The podcast discusses the activities and tactics of a threat actor called Octo Tempest, such as SIM swapping, SMS phishing, and living off the land. It highlights their bespoke and persistent nature, as well as the importance of separating high-privileged accounts. Other topics include assuming compromised passwords, testing security controls, and the need for help desk protocol.
46:15
INSIGHT
Persistence Over Exotic Exploits
Octo Tempest is highly persistent and reworks well-tried techniques rather than relying on technical sophistication alone.
Researchers call the group “advanced” because of that persistence and ingenuity: its TTPs escalated from 2022 through 2023 as the actors repeatedly upskilled.
ANECDOTE
Waking To A SIM Swap Cut Off
A victim woke up with no cell service and discovered they’d lost access because their phone number had been SIM swapped.
The attack defeated SMS-based 2FA and blocked account recovery during the initial intrusion.
INSIGHT
SMS Phishing Avoids Enterprise Visibility
Attackers favor SMS phishing because enterprises often lack visibility into personal-device messages.
They craft employee-specific SMS landing pages, which sidestep email filters and land on personal devices outside MDM coverage.
On this week's episode of The Microsoft Threat Intelligence Podcast, Sherrod DeGrippo is joined by Microsoft threat research experts to talk about the activities of a threat actor known as Octo Tempest (which overlaps with research associated with 0ktapus, Scattered Spider, and UNC3944) and the blog post released by the Microsoft Threat Intelligence and Microsoft Incident Response teams. The discussion covers the tactics, techniques, and procedures Octo Tempest employs, such as SIM swapping, SMS phishing, and living off the land rather than using traditional malware. Octo Tempest is portrayed as a highly bespoke, hands-on threat actor, often engaged in "keyboard-to-keyboard combat" and showing extreme persistence even after being detected.
In this episode you’ll learn:
Techniques used to modify email rules and evade defensive tools
The contrast between tailored attacks and automated targeted threat actors
Why organizations should separate high-privileged accounts from normal user accounts
Some questions we ask:
Is there an end game for Octo Tempest, and is it always ransomware?
What is the importance of assuming the first-factor password is already compromised?
How can organizations test controls and alerting for their security posture?