Third-Party IT Provider Breach Enabled Stealthy Enterprise Intrusion
Microsoft Incident Response detailed a stealthy intrusion in which a threat actor gained access through a compromised third-party IT services provider and then abused trusted enterprise management tooling to operate inside the victim environment. Rather than relying on software exploits, the actor used HPE Operations Manager and HPE Operations Agent to run scripts, deployed web shells on internet-facing servers, and targeted systems including WEB-01, WEB-02, DC01, DC02, and SQL-01. Microsoft said the activity was discovered after a prolonged dwell time, with incident responders engaged on day 123.
The attacker focused on persistence, credential theft, and lateral movement by abusing legitimate Windows mechanisms and valid accounts. Microsoft reported the use of a malicious network provider DLL and a malicious password filter DLL on domain controllers to intercept credentials, while RDP, WMI, and ngrok tunnels were used to move through the environment and bypass perimeter controls. Microsoft said no vulnerability in HPE Operations Agent was involved; the intrusion instead exploited trusted operational relationships, prompting recommendations for stronger EDR coverage, egress filtering, enhanced monitoring, and tighter validation of third-party and identity trust paths.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Attackers exfiltrate Microsoft 365 data with rclone and deploy ransomware
After expanding access with valid accounts and credential theft, the attackers used a compromised Microsoft 365 admin account to obtain OAuth2 tokens, access SharePoint and OneDrive with rclone, and exfiltrate large volumes of files over two days. The intrusion then culminated in ransomware deployment on compromised servers, with a ransom note named "!! READ_ME!!.txt" indicating encryption activity.
Microsoft publishes investigation and mitigation guidance
On May 12, 2026, Microsoft published its case study describing the third-party compromise, the attacker tradecraft, and recommended mitigations including EDR deployment, egress filtering, stronger monitoring, and validation of third-party and identity trust paths.
Microsoft Incident Response engaged on day 123 of intrusion
Microsoft Incident Response became involved on day 123 of the compromise, indicating the intrusion had remained stealthy and persistent for an extended period before investigation.
Attackers expand access using valid accounts and remote admin tools
Microsoft said the campaign relied on valid accounts, RDP, WMI, and ngrok tunnels for lateral movement and to bypass perimeter controls, including access to systems such as SQL-01.
Credential interception established on domain controllers
The actor installed a malicious network provider DLL and a malicious password filter DLL on domain controllers DC01 and DC02 to intercept credentials and maintain long-term access.
Web shells deployed on internet-facing servers
The intruders established persistence on internet-facing systems by deploying web shells on servers identified as WEB-01 and WEB-02, enabling continued remote access.
Attackers use HPE management tooling for remote execution
After gaining access, the actor used trusted enterprise management tools including HPE Operations Manager and HPE Operations Agent to execute scripts across the victim environment. Microsoft stated the activity did not involve any vulnerability in HPE Operations Agent.
Threat actor compromises a third-party IT services provider
Microsoft Incident Response reported that the intrusion began with a threat actor abusing access obtained through a compromised third-party IT services provider, leveraging an existing trusted relationship rather than exploiting a software vulnerability.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
A 6-step guide for responding to the Foxconn ransomware/supply chain incident | perspective | SC Media
scworld.com
Open sourceMicrosoft Warns of Attackers Using Trusted HPE Operations Agent for Malware-Free Intrusions - Cyber Security News
cybersecuritynews.com
Open sourceUnusual Data Exfiltration Paths: Leveraging Rclone for SharePoint Data Theft - YLabs
labs.yarix.com
Open sourceUndermining the trust boundary: Investigating a stealthy intrusion through third-party compromise | Microsoft Security Blog
microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
F5 BIG-IP Breach Led to Linux Pivot, Confluence RCE, and AD Relay Attempts
Microsoft reported a multi-stage intrusion that began with the compromise of an internet-facing **F5 BIG-IP** appliance and expanded into broader enterprise access. The attacker used the edge device to obtain SSH access to an internal Linux host, then carried out reconnaissance with tools including **Nmap**, **gowitness**, and other open-source utilities. Microsoft said the actor also downloaded a custom scanner, detected as `HackTool:Linux/MalPack.B`, from `206.189.27[.]39`, and used the Linux foothold to identify an unpatched internal **Atlassian Confluence** server. The attacker exploited Confluence for remote code execution, shifted payload staging to an FTP server on the initial Linux host after other delivery methods were blocked, and extracted credentials from Confluence configuration files. Those credentials were then used in attempts to move into Windows identity infrastructure through relay-style attacks against **Active Directory**, including Kerberos relay activity and exploitation of `CVE-2025-33073`, while the actor also tested SSL/TLS exposure with **testssl**. Microsoft said the case shows how end-of-life edge appliances, unpatched internal applications, and weak identity protections can combine into a single attack chain spanning network appliances, Linux systems, enterprise applications, and domain services.
May 25, 2026
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.
Apr 30, 2026
Chinese State-Backed Espionage Campaign Breached Global Service Providers and Customer Networks
Australia’s ACSC and CISA warned that Chinese state-sponsored actors compromised networks worldwide as part of a broad espionage operation that targeted IT service providers and then leveraged that access to reach downstream customer environments. U.S. government reporting tied the activity to Chinese cyber actors associated with the Ministry of State Security, describing a long-running campaign that stole intellectual property and sensitive data from organizations across at least 12 countries and sectors including information technology, energy, healthcare, communications, and critical manufacturing. The intrusions relied on stolen administrative credentials, abuse of digital certificates, and post-compromise tooling including **PowerShell**, **PowerSploit**, **REDLEAVES**, and **PLUGX** to maintain persistence and move laterally. Authorities said the malware used techniques such as **DLL side-loading**, in-memory execution, and **RC4**-encrypted command-and-control over port `443`, including spoofed domains masquerading as Windows update infrastructure, and urged defenders to strengthen privileged account protections, network segmentation, logging, and monitoring for suspicious administrative share activity and protocol mismatches.
May 27, 2026