Detection strategies across cloud and identities against infiltrating IT workers
ID: 126c16d7-1242-5010-8fe9-cec13f8dff72
STIX ID: report--126c16d7-1242-5010-8fe9-cec13f8dff72
Feed Name: Microsoft Security
Date Published: 2026-04-21
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team and Microsoft Threat Intelligence
Microsoft Defender research describes 'Jasper Sleet', a North Korea-aligned threat actor that uses fabricated or stolen identities and AI-generated personas to infiltrate organizations by applying for and onboarding into remote IT roles via HR SaaS (Workday). The report outlines observed activity across pre-recruitment (probing Workday Recruiting APIs), recruitment (external communications and document signing), and post-recruitment (onboarding, payroll changes, access to internal SaaS), and provides detection/hunting queries and mitigation guidance to identify fraudulent candidates and risky new hires.
