Cybersecurity insights from industry experts.

6 Ways to Protect Your Organization Against LAPSUS$

Businesses need to educate employees the type of social engineering attacks used by hacking group DEV-0537 (LAPSUS$) and strengthen their security posture.

Microsoft Security, Microsoft

December 29, 2022

4 Min Read
A city with digital locks overlaid over the skyline.
Source: Video Flow via Shutterstock

The hacking group DEV-0537, also known as LAPSUS$, operates on a global scale using a pure extortion and destruction model without deploying ransomware payloads. Unlike other social engineering attackers, DEV-0537 publicly announces its attacks on social media and pays employees for login credentials and multifactor authentication (MFA) approval. In the past, the group has also used SIM-swapping to facilitate account takeovers, targeted personal employee email accounts, and intruded on crisis-communication calls once their targets have been hacked.

With some education on DEV-0537’s known tactics and strong cyber hygiene, businesses can guard themselves against future social engineering attacks.

Strengthen MFA Implementation

MFA is one of the primary lines of defense against DEV-0537. businesses shouldequire MFA for all users across all locations — regardless of whether they’re working remotely, from a trusted environment, or even from an on-premises system.

DEV-0537 often attempts to access networks via compromised credentials, so user and sign-in risk-based policies can protect against threats, such as new device enrollment and MFA registration. "Break glass" accounts and enterprise or workplace credentials should be stored offline rather than in a password vault or an online browser. Businesses can also leverage password protection to guard against easily guessed passwords.

Passwordless authentication methods can further reduce risks. Finally, you can use automated reports and workbooks to gain insight into risk distribution, risk detection trends, and opportunities for risk remediation.

Avoid telephone-based MFA methods to mitigate the risk of SIM-jacking — when attackers trick the mobile carrier into transferring the phone number to a different SIM card. Other MFA factors, such as voice approvals, simple push (instead, use number matching), and secondary email addresses, are also weak and can be bypassed. Prevent users from sharing their credentials and block location-based MFA exclusions — which allow bad actors to bypass the MFA requirements if they can fully compromise a single identity.

Require Healthy and Trusted Endpoints

Another way to guard against data theft is by requiring trusted, compliant, and healthy devices for access to resources. Cloud-delivered protection can further protect against rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.

Leverage Modern Authentication Options for VPNs

Implementing modern authentication and tight conditional VPN access policies, such as OAuth or SAML, has previously been effective against DEV-0537. These strategies block authentication attempts based on sign-in risk — requiring compliant devices in order for users to sign in and tighter integration with your authentication stack to improve risk detection accuracy.

Strengthen and Monitor Your Cloud Security Posture

Because DEV-0537 uses legitimate credentials to attack networks and leak sensitive enterprise data, at first glance the group’s activity might appear consistent with typical user behavior. However, you can strengthen your cloud security posture by reviewing Conditional Access user and session risk configurations, configuring alerts to prompt a review on high-risk modification, and reviewing risk detections.

Improve Awareness of Social Engineering Attacks

Strong employee education is another way to protect your organization against social engineering attacks like DEV-0537. Your technical team should know what to look for and how to report unusual employee activity. Likewise, IT help desks should quickly track and report any suspicious users. Review your help desk policies for password resets for highly privileged users and executives to ensure they take social engineering into consideration.

Establish Operational Security Processes in Response

One hallmark tactic of DEV-0537 is to monitor and eavesdrop on incident response communications in the event of a cybersecurity breach. Companies should monitor these communication channels closely, and attendees should be routinely verified.

In the event that your organization is hacked by DEV-0537, follow tight operational security practices. Develop an out-of-band communication plan for incident responders that can be used for multiple days while an investigation occurs, and ensure response plan documentation is closely guarded and not easily accessible.

Microsoft will continue monitoring DEV-0537’s activities, and we will share additional insights and recommendations as the situation evolves.

Read more Partner Perspectives from Microsoft.

Read more about:

Partner Perspectives

About the Author(s)

Microsoft Security


Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights