DISCARDED: Tales From the Threat Research Trenches
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED
DISCARDED: Tales From the Threat Research Trenches
From Phishing to Court Cases: How Microsoft Fights Back Against Hackers
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Hello to all our Cyber Pals!
Host Selena Larson is joined by Sean Farrell, Assistant General Counsel at Microsoft's Digital Crimes Unit (DCU), to pull back the curtain on how major cyber crime takedowns actually happen and how Microsoft uses civil lawsuits, criminal referrals, and global partnerships to disrupt some of the most damaging cyber crime operations in the world.
They discuss:
- What DCU does and Sean's path from FBI to AWS to Microsoft
- How civil claims like the CFAA and RICO are used to seize infrastructure
- The Fox Tempest takedown and its ties to Rhysida ransomware
- The global disruption of the Tycoon 2FA phishing-as-a-service operation
- How targets get chosen, and civil vs. criminal action
- Why naming victims changes the public narrative on cyber crime
- Arrests tied to Octo Tempest/Scattered Spider
- The risks of AI-generated sloppiness in legal and threat intel work
Disrupting cyber crime isn't about ending it for good, it's about raising the cost of doing business until bad actors run out of road.
Resources Mentioned:
https://www.microsoft.com/en-us/corporate-responsibility/customer-security-trust/digital-crimes-unit
https://blogs.microsoft.com/on-the-issues/2026/05/19/disrupting-fox-tempest-a-cybercrime-service/
https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Stay ahead of emerging threats, and subscribe! Happy hunting!
You're listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint for security practitioners. Each episode you'll hear from security researchers, malware analysts, threat hunters, and more as we dive into what's going on in the world of cyber attacks and how defenders safeguard us from threats. Let's get into the show. Hello to all our cyber paddles, and welcome to the Proof Point Discarded Podcast. I'm your host, Selena Larson, here with a very special guest today, Sean Farrell, Assistant General Counsel of Microsoft's Digital Crimes Unit. Welcome, Sean.
SPEAKER_00Hello. I'm so excited to be here. Thank you for having me.
SPEAKER_02Yeah, me too. I'm excited that you're here too. And we have known each other sort of vaguely and from on the internet for a little bit, but we actually finally met in person back in February when we were working on the tycoon disruption. And that was really, really fun. And we got to spend some time together. And when I was there, I was like, you should come on my podcast. Your job is amazing. You're such a cool person. And so wow. So glad we made it happen. So welcome.
SPEAKER_00These are the nicest things that anyone's ever said to me. Thank you. Yeah, no, it was great meeting you. And I know we'll talk about that in person finally. And um, I know we'll talk about that disruption. But yeah, really excited to be here.
SPEAKER_02Awesome. So, as background, many of our listeners might be familiar because we have talked about uh DCU and in the context of some of the other operational takedowns you guys have been a part of. But for our listeners who might not be familiar, what is Microsoft's digital crimes unit and how does it work to enable threat actor takedowns?
SPEAKER_00Yeah, I'd love to talk about that and maybe a quick backstory on how I got to the DCU. So I uh I I've been an attorney. So for those that may not know what assistant general counsel is, and don't hold it against me. Uh, an attorney with Microsoft and the DCU for about four years now. Prior to that, I spent some time at AWS and Amazon. And before that, I spent time with the FBI. I started my career actually as an intelligence analyst doing counterterrorism work and then transitioned into uh the office of general counsel, where I sort of started up and ran the cyber law unit before I left. So shout out to all my FBI peeps and folks at Amazon as well. And so the digital crimes unit, we're kind of unique in industry where we sit in the legal section within Microsoft, and we've been around in various forums since I think roughly 2008. And what we do and what we focus on now and over the last you know decade at least is trying to bring to bear the powers of the judicial system, the legal system to combat cyber threats. I often say, if you hear me speak in other settings, we're sort of the external enforcement arm of what Microsoft does to combat cyber threats. And so we really try to raise the cost of doing business for bad actors. And there's kind of two primary ways, but there's a lot of color and nuance to this. But we work very closely with law enforcement, both domestically in the United States and internationally, providing criminal referrals, working with our partners in Mystic and Threat Intelligence to share information about cyber threats and nation-state threats as well. And then we also bring to bear where we can, and we can talk about this a little more later, how or why, if people are interested, we can also bring civil lawsuits against bad actors. If you think about it, it's a blessing and a curse, you know, sort of the ubiquity of Microsoft products and services. Unfortunately, bad actors will misuse our products and services at time or take advantage of using those to attack customers and things like that. And in those instances, we may have legal claims and legal standing to actually bring civil lawsuits that enable us to do things like take down infrastructure, uh, go after actor assets. And we often do that in parallel with law enforcement actions to hopefully have the actors both infrastructure disrupted, perhaps through what we do, but then also hopefully pursuing law enforcement actions as well. So that's a that's a quick high level of what we do.
SPEAKER_02Yeah, no, that's great. And I think a lot of people, when they think about disruptions or threat actor consequences or, you know, takedowns, I think there's a lot of people that think of, you know, the cops knocking on a door, seizing a server, you know, maybe going in handcuffs, maybe some, I don't know, some Hollywood-esque two people typing on the same laptop. But in reality, a lot of takedowns and disruptions are all about paperwork and legal things.
SPEAKER_00You're really making it sound very awesome.
SPEAKER_02Um, no, I think I think it's like the peak behind the curtain that people don't really realize is like the amount of work that goes into this from so many different parts of an organization. I mean, you are, you guys are really you're on the front lines, but in a different way than I think people realize.
SPEAKER_00Yeah. And the funny thing is, is having come from the government and doing work similar to this, people often don't realize that, you know, the work at the FBI or whatever organization you're at is also a lot of paperwork. And that's kind of how the wheels of justice move. And so the cool thing is though, and you know, I mentioned like actors misusing our products and services, is it and it's interesting, and maybe only interesting to lawyer people, but there are claims we can bring under like the Computer Fraud and Abuse Act, which is the federal anti-hacking statute. A lot of people don't realize there's both civil and criminal claims you could bring. So, as a private entity, I hope what we show is that you're not sort of helpless and wholly dependent on the government to take action. There are things you can potentially do. It takes time, money, and resources and commitment from an organization. And I think that's why this disruption we'll talk about, Tycoon and some others are so interesting, where we we got a coalition of private industry as well as folks from the government to come together and I think of it as sort of the the best fighter you can bring to the fight. Who can do best what? Who can do what best? How who can bring the most to bear against the bad actors? And how do you kind of divvy that up when you're thinking about disruption strategies?
SPEAKER_02Yeah, absolutely. Well, and I think you mentioned, I don't know if anyone else thinks it's cool. I think it's so exciting. I mean, when we were hanging out in the in New York at the law office, and I was just like, oh my gosh, what's happening? And I was on the edge of my seat and so excited to learn everything. I loved writing legal documents. Like I was like, this is so exciting. My my contribution to the case. And I was I was on cloud nine, let me tell you, it was honestly some of the most fun that I've had is working on like the legal, legal side of cyber. And everyone else was like, You're crazy.
SPEAKER_00Very excited. I I wanted you to be able to testify. I luckily or unluckily, if you're a lawyer, the judge signed our request without requiring testimony because you signed your name and we appreciate you and proof point stepping as a declarant with our partners at help Isaac to do that because it takes some risk in doing that. But yeah, your enthusiasm was awesome. And it was you were a little disappointed you didn't actually get to testify, but that's usually a good thing. We we try to avoid that at all costs if we can. But yeah, you were fired up. And next time, next time we'll make sure we'll our filings maybe won't be as good. And we'll try to judge will have some questions for you. So we'll make sure we get that.
SPEAKER_02Amazing. I'm ready. I'm ready. Well, so we will talk about Tycoon in just a second. That again did happen back uh earlier this year. But as we're currently recording this, it's the beginning of June, and DCU just published some new takedown information about and just had another disruption of a major cybercrime ecosystem and threat actor around Fox Tempest. So it's essentially a cyber criminal threat actor that provided a service for verified, quote unquote, maliciously verified uh software that was serving as a pathway for ransomware. And of course, you know, and maybe you can kind of use this case to explain how collaboration works between Microsoft, DCU, law enforcement, and maybe some of the other private sector partners to kind of work on this. Because I know, you know, ransomware is obviously a huge, huge, huge problem. And I think that a lot of efforts around disruptions focus on some of the most impactful types of cybercrime and how you can go after the source of things or the enablers of things like ransomware.
SPEAKER_00Yeah, I think that's been a big focus of DCU. I think since I joined and some of the disruptions we've kicked off, we've we've seen this explosion in what I think you know folks generally understand is cybercrime as a service, where you have threat actors who are it's kind of the McDonald's version of cybercrime, right? Like I I want to do a fishing attack, but I don't know how to do that. So I'm gonna you know go to the internet and find out who's selling fishing kits, who's enabling that. In this case, this this Fox Tempest actor was is pretty unique. And for those who may not be familiar, that's our Tempest means financially motivated threat actor and the mystic and Microsoft naming convention. And so this actor was kind of unique, broader ecosystem where they were getting fraudulent access to what we call um our artifact signing service. It's it's Microsoft's third-party code signing process, where as you as a partner, somebody want to come in, be able to enable others to get Microsoft code signing certificates. There's a whole process, KYC that you go through. And this actor had figured out a way to bypass that. And this actually came to our attention through our partners in Mystic. A lot of our cases may start through threat intelligence leads or leads from other partners. And we started looking into it and we uncovered that this was a pretty significant problem. And we we knew and we we spoke about in our court filings that this actor was selling to, you know, the the biggest customer of theirs was the Resita ransomware group. And what it was enabling was actors to deploy ransomware uh more effectively. Because if you have a code or a certificate that looks like a trusted code from stamped by Microsoft or a party that works with Microsoft, that can help you get in the front door, as you can imagine. And so it was significant and it was something we decided we need to take action against. And for us, I think the this one was interesting because we had already been working with the FBI and some other partners on Resita investigations. But one of the things we've tried to do with law enforcement too is try to make sure we're we're kind of aligned on what the threat environment looks like, if that makes sense. Because a lot of times, and again, I uh my partners in law enforcement, a lot of times they're always like, we got to go after Resita, you know, or whatever the ransomware flavor of the day is. And I'm like, well, Resetas a complex network of like the developers, the the affiliates. And here we have an enabler of that entire group that is, you know, we can see their payments on the blockchain, we can watch what they're doing, we know that they're buying, we can track it to other ransomware groups as well. So what we did is we started sharing additional threat intelligence with the partners we're already working with on Resita, and we're like, hey, we're looking at trying to disrupt this actor and taking down his infrastructure that we were able to track. It there was some overseas infrastructure initially, then it moved infrastructure here in the United States. And through our process of bringing civil legal claims, uh, the cool thing is we get to bring claims like Rico. People probably hear about Rico in the context of like the Sopranos. That, like the CFAA, it's a it's a statute designed to help disrupt organized crime groups, groups, but it also has civil components. You can bring a civil legal claim. And through through the series of claims we brought, I won't bore people with that, it enabled us to go to the court and say, hey, court, we know where this actor's infrastructure is. We're we want to go and make sure we can take it down. And we were able to work with that provider and actually obtain images of the servers that were running there that were being used by the actor and his customers, and introduce a host of other internal controls that affect effectively shut down this actor on our infrastructure.
SPEAKER_02Well, so I think it's interesting that you know the difference between the civil and the criminal because again, like people think of like handcuffs and knocking doors down, but the civil case is more about okay, who was targeted by this and how can we show that they deserve justice in some way? And so, in the report that you guys put out when you published on Fox Tempest, you mentioned that some of the impacts of this malware of race though were schools, hospitals, critical organizations worldwide. So you have the criminals that are doing really bad things, but you're in this way, I feel like with civil civil suits in particular, you can really focus on some of the victims there. Like you're so you're telling a judge, like, hey, this malware cost a school, you know, hundreds of thousands of dollars, or you know, a hospital, patients were impacted. And and and you're able to sort of illustrate that with and bring a case without necessarily having handcuffs on a person.
SPEAKER_00Well, yeah, two two things on that. So I think what's important to that the whole concept of like stopping the harm, the cool thing about the civil actions you can bring is you can get what is essentially equitable relief, where a judge can say, you say, Judge, this this thing that is happening is causing ongoing harm to us, others, our customers. And the great the judge can grant you relief, like, okay, well, whoever's hosting this activity needs to stop it. And perhaps you can seize and get copies of infrastructure that the actors are using. And so that it's really empowering. And the other part of it too is, and I think for and that's an important thing from a private sector standpoint, is there are oftentimes we coordinate and time things with law enforcement where we do our disruption at the same time that maybe they're kicking in a door and arresting somebody. There are times though where the harm is so significant where we just need to stop the harm, but it doesn't mean we're not working with law enforcement. And it certainly doesn't mean we're not continuing to work with law enforcement, and it certainly doesn't mean law enforcement isn't working right now to look into the actors behind this activity and and pursue potentially criminal actions against them. So I think it's an important thing for folks to realize is that you may see this, you may not know everything, and I can't say everything that's going on behind the scenes now, but in this case and other cases, there's still ongoing criminal actions that are being pursued, and we're still engaged on those efforts. And so it's not like we drop our lawsuit and walk away like the, you know, we we've saved the world. It's we recognize that, you know, for some of these threat actors, especially that they're gonna try to come back, and you ultimately may need a criminal action to disrupt them completely.
SPEAKER_02Well, and I feel like the civil cases also provide the public with an understanding of the full scope of the impact, also. And you can have it. I mean, not that cyber threat intelligence is about storytelling and creating a narrative, but I do think that's a good thing.
SPEAKER_00I would say everything is, but we'll we can talk about that more later. Like telling a good story, who cares, right?
SPEAKER_02Right, right, exactly. But I do think that, you know, a lot of times people are like, oh, well, it's just cybercrime, right? Like shrug, okay, whatever. And being able to illustrate the impact and identify victims and targets of these cases beyond just, you know, they're there the criminal suit obviously is really important and interesting because you have that individual and all of those impacts as well. But when you're actually filing paperwork, you can document the actual impact and say, we know that this happened to us, and a lot of really useful intelligence can be gleaned from lawsuits and that are going to the public record. And you can build a picture of who the targets were, when activity was happening, what the different techniques were that were being used on certain, you know, organizations or or verticals. And it is a very useful piece for threat researchers and and cyber threat intelligence analysts to look at those lawsuits and to understand how you guys are approaching that and what data goes into them, because it can help tell a story and paint a fuller picture of an adversary.
SPEAKER_00Yeah. And I think those, that's why those partnerships are so key. And we'll talk about this more with Tycoon. But when you get those insights from, you know, you know, for whatever it's worth, people may not care that Microsoft's a victim of cybercrime, but they do care when we're representing and working with hospitals or education sector others who are telling their story and we're giving a voice to. And honestly, like sometimes we may not be completely aligned with, you know, law enforcement on what's a strategic priority, but engaging in these kind of actions, I think brings their attention to like, oh, there's a collective of folks who were saying we should be looking at this thing and what's something we could do about it. That story may be buried otherwise, unless you're coming forward and proactively addressing it sort of as an industry.
SPEAKER_02Absolutely. Well, and I think we let's actually talk about Tycoon because you mentioned healthcare. And Al Baisak was one of the fellow declarants in this case against the Tycoon 2FA operator. And so to remind our listeners, Tycoon 2FA was a prominent attacker in the middle of a fishing kit, fishing as a service. And they were among the most high volume MFA fishing threats that Proof Point saw in our data, and certainly that Microsoft also saw in your data. So they were very, very high volume, millions of messages every month that were tycoon fishing. And the takedown, we can you can kind of describe the takedown, but since then, and I think it's really important to note too, and we can talk about this, that it's not necessarily a full takedown. It's very much a disruption of activity. And I think, you know, since then it's really knocked a major player like down, you know, cut cut the legs off a little bit. We still see some some activity, but it has had a huge, huge, huge impact. Um, but what can you maybe talk a little bit about the tycoon case in particular and working with the partners that you identify to help tell the story and help identify, you know, some some impacted victims and the impact on their organizations from the tycoon infrastructure?
SPEAKER_00Yeah, for sure. And you kind of hit at a high level, major and at the time the most impactful, largest fishing as a service entity out there. And again, for folks that don't know, I don't know how to do a fishing kit. I go to our friend Tycoon and buy the fishing kits, and he helps enable that activity at a very high level. So it really makes it a lot easier for anyone who wants to to commit cybercrime. You buy these off-the-shelf kits, whether it's malware signing as a service, like our Fox Tempest actor or Tycoon. It's just so easy. But in this case, what was cool about this in a lot of ways was we really came together as an industry group for the first time through our friends in Europol, EC3, for those who may be familiar, started up not that long ago, and I always mess up this acronym, so correct me if I got it wrong. It's the Cyber Intelligence Intelligence Extension Program, which is a collective of industry partners who are basically sitting with EC3 for the purposes of sharing and identifying potential targets for the purposes of these kind of joint public-private disruption actions. And so I think during the sprint, one of our analysts who's just fantastic and was our lead on this investigation, who likes to stay under coverage, so I won't say your name, but she helped lead that kind of industry group and coming together and saying, like, all right, what's out there that we can collectively say is a big problem? And so we're able to align with folks like Proof Point, SpyCloud, a host of others to say this is one of the most significant fishing as a service operations out there. Let's see what we can do about it. And that sort of started the wheels turning on coming up with, well, what does a disruption action look like? And then for us, you know, we we we again we're fortunate that we have the resources, the backing of our company to come forward and say, look, we can we can help pay for a lawsuit to seek some of these actions that I described earlier. Go to a judge, judge, this activity is enabling ransomware attacks. It's sort of that that you know initial access vector for a host of cybercrime. Whatever you're trying to do, phishing, whatever it might be, it can enable all of the cybercrime. If we can have an impact on this, we can have an impact not just on phishing activity itself, but whatever phishing leads to. And so we were able to, again, similar to claims that we've we've used in the past, judge these actors who are doing these attacker-in-the-middle attacks for those that may not be familiar with it in a very non-technical just description. Hey, you know, I'm I I get this message, and then there's a Microsoft pop-up. Give me your credentials. The actor sits in the middle, the kids enable them to steal those credentials you provide, and whatever else may be enabling that access, siphon it off to the customers that service. All of a sudden they've got your valid credentials. It's that identity theft that and and that identity-based attacks that we've seen so much of that, you know, you don't need a zero-day exploit. You don't need anything like that. You just need to trick somebody, unfortunately. And they're becoming more effective. And by virtue of the fact that for some of those kits, they were impersonating Microsoft, it looks like a Microsoft pop-up. That gives us that legal hook. And so we were like, look, we can bring an action. And then we worked collectively, and this is why Proof Point and other partners were so essential. Let's map out this actor's infrastructure and who can do what where. And this one was tough because I would say, and you know, feel free to chime in here too. It was a pretty widely distributed infrastructure network globally, where there were the phishing domains, there were what we call the control panel domains. The control panel domains are basically what you, as a customer of Tycoon's Who FA, he's giving to you. You log in, you've got your nice little UI. Oh, I want to do a phishing attack against Microsoft or I want to impersonate GoDaddy or whoever it is.
SPEAKER_02Yeah.
SPEAKER_00He gives that to you a template on how to do it. So we want to take down the control panels, but also have an impact on those other domains that are sitting out there as a part of the broader obfuscation network. And so we partnered through Europol and with all of our industry partners, another key partner was Cloudflare, who some of the actor the actors' infrastructure was hosted through. We were able to bring a legal action to the US where we were able to seize 330-some domains, these control panel domains. But then we farmed out the intelligence from this broader industry group to CERTs around the world, to law enforcement partners who then were able to effectuate actions and take down domains in their countries. And so what was cool about that, it was really a global effort. There was a lot of action. We've been sharing and continue to share intelligence about potential customers who are using the service, as well as the actor behind the service who we identified in coordination with partners in our court filings. And we're hoping there's going to be follow on actions criminally against these. But I don't know, what was your experience like? Like going through that. What are your thoughts on how it all came together?
SPEAKER_02I thought it was really great. So I think oftentimes, as a threat researcher or somebody that works in this industry, I mean, ideally what we all want to do is make crime go away, although I guess that's kind of our job security. But I think it's it's sometimes it can feel really overwhelming or disheartening to kind of do the same thing over and over again. You're like, oh my gosh, I'm still blocking these same criminals. Like they're still doing the same thing. And, you know, I we know all this information about a criminal. What can we do about it? I would like to clear this guy out of my feeds, you know. Like I would, I would like to have an impact. And so when the opportunity came up, I was like, this is great. Let me give you guys everything that we have on Tycoon that could be helpful because we would love to support this. Because fundamentally, I mean, yeah, we all we're we're a business. And so when what it comes down to is we're protecting our customers, right? And and if this is the biggest and most impactful fishing, MFA fishing cyber attack against our customers that we're seeing, we would like to stop that from happening. And to be empowered to do it felt great. Because even if it wasn't necessarily having this huge impact, it's like, wow, I've there's actually something happening. There's actually some consequences. There's the ability to disrupt activity. And what I thought was the best was a coming together of people. Because I think this industry can be sometimes competitive, or you know, people don't really talk to each other and information sharing is can be so close source. But I think that this opportunity really brought together somebody who had a different piece of the puzzle. And all of us together combined a full picture, and you're able to have that impact. And like you mentioned earlier, some of the law enforcement, overseas law enforcement, the Europe, the European partners and collaborators, they were able to do things that the private sector is not able to do with this information. And they can take that and run with it. So by having a lot of sharing, being really open, being very, very collaborative, you can have a sort of domino effect impact. It's not just, oh, you're taking down a set of domains. It's that you're taking down a set of domains. Now you have visibility into the infrastructure that can continuously be taken down and targeted. You can partner with law enforcement, you can build a picture of an actor, and it has this sort of, it's a catalyst really to action.
SPEAKER_00Yeah. And again, that part, and I'm I'm I'm not I'm not gonna remember all the names or was be able to recite everybody here. But one of the cool things too, we did is, you know, we put a splash page up on those domains that we seized so that when actors go to it, you see seized by Microsoft, Europol, and then a host of other partners who were all engaged there. So it's kind of sending a message that, like, hey, wow, this is a lot of a lot of folks who are focused on us.
unknownYeah.
SPEAKER_00Hopefully that that in of itself sends a deterrent message to bad actors. I would say the other thing too, you talked about the disruption and the impact. So we did see what's interesting about this one is like the the activity, there is Tycoon 2FA is not gone, but there has been a degradation of the actor services. We've seen, I don't have the latest numbers, but at least a 15%-ish reduction in attacks that we attribute to that actor. I don't know what the latest is you guys are seeing. There was more impact initially where the actor then had to shift all of his infrastructure. So this is this idea of like imposing costs. Like the actor moved off of Cloudflare, he had to move to overseas infrastructure. And some say, well, now you push them somewhere we can't do anything about it. Well, I think that actually helps defenders better spot what might be suspicious when better be able to block and and sort of do the back-end disruption actions following onto that. And then if you think of about it from an economic model, like, you know, if you're a retailer and you lose 15% of your sales, 20% of your sales for a year, you know, you're probably gonna go out of business, you know. And I think that's a good thing. And again, I the other thing too is like this actor has a bullseye on him, his customers do too. I think over time you're gonna see more law enforcement actions that spin out of this that will further degrade it. And just bringing that spotlight onto it for everybody, that's like just because you can't completely eliminate a threat doesn't mean you shouldn't try anything. It's kind of a concept of like learned helplessness. Like, what are we gonna do? Well, let's do this, let's impose some costs, let's make it harder for them. And then over time, I think you can degrade them even if somebody's not putting handcuffs.
SPEAKER_02For sure. Well, and I think that that's something that's important to bring up too, because certainly with the tycoon disruption, but others that I've seen in the past, people are like, oh, well, it didn't really fully go away. So it's is this really helpful? Is this really what we want to be doing? Is this how it's best to spend our time? I see, I mean, I see that a lot, especially, you know, Tycoon, like you mentioned, it's still around. And, you know, it's still doing things like now it's doing like device code fishing, like the Tycoon, the Tycoon Fast has like quote unquote newer capabilities. But like you were mentioning, the volume's way down, and the customers of it are gonna be mad at him and they're gonna try and do other things. So, what we are actually seeing is Tycoon is decreasing, but there is an increasing number of other MFA fishing kits. So, for example, like ODX is a good example, or Nova Cookies, things like that, where there's the threat actors are like, Well, I don't want to work with this guy. Like, I'm I'm gonna go find someone else that I can, you know, give my money to. And and in some in a way that that's kind of good because you see, all right, where where are the next targets? Like where who's who's who's the next thing that we should be focusing on? And obviously, still you want to fully take down and degrade as much as possible someone like Tycoon, but now you have a sort of reliable indicator of where the wind is blowing, once that like, you know, what what can we do next? And two, I think when we we talk about, you know, having that sort of the impact and and and what lawsuits and takedowns do is they show and tell a story of how harmful cybercrime is. And as SWAT researchers and people that work work in cybersecurity, I think we often lose sight of the victims. We lose sight of why we're doing this. We get so caught up in hunting infrastructure, reversing really interesting malware that we forget that every single attack has a person at the end of it. And those people will feel great if they feel some sort of justice is served, whether or not they don't care about, you know, the the the school that gets a tycoon fishing attack doesn't necessarily care that all their infrastructure moved to a completely different provider. They care like, hey, Microsoft and other companies and you know, law enforcement care about this.
SPEAKER_00And that is a huge and and that's like again, a shout out again to Health ISAC, who's been a partner for years. And we've worked with FSISAC. I think hopefully people on this call are generally from over the ISACs. But you know, especially when you work with these industry groups who even in our pleadings and our our civil lawsuit filings, it it can be difficult to get individual victims to come to the table because you know, there's there's risks. Everything involved in this recoming out publicly, putting your name on name on legal pleadings presents some risk, which you were willing and able to do. Thank you again, uh proof point, not as a victim, but as a uh a declarant providing information to help the lawsuit. But there's risks, and that's why with these industry groups, when they can give a voice to that whole sector and talk about the impact of fishing on the healthcare sector more broadly, on the financial sector, on the education sector. It's so essential because again, you know, that just it does empower that. And again, I think the more we can do to shine light and you know, at times even steer law enforcement focus and strategies based on hate, I know everybody wants to talk about the ransomware group, but these enablers of the entire cybercrime ecosystem, they're there and there's things we can do about it, and maybe we focus our effort there. And I think those stories help them immensely too.
SPEAKER_02So that actually brings me to my question of how are you all deciding who you go after? How do you decide on your targets?
SPEAKER_00Yeah, it's it's not it's art and science, it's not the easiest thing to do. We're unfortunately, as you guys know, and we're in a target-rich environment, right? So for us, it's we really rely on those inputs from both internally. You know, we'll get, you know, our Mystic team, our teams that are are in the security orgs or other parts of security orgs. What are they seeing? What's having the most impact on us and our customers? It's kind of a general starting point. So we'll have these internal escalations. We also, again, have inputs from law enforcement partners. We also work closely with like groups like the CIEP to Europol. And so we try to understand the whole landscape and see one, what's impacting us, and then where through a DCU style action can we have impact on the actors? Because there are limitations to the reach of US law, but we can partner with you know law enforcement and other government partners globally as needed. So I think that's the biggest thing for us. But it it takes some work, and there's not a perfect way to do this. We just we really try to measure impact on both sides. How is this impacting us? How is this actually impacting the broader cyber ecosystem as well? And then do we have levers we can pull from a legal standpoint to do something about it? And so yeah, we, you know, we'll share criminal referrals about threat actors, you know, more generally. But when it comes to actually figuring out are we going to spend the money and resources to bring a lawsuit to try to take down infrastructure in that, that's a that's a tougher calculus. I a real quick example, you know, and we talked about Tycoon. We had an another action um earlier this year, late last year. I can't remember the exact dates, it all blends together, against the raccoon 0365 fishing as a service. This one wasn't nearly as large globally as Tycoon, but it was an actor group out of Nigeria. We were quickly able to identify a path to disrupting them. They were having an outsized impact on Microsoft and our customers, and they're kind of an emerging threat. And they were kind of talking about like, hey, we're so excited that we're here. And we're they even talked about how they even talked about how Tycoon was their boy. And like they, they like, hey, no, if you're gonna go anywhere else, go to Tycoon because like we're besties or something, which is just the type, the other funny story. We were we a lot oftentimes in our investigations, we conduct test purchases where we'll get online with fake personas and buy the kits that these actors are selling or whatever they're selling. And the raccoon guy actually had the audacity to ask us for a tip in the context of our interactions with him. Like, okay, well, we're probably gonna pass on the tip for now, but great customer service, we really appreciate it. But anyway, with that action, we were able to identify both a pathway to a civil disruption that we knew would have high impact based on the way they were set up, and also again working with Cloudflare and some other partners. But we also partnered with the U.S. Secret Service who worked with Nigerian law enforcement, and it actually led to three arrests. And that was one where we we got rid of the problem completely. So that was both criminal and civil. It doesn't always work out that way, or maybe not all at the same time, but just another example of like what's possible in this space.
SPEAKER_02Yeah, yeah, it's huge. And I also feel like it's becoming increasingly popular to do it this way. I think back to, you know, like the emotet takedown and the trick bot takedowns when those happened in what like 2018, 2020. Yeah. And then there was like a subsequent emo emotet takedown. But there was like, oh my gosh, there's a takedown happening, and it was like groundbreaking, and everyone was like, what is gonna happen? We're not really sure. How does this work? And there was a lot of skepticism within the community. And I think I even initially was a little bit skeptical of takedowns at the time too, because I was like, oh well, you know, crime's gonna keep happening. I'm just such, you know, a negative Nancy over here. And so I remember that being a huge deal. And then by the time, you know, the QBOT takedown happened back in 2023, it was like, okay, like this is still a pretty big deal, but now it's happening a lot more. And now I feel like, especially, you know, with Microsoft and DCU team leading the charge. Um, but there's a lot of other organizations who are on board and and the the public in cybersecurity industry is like, wait a second, this is a good thing. We should push this so hard. And it might get to the point where disruptions happen and like literally no one cares because it's just or there's just not a lot of fanfare about it because this is just the expectation is we're gonna keep doing this, we're gonna keep hammering, and that's how we get better at defense and security.
SPEAKER_00I think it's it's great to see, and I agree, it's it's becoming more common. And look, at the end of the day, you can't scale this against such a vast adversary set of actors without more folks coming together and doing this. And so I think we're starting to build up muscle memory. I think there are, you know, there is enhanced collaboration with law enforcement and others to do these kind of things. And I think hopefully folks see the benefit. You know, it's like, you know, the FBI, even when working at the FBI, you had no illusions that you were gonna end a crime. You know, you're you that that's that's not the end goal or objective. You wanna you wanted to send a deterrent message, you want to take down and have high impact actions against the worst of the worst threat actors. And that's what we try to focus on. Like, you know, we're we'll do that. Hopefully that sends a message. Hopefully it deters others from engaging in or scares people from it's not worth it to the risk involved. So that's what you hope for. And so that's what we'll we'll keep pushing. And it's great to see other folks getting more involved.
SPEAKER_02Yeah. Well, so pivoting a little bit, you're talking about communications and you're talking about messaging. And one of the conversations that we had back in February when we were hanging out is how to communicate cybersecurity and and CTI and how important it is for there to be somebody that understands the technical side, understands the legal side, understands the impacts, and can talk to a range of different stakeholders about some of these things. And you mentioned that you saw yourself as an important sort of connector between teams. And you you talked about the importance of effective communication when talking to these different stakeholders, whether you're talking to a super technical threat researcher who's the one that's identifying this target to go after, or to more high-level decision makers that are putting their stamp of approval on things and saying, yes, let's do it. Can you can you talk about that? Like, how does your communication style change on and depending on who you're addressing? Like, how do you how do you tell these stories?
SPEAKER_00Yeah, I think and you mentioned storytelling earlier, and that's like one of my favorite law professors, you know, in an advocacy class, which is kind of like litigation, is everything you're doing is telling a story, right? And so you may laugh at this, but I'm gonna say I don't consider myself a technologist. I consider myself an attorney who's not afraid of technology and can work with like the technical experts to figure out what's going on and what can we do about it. But I think the hardest thing, and this is where we are not so different, you know, attorneys, technologists, however, wanted to find technical experts, attorneys. We're well, we both should be technical experts in our field, right? And the problem with that, some of the best attorneys I've ever worked with, the hardest thing is like translating all of that expertise for the audience you're trying to reach. And so that can be very difficult, especially when you're trying to reach your non-technical audience, whether it's non-technical from a legal or technical, technical or both perspectives. And a lot of times that's when you're dealing with executives, right? And so I was very fortunate in my FBI career that we did a lot of writing and briefing with executives. And the hardest thing for the real in the weeds experts to do is not tell everything, right? You have to be able to distill down the key findings, the decision points, where does risk lie, especially from a legal standpoint. Everything about the law is it's some risk quantification. How do you make sure your leadership knows what they need to know? What are, you know, they don't need the nuances of like a trespass to chattels claim that we're bringing the common law tort claim. I know everybody would love for me to talk about that for 20 minutes. I will not do that. I'll be honest, I I barely know what that means myself. Don't tell anybody that. And I think for us, it's that impact thing. So, like, all right, we're gonna put our name out there, we're gonna file a lawsuit, we're gonna name an actor. How confident are you in this? How did you make your determinations? This goes to threat intel too. You know, maybe at a high level, what are the claims you're bringing in? What do you think the impact's gonna be? Why do you think this is gonna work? And you really it and that's I think we're you know, hopefully folks in your council offices and other companies when you're you're trying to tell that message about, well, why are we partnering with Europol and what does this mean? And like being able to have that in a coherent way, to understand the threat, why we think what we're doing makes sense, is gonna work. I think that's a key thing for what I try to do. And I think everybody, and even for technologists and folks on the on that side, to to be able to distill down those highly complex investigations, attribution, whatever it may be, and technical findings on on cyber threats into something that can lead to an outcome and can convince others. It's sort of that influencing without authority. Why should we do this? And how do you tell a story to convince people that, yeah, we're not crazy, we need to do something here.
SPEAKER_02Absolutely. You know, it's so funny. When I first came into I my background is in journalism. And so when I first came into like vendor land, I was so intimidated because everybody I felt was so technical and so smart and so good at their jobs and you know, were were able to dive into the weeds and and and do really great things and and you know, be very technical. And I very I realized it took me a little bit, but I realized that that is a skill, but also taking a step back and being able to explain what they're doing to a person that doesn't know what they're doing is so important because most people don't have that skill. That's like like most people, like you're saying, are very technical. They like talking, they like getting into the weeds. And a lot of times people don't like cutting, trimming down their thoughts and trimming down the the key points and and uh the things that are that are gonna sell a stakeholder on taking an action.
SPEAKER_00We do these internal reviews before we take actions, and I love all the investigators and analysts and our team, they're great, but we get into knockdown drag out fights at times about the PowerPoints and how many slides are in there. And I'm like, we can't have a hundred slides to go to this 45-minute meeting. We need to trim this down. What does this audience care about? What do they need to know? But they're great because they're got it all there and that's all important and we need it for our cases, our investigations. But yeah, conveying that to in a to an audience in an effective way is so important.
SPEAKER_02Who was it? I can't remember who said it, but one of the best uh pieces of writing advice that I got is to kill your darlings and you know, make sure that like, you know, people are are putting their heart and soul and all their passion into their work, and whether it's something that's very technical or whether it's uh an article that you're writing or whether it's a hundred slide PowerPoint presentation, they're your darlings, it's your darlings, but the best thing that you can learn to do is to kill them and it'll make you I like the example of like letting the butterfly fly away, but if you just want to kill them, you could that's another approach as well. So oh, maybe maybe yours is a little bit better.
SPEAKER_00Yeah, so let's no, just kill them, just squash them into oblivion. But yes, it's the same, it's the same principle.
SPEAKER_02So, you know, we were talking about the importance of writing, whether you know it is in a lawsuit or whether it's general communications or whether you know you're you're it's a 100 slide PowerPoint presentation. And I think some of that's changed a little bit with uh AI generated CTI reporting. And actually, I've seen this um from the legal perspective as well, where you have um it's not going well in the legal realm.
SPEAKER_00Yeah, yeah, like lawsuits being filed that are just yeah, judges, judges are sanctioning attorneys for filing cases for folks we're not familiar with, just made-up cases and made-up quotations from case law that doesn't even exist. So that's not good. Yeah, you want to avoid that.
SPEAKER_02I'm so glad that you said that because I because I have heard the exact same thing. And, you know, the I've seen some of the of these fallouts and some of the reporting and some people that are getting fired, or some people that are like, you know, getting in trouble for questioning, like maybe we shouldn't be doing AI for all these things. So it's been it's like a huge mess. And so I'm I'm curious, like, do you think that the quality of uh cyber threat reporting has changed at all with this sort of rise of AI as you know, threat researchers are trying to identify and put out more information? Or do you think it is it it's like I don't know, are are we going the way of like the legal realm where judges are sanctioning lawyers for making things up?
SPEAKER_00Well, I I think the good tale from the legal side is that you have those humans who are involved in the process because the judicial system obviously involves you know attorneys from both sides, depending on the matter, and then a judge who is then making decisions, and the clerks in the judge's office who's reviewing something and saying, Oh, this case doesn't exist. So I AI is in you know, and we've all seen like the capabilities of AI are have grown exponentially since you know it we really started this journey a few years ago, and so it's incumbent upon the developers of those technologies for those, especially for those purpose-built capabilities, like illegal AI, whatever that is, whatever it looks like, and Microsoft's doing some great work there as well. But it needs to get better to not make up stuff, but then you need people involved. I I view AI and especially with things that are so significant, such as a legal action. If it can help me frame out, you know, a memo or a brief or something, and then give some suggestions, but include citations, and then you have a human who's actually checking those citations, not just trusting the the AI, whatever the AI is, to get it right, like you have to double check those things. But the thing about AI, it could it'll frame it out in a beautiful way, like, oh yeah, this all sounds good, but under the law. It can say whatever it wants unless you have precedent that you're pointing to to say, well, this is actually what another judge said or another decision held in this case. More broadly, I think I just worry, like the thing about AI, just like it's I think threat intel is a little tougher because in that, you know, world, there's such a push to just get stuff out. And it's kind of like the first to the table. There's not as much rigor, I think. Maybe there are within companies, but it's not the same as like an attorney goes to court. If you're a junior attorney, you're probably a partner reviewing it, then you go and you file it, and then a law clerk looks at it, then a judge looks at it. Multiple layers of human review, they're going to catch mistakes. And the worry is that if there's just a push, and I say I think it's actually you've probably seen this too, and like journalism or whatever subset of that is that's just pushing out AI junk, is you don't have that rigor in review. And so if AI is enabling you to help frame a story in an effective way, and you have that level of review by people that are fact-checking and you know, honestly, adding the human element to it, I think you do lose something where it's just completely AI generated. I I think it it I think it can be good. I just think right now we're not necessarily in that space.
SPEAKER_02Yeah, yeah. It's so it's so interesting because I I find that as well. There is just this rush to publish, and I feel like we're kind of in the wild west now with when it comes to CTI and threat research. And on my team, at least, we do have very rigorous review. I encourage my team not to use AI tools to write all of their reports uh and to have a human person be in the loop and make sure that they're adding, you know, sprinkling in their own flavor to it and making sure that it is being fact-checked and peer-reviewed by multiple layers. Because it is, I mean, it's it's to me, it's a lot more like quality over quantity is so much more important. And, you know, the and it kind of goes back to what we're talking about in terms of like partnerships when it comes to disruptions, because a lot of companies and organizations in law enforcement are relying on publicly available content to say this is the impact or this is a potential target for us, or you know, this is a new malware, this is a new threat actor that's emerging, or this is how we should prioritize things based off of how severe a vendor is saying it is. And so, you know, to to kind of be mindful about that when we're putting things out in the public eye, that our work is actually having an impact. And we don't necessarily want to lose that some of that value because we're just trying to increase the actual output in production. So I it's it's it's definitely a balance. But yeah, I think right now it's a it's an interesting time to be in this industry for sure.
SPEAKER_00Well, it's about trust, right? Like at the end of the day, like that's one of the main principles that we why DCU exists. It's to build trust with our customers, our partners, governments, and other folks to say, hey, we're doing these things, we're doing things the right way. And that trust, you know, you can do so much and you can lose trust very quickly, even if you spend a lot of time building it up. And if you just start pushing out a lot of AI junk and and you're caught for it and called out for it, that that does more harm than I think people realize.
SPEAKER_02Yeah, absolutely. So I have a couple last questions. I know we're almost at time. So speed run. Cool. What is one thing you would like to see improve in the industry when it comes to private and public sector collaboration?
SPEAKER_00I think just more actions, right? You know, and not everybody needs to be front and center necessarily, but you know, like, and I think us leveraging each other more effectively to actually fill those gaps. Um, you know, for Tycoon and Fox Tempest, one of our key essential partners, especially for Fox Tempest, was a company Re Security, who enabled our access to be able to make these test purchases to get access. And so that again, the best fight of the fight. Okay, well, we adorative visibility here, you know, we as Microsoft, we've got a lot of visibility, but you know, you guys and other partners in Tycoon were able to give a broader picture of who was being impacted even outside of our ecosystem. So I think that I think it's really how do we take intelligence sharing generally to more action-oriented? And I think maybe even us helping kind of like Tycoon identify strategic priorities, not just for us, but for government partners.
SPEAKER_02Yeah, yeah, no, that's a great point. I I also would love to see that. And if you're interested, folks, those listening, definitely check out DCU's website. They have a lot of great resources and information on um the work that they're doing and and sort of you know, some of these processes. So if you're curious in learning more, definitely do it. And of course the ISACs are wonderful partners as well to get involved in in some of those if you aren't already. So, final question for you, Sean. When it comes to uh Microsoft DCU and some of the takedown actions, or even beyond that, even beyond your whatever at any point in your career when it comes to cybercrime in some way, what is something that you are most proud of?
SPEAKER_00Yeah, I mean, I've been fortunate across government and industry to to work on some just really cool important stuff. I think for me, honestly, it's the work we did sort of from 2023 up till earlier this year against what we tracked as Octotempest, which was a subset of the actors were generally referred to as scattered spider that were conducting these major ransomware data theft and extortion attacks globally. And the work we were able to do both domestically with the FBI, our colleagues at the National Crime Agency in the UK, and others, it wasn't a situation where we brought a big civil lawsuit, but with us and other industry partners who were at the table sharing information, we ultimately led to the arrests of the the main, I won't call them leaders because they didn't really have a traditional, you know, hierarchical structure, but the main actors who were facilitating those major attacks, like MGM and Caesars in the summer of 2023, the UK retail attacks uh last year, the Transport for London attack, which was a critical infrastructure ransomware attack. We it was a it was not easy and there were complications. A lot of the actors were young, some of them under 18 years old. But we were able to eventually have all those key players arrested. And that, you know, the scattered spider ecosystem still exists, the calm. That's a whole other podcast we should do.
SPEAKER_01Yeah.
SPEAKER_00But uh that was the most impactful where we like literally actors who are conducting multi-hundred million dollar ransomware data thought to extortion actions are are now facing legal consequences, and hopefully that will stick.
SPEAKER_02Yeah, that's great. I I I love it. And honestly, one of the cool things about participating in disruptions or actions like this is one, it just makes me want to go to law school.
SPEAKER_00I hope you're saving your money.
SPEAKER_02Yeah, right, yeah. And two, I you you get a happy ending, which is something that isn't necessarily always all that common in uh in cybersecurity. It's nice to have, you know, uh good positive outcomes that have actual real-world impact. And it's so great to see DCU, your partners, um, Europol, certainly the work we do here at Proof Point and all the great folks that we are working with. It's great to have a group, people that actually cares about, you know, imposing costs and and finding justice for people who have been victimized by cybercrime because it's not going away, but hopefully the work that you guys are doing are are making people's lives a lot better.
SPEAKER_00Yeah, and thank you guys for what you do and and joining us in the Tycoon Takedown. And we'll, like I said, we'll get you to testify next time. Let's let's do more. Encourage folks who are interested. You know, there's a big community out here, and the more we can bring in to actually bring consequences to these bad actors, the the better. Yeah, and yeah, great stuff. And thank you for having me on.
SPEAKER_02Yeah, absolutely. Thank you so much, Sean. This was such a good conversation. I really appreciate it. It's been so nice to get to know you these past few months. Be a friend. Don't, yeah, just it hopefully we'll get to hang out again at another one of these uh lawsuits, and I'll make sure I have a good court outfit.
SPEAKER_00Nice. And uh yeah, I I even though I'm not a fan, go nicks for you.
SPEAKER_02So yes, go nicks. Have a great rest of your day, and thank you to all our listeners for tuning in. And as always, until next time, happy hunting. You've been listening to Discarded Tales from the Threat Research Trenches, a podcast by Proof Point. Never miss an episode by subscribing to the show in your favorite podcast player. Happy hunting.