Active Directory and Windows Infrastructure as a Malware Tool

A good starting point for non-IT executives and managers to understand what hackers are really up to is the Verizon Data Breach Investigation Report (DBIR). This yearly summary of security incidents and breaches has become the go-to resource for the industry. In their 2021 report, some of the major long-term trends are still evident: over 80% of breaches are still conducted by external actors and their overwhelming motive is, as always, financial. As in past years, hacking is at the top of threat actions—that is, where a “black hat” is cleverly finding and taking advantage of vulnerabilities to break into systems.

However, the DBIR team has noticed there’s a new attack pattern that has become popular—just behind traditional hacking. It starts out with a sneaky social engineering approach in which an email, text message, or web site persuades the victim to click on a document or link.

Innocent enough, but through clever malware the victim has now allowed the attacker to enter the internal corporate network, no hacking required. We know this as the nuisance phishing email that seems legitimate but whose embedded document our security training (we hope!) has taught us not to open.

In this whitepaper, we will go through the ways in which Active Directory and Windows infrastructure are being used as a malware tool, and what you can do to improve your security in this area.