Microsoft's self-styled "Head of Deception," Ross Bevington, said that Vole had created a "hybrid high interaction honeypot" on the now-retired code.microsoft.com "to collect threat intelligence on actors ranging from less skilled cybercriminals to nation-state groups targeting Microsoft infrastructure."
According to BleepingComputer, Vole uses the collected data to map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.
Bevington and his team fight phishing by using deception techniques, such as using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activities like internal communications and file-sharing.
He said the active approach consists of visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap.
Microsoft says it monitors roughly 25,000 phishing sites daily, feeding about 20 per cent of them with the honeypot credentials; CAPTCHA or other anti-bot mechanisms block the rest.
Once the attackers log into the fake tenants, which happens in five per cent of the cases, Microsoft turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioural patterns, whether they use VPNs or VPSs, and what phishing kits they rely on.
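As an added illustration (not Microsoft's code and not from the article), the following Python monitor shows the detection side of this approach: any sign-in against a seeded decoy account is treated as a high-confidence hit, because no legitimate user holds those credentials, and each hit is turned into the kind of record the article lists (source IP, user agent, geolocation, VPN/VPS use, failed versus successful attempts, first and last seen). The decoy account names, the address ranges treated as VPS egress, and the sign-in log lines are all constructed for the example.

```python
"""Honeytoken sign-in monitor.

Added example, not Microsoft's code. Account names, IP ranges and log
lines below are constructed for illustration.
"""
import ipaddress
import json

# Constructed: decoy accounts that exist only in the honeypot tenant.
HONEYPOT_ACCOUNTS = {
    "j.doe@contoso-decoy.example",
    "finance-admin@contoso-decoy.example",
}

# Constructed: address blocks this example treats as VPS/VPN egress.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sign-in events in the shape of a tenant audit log (JSON lines).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:02:11Z","user":"j.doe@contoso-decoy.example","ip":"203.0.113.45","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","geo":"NL","result":"success"}
{"ts":"2024-05-01T08:02:40Z","user":"alice@contoso.example","ip":"192.0.2.10","ua":"Mozilla/5.0 (Macintosh) Safari/17","geo":"US","result":"success"}
{"ts":"2024-05-01T08:05:03Z","user":"j.doe@contoso-decoy.example","ip":"203.0.113.45","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","geo":"NL","result":"success"}
{"ts":"2024-05-01T09:17:55Z","user":"finance-admin@contoso-decoy.example","ip":"198.51.100.200","ua":"python-requests/2.31","geo":"RU","result":"failure"}
{"ts":"2024-05-01T09:18:02Z","user":"finance-admin@contoso-decoy.example","ip":"198.51.100.200","ua":"python-requests/2.31","geo":"RU","result":"success"}
"""


def parse_events(text):
    """Parse a JSON-lines sign-in log into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line must not stop the monitor
    return events


def is_vps(ip):
    """True if the address falls inside one of the (constructed) VPS/VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def honeytoken_hits(events):
    """Build one intelligence record per source IP that touched a decoy account.

    Legitimate users never hold decoy credentials, so every such sign-in
    (successful or not) is a hit worth recording, not just the successes.
    """
    records = {}
    for ev in events:
        if ev.get("user") not in HONEYPOT_ACCOUNTS:
            continue
        rec = records.setdefault(ev["ip"], {
            "ip": ev["ip"],
            "vps_or_vpn": is_vps(ev["ip"]),
            "accounts": set(),
            "user_agents": set(),
            "geo": set(),
            "attempts": 0,
            "successes": 0,
            "first_seen": ev["ts"],
            "last_seen": ev["ts"],
        })
        rec["accounts"].add(ev["user"])
        rec["user_agents"].add(ev.get("ua", ""))
        rec["geo"].add(ev.get("geo", ""))
        rec["attempts"] += 1
        if ev.get("result") == "success":
            rec["successes"] += 1
        # ISO-8601 UTC timestamps sort correctly as strings.
        rec["first_seen"] = min(rec["first_seen"], ev["ts"])
        rec["last_seen"] = max(rec["last_seen"], ev["ts"])
    return records


def analyse(text=SAMPLE_LOG):
    """Run the monitor over a log and return the per-IP records."""
    return honeytoken_hits(parse_events(text))


if __name__ == "__main__":
    for ip, rec in analyse().items():
        print(ip, "VPS/VPN" if rec["vps_or_vpn"] else "non-VPS",
              f"{rec['attempts']} attempts, {rec['successes']} successes,",
              "agents:", sorted(rec["user_agents"]))
```

Run against the embedded log, the monitor reports two source IPs: one from a VPS range that logged in twice with a browser user agent, and one outside those ranges that failed once and then succeeded with a scripted client, while the ordinary user's sign-in is ignored. In a real tenant the same logic would be wired to the identity provider's sign-in export and would trigger the detailed session logging the article describes.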
The deception can waste 30 days of an attacker's time before they realise they have breached a fake environment. Microsoft collects actionable data that other security teams can use to create more complex profiles and better defences.