Microsoft has issued a stark warning about a sophisticated threat group named Jasper Sleet, which is leveraging stolen and fabricated identities to infiltrate organizations by posing as legitimate IT professionals. This North Korea-linked campaign, variously described as a phishing attack, cloud reconnaissance or a supply chain attack, exploits the widespread adoption of remote work and cloud-based HR platforms to gain unauthorized access to sensitive corporate data, posing a significant risk to businesses globally.
The group’s methodology involves creating convincing fake professional personas, often augmented by AI-generated content, to secure remote IT positions. Once onboarded, they gain access to internal systems, moving laterally within cloud environments to exfiltrate data or execute further malicious activities. This tactic represents a concerning evolution in cyber threats, targeting the human element within the hiring process itself.
Jasper Sleet Exploits Hybrid Work Models via Fake IT Identities
The shift towards remote and hybrid work models, accelerated by the COVID-19 pandemic, has fundamentally altered hiring practices. Companies now increasingly rely on digital interviews, online onboarding procedures, and remote access tools, creating a fertile ground for threat actors. Jasper Sleet has masterfully capitalized on this paradigm shift, meticulously building fake professional identities to bypass security protocols and secure trusted positions within target organizations.
Microsoft’s threat intelligence research reveals that Jasper Sleet systematically targets companies that utilize popular HR management software, such as Workday. The threat actor actively monitors external career sites to identify open positions, then employs generative AI to analyze job descriptions. This allows them to craft tailored resumes and cover letters that align with specific skill requirements, making their fraudulent applications highly convincing to HR departments.
This deliberate and calculated approach distinguishes Jasper Sleet’s operations from opportunistic attacks. By thoroughly researching target companies and mimicking the language used in job postings, the group ensures their fabricated personas are meticulously designed to evade initial recruitment screenings. This sophisticated preparation is key to their success in gaining a foothold within an organization.
Infiltration Tactics: From HR Platforms to Cloud Environments
Once Jasper Sleet gains employment, they navigate the standard onboarding process, including setting up payroll accounts. Crucially, this grants them access to essential internal communication and collaboration tools, such as Microsoft Teams, SharePoint, OneDrive, and Exchange Online. Microsoft has observed a notable increase in “impossible travel” alerts, a common indicator of suspicious remote employee activity, within the first months after onboarding for these compromised accounts.
This access allows the threat actor to move relatively unimpeded through the organization’s cloud infrastructure. Their objective is to locate and exfiltrate sensitive files, potentially leading to data theft, corporate espionage, or extortion. The scope of this threat is broad, impacting any organization that employs remote workers and relies on cloud-connected HR platforms for recruitment and employee management.
The implications of this strategy are significant. Jasper Sleet isn’t targeting a niche industry; rather, their method provides a scalable way to infiltrate diverse organizations. The group’s ability to establish a legitimate presence within a company’s network before initiating malicious activities makes detection considerably more challenging. This highlights the critical need for enhanced collaboration between HR and cybersecurity departments.
How Jasper Sleet Operates Within HR Platforms
A particularly revealing aspect of Jasper Sleet’s modus operandi is their precise exploitation of HR software workflows. In the preliminary stages of recruitment, Microsoft observed the group making programmatic API calls to Workday’s Recruiting Web Service endpoints. These endpoints are often accessible through external career portals, allowing the threat actor to gather intelligence on job postings, active applications, and even questionnaires.
The pattern of these API calls is what sets this activity apart from legitimate job seeking. Microsoft noted the consistent and repetitive nature of these calls from multiple external accounts targeting the same API endpoints. Such behavior deviates significantly from the typical interaction a genuine applicant would have with a hiring portal, raising immediate red flags for vigilant security and HR teams.
During the active recruiting phase, Jasper Sleet engages with hiring managers and recruiters through typical communication channels, including email and video conferencing tools like Microsoft Teams, Zoom, and Cisco Webex. This impersonation extends to the final stages, where, after being hired, the threat actor signs into their newly created Workday account. They then proceed to update payroll details, with these post-onboarding sign-in activities often originating from IP addresses previously flagged as associated with Jasper Sleet infrastructure.
Microsoft has released recommendations for organizations to mitigate this threat. A unified approach involving both security and HR teams is paramount, as this campaign bridges both functional areas in ways neither can effectively address in isolation. Enabling connectors within Microsoft Defender for Cloud Apps is crucial. These connectors provide visibility into activities within Workday, DocuSign, Zoom, and Cisco Webex.
By monitoring API events, tracking external account behavior, and cross-referencing suspicious IP addresses against threat intelligence, organizations can identify potential compromises. Any anomalies related to newly hired employees, such as login attempts from anonymous proxies or multiple geographic locations within a short timeframe, should be promptly investigated. Furthermore, comprehensive training for HR personnel and employees on social engineering tactics is essential.
Recruitment teams need to be equipped to recognize suspicious interview behavior. This includes candidates who consistently avoid video engagement, provide inconsistent background details, or exhibit unusual haste in setting up payroll information. Detecting these indicators before a hiring decision is finalized is significantly more effective than trying to identify and neutralize the threat after the actor has already secured access to the internal network, which underscores the proactive stance required.
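As an added example, not part of Microsoft's guidance or this article, the following Python sketch implements two of the checks described above over sign-in logs: impossible travel between consecutive sign-ins and cross-referencing source IPs against an indicator list, scoped to accounts onboarded within a recent window. All sign-in events, hire dates and the indicator IP are constructed sample data; the 900 km/h speed ceiling and 90-day window are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (user, UTC timestamp, source IP, lat, lon).
SIGNINS = [
    ("newhire1", "2025-07-01T08:00:00", "203.0.113.10", 47.61, -122.33),  # Seattle
    ("newhire1", "2025-07-01T09:30:00", "198.51.100.7", 39.90, 116.40),   # Beijing, 90 min later
    ("staff2", "2025-07-01T08:00:00", "192.0.2.55", 47.61, -122.33),
    ("staff2", "2025-07-02T08:00:00", "192.0.2.55", 47.61, -122.33),
]
# Constructed placeholder indicator list; in practice this comes from a TI feed.
TI_IPS = {"198.51.100.7"}
# Constructed hire dates as the HR system would report them, keyed by account.
HIRE_DATES = {"newhire1": "2025-06-20", "staff2": "2019-03-01"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins by one user whose implied speed exceeds a
    commercial-flight ceiling (assumed): (user, from_ip, to_ip, implied_kmh)."""
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    hits = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(evs, evs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and ip1 != ip2 and km / hours > max_kmh:
                hits.append((user, ip1, ip2, round(km / hours)))
    return hits

def recent_hire_alerts(events, hire_dates, ti_ips, window_days=90):
    """Combine both signals, keeping only accounts onboarded within the window."""
    reasons = [(u, "impossible_travel") for u, *_ in impossible_travel(events)]
    reasons += [(u, f"ti_ip:{ip}") for u, _, ip, *_ in events if ip in ti_ips]
    alerts = set()
    for user, reason in reasons:
        first = min(datetime.fromisoformat(t) for u, t, *_ in events if u == user)
        hired = datetime.fromisoformat(hire_dates.get(user, "1970-01-01"))
        if first - hired <= timedelta(days=window_days):
            alerts.add((user, reason))
    return sorted(alerts)
```

In a real deployment the same logic would run over Microsoft Entra sign-in logs and Defender for Cloud Apps activity exports rather than the embedded sample rows.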