www.microsoft.com 5/12/2026, 4:20:45 PM · via preferred

Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise


According to Microsoft Incident Response, a stealthy intrusion leveraged trusted operational relationships and authentication processes, via a compromised third-party IT services provider, to establish long-term access. The campaign ran through an approved and signed enterprise management tool, HPE Operations Agent, operating under a third-party HPOM framework, with the threat actor executing scripts and binaries in a manner indistinguishable from normal activity.

Credential theft was achieved by registering a legitimate network provider, mslogon, on the domain controller DC01 and by abusing Windows Credential Manager APIs, NPLogonNotify and NPPasswordChangeNotify, to capture credentials during sign-ins and password changes.

Malicious components, including passms[.]dll and msupdate[.]dll, were deployed on DC01 and DC02 to intercept credentials, encode them, and exfiltrate data via SMB and email, while web shells on WEB-01 and WEB-02 enabled persistent access and command execution.
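Because the credential capture described above hinges on an extra network provider being registered, a quick defensive check is to enumerate every provider Windows will call through NPLogonNotify and NPPasswordChangeNotify and see where each DLL lives and whether it is signed. The script below is an added example, not code from the Microsoft Incident Response article; the `$baseline` list of expected built-in providers is an assumption to be tuned per environment.

```powershell
# Added detection helper (not from the article): audit registered network
# providers. Run in an elevated PowerShell session on the host being checked.
function Get-NetworkProviderAudit {
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
    $providers = $order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Assumed baseline of providers normally present on a Windows host; anything
    # outside it (e.g. a name like "mslogon" from the article) deserves a look.
    $baseline = @('RDPNP', 'LanmanWorkstation', 'webclient', 'vmhgfs', 'P9NP')

    foreach ($name in $providers) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $info = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        if (-not $info) {
            [pscustomobject]@{ Provider = $name; Path = '<no NetworkProvider key>'
                               Signature = 'n/a'; Flags = 'orphaned order entry' }
            continue
        }
        # ProviderPath usually contains %SystemRoot%; expand it before testing.
        $dll = [Environment]::ExpandEnvironmentVariables($info.ProviderPath)
        $sig = if (Test-Path -Path $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'file not found' }

        $flags = @()
        if ($baseline -notcontains $name)                { $flags += 'not in baseline' }
        if ($dll -notlike "$env:SystemRoot\System32\*")  { $flags += 'outside System32' }
        if ("$sig" -ne 'Valid')                          { $flags += "signature: $sig" }

        [pscustomobject]@{ Provider = $name; Path = $dll
                           Signature = $sig; Flags = ($flags -join '; ') }
    }
}

Get-NetworkProviderAudit | Format-Table -AutoSize
```

A valid signature alone does not clear a provider, since this campaign ran under signed tooling; treat any name outside your baseline as something to verify against the vendor and the change record. The same check applies to the HwOrder subkey next to Order.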

The incident timeline describes a 106-day campaign with stages from initial access through lateral movement, persistence, and eventual monitoring of trusted paths, underscoring the need for deliberate verification of vendor and tooling trust and enhanced detection of third-party abuse.


Article by CyberSIXT