Recent attacks point to a troubling pattern emerging in hybrid cloud environments, one that security teams need to address urgently. Adversaries like Scattered Spider are gaining notoriety precisely because of this attack pattern.
Most companies today are moving employee identity to the cloud, often via Microsoft Entra ID, formerly known as Azure Active Directory. It’s a natural progression, but it creates a complicated scenario. When you have some applications in the cloud and others on-premises, there have to be connections between them. You need something that allows any application to talk to another—and that’s exactly where the problem lies.
If the Cloud instance gets compromised, which can happen through something as simple as a crudely targeted spear-phishing attempt, attackers can pivot from there directly into your internal network if the connection between the two is not properly secured. We’ve seen this exact pattern play out in several high-profile retail sector incidents recently. The attack methodology is distressingly consistent:
Attackers obtain legitimate credentials via social engineering
They use those credentials to connect to Cloud services
Once in the cloud environment, they connect to internal servers, re-using the same credentials
They move laterally and elevate to admin privileges
Finally, they deploy ransomware, steal information, or accomplish whatever their ultimate goal is
Oh! And let’s not forget the back doors they are definitely adding to your system, to be able to return when and where they desire at a later date.
This is the nightmare security scenario.
The “Impossible” Attack Vector
The method is always the same. More and more companies are being breached this way—through what was once considered an “impossible” attack vector. Cloud and on-prem environments were once disconnected, but now with hybrid scenarios and tools like Entra Connect, the game has changed completely.
The key issue is that Active Directory is now in the Cloud. Microsoft is pushing everyone there with promises of better security, efficiency and performance. But is it actually safer? Recent evidence suggests otherwise. The truth is stark: Microsoft is pushing everyone toward cloud-hosted identity, but the current implementation isn’t secure enough on its own, and organizations still need tight access controls around it.
Once attackers compromise identities in AD in the Cloud, they can behave as normal employees because they have legitimate credentials. It’s a nightmare scenario that makes it nearly impossible for traditional security measures to detect anything suspicious. We’re not talking about malware or vulnerability exploitation—we’re talking about legitimate credentials being used as if by a normal employee, with the same tools any employee would use.
For large enterprises with tens of thousands of employees and millions of connections per second, it’s virtually impossible to distinguish between malicious actors and real employees. They’re often using legitimate system tools, like Living Off the Land Binaries (LOLBins), which makes detection nearly impossible.
In a recent high-profile retail breach, the attackers were even monitoring the same chat channels that the security team was using to discuss remediation and recovery, allowing them to stay one step ahead. That’s how deep these compromises can go when undetected.
These techniques are actively being used by sophisticated threat actors. Groups like Scattered Spider and Black Basta are known to compromise cloud environments and then jump to internal networks. Microsoft’s own security team has documented how Storm-0501 has been expanding its ransomware attacks to specifically target hybrid cloud environments.
The Only Pre-Crime and Lateral Movement Solution
This is where CounterCraft’s deception technology provides two key advantages.
First, we offer what I like to call “Pre-Crime” detection. We can deploy assets in the cloud that will detect if someone is trying to attack our cloud assets, or if someone is compromising AD in the cloud. Our solution alerts security teams when someone is attempting to compromise identities.
How? The attackers will inevitably try to use different identities during reconnaissance, and we can detect this activity both externally in the cloud and internally in your network. Because these are deception identities that no legitimate user should be accessing, we can immediately identify malicious behavior.
We place applications in the cloud that no one should be interacting with. When these assets are touched, we know something’s wrong. During the information gathering and discovery phase, attackers will find our breadcrumbs and applications, try to use them, and we quickly identify that something is unusual about this user.
High-Fidelity Detection and Actionable Threat Intelligence
Since no legitimate user should be interacting with our assets, we provide extremely rapid detection with virtually no false positives. We don’t need to manage millions of events—if something interacts with our deception environment, we trigger an immediate alert.
This is a critical advantage over EDRs and traditional security tools that struggle to identify the needle in the haystack among millions of daily notifications. When attackers use legitimate credentials and behave like normal employees, traditional tools can’t differentiate between legitimate and malicious activity.
But rapid detection is not the only important goal. Being able to gather key threat intelligence from those attacks and use it in real time to detect the same activity in the rest of the organization is crucial for responding to any adversary. From our assets we can gather the attacker’s TTPs (tactics, techniques and procedures) and IOCs (indicators of compromise), which are fed in real time to other security products (SOAR, SIEM, EDR, etc.) to enhance the overall security posture.
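As an added example (not CounterCraft’s own code), the detection logic described above applied to constructed log records: any touch of a decoy identity, whether an Entra ID sign-in (successful or failed) or a domain controller authentication event, raises an alert, and the hits are collapsed into the IOCs that would be forwarded to a SIEM. The account names, IP addresses and record shapes are constructed assumptions, not real log formats.

```python
# Added example (not CounterCraft code): flag any use of decoy identities in
# cloud sign-in records and on-prem security events, then collapse the hits
# into IOCs a SIEM can ingest. All data below is constructed for the demo.
from collections import defaultdict

# Bait accounts that exist only to be found; no legitimate user should ever use them.
DECOY_UPNS = {"svc-backup-legacy@contoso.example", "adm-sqlmaint@contoso.example"}

ENTRA_SIGNINS = [  # constructed records loosely shaped like Entra ID sign-in log entries
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "errorCode": 0},
    {"userPrincipalName": "svc-backup-legacy@contoso.example", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"userPrincipalName": "svc-backup-legacy@contoso.example", "ipAddress": "198.51.100.7", "errorCode": 0},
]

ONPREM_EVENTS = [  # constructed Windows Security events (4768 = Kerberos TGT request, 4624 = logon)
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.25"},
    {"EventID": 4768, "TargetUserName": "svc-backup-legacy", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TargetUserName": "svc-backup-legacy", "IpAddress": "10.0.0.77"},
]

def _decoy_for(account, decoys):
    """Match a full UPN or the bare account name (on-prem events carry the sAMAccountName)."""
    account = account.lower()
    for upn in decoys:
        if account == upn or account == upn.split("@")[0]:
            return upn
    return None

def decoy_hits_cloud(signins, decoys=DECOY_UPNS):
    """Any sign-in against a decoy UPN is an alert, failed ones included: a wrong
    password on a bait account still means someone is enumerating identities."""
    return [{"where": "cloud", "decoy": upn, "src": s["ipAddress"], "ok": s["errorCode"] == 0}
            for s in signins if (upn := _decoy_for(s["userPrincipalName"], decoys))]

def decoy_hits_onprem(events, decoys=DECOY_UPNS):
    """Same check on domain controller events; only authentication/logon IDs are considered
    (4768 Kerberos TGT, 4776 NTLM validation, 4624 logon)."""
    return [{"where": "onprem", "decoy": upn, "src": e["IpAddress"], "ok": True}
            for e in events if e["EventID"] in (4624, 4768, 4776)
            and (upn := _decoy_for(e["TargetUserName"], decoys))]

def build_iocs(alerts):
    """Collapse alerts into decoy -> sorted source IPs: the minimal IOC set to push to SIEM/EDR."""
    iocs = defaultdict(set)
    for a in alerts:
        iocs[a["decoy"]].add(a["src"])
    return {k: sorted(v) for k, v in iocs.items()}

if __name__ == "__main__":
    hits = decoy_hits_cloud(ENTRA_SIGNINS) + decoy_hits_onprem(ONPREM_EVENTS)
    for h in hits:
        print(f"ALERT [{h['where']}] decoy {h['decoy']} used from {h['src']} success={h['ok']}")
    print(build_iocs(hits))
```

Correlating the cloud source address with the later on-prem hits for the same decoy is what lets the alert fire while the intruder is still in the reconnaissance stage, before the jump to internal servers succeeds.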
A Proactive Strategy That Works for AD & Hybrid Environments
If we deploy CounterCraft’s AD campaign in the cloud alongside our pre-breach detection assets, we can detect this activity and warn security teams before attackers reach the internal network. This is crucial because once they’re inside with admin credentials, they effectively control everything.
The solution is to create a defensive perimeter that catches attackers during the early reconnaissance stages, when they’re first exploring the cloud environment and before they make the jump to your on-premises network.
Active Directory Deception Campaign
The pattern is clear: hybrid AD environments create new attack surfaces that traditional security tools simply aren’t designed to protect. As more organizations adopt Microsoft Entra and create these hybrid environments, we’re seeing more successful attacks leveraging this exact methodology.
Deception technology provides a uniquely effective countermeasure by creating a detection layer that’s invisible to legitimate users but unavoidable for attackers. By deploying fake assets and identities strategically throughout your cloud environment, you can detect compromise attempts before they reach your critical internal systems.
The key is acting now—before your organization becomes the next case study in this growing trend of hybrid Active Directory attacks.
For more information on how CounterCraft can help protect your hybrid Active Directory environment, contact our team for a demonstration.