www.microsoft.com 4/21/2026, 5:08:50 PM · via preferred

North Korea linked Jasper Sleet uses fake IT hires to breach firms

Threat Actor: Jasper Sleet

"Detection strategies across cloud and identities against infiltrating IT workers", published on 21 April 2026, outlines how remote and hybrid work has expanded hiring and onboarding, increasing reliance on online identity verification and remote access. The piece flags Jasper Sleet, a North Korea-aligned threat actor, as a threat, noting that they pose as legitimate hires using stolen or fabricated identities and AI-assisted deception to gain access and facilitate data theft or follow-on compromise.

In pre-recruitment, the actor is seen accessing Workday Recruiting Web Service endpoints from external accounts to identify open roles, with API calls to hrrecruiting/accounts/*, hrrecruiting/jobApplicationPackages/*, hrrecruiting/validateJobApplication/*, and hrrecruiting/resumes/*, a pattern detectable by Defender for Cloud Apps’ Workday connector.
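
The pre-recruitment pattern above, as an added example (not code from the original report or from Microsoft's tooling): Python that groups activity records by external account and reports which of the four hrrecruiting endpoint families each account touched. The record fields (account, is_external, path), the /api/ path prefix, the sample events and the min_families threshold are assumptions made for illustration, not a real connector schema.

```python
import re
from collections import defaultdict

# The four Workday Recruiting endpoint families named in the article.
ENDPOINT_FAMILIES = ("accounts", "jobApplicationPackages",
                     "validateJobApplication", "resumes")
PATH_RE = re.compile(r"(?:^|/)hrrecruiting/(%s)/" % "|".join(ENDPOINT_FAMILIES))

# Constructed sample records. Field names and the /api/ prefix are
# hypothetical; map them to whatever your activity log export provides.
SAMPLE_EVENTS = [
    {"account": "ext-a@example.test", "is_external": True,
     "path": "/api/hrrecruiting/accounts/1001"},
    {"account": "ext-a@example.test", "is_external": True,
     "path": "/api/hrrecruiting/jobApplicationPackages/77"},
    {"account": "ext-a@example.test", "is_external": True,
     "path": "/api/hrrecruiting/validateJobApplication/77"},
    {"account": "ext-a@example.test", "is_external": True,
     "path": "/api/hrrecruiting/resumes/55"},
    {"account": "recruiter@corp.example.test", "is_external": False,
     "path": "/api/hrrecruiting/resumes/55"},
    {"account": "ext-b@example.test", "is_external": True,
     "path": "/api/hrrecruiting/resumes/9"},
    {"account": "ext-b@example.test", "is_external": True,
     "path": "/api/staffing/workers/1"},
]


def flag_external_recruiting_access(events, min_families=2):
    """Map each external account to the endpoint families it called.

    Only accounts that touched at least `min_families` distinct families
    are returned. The threshold is an assumed tuning knob for triage.
    """
    seen = defaultdict(set)
    for ev in events:
        if not ev.get("is_external"):
            continue  # internal recruiters are expected on these endpoints
        match = PATH_RE.search(ev.get("path", ""))
        if match:
            seen[ev["account"]].add(match.group(1))
    return {acct: sorted(fams) for acct, fams in seen.items()
            if len(fams) >= min_families}


if __name__ == "__main__":
    for acct, fams in flag_external_recruiting_access(SAMPLE_EVENTS).items():
        print(f"{acct}: {', '.join(fams)}")
```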

During recruitment, they communicate with hiring teams via email and conferencing tools such as Teams, Zoom or Cisco Webex, and defenders can look for anomalous external communications and leverage connectors for Zoom or Cisco Webex to surface suspicious activity.

Post-hiring, the actor signs in to newly created Workday accounts to manage payroll details, with alerts on impossible travel indicating suspicious remote IT worker behaviour in the first months of onboarding, according to Microsoft Defender Security Research Team and Microsoft Threat Intelligence.


Article by CyberSIXT