{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/trusted-relationship/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender","HPE Operations Agent","HPE Operations Manager"],"_cs_severities":["high"],"_cs_tags":["third-party-compromise","trusted-relationship","lateral-movement","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HPE"],"content_html":"\u003cp\u003eIn May 2026, Microsoft Incident Response investigated an intrusion where the attacker leveraged a compromised third-party IT services provider to gain access to a target environment. The attack avoided noisy exploits and custom malware, instead focusing on the abuse of legitimate and trusted administrative mechanisms, such as the HPE Operations Agent (OA). By operating through established trust relationships and authentication processes, the attacker was able to blend their malicious activity seamlessly into routine operations. This approach enabled the threat actor to establish durable access, steal credentials, and maintain a persistent foothold within the environment without triggering immediate alerts. The investigation highlighted the risks associated with implicit trust paths in third-party management relationships and the potential for attackers to abuse these relationships to move laterally within an environment using legitimate access and tooling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Third-Party Compromise:\u003c/strong\u003e The attacker compromised a third-party IT services provider responsible for managing the target\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLeveraging HPE Operations Agent (OA):\u003c/strong\u003e The attacker abused the HPE OA, a legitimate IT management tool, to execute scripts and binaries on managed hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker used the HPE OA framework to execute VBScripts on multiple servers, including web servers and domain controllers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell Deployment:\u003c/strong\u003e A web shell named \u003ccode\u003eErrors.aspx\u003c/code\u003e was deployed on internet-exposed web servers (WEB-01 and WEB-02), although the initial deployment mechanism remains undetermined.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Interception:\u003c/strong\u003e The attacker introduced credential interception capabilities on domain infrastructure to harvest and reuse credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leveraged harvested credentials and covert connectivity to move laterally across devices, including sensitive assets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker established persistent access on internet-facing servers, enabling repeated access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRe-establishing Persistence:\u003c/strong\u003e After initial detection, the attacker returned to previously established access points to re-enable persistence and deploy additional tooling.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful intrusion allowed the threat actor to maintain a long-term presence within the target environment, conduct credential theft, and move laterally to access sensitive assets. The abuse of trusted relationships and legitimate tools made the attack difficult to detect, allowing the attacker to operate undetected for an extended period. This highlights the potential for significant damage resulting from third-party compromise and the need for robust monitoring and security measures to detect and prevent such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for unusual executions originating from the HPE Operations Agent (OA) using the \u0026ldquo;Detect Suspicious HPE Operations Agent Activity\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for the presence of web shells, such as \u003ccode\u003eErrors.aspx\u003c/code\u003e, on internet-exposed servers based on file creation events.\u003c/li\u003e\n\u003cli\u003eReview and audit third-party access and trust relationships to minimize the attack surface and identify potential points of compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) and least privilege principles to limit the impact of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T16:06:58Z","date_published":"2026-05-12T16:06:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-third-party-compromise/","summary":"A threat actor compromised a third-party IT services provider and abused legitimate IT management tools like HPE Operations Agent to conduct a stealthy campaign focusing on long-term access, credential theft, and persistent footholds within a target environment.","title":"Third-Party Compromise Leading to Stealthy Intrusions via Trusted IT Management Tools","url":"https://feed.craftedsignal.io/briefs/2026-05-third-party-compromise/"}],"language":"en","title":"CraftedSignal Threat Feed — Trusted-Relationship","version":"https://jsonfeed.org/version/1.1"}