SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Octo Tempest targets airlines as Microsoft warns of new cyber risks

Yesterday

Microsoft has reported that the cybercriminal group Octo Tempest has shifted its focus to the airlines sector following recent attacks on retail, food services, hospitality, and insurance organisations.

The observed pattern is consistent with Octo Tempest's usual strategy of targeting a single sector for several weeks or months before moving on to new industries. Microsoft Security products are being regularly updated to address these evolving threats.

Octo Tempest activity

Octo Tempest, also tracked as Scattered Spider, Muddled Libra, UNC3944, and 0ktapus, is financially motivated and varies its methods from attack to attack. Initial access typically comes through social engineering: impersonating legitimate users and contacting support desks by phone, email, and messaging platforms, usually to obtain password resets. The group also sends SMS phishing that directs victims to adversary-in-the-middle domains crafted to look like the organisation's own sign-in pages.
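
One defensive counterpart to the lookalike-domain tactic described above is to score domains seen in DNS or proxy logs against the organisation's legitimate domain. The block below is an added example, not code from the article or from Microsoft; the organisation name (contoso.com), the sample domains and the homoglyph table are constructed for illustration.

```python
"""Added example (not from the original article or from Microsoft): flag domains
that impersonate an organisation's sign-in sites, the way adversary-in-the-middle
phishing domains do. The organisation name, domains and the homoglyph table are
constructed for illustration."""
import unicodedata

# Substitutions attackers use to imitate letters; constructed, not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold accents to ASCII, lowercase, and undo common letter substitutions."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a one-character typo scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str):
    """Return (registrable domain, its first label). Assumption: a single-label
    public suffix such as .com; multi-part suffixes (.com.au) need a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), parts[-2]


def classify(domain: str, legit_domain: str = "contoso.com"):
    """Return why `domain` looks like an impersonation of `legit_domain`, or None."""
    legit_reg, brand = registrable(legit_domain)
    reg, label = registrable(domain)
    if reg == legit_reg:
        return None                      # the organisation's own domain or a subdomain
    brand_n, label_n = normalize(brand), normalize(label)
    if label_n == brand_n:
        return "homoglyph" if label.lower() != brand else "wrong-tld"
    if brand_n in label_n:
        return "brand-embedded"          # contoso-sso.com, contosologin.net
    if levenshtein(label_n, brand_n) <= 1:
        return "typosquat"               # contosso.com
    return None


def flag_lookalikes(domains, legit_domain: str = "contoso.com"):
    """Map each suspicious domain to its reason; clean domains are omitted."""
    out = {}
    for d in domains:
        reason = classify(d, legit_domain)
        if reason:
            out[d] = reason
    return out


# Constructed sample: domains as they might appear in DNS or proxy logs.
SAMPLE_DOMAINS = [
    "login.contoso.com", "c0ntoso.com", "contoso.net", "contoso-sso.com",
    "contosso.com", "contos0-login.net", "example.org",
]

if __name__ == "__main__":
    for d, why in flag_lookalikes(SAMPLE_DOMAINS).items():
        print(f"{d:20} {why}")
```

Two caveats a practitioner would want: internationalised domain names appear in logs as punycode (`xn--...`) and need decoding before `normalize` can fold them, and the brand-embedded rule will over-match for short brand strings, so the list of flagged domains is a triage queue rather than a block list.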

Additional tactics include the use of tunnelling and identity-attack tools such as ngrok, Chisel, and AADInternals, attacks on hybrid identity infrastructure, and data exfiltration to support extortion or ransomware. Recent intrusions have deployed DragonForce ransomware, with a particular focus on VMware ESXi hypervisor environments. Unlike earlier incidents, these recent attacks began by compromising on-premises accounts and infrastructure before pivoting to cloud environments.

Detection strategies

Microsoft Defender provides detection coverage for Octo Tempest activity across all segments of the security portfolio, including endpoints, identities, SaaS applications, email and collaboration platforms, and cloud workloads. The following detection capabilities have been mapped against Octo Tempest's tactics, techniques, and procedures recently observed:

  • Initial access: Detection of unusual password resets within virtual environments
  • Discovery: Monitoring for suspicious credential dumping (including of NTDS.dit), account enumeration, and reconnaissance over DNS, SMB, SAMR, and LDAP
  • Credential access and lateral movement: Monitoring for tools such as Mimikatz and ADExplorer, suspicious Azure role assignments, and potentially malicious device registrations
  • Persistence and execution: Identifying trusted-backdoor installations and persistent AD FS backdoors
  • Actions on objectives: Detection of data exfiltration and blocking of ransomware deployment through Microsoft Defender

Microsoft notes that the list above is not exhaustive and that a full set of detection options remains available through the Microsoft Defender portal.
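
The initial-access and device-registration detections above share one underlying pattern: a password reset performed by someone other than the account owner (the helpdesk pattern Octo Tempest abuses), followed shortly by an MFA-method or device registration from an address the user has never signed in from. The block below is an added example of that correlation, not Microsoft's detection logic or schema; the event fields, user names and IP addresses are constructed stand-ins for what a SIEM would hold.

```python
"""Added example, not Microsoft's code: correlate third-party password resets with
follow-on MFA/device registrations from unfamiliar IPs. Event fields and values are
constructed; they are not a Microsoft Defender schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IdentityEvent:
    ts: datetime
    user: str
    action: str   # "SignIn" | "PasswordReset" | "MfaMethodRegistered" | "DeviceRegistered"
    actor: str    # account that performed the action (helpdesk operator or the user)
    src_ip: str


REGISTRATION_ACTIONS = {"MfaMethodRegistered", "DeviceRegistered"}
WINDOW = timedelta(hours=2)   # assumed correlation window; tune to helpdesk SLAs


def known_ips(events, user, before):
    """Baseline: addresses the user signed in from before `before`."""
    return {e.src_ip for e in events
            if e.user == user and e.action == "SignIn" and e.ts < before}


def find_reset_then_register(events, window=WINDOW):
    """Return one alert per (third-party reset, registration from an unfamiliar IP
    within `window`). Self-service resets are ignored because the concern here is
    helpdesk-driven takeover. A user with no sign-in history has an empty baseline,
    so any registration after such a reset is flagged."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, reset in enumerate(events):
        if reset.action != "PasswordReset" or reset.actor == reset.user:
            continue
        baseline = known_ips(events, reset.user, reset.ts)
        for follow in events[i + 1:]:
            if follow.ts - reset.ts > window:
                break                       # events are time-ordered, nothing later qualifies
            if (follow.user == reset.user
                    and follow.action in REGISTRATION_ACTIONS
                    and follow.src_ip not in baseline):
                alerts.append({
                    "user": reset.user,
                    "reset_by": reset.actor,
                    "reset_at": reset.ts,
                    "action": follow.action,
                    "from_ip": follow.src_ip,
                    "minutes_after_reset": (follow.ts - reset.ts) // timedelta(minutes=1),
                })
    return alerts


# Constructed sample events (documentation IP ranges, fictional users).
T = datetime(2025, 6, 30, 8, 0)
SAMPLE_EVENTS = [
    # j.smith: helpdesk resets the password, then MFA is re-enrolled from an unfamiliar IP
    IdentityEvent(T, "j.smith", "SignIn", "j.smith", "203.0.113.10"),
    IdentityEvent(T + timedelta(hours=2), "j.smith", "PasswordReset", "helpdesk.op1", "10.0.0.5"),
    IdentityEvent(T + timedelta(hours=2, minutes=12), "j.smith", "MfaMethodRegistered", "j.smith", "198.51.100.77"),
    # a.lee: helpdesk reset, but the device registration comes from a known address
    IdentityEvent(T, "a.lee", "SignIn", "a.lee", "203.0.113.20"),
    IdentityEvent(T + timedelta(hours=3), "a.lee", "PasswordReset", "helpdesk.op1", "10.0.0.5"),
    IdentityEvent(T + timedelta(hours=3, minutes=30), "a.lee", "DeviceRegistered", "a.lee", "203.0.113.20"),
    # m.chen: self-service reset followed by a new MFA method; out of scope by design
    IdentityEvent(T + timedelta(hours=4), "m.chen", "PasswordReset", "m.chen", "203.0.113.30"),
    IdentityEvent(T + timedelta(hours=4, minutes=5), "m.chen", "MfaMethodRegistered", "m.chen", "198.51.100.9"),
    # r.patel: helpdesk reset, new-IP registration a day later (outside the window)
    IdentityEvent(T, "r.patel", "SignIn", "r.patel", "203.0.113.40"),
    IdentityEvent(T + timedelta(hours=5), "r.patel", "PasswordReset", "helpdesk.op2", "10.0.0.6"),
    IdentityEvent(T + timedelta(days=1), "r.patel", "DeviceRegistered", "r.patel", "198.51.100.50"),
]

if __name__ == "__main__":
    for alert in find_reset_then_register(SAMPLE_EVENTS):
        print(alert)
```

Only j.smith is flagged: the reset was done by a helpdesk account and the MFA re-enrolment twelve minutes later came from an address with no prior sign-in. The baseline is deliberately simple (exact IP match); in production you would key it on ASN or device identity as well, and extend it to cover the helpdesk operator side, since a single operator resetting many accounts in a short period is the other half of this playbook.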

Attack disruption and incident response

"Attack disruption is Microsoft Defender's unique, built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker's next move by containing the compromised asset (user, device). This technology uses multiple potential indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, and possible Octo Tempest-related sign-in activities, and correlates them across the Microsoft Defender workloads into a high-fidelity incident."

According to Microsoft, when Octo Tempest techniques are identified, attack disruption will disable compromised user accounts and revoke active sessions, isolating the threat. Security operations centre teams are advised to follow up with incident response actions to ensure threats are fully remediated.

Proactive defence approaches

Organisations are also encouraged to use Microsoft Defender's advanced hunting capabilities to proactively identify, trace, and respond to Octo Tempest-related activities. Analysts can query both Microsoft and non-Microsoft data sources using tools such as Microsoft Defender XDR and Microsoft Sentinel, and receive exposure insights from Microsoft Security Exposure Management. The Exposure Graph enables defenders to assess user targeting and potential impacts of compromise.

"Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Octo Tempest's hybrid attack tactics."

Security teams are advised to classify critical assets in the Microsoft Defender portal, create custom rules, and use initiatives to address specific threats including those posed by Octo Tempest and ransomware groups. The 'Chokepoint' view in the attack path dashboard allows teams to spot helpdesk-linked accounts that Octo Tempest is known to target and take remediating steps accordingly.

Recommended security measures

"In today's threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:"

Microsoft has issued a set of basic security recommendations to mitigate exposure and limit the risk from groups such as Octo Tempest:

  • Identity security: Enable multifactor authentication (MFA) for all users, enforce phishing-resistant MFA for administrators, restrict overprovisioned identities in cloud environments, and use Microsoft Entra Privileged Identity Management.
  • Endpoint security: Activate cloud-delivered and real-time protection with Microsoft Defender Antivirus, turn on tamper protection, and use attack surface reduction rules to block credential stealing and related malicious techniques.
  • Cloud security: Enable purge protection for Key Vaults, use just-in-time network access control for virtual machines, encrypt data with customer-managed keys, activate logging for Azure Key Vault, and ensure Azure Backup is enabled for virtual machines.

The recent focus on the airlines sector by Octo Tempest highlights the ongoing shift in cybercriminal tactics and the need for robust, layered security measures. Organisations are encouraged to regularly reassess their security strategies, apply recommended safeguards, and utilise updated detection and disruption technologies to manage evolving threats.
