Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise
ID: 3239eb94-926a-5afd-a401-f7b536d3a89f
STIX ID: report--3239eb94-926a-5afd-a401-f7b536d3a89f
Feed Name: Microsoft Security
Microsoft investigated a sophisticated intrusion where attackers leveraged a compromised third-party IT services provider and legitimate HPE Operations Manager/Agent tooling to execute VBScripts and web shells, register malicious authentication components (mslogon.dll, passms.dll) on domain controllers to harvest credentials, and deploy tunneling (ngrok) for covert RDP and lateral movement; the report describes the attack timeline, TTPs, detection/hunting queries, and mitigation recommendations.
