Microsoft Warns Jasper Sleet Uses Fake IT Worker Identities to Infiltrate Cloud Environments

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A North Korea-linked threat group is quietly getting hired by real companies. Jasper Sleet, a threat actor tied to North Korea, has been building fake professional identities and using them to land legitimate remote IT jobs, giving them direct access to cloud environments and sensitive internal data.

The shift to remote and hybrid work after the COVID-19 pandemic changed how companies hire people. Organizations began relying heavily on online interviews, digital onboarding, and remote access tools.

This opened a new window for threat actors. Jasper Sleet saw this shift as an opportunity and began using stolen or fabricated identities, combined with AI-assisted techniques, to pose as real job candidates and get hired into trusted positions inside target organizations.

Microsoft analysts and researchers identified and tracked Jasper Sleet’s behavior across cloud environments and HR platforms, noting how the group systematically targets companies that use widely adopted HR software like Workday.

According to Microsoft Threat Intelligence, the threat actor accesses external career sites to survey open roles and then uses generative AI to study job postings, extract required skills, and build tailored fake digital personas that can pass recruitment screening.

In other words, these are not random attacks. The group researches the target company, matches the language of the job listing, and submits convincing applications designed to fool hiring teams.

Once hired, Jasper Sleet completes normal onboarding steps, sets up payroll accounts, and gains access to internal tools like Microsoft Teams, SharePoint, OneDrive, and Exchange Online.

Microsoft has observed a spike in impossible travel alerts linked to new hires in the initial months after onboarding, which signals suspicious remote IT worker behavior.

The group can then move freely through the organization’s cloud environment, access sensitive files, and in some cases carry out data theft or extortion.

The scale of this threat is wider than it might seem: Jasper Sleet is not targeting just one type of company.

Any organization that hires remote workers and uses cloud-connected HR platforms is potentially at risk. Microsoft has published this research to help security and HR teams catch suspicious candidates early, before they are ever given access.

How Jasper Sleet Operates Inside HR Platforms

The most telling aspect of Jasper Sleet’s approach is how precisely they exploit HR software workflows.

In the pre-recruitment phase, Microsoft observed the group making programmatic API calls to Workday’s Recruiting Web Service endpoints, which are accessible through external career sites.

These calls retrieved data about job postings, active applications, and questionnaires; Microsoft's telemetry shows this suspicious API call pattern originating from known Jasper Sleet infrastructure.

Timeline of events through the recruitment phases (Source – Microsoft)

What separates this activity from a regular job seeker is repetition. Microsoft observed the group using multiple external accounts to access the same API endpoints in a consistent and repeating pattern. This kind of behavior does not match how a normal applicant interacts with a hiring portal.

During the recruiting phase, Jasper Sleet communicates with hiring teams through email and video conferencing tools like Microsoft Teams, Zoom, and Cisco Webex.

After being hired, the threat actor signs into the newly created Workday account and updates payroll details from known Jasper Sleet infrastructure; Microsoft's telemetry captures this post-onboarding sign-in activity from flagged IP addresses.

Sample view of API call events indicating access to hrrecruiting API endpoints on an organization’s Workday instance from an external account (Source – Microsoft)

Microsoft recommends several steps that organizations can take to reduce exposure to this threat. Security and HR teams should work together, since this campaign bridges both functions in a way that neither team can address alone.

Organizations should enable connectors in Microsoft Defender for Cloud Apps to gain visibility into Workday, DocuSign, Zoom, and Cisco Webex activity.

These connectors allow security teams to track API events, monitor external account activity, and cross-reference suspicious IP addresses against threat intelligence feeds.

Any events tied to newly hired employees that originate from anonymous proxies or multiple geographic locations should be flagged and investigated quickly.
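The two behaviours the article singles out, several external accounts hitting the same recruiting API endpoints from one source, and a new hire signing in from different countries within hours, can be expressed as simple detection heuristics. The following is an added example, not Microsoft's or Workday's code; the event fields, account names, IP addresses and thresholds are constructed for illustration.

```python
# Added example (not from Microsoft or Workday): two heuristics drawn from the
# article, run over constructed sample events. Field names and values are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: external recruiting API calls and post-hire sign-ins.
EVENTS = [
    # timestamp, account, source_ip, action, country
    ("2024-03-01T09:00:00", "ext-user-a", "203.0.113.10", "hrrecruiting/getJobPostings", "NL"),
    ("2024-03-01T09:05:00", "ext-user-b", "203.0.113.10", "hrrecruiting/getJobPostings", "NL"),
    ("2024-03-01T09:10:00", "ext-user-c", "203.0.113.10", "hrrecruiting/getApplications", "NL"),
    ("2024-03-01T11:00:00", "ext-user-d", "198.51.100.7", "hrrecruiting/getJobPostings", "US"),
    ("2024-04-02T08:00:00", "newhire01", "198.51.100.22", "signin", "US"),
    ("2024-04-02T10:30:00", "newhire01", "203.0.113.10", "signin", "NL"),  # same infra as above
    ("2024-04-02T09:00:00", "newhire02", "198.51.100.31", "signin", "US"),
    ("2024-04-03T09:00:00", "newhire02", "198.51.100.31", "signin", "US"),
]

def parse(rows):
    return [{"ts": datetime.fromisoformat(r[0]), "account": r[1], "ip": r[2],
             "action": r[3], "country": r[4]} for r in rows]

def shared_recruiting_infra(events, min_accounts=3):
    """Source IPs from which >= min_accounts distinct external accounts called
    recruiting API endpoints: the repetition pattern a normal applicant does not show."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e["action"].startswith("hrrecruiting/"):
            accounts_by_ip[e["ip"]].add(e["account"])
    return sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts)

def new_hire_geo_anomalies(events, new_hires, window_hours=6):
    """New-hire accounts with consecutive sign-ins from different countries
    within window_hours of each other (an impossible-travel style check)."""
    by_account = defaultdict(list)
    for e in events:
        if e["action"] == "signin" and e["account"] in new_hires:
            by_account[e["account"]].append(e)
    flagged = set()
    for account, sins in by_account.items():
        sins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(sins, sins[1:]):
            if prev["country"] != cur["country"] and \
                    cur["ts"] - prev["ts"] <= timedelta(hours=window_hours):
                flagged.add(account)
    return sorted(flagged)

if __name__ == "__main__":
    evs = parse(EVENTS)
    print("shared recruiting infra:", shared_recruiting_infra(evs))
    print("new-hire geo anomalies:", new_hire_geo_anomalies(evs, {"newhire01", "newhire02"}))
```

Hits from either function are a starting point for the cross-referencing against threat intelligence feeds that the article recommends, not a verdict on their own.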

HR teams and employees should also receive training on social engineering. Employees involved in hiring should know how to recognize suspicious interview behavior, such as candidates who avoid turning on their cameras, give inconsistent background details, or show unusual urgency around payroll setup.

Catching these red flags early, before a hire is finalized, is far more effective than detecting the threat after the actor already has access.
