was the attackers’ use of ngrok.
Instead of exposing Remote Desktop Protocol (RDP) services directly to the internet, the attackers established encrypted tunnels from internal systems outward to ngrok infrastructure.
This provided several advantages:
Bypassing Firewall Restrictions
No inbound firewall ports needed to be opened.
Concealing Attacker Infrastructure
Connections appeared to originate from legitimate ngrok tunnels instead of suspicious external IP addresses.
Persistent Covert Access
Even highly restricted environments could still be remotely accessed through encrypted outbound tunnels.
The attackers deployed ngrok across multiple systems using Windows Management Instrumentation (WMI) and remote execution methods.
Combined with stolen high-privilege credentials, this allowed them to move laterally across the enterprise with minimal visibility.
The Campaign Demonstrates the New Reality of Enterprise Intrusions
Perhaps the most alarming aspect of this incident is how little traditional malware was required.
The attackers relied almost entirely on:
Legitimate enterprise management platforms
Native Windows authentication mechanisms
Valid administrative credentials
Approved remote access tools
Trusted operational relationships
Every action blended naturally into expected enterprise behavior.
This represents a major challenge for modern security operations centers because legacy defenses are heavily optimized to detect malicious binaries, exploit chains, or suspicious executables.
When attackers operate entirely inside trusted systems, behavioral anomalies become the only reliable detection layer.
Microsoft’s Recommended Defenses
Microsoft outlined several defensive recommendations following the investigation.
Deploy Full EDR Coverage
Every endpoint, especially internet-facing servers and domain controllers, should have endpoint detection and response protection enabled.
Adopt Default-Deny Outbound Filtering
Organizations should restrict outbound traffic so systems can only communicate with explicitly approved destinations.
Reduce Unnecessary Software
Unused tools and services expand the attack surface and create additional opportunities for abuse.
Improve Logging and Monitoring
Web servers and authentication systems require enhanced visibility to identify subtle modifications and suspicious behavior.
Strengthen Third-Party Oversight
Organizations must validate the activity of service providers and management platforms rather than assuming trusted systems are inherently safe.
Monitor Authentication Extensions
Password filters, network provider DLLs, and LSASS modifications should be continuously audited for unauthorized changes.
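The credential-theft section above describes DLLs registered as a network provider (receiving NPLogonNotify and NPPasswordChangeNotify) and as an LSASS password filter; this recommendation asks that those extension points be audited. As an added example, not code from the Microsoft report, the PowerShell script below enumerates both registration points on a host and flags any module that is not in an expected list or is not Microsoft-signed. The expected-name lists are assumptions for a stock Windows build.

```powershell
# Added example (not code from the Microsoft report): enumerate the two Windows extension
# points abused in this intrusion (network provider DLLs and LSASS password filters) and
# flag any module that is unexpected or not Microsoft-signed. Run elevated on each DC.
# The expected-name lists are assumptions for a stock build; tune them for your estate.
$expectedProviders = @('LanmanWorkstation', 'RDPNP', 'webclient')   # assumed stock set
$expectedFilters   = @('scecli', 'rassfm')                          # assumed stock set

function Test-MicrosoftSigned {
    param([string]$DllPath)
    if (-not $DllPath -or -not (Test-Path -LiteralPath $DllPath)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $DllPath
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Get-NetworkProviderAudit {
    # ProviderOrder lists service names; each service's NetworkProvider subkey names the
    # DLL that receives the NPLogonNotify / NPPasswordChangeNotify callbacks.
    $order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($name in ($order -split ',')) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProviderPath
        $dll = [Environment]::ExpandEnvironmentVariables("$raw")
        [PSCustomObject]@{
            Type = 'NetworkProvider'; Name = $name; Module = $dll
            Expected = $expectedProviders -contains $name
            MsSigned = Test-MicrosoftSigned $dll
        }
    }
}

function Get-PasswordFilterAudit {
    # "Notification Packages" DLLs are loaded by LSASS from System32 and see every password change.
    $pkgs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
    foreach ($name in $pkgs) {
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        [PSCustomObject]@{
            Type = 'PasswordFilter'; Name = $name; Module = $dll
            Expected = $expectedFilters -contains $name
            MsSigned = Test-MicrosoftSigned $dll
        }
    }
}

$findings = @(Get-NetworkProviderAudit) + @(Get-PasswordFilterAudit)
$findings | Format-Table -AutoSize
$findings | Where-Object { -not $_.Expected -or -not $_.MsSigned } |
    ForEach-Object { Write-Warning "Review $($_.Type) '$($_.Name)' -> $($_.Module)" }
```

A signed module from a vendor you deploy will also be flagged, so treat the output as a review queue rather than a verdict, and compare it against a known-good run from a freshly built domain controller.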
What Undercode Says:
This incident is a perfect example of how enterprise security has fundamentally changed. The old model of “block malware and patch vulnerabilities” is no longer enough because attackers increasingly operate inside legitimate workflows.
The most dangerous attackers today do not look malicious.
They look administrative.
That is the real problem.
By abusing HPE Operations Agent and trusted third-party relationships, the attackers effectively weaponized the organization’s own infrastructure against itself. Security teams often whitelist management systems because blocking them could disrupt operations. Threat actors understand this dynamic extremely well.
The campaign also exposes a major weakness in modern enterprise trust models. Many organizations extend enormous privileges to external providers without implementing strong behavioral validation or segmentation controls. Once that trust boundary is compromised, attackers inherit enormous operational freedom.
The credential interception methods observed here are particularly advanced because they abuse native Windows extensibility mechanisms rather than injecting obvious malware into memory. Registering malicious network provider DLLs and password filters inside LSASS creates an extremely stealthy persistence layer that can survive password resets, reboots, and many traditional remediation attempts.
Another critical lesson involves visibility gaps.
Microsoft noted that some affected web servers lacked EDR coverage entirely. This is still surprisingly common in enterprise environments where operational concerns or legacy infrastructure limitations prevent full monitoring deployment. Attackers actively search for these blind spots because they provide ideal staging grounds for persistence and lateral movement.
The use of ngrok is also strategically significant.
Security teams frequently focus on inbound attack vectors, but outbound encrypted tunnels are increasingly becoming the preferred persistence mechanism for sophisticated actors. Tools like ngrok, Cloudflare Tunnel, and Tailscale can create covert access paths that bypass perimeter-focused defenses almost completely.
This campaign further demonstrates that stealth today depends less on malware obfuscation and more on behavioral camouflage. If activity resembles legitimate administration, many detection systems will ignore it entirely.
Another interesting element is the patience demonstrated throughout the timeline. The attackers maintained operational discipline for more than 100 days. That suggests objectives beyond quick financial gain. Campaigns of this nature are often associated with strategic intelligence gathering, long-term espionage, or preparation for future operations.
The reliance on trusted operational tooling also creates difficult political and operational problems for defenders. Blocking or heavily restricting enterprise management systems can disrupt business continuity, making aggressive defensive measures difficult to implement.
This forces defenders toward more mature behavioral analytics, identity monitoring, and anomaly detection strategies.
Traditional antivirus alone is insufficient in these scenarios.
The investigation also reinforces why Zero Trust architectures continue gaining importance. Organizations can no longer assume that trusted vendors, authenticated users, or approved tools are automatically safe. Continuous verification must replace implicit trust.
Identity infrastructure itself has become one of the most valuable attack surfaces in modern networks. Once attackers gain durable credential interception capability at the domain controller level, they essentially control the environment indefinitely unless comprehensive remediation occurs.
The broader implication is clear:
Future enterprise attacks will likely become quieter, slower, and more operationally invisible.
Security teams that only search for obvious malware infections may completely miss the next generation of advanced intrusions.
Fact Checker Results
✅ Microsoft confirmed the attackers abused legitimate enterprise management tools rather than exploiting vulnerabilities in HPE Operations Agent itself.
✅ The campaign used malicious DLLs like mslogon.dll and passms.dll to intercept credentials during normal Windows authentication workflows.
❌ There is no evidence in the report that ransomware deployment or destructive payloads were used during this intrusion.
Prediction
🔮 Threat actors will increasingly target managed service providers and outsourced IT vendors because compromising one trusted relationship can unlock access to multiple enterprise environments simultaneously.
🔮 Enterprise tunneling tools and remote access services such as ngrok will continue appearing in advanced intrusion campaigns due to their ability to bypass perimeter-focused defenses.
🔮 Future security products will rely more heavily on identity behavior analytics and trust validation rather than traditional malware signature detection alone.
References:
Reported By: www.microsoft.com