![Live from Black Hat: Ransomware, Responsible Disclosure, and the Rise of AI [Microsoft Threat Intelligence Podcast] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/ed598a4c-81c8-11f0-b7a8-838b548b52bf/image/de42cff255e7436f87668db0949201cb.jpg?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Loading summary
A
Foreign.
B
Welcome to the Microsoft Threat Intelligence Podcast. I am Shara de Grippo, Director of Threat Intelligence Strategy here at Microsoft, and this week we're coming to you live from black hat with three mini episodes in one. First, we'll chat with MSRC's Tom Gallagher about our Bug Bounty program and round two of the Zero Day Quest. Then we shift into a chat about the current ransomware landscape with the Erics. After that, we'll wrap up with a talk about phishing and social engineering with members of Microsoft's incident response.
A
Hello, everyone. I am Sarah debrupo, Director of Threat Intelligence Strategy here at Microsoft. I am joined by one of my most favorite people, Tom Gallagher, Vice President of Engineering and quite importantly, the head of the Microsoft Security Response Center. Welcome. Tall.
C
Thanks for having me here, Sarah.
A
It's so good to see you. I've tried to get you on my podcast several times and it has not happened. Why is that? That's your first question.
C
I look forward to our conversation today.
A
Oh, that was very difficult. It was really good. So give me just a rundown of msrc, the Microsoft Security Response Center. What's the main responsibilities and mission there? What do you guys do?
C
There's a lot of different things that we do, but the main thing is any security vulnerability that's found by somebody outside of the company gets reported through the msrc. And then we go and triage that. We do a technical assessment. We work with the product teams to get that issue mitigated, and then we work with the researchers so that they can publicly disclose the information. In some cases, we'll pay a bunch bounty for them to reward.
A
So when somebody reports a bug, they get to disclose it, or did they disclose it in partnership with Microsoft? How does that work?
C
Yeah, any issue standard is coordinated upon disclosure, which means that the person that finds it reports it to the vendor, and then the vendor and the researcher work together to make sure that customers are protected. And then when that issue is mitigated, the researcher is free to go and talk about it. That way, customers are protected, but the researcher is also able to publicly discuss it at conferences like Black Hat and push research among the community forward, because we all learn from each other.
A
I love that. And I know that you and your team, like Stephanie and Alex and others, have really good relationships with the researchers, the bug hunters. And what is that like? What is that group of people like? How would you describe them?
C
I would describe them as very diverse. We have a very wide set of researchers around the world. If you look at the last Year of bug bounty submissions, you have people from 59 different countries that have submitted vulnerabilities. We also like you have people that are still in high school all the way to people that are well experienced, close with PhDs. So everybody brings a different angle, different perspectives and we really benefit from from them.
A
Now in the past couple of years I have sort of seen the advent of being a bull researcher or a bug hunter as somebody's just entire source of income. People say, you know what, I am kicking it on bug bounties. I'm making a lot of money on this across the board. And they just do that full time. How much of the community is like that? Like, is that a real thing?
C
That is definitely a real thing. Some of those folks are a part of our program and they submit to us, some exclusively, some will submit to us and also some other bug bounty programs. There's a pretty wide array of how much people are involved. There's people like you're describing who get up and they look for bugs all day long. They come up with techniques, they'll try it against Microsoft, they'll try it against other vendors and they'll try to monetize that and that is the way that they make their money. But then you also have people that may be doing it for fun on the side, on the weekends, late at night. Some of these folks are just learning they may not have a job in Infosec yet and you know, all kinds of different.
A
And that goes back to that diversity you were talking about across hobbyists and professionals and early in career, super senior and all that kind of stuff. And help me understand too with MSRC is that every Microsoft product like pretty much everything.
C
So we take vulnerability submissions for anything that's Microsoft awesome. We pay out, we try to incentivize research in certain areas. And so those are going to be the areas that we have bunk bounty for. We do not have everything under bug bounty.
A
And I know that last year, year there was a new program called Zero Day Quest and that was announced by Satya in November 2024 in Chicago at the big Ignite conference, the Microsoft conference. And tell me what Zero Day Quest is exactly.
C
So Zero Day Quest, we did it for the first time in April of this year. We had a qualifying period where we said, hey, these are areas that we want to see people do research in. They were focused on cloud and AI. We asked people to submit bugs in those areas and then we took the top people and we invited them to an in person event at Redmond.
A
Oh what happened at this in person event? Sounds fun.
C
Yeah, so it was a lot of fun. We had the researchers on campus, it's our main campus, so a lot of the product development is there. So we had people working hard to find vulnerabilities. Our team would in person go and assess them. It was really great for our team to be able to go and tap the researcher on the shoulder and say, hey, we want to understand this a little bit more. Then we would submit the bug to the product team for them to go and address. And then in many cases we would say, you know, these folks are here on campus and, you know, the product team would show up and say, hey, how did you find this bug? What's going on? And so the engineers that are actually developing the features learned a bunch about, you know, that hacker mindset, how people are approaching trying to find security vulnerabilities. And then the researchers were like, hey, can you tell me a little bit.
D
More about the architecture?
C
How does this work? How does that work? So that they could further their research and own where they're going to go and look to find vulnerabilities.
A
That's so full because it compresses that timeline from bug finds, a bug fix into what, a day, the, you know, the fix.
C
So certainly the, the submission to go and triage was like super quick. The mitigation of an issue is going to vary depending on what that product is. And we have to be very intentional not to be too fast and break things, but certainly our time to mitigate is something that's very important to come to me.
A
I think it's really interesting since I've come to Microsoft, seeing just really the scale of Microsoft deployment. A lot of people think about like Windows or Edge browser or obviously Azure, but Microsoft has such a massive split print, not just within the Windows ecosystem, but Was it Mac, iOS, Android, across IoT devices? And you're taking all those bugs in across any Microsoft product. That's huge. How many bugs do you say come in a day?
C
We don't publicly talk about the number of bugs that are coming in.
A
Are you tired for snap?
C
I would say that we are very smart about how we triage things. So if we're going to use technology to go through, not every submission that we get is like a critical issue. And we're using a lot of AI now to go and triage things and prioritize and work through all of the issues that are important.
A
I've heard a lot about AI. It seems to be very popular. Tell me now you've talked before about the ethics around responsible disclosure. Kind of help me understand how MSRC implements those kinds of values.
C
Yeah. So everything that we do is to protect customers. Right. And Microsoft, that's another way to protect customers. The first part is that coordinated vulnerable disclosure that we talked about earlier, where people are going to partner together to get the issue fixed before we go and disclose. The other thing is we want to be intentional with how people engage and what, you know, how far they go with their research. You know, we don't want people to find a vulnerability and then start using that to touch customer data and things like that.
A
Right.
C
One of the things that we did during Zero Day Quest is we set up these things we called Flash challenges where we said, you know, can you go and read this email? Can you go and find the ability to look at the SharePoint document and things like that so that people could go a little bit further than they normally would, but it's all within a contained boundary that would be responsible.
A
I love that. I think that, you know, having such a massive footprint like Microsoft does, being committed to ethical, responsible disclosure is kind of our like mantle foundationally in the world. Like to protect the global digital landscape, we have to be willing to have rigor and discipline and approach things in a really clear ethical way. Which I think is fantastic with MSRC and everything that I've done with MSRC because I've worked with your group quite a bit. That value is in every person and every project and everything that we do there. So it's pretty cool. So how does all of these pool things like Zero day quest, bug bounties? How do all of these kind of contribute back into the big focus of Microsoft, which is security and the secure future initiatives?
C
Yeah, one of the pillars is to accelerate response and remediation. I'm the pillar owner for that.
A
You're the pillar owner? What kind do you have a crown or a scepter or what do you get? What do you get for being a pillar owner? I get a bag of concrete.
D
I get a lot of work.
C
So certainly we put a lot of energy into helping everyone across the company understand the vulnerabilities to accelerate the ability to mitigate those issues quickly. But if you think about the longer timeline, you know, security really starts from the time somebody envisions what a feature would look like. It's well before somebody's writing code and you know, threat modeling, all of it. All those things happen at Microsoft. By the time a security researcher is finding an issue, that means the landscape could have changed. There are new threats that are understood. The researcher may have a different perspective on things than we did. And so that's all feedback. That's the feedback channel that we use to change the way we think about things. So it might be, you know, we missed something. Let's go at some static analysis rules. It could be. Let's make sure that people that are doing threat modeling consider this perspective when we're going and designing new features. So it's all just a feedback.
A
It's a great partnership, I think, between Microsoft's Career Response center and our Microsoft software engineers. Software developers. I work through your group doing a lot of workshops for those software developers. And it's a really different mindset working with somebody who considers them a, considers themselves a software engineer versus people like us who kind of are security people. And I always say, you know, the developers are the makers and we're kind of the breakers on the security side. And sometimes I just wish I could live in that software developer world where I just wanted to give people cool features all the time instead of feeling a little disruptive, where I'm going to try to find problems and bring them up.
C
Well, I think it's a great partnership. I worked on the office team for 23 years and we were shipping features but I was always responsible for how do we do this in a fast way, but in a secure way. And so it's really about building that awareness, building the partnerships with the software engineers because they're going to be well equipped to go and address the issue if they're aware of how to go and do that.
A
I love the way that Microsoft handles these things because we have the scale that we have. Let me ask you now, Zero Day Quest, are we going again in 2025?
C
And we started the next phase. It's a qualification phase. We opened it up on Monday. That's through October 4th. You should check our blog. We're accepting submissions right now. Basically the way that you submit is find a vulnerability in cloud and AI products. Submit those, you're going to get paid for them. We have even multipliers for critical issues that are being filmed. And then we'll take the COP people and invite them for that in person experience that we described before.
A
And that'll be in Redmond again at campus. Amazing. It's absolutely worth it. If you're listening, search up Zero Day Quest, Microsoft, go get involved and check that out. And finally there is New Hat Asia in Big Dalaru coming up. How do you feel about that? When is that?
C
I'M very excited. So we, we have three, three hello Hat events around the world now. It started in Redmond, we've had an event in Israel for several years, and then recently we started one in India and it's been such a big success that we're expanding to attract the broader region and it's called Duluth Deja.
A
Fantastic. So those are some things for the audience to go check out right now. Get on your computer and look up Zero Day Quest, Microsoft and Blue Hat Asia coming up soon. Tom, I have one final question for you. What is something that you would love to see more of from the research community this year?
C
I think there's still a big opportunity to do more AI research. I think there's a lot of folks with a lot of talent around application security and that's a great mindset. What we'd like to do is see more people pivot to think about the AI problem. The researchers that work in the AppSoc space have a great mindset. If they apply that same mindset to AI, I think it'll unlock a lot of different things. Some of the things that we're doing is we're providing additional training. We have videos out, we have information about that. It's a different type of problem and so you just have to think about it a little bit differently. But the core competencies are really the same thing.
A
One of the things that I think is so cool about AI bug hunting is that you could do a lot of it in natural language. So the bar to entry really is anybody can do it. That's right. And I want to put a particular call out to my social engineers out there, because combining your social engineering experience with natural language capabilities, getting into AI systems, you can hit bugs that you maybe not. You maybe could not have hit otherwise.
E
That's right.
A
Without a social engineering background.
C
That's right. And you don't have to get sweaty like you would social engineering.
A
A real person, you don't need a clipboard or anything like that, just a computer or little typey, typey fingers.
C
And if you fail, you just try again. It's not like social engineering in the real world where you get shut down.
A
Absolutely. You can keep trying. I love it. Tom Gallagher, thank you so much for joining us. That was vice President of Engineering from the Microsoft Security Response Center, Tom Gallagher. I'm Sarah De Grippo, Director of Threat Intelligence Strategy at Microsoft, coming to you live from black hat to 2025. Thanks for joining me, Tom.
C
Thanks, Sarah. It was great.
A
Welcoming to the stage. My close friends that I Have known for a very long time. Eric Olsen, principal security researcher and Eric, senior security researcher. I've heard that you guys like crime, True or false?
C
True.
F
Not committing crime, but crime.
E
Yes.
A
Gotta make that distinction. Don't want to commit the crimes, want to research the crimes.
E
Exactly.
A
Yeah. Okay, so let's talk about ransomware. Ransomware is one of my most favorite things to research and never do because it really had falled over like the past 10 years to become this thing that used to be an individual situation where like a computer would get printed to. Now they're shutting down entire organizations operationally. So help me understand. I'll start with you. Like, help me understand what you're seeing on the ransomware ecosystem.
D
Yeah, I think what we've been seeing lately is that when they come in, they seem to know where they want to go a lot faster than they used to. So whether that's going straight towards nice servers or targeting the backups and trying to inflict the damage fast and early.
E
Because they have a better chance of.
D
Getting the ransom payment rather than just encrypting a few workstations, which doesn't really motivate the company to want to pay. And I think another thing that's really been brought up is the they seem to have the accounts when they come in, they don't need to do a lot of privilege escalation. I don't know if that's the right rise of ransomware brokers and access brokers. Giving them credentials. The initial access is usually really fast. And then we'll see them do things such as building the tick attacks or trying to drop other persistence mechanisms to keep us from kind of stamping them out. But the speed, I think is the real thing. That's changed the last two, three years for us.
A
That's really interesting when we talk about speed. For years, the DBIR for Verizon would have have stats on dwell time, which is essentially the time from when a threat actor gets access to a network, how long it takes before they actually do the inputs to intake with the lady who shut down the organization. And year after year, dwell time would get shorter and shorter. And I remember dwell Times of 10 days, dwell times of seven days. And as those got shorter, I think we're seeing dwell times now in hours.
D
Yeah, we. I worked a case a few weeks ago and it was about 30 to 40 minutes from when they came in. When we had the first VPN log time stamp to when they started hitting the backgrounds was around 40 minutes. So it's very quick now.
A
Are you seeing the same kinds of things with the ransomware that you're looking at?
F
Yeah, it's been interesting. So we see abuse of common exploits. So good example is Citrix Bleed cu, which is more recent. So you'll see them jump from some exploit like that and then once they get in the network, set up shop, click the tool attendees and in a lot of instances these folks know the tools better than the customers. So they're like, hey, we can. You're using a software deployment mechanism.
E
Guess what?
F
We have people who are experts in this and they're able to just get.
E
In, get it deployed and get out.
A
I think that's something that we've seen too in especially when it comes to social engineering. Threat actors really do seem to know the organizations, the people, the business processes in a lot of cases better than the employees themselves. They're able to really understand, hey, if we rans up this organization or this company, will we get a pay, will we get paid? Do they have the money, do they have the capability and how exactly would we get that access? And I think that it's really, it's a shift over the past decade. Decade of kind of a spray and pray ransomeware like locky was in 2015 to now. It's really targeted, it's really specific and intentional. Do you have any insight into how these ransomware actors are choosing their targets?
F
It varies. It really varies. It could be open source intelligence and they're just going to be scans of unsubscisse. I mean it's RDQ exposed, some other remote access protocol exposed. It could be through some social engineering credential theft. We've seen like a forum gets compromised, there's some abuses for something like let's say codes and that person gets, you know, honked down the limiting Adobe executable and it's actually not as the first stage of own access into the organization.
A
And something that I think is interesting now too about the way ransomware operates is we're seeing a lot of, you know the phrase we used to use was double extortion, but I think now we're saying we'll see extortion. How are we seeing that playing out with not just encryption for pay, decryption for pay, but additional extortion techniques of the same organization at the time?
D
Yes, I think there's the data that comes component of them actually exfilling proprietary data before doing the encryption. So they have kind of two options, right? Like we'll release your data to the public and you're going to sit there with everything encrypted. So I think it's mostly what I've seen recently is the extortion of their proprietary native.
A
I think looking forward in terms of ransomware, I think something that really is on the horizon is the use of AI and you might say like, well, where do you put AI in the attack chain essentially for a ransomware event? And I think what we're going to see is usefulness of vintage data breaches, ransomware actors going, pulling down old data breach archives, putting them through an LLM or an SLM locally and saying, hey, help me figure out their weaknesses. Help help me figure out based on these data breaches where I could potentially do a ransomware event on this particular organization. Or you know, look through this and see if there's extortion tactics that maybe we can use. Maybe if you get an email dunk, look for email conversations that talk about mergers and acquisitions or maybe a supervisor being inappropriate with one of their employees and we could use that part of kind of extortion. So it's get a really epic accelerate these threat actors ability to understand the businesses like we were talking about before, they're going to be a lot quicker in that.
D
Going back to your earlier question too of how they get in sometimes I think, and you've probably seen this too also, if the company's using a third party MSB and they compromise that sometimes the way they pick their targets is whatever employee they compromised in that third party, that's who they go after. The employee has access to these four companies to do normal administration work, they go after them. I think we've seen a lot of those seemingly seem like they start from the managed service provider and then go into a company. So I think there's going with it. I think there's a kind of a bright spot in it though. We have seen a lot of customers getting smart to having their backups disconnected from their main network. We worked at it recently where they hit the A6I servers, they were going to pivot to their backup so they just cut the line right away. They seemingly were able to save themselves. So as we see like the ransomware at the dwell time get faster, I think the customers responses are actually getting pretty, pretty fast as well.
A
Yeah, and a good point on the.
F
Use of AI is now quality all of this information at your fingertips so you can go back and say, okay, hey, this company was impacted by this previous vulnerability of some software and now a new version comes around so they.
E
Can go back and play back that.
F
You know, repeat that playbook and say, okay, hey, the customer is vulnerable this time. What's the chance they're now also vulnerable with this new version?
A
And that I think breaks up that important conversation around software supply chain or provider supply chain, where your vendors of providers are just as much of a target as you are, if not more. Because ultimately those vendors, whether they sell you software, they sell you services, you use their platforms. If threat actors know that those service providers and software sellers are vulnerable, it's a lot easier to compromise a hosting platform or like you said, an MSSP and then go downstream to all of those customers that make excellent targets for these threat hackers, especially to ransomware.
D
Yeah, and I think from the customer side too, they don't really know how the script he's managed on the other side. They may do everything right on their side, but they're kind of leaving that vulnerability out there in some way.
A
Yeah, I think that cuts back to like one of the least fun and cool parts of security, which is like vendor audits, like making sure your vendors are doing the boring parts of security and that you have, you know, as a P3 of visibility into those vendors and understand their approach, security, what they think is important, how they do the things they do. I want to talk a little bit about the business of ransomware. We always say ransomware is an ecosystem. You're not fighting a single threat after group, you're fighting an entire organized ecosystem. What have you seen in terms of the organization of these ransomware threat actor groups, how they operate?
D
Don't know if I have a specific answer on that. I think the access group broker side though, is maybe where I've seen that evolve a little bit. Because before it was always kind of an exploit at like an edge device or compromised credentials of, you know, you can be a social engineering or something. But now it's. We're seeing cases where none of that really seemingly happens in the logs. They just kind of log in with an account. So it's, did they buy those credentials from an access broker somewhere else with the permissions that they need and just log in and do what they had to do?
C
So the.
F
Yeah, also you have disagreements between different ransomware groups and they break the leg, form their own ransomware group and maybe take that as a moment to, you know, introduce some changes of their law in the way that products that they want to use, have used and then hit it that way.
A
If there's definitely an element of kind of cutthroat, no honor among thieves would have Hunts a lot of these rans workers. And the way that most of us know that is we read the slide the or various other leaks that have come out of these groups where we can really see the inner workings of, hey, this guy's getting paid more than I was getting paid. I want a raise. Or, you know, we're doing it this way. I don't think that's the most effective. Let's make a change here. As Big said, no, I don't like that school. We're gonna. We're gonna splinter or we're gonna shut it down.
F
They're not getting a big enough cut.
A
They're not getting a big enough cut. I've also seen instances where, like, it'll be, you know, one person working for multiple ransomware groups at a time because they just sort of know what to do and they take on as many jobs as they can. What do customers need to know in terms of ransomware? You say double, and then customers need to get handled for greed.
D
I think would be having a plan to disconnect critical systems backups stored in a manner that's not connected to your normal production environment. So you're not totally Greek yielded. And if you it'll get a hold of it in time. And then another thing I always want when we're on instant response gigs is the VPN and the firewall logs, especially for any kind of historical compromise. Not having those logged anywhere really limits how they got in and where they came from and to really track if there's any other processor. So I think disconnected backups and having proper logging, I think is so for.
A
All of you listening, you're going to need to do proper logging and backups. Things like network segmentation and making sure that your heat can and fireball laws are accessible. So we are really talking the language of like 2002. Yeah. That people haven't taken care of us.
F
Have recommendations also equally important, you know, realizing where your sensitive data is at. Because the ransomware folks, they definitely know. And when we start when they send you an email and they're like, hey.
E
Look at all this data.
F
I said, and, you know, maybe the customer is like, hey, little cat and mouse, I'll send me a proof of life. I don't believe you tell me you took my data and they send you a text file. Like, hey, look, here's all the data I took. And now you're that company going, all.
E
Right, I see this data.
F
I don't recognize this.
E
Where did it come from? Inside my network.
F
And then they can't find it.
A
So you can't verify whether or not this redactor really has what they say.
F
They have, or even proving that the data was exfil because maybe that segment was not logged or audited and there was no, no evidence.
A
So there really is just such a big element, I think, of social engineering aspect for ransomware. Whether it's, you know, the initial entry leverages text messages or calling, whatever threats, or if it's at the, you know, encryption stage where they say, oh, we really do have this data. And then the organization has to decide whether or not they believe that's true.
E
Yeah.
A
All right, we are going to wrap up now. I want to see thank my two guests, Eric Oldman, principal security researcher and Eric Lawler, senior security researcher at Microsoft. I am Sheridan, criminal director for Intelligence Strategy. Thank you for joining me at Black Hat 2025. Hello and welcome to the Microsoft booth at Black Hat. Wow. Okay. We're going to talk about credential phishing and social engineering, two of my most favorite topics. And with me, I have fantastic guests from Microsoft. Travis Schack, principal security researcher, and my good friend Eric Olson, also principal security researcher. I am Sarah de Graveau, director of threat intelligence strategy at Microsoft. And let's get into it. Travis, I'm going to start with you. What exactly is social engineering, but definitely should be.
G
Can you hear me? So social engineering is just a tactic that threat actors use to get you to do something, to provide something. Lots of different techniques involved in that. We'll probably talk a lot about the phishing as far as the email side with the phishing and some other techniques.
A
So, Eric, I'll ask you, what examples of social engineering have you seen that threat hackers actually sent out there into the world?
E
Well, so social engineering, actually probably a really good one, is everyone who's got a text message that says, hey, you have a tool due, click this link. Or UPS says, oh, don't forget your package, click this link. And I know everyone's got that.
A
So you should click the link. Right.
E
If you're a researcher, maybe. But no, definitely not click the link.
A
Only if it's for research purposes.
E
Yeah, exactly.
A
And so people get those all the time. I think a lot of people listening are probably pretty smart and just deleting the message or ignore it. What happens if you click on the toll link? What is it varies?
E
Could be something that's like, hey, put in your email address and password and you're like, oh, well, I use the same password for everything. Naturally. So let me Just put in my password. And now they got your password. And they could either, you know, go to some credential broker or you know, that threat actor was hoping that you would put in your password and then now they have it.
A
So what kind of scale are we looking at when we talk about things like social engineering for credential theft? Like how many of these messages are getting sent, how many people are clicking on them? Is this actually profitable?
E
Very much so profitable and probably way too many to count. I know I have family members who send me emails all the time. They're like, Eric, is this spam? I'm like, yes, it is a phishing email. Please tell me that you did not click the link, you didn't provide your password or any of the other info that it asked for. And I think one of the things that's changed is that with the use of AI, so previously, you know, you get an email and you're like, oh, this is unrealistic because either the English isn't correct or the grammar doesn't match up with something that would be said in person. So now through the use of AI and like using deep fakes, you're like, all right, this is kind of believable if you're not looking for other indicators like hey, it came from a random email address. That's not the company that said they sent it.
A
Right. And I think that people don't understand them for the most part. Things like Credential Phish are really the beginning of an attack. So Travis, walk me through, like once the threat actor has your username and password, let's say you did fall for it, you put it in the landing page. What happens after that?
G
Yeah, so typically they want to use that information once they capture it. And if you don't have multi factor authentication on that account, they're going to gain access to whatever systems where you use those credentials. So whether it's work related, personal related, banking, they're going to try everywhere, social media, they're going to try everything to try to get users credentials to gain some kind of access.
A
So I guess that leads me to my next question, Eric. How do we prevent this stuff? Stuff like what's the way to stop it?
E
Well, you know, I was reading something earlier that was talking about, about corporate training and you get, you know, we get it too. And it'll be a video like hey, click on this thing or watch this video about something. And you know, for the most part a lot of folks probably just tune it out because they're like, hey, I have 40 hours of training I have to do. It's videos and I think it'd be much better served for some kind of like micro learning, like a simulation where you're like, hey, you click on this area of the email that looks suspicious. So I know that you know if you get an email at the company that you'll be a good, a good cybersecurity person because everybody can do a little bit of security and be like, hey, this is no good. And then report it and okay. Nope, not clicking it.
A
So what else, Travis, can we do in terms of prevention? How do we stop this stuff?
G
Yeah. Besides the user education. But then you're still going to have some failures there. Then you got to rely on some of the technology side of the house. That's where multifactor authentication is going to help. Adding in that second layer of authentication tools like Defender for Office 365 is going to help with that. So really the multi factor authentication is probably one of the biggest protections that we can have.
E
Yeah, because. And you know, for phishing and actually social engineering too, it's not necessarily starting with breaking the system, it's breaking trust of the person who's on the other side. And then you have to hope that all the other security controls and tools and things that you have at your disposal are what, you know, stops the next step.
A
Yeah, I think too, like you mentioned, AI and I've been thinking a lot about this. I think that a lot of the AI tools that we have available to us today really are these large language models, generative text. They can create images and they can create text. And I think we are seeing threat actors leverage AI tools to create really good social engineering org. But something I think about too is all of those data breaches that have happened over the last several years, those are out there available for threat actors to take and it would be really easy, I feel, for a threat actor to download a bunch of BREIS data, whether it's emails or credentials or corporate ip, and then run those through an LLM and say to the LLM, if I was going to try to trick someone from this company, how could I do that? What is something that people in this company are concerned about that would cause this to click? I don't know that we've seen that yet, but it makes sense to me that threat actors are thinking about leveraging AI as that kind of tooling.
E
Yeah, definitely speeds up the breaking trust bit.
A
Right. It makes things go faster. And I think it does. I think AI really something that is important to think about when you're rebranding. It is the A can very easily stand for acceleration. Just making things a lot faster that we used to do manually. Or even when you did it with code, you could do it even faster today than you can with writing most scripts. Because what do you see? Think about bodies of text, which is what LLMs specifically are really great at, handling the amount of different types of usernames and passwords and data that's out there. Writing a regular expression for that to like grep through a giant database of text is really hard. Like that regular expression is probably impossible to create. So with an LLM, you've now got that natural language interface and you could say, hey, go through this and find me anything that would be interesting if I was a hacker. Basically.
E
Yeah, yeah.
A
So help me understand. We talk about social engineering in terms of emotion, emergency and habit. Any examples of social engineering that you thought were really clever to do?
E
Really good use of like audio or deepfakes is actually audio deep fakes listening to. I don't remember what it was. There was something in the news, a politician in the US and they deep faked his voice and then used his voice to call other politicians. And I mean, unless I guess, you talk to the person every day, you could easily be tricked. They're breaking your trust and you're like, okay, this sounds believable. Or at least they have enough context about what they want that it sounds believable. And you're like, okay, you lower your shield down and you know, just allow, you know, allow the conversation to continue.
A
Yeah, Travis, what have you seen?
G
I'd have to say what Eric said. You're starting to see the phishing becoming more successful because they are getting better at calling. Right. We see a lot of help desks being targeted and typically used to be able to like decipher, like, is this person really real or not? But now with the voice generation stuff and with the AI coming in, helping with the grammar mistakes and making that more believable, but it's. You just do that.
E
And I think AI has definitely helped you be more relatable because you're like, hey, well, I know that you like this specific thing, so you don't start the conversation with what you want. You start the conversation with something to build trust first and kind of get that person to lower their barrier. And then you come in for your ask.
A
Absolutely. I think, you know, we see multi chain relationships tips with social engineering. We see things like just a single email sent out a really Good example that I talk about a lot is, you know, it's on sort of email letterhead like with a thick file and graphics and everything that says we're in a law firm. And it says, hey, I'm from this LLP law firm. If your spouse has contracted me to prepare your divorce papers, go ahead and click here to view our first draft of your divorce papers. And I think, Billy, anybody married, single, happy, unhappy? There are so many reasons for people to click on things like that.
E
Yeah, absolutely. Prey on their fear.
A
Yeah. Curiosity.
E
Yeah.
G
Lack of jobs right now. Right. I was a former Sizz my. The last company where I was a ciso, our HR VP got impersonating and we're basically offering jobs to people and then scamming them out of money through Google sites. And it was really hard to stop that front of because they thought that it was actually from our organization. So today you see a lot of, like a lot of my friends are saying, hey, I just got this recruiter, they just sent me something about a job. You think this is real? So you're going to use the current times, whatever's going on. And so you really have to be aware of what's happening right now and how threat actors can you leverage that.
E
Yeah. And even something like, hey, take a look at this job description and it's in a word doc or a PDF and the person on the other side has malicious intent. And you know, you're looking for a job so of course you're going to have, you're going to have an interest on opening up the email and looking at the attachment.
A
I also think too there's, you know, threat actors have been able to really be smart about who they're targeting in terms of looking at data that's available, either open source data or data that's out of reach. Say, oh, like this group of high value individuals all have the following thing in common. I could kind of write a similar or send that out to all of them and see what comes back to me. I know of an example where one of those big email platforms, one of those marketing platforms, an account on one of those was compromised and the threat actor said, great, I've got access to all these people. It was a newsletter about wine of the month, it was a wine review newsletter. And the threat actor said, you know, great, I have access to this, I can send from it. I'm going to look through these individuals and see who's maybe a high net worth, who has high access that I want to maybe compromise them. So I can get further access. And the threat actor sent out a wine newsletter that said, click here for a free bottle of wine.
E
Hopefully they sent the wine.
A
You got hacked. Bait and switch. But it makes sense, right? If you know even a little bit about your target, you can social engineer them so much more effectively. And, you know, there's everything across the spectrum of threat actors. You do deep, deep research on their targets. They understand them. They tailor perfect, perfect social engineering and floors directly at that individual. And then there's those massive campaigns of spray a prey where the threat actors like, I'm just going to send this to everybody and just hope for the best.
E
Yeah.
A
So I think social engineering is something we can never overlook. And I'll kind of leave everyone with this. If you're looking at an email and it's telling you to do something immediately, that is probably social engineering. Anytime that an email says you must act now, hurry, going fast, all those kinds of things, generally you should be a little suspicious.
E
Yeah, definitely.
A
All right. I want to thank Travis Shack and Eric Olson, both principal security researchers at Microsoft, for joining me. Sharon Negrippo, director of threat intelligence strategy here at Black Hat 2025, to talk about social engineering and physics. Thank you both.
E
Thanks for having us.
G
Thank you.
B
This week on the Microsoft Threat Intelligence Podcast, join us live at Black Hat, where you'll hear about bug bounty programs, ransomware, and all kinds of incident response tactics. Be sure to listen in and follow us@msthreatintelpodcast.com or wherever you get your favorite podcasts.
Episode: Microsoft Threat Intelligence Podcast
Date: September 1, 2025
Host: Shara de Grippo, Director of Threat Intelligence Strategy, Microsoft
This special live episode, recorded at Black Hat 2025, delivers a trio of expert conversations focusing on the cutting edge of cybersecurity threats and defense. The show dives into Microsoft’s bug bounty and Zero Day Quest programs, the rapid evolution of ransomware and extortion, and the current state of phishing and social engineering. Across these segments, the rising impact of AI in both attack and defense takes center stage, with practical insights for security professionals at every level.
Guests: Tom Gallagher (VP Engineering, Head of MSRC)
Timestamps: 00:05 – 15:36
MSRC’s Core Role
"Any security vulnerability that's found by somebody outside of the company gets reported through the MSRC. We triage, assess, and work with the product teams to fix it, and then we coordinate public disclosure."
— Tom Gallagher [01:24]
On Coordinated Vulnerability Disclosure
"The person that finds it reports it to the vendor ... the issue is mitigated, the researcher is free to go and talk about it."
— Tom Gallagher [01:58]
Diversity and Motivation in the Research Community
"You have people from 59 different countries ... people still in high school to well-experienced, close with PhDs."
— Tom Gallagher [02:41] "Some ... get up and look for bugs all day long ... that's the way that they make their money."
— Tom Gallagher [03:37]
Scope and Triage
"We're using a lot of AI now to triage things and prioritize ... not every submission that we get is like a critical issue."
— Tom Gallagher [07:39]
Program Structure and Impact
"It compresses that timeline from bug finds, a bug fix into what, a day?"
— Shara de Grippo [06:29] "The mitigation of an issue is going to vary ... but certainly our time to mitigate is very important."
— Tom Gallagher [06:40]
Ethics and Responsible Disclosure in Practice
“People could go a little bit further than they normally would, but it’s all within a contained boundary.”
— Tom Gallagher [08:44]
Security Starts Early, But Research Is Key Feedback
"That's the feedback channel that we use to change the way we think about things."
— Tom Gallagher [10:16]
Building Security Culture Across Development and Response Teams
"They’re going to be well-equipped to address the issue if they're aware of how to do that."
— Tom Gallagher [11:55]
Call to Action
"Find a vulnerability in cloud and AI products. Submit those—you're going to get paid for them ... the top people get that in-person experience."
— Tom Gallagher [12:30]
Expanding Global Engagement
What’s Needed from the Community?
"We’d like to see more people pivot to the AI problem ... apply that same mindset to AI."
— Tom Gallagher [13:56]
"Combining your social engineering experience with natural language capabilities, getting into AI systems, you can hit bugs ... you maybe could not have hit otherwise."
— Shara de Grippo [14:36]
Guests: Eric Oldman (Principal Security Researcher), Eric Lawler (Senior Security Researcher)
Timestamps: 15:37 – 28:43
Acceleration of Attacks
"It was about 30 to 40 minutes from first VPN log to hitting the backups."
— Eric Oldman [18:10]
Operational Intelligence of Threat Actors
"They have a better chance of getting the ransom payment rather than just encrypting a few workstations."
— Eric Lawler [17:02]
Trends in Access and Persistence
"They have the accounts when they come in; they don't need to do a lot of privilege escalation."
— Eric Lawler [17:02]
Evolution of Extortion
"They have kind of two options, right? We'll release your data to the public and you're going to sit there with everything encrypted."
— Eric Lawler [20:45]
AI-Accelerated Reconnaissance
“Ransomware actors going, pulling down old data breach archives ... help me figure out their weaknesses. ...help me figure out, based on these data breaches, where I could potentially do a ransomware event.”
— Shara de Grippo [21:05]
Attack Playbook Replay and Supply Chain Risks
"They can go back and play back that—you know, repeat that playbook."
— Eric Oldman [23:15]
Targeting Service Providers for Maximum Impact
"If the company's using a third-party MSP and they compromise that, sometimes ... that's who they go after."
— Eric Lawler [22:16] "Your vendors of providers are just as much of a target as you are, if not more."
— Shara de Grippo [23:38]
Ransomware as an Ecosystem
Group infighting (“no honor among thieves”) and specialization among access brokers, affiliates, and developers drive rapid evolution.
"We have disagreements between ransomware groups and they break off, form their own ... introduce some changes ... and hit it that way."
— Eric Oldman [25:36]
Proactive Defenses
"Having a plan to disconnect critical systems ... backups not connected to your normal production environment ... proper logging ... are so key."
— Eric Lawler [26:45]
Know Your Crucial Data and Vendor Hygiene
Many organizations are unaware of data exfiltration until ransom proof appears. Vendor risk management remains unglamorous but essential.
"Making sure your vendors are doing the boring parts of security ... have a P3 of visibility into those vendors."
— Shara de Grippo [24:25]
Guests: Travis Shack (Principal Security Researcher), Eric Olson (Principal Security Researcher)
Timestamps: 28:43 – 42:24
Defining Social Engineering
"Social engineering is just a tactic that threat actors use to get you to do something, to provide something."
— Travis Shack [29:41]
Everyday Examples
"Everyone who's got a text message that says, hey, you have a toll due, click this link ... everyone’s got that."
— Eric Olson [30:15]
Massive Volume and High Effectiveness
“Very much so profitable and probably way too many to count.”
— Eric Olson [31:28]
AI Supercharges Social Engineering
“Now through the use of AI ... this is kind of believable if you’re not looking for other indicators.”
— Eric Olson [32:16]
What Happens Post-Compromise?
Stolen credentials grant system access—without MFA, attackers quickly pivot to sensitive systems (personal, work, banking, social media).
"If you don’t have multifactor authentication ... they're going to gain access to whatever systems where you use those credentials."
— Travis Shack [32:37]
Why User Education Alone Isn’t Enough
"Besides the user education ... that's where multifactor authentication is going to help ... technology side of the house."
— Travis Shack [34:02]
Top Recommendations
AI Risks and the Future
"Download a bunch of BREIS data ... run those through an LLM ... trick someone from this company, how could I do that?"
— Shara de Grippo [35:00]
Abuse of Context, Emotion, and Habit
Emails/Fakes exploiting urgency, fear, or curiosity (e.g., “Your spouse has begun divorce proceedings—click here”) or personalized job scams during economic uncertainty.
"A really Good example ... a law firm ... Divorce papers—click here ... there are so many reasons for people to click on things like that.”
— Shara de Grippo [38:26]
Deepfake-Aided Vishing and Help Desk Scams
Deepfaked audio of politicians used for social engineering; attackers now easily bypass human intuition, especially targeting internal help desks.
"You're starting to see the phishing becoming more successful ... lot of help desks being targeted ... now with voice generation and AI ... it's harder to decipher."
— Travis Shack [37:42]
Range from Targeted to Spray Attacks
On Global Research Community and Diversity:
"We have people from 59 different countries... people that are still in high school all the way to people with PhDs."
— Tom Gallagher [02:41]
On the Impact of AI in Triage and Security Response:
"We're using a lot of AI now to triage things and prioritize and work through all of the issues."
— Tom Gallagher [07:39]
On the Acceleration of Ransomware Attacks:
"It was about 30 to 40 minutes from when they came in ... to when they started hitting the backups."
— Eric Oldman [18:10]
On Threat Actors Knowing Organizational Processes:
"They're able to really understand... will we get a pay, will we get paid, do they have the capability, and how exactly would we get that access?”
— Shara de Grippo [18:57]
On Defensive Priorities Against Ransomware:
"Having a plan to disconnect critical systems ... proper logging, I think, is so key."
— Eric Lawler [26:45]
On AI Increasing Attacker Sophistication:
"The use of AI... now you can go back, repeat that playbook, and see if the customer is vulnerable this time."
— Eric Oldman [23:15]
On the Human Element of Security:
"Everybody can do a little bit of security ... be like, hey, this is no good. And then report it and ... not clicking it."
— Eric Olson [33:57]
On AI’s Role as an Accelerator:
"AI really...the A can very easily stand for acceleration—just making things a lot faster that we used to do manually."
— Shara de Grippo [35:54]
Closing Thought:
As threat actors rapidly innovate, especially with AI at their disposal, defensive strategies must evolve just as quickly—melding cutting-edge technology, global collaboration, and a perpetual focus on human factors.