The rise of fraudulent remote IT workers is forcing security teams to rethink a problem that used to sit mostly with HR: how do you tell a legitimate applicant from an infiltrator before you hand over trusted access? Microsoft’s latest guidance argues that the answer lies in correlating identity, cloud, email, collaboration, and SaaS telemetry early in the hiring lifecycle, not just after a compromise is already underway. The company says Jasper Sleet, a North Korea-aligned cluster, is increasingly using AI-assisted deception, stolen or fabricated identities, and repetitive application behavior to slip through remote hiring workflows and into enterprise environments.
The underlying story here is bigger than one threat actor or one SaaS platform. Remote and hybrid work normalized distributed hiring, digital onboarding, and lightweight verification, which expanded the attack surface for impersonation and social engineering. Microsoft says the same shifts that made hiring faster and more global also made it easier for adversaries to present polished resumes, pass remote interviews, and obtain legitimate accounts with real business access.
That matters because the objective is not always immediate theft. In many cases, the fake worker’s first win is simply getting hired, paid, and trusted. From there, the threat can evolve into data theft, extortion, malware placement, or long-term internal abuse that looks, at least superficially, like ordinary employee behavior.
Microsoft’s blog is especially notable because it frames the hiring pipeline as a detection surface. Instead of treating recruitment as separate from security operations, it maps observable attacker behavior across pre-recruitment, recruiting, and post-hire phases. That is a useful shift, because the indicators are not limited to endpoints or sign-ins; they extend into external career sites, recruiting APIs, conferencing tools, document-signing platforms, and payroll changes.
There is also a strategic reason for the timing. Public reporting over the last year has shown increasing concern about North Korean fake-worker operations, including the use of AI to improve resumes, disguise accents, and sustain long-term employment. Microsoft’s message is that defenders should stop assuming these campaigns are noisy, low-skill, or easily spotted by intuition alone. The better model is to look for patterns across systems and time.
That shifts the detection problem from classic perimeter security to behavioral and identity correlation. A legitimate candidate might access a recruiting portal once or twice, attend an interview, and sign a document. A fraudulent operator, by contrast, may exhibit repeated, overlapping, and highly standardized activity across multiple identities and roles, often from infrastructure tied to known threat operations.
In practical terms, that means the old heuristics are weaker than many organizations expect. A well-written résumé, fluent interview answers, and a plausible work history are no longer enough to establish trust. Security teams need to think in terms of corroboration rather than impression. That is the central lesson here.
That is a useful reframing for enterprises. Security teams often concentrate on endpoints, identities, and cloud workloads after an account exists. Microsoft is arguing that the earliest warning signals may appear much sooner, in how a candidate discovers roles, interacts with the recruiting portal, and repeats the same workflow from suspicious infrastructure.
In the pre-recruitment phase, the actor studies open roles and application workflows by interacting with externally exposed recruiting interfaces. Microsoft observed activity tied to Workday Recruiting Web Service endpoints and specific hrrecruiting API paths. The important point is not that the API calls exist — legitimate candidates may use them too — but that the same patterns repeated from known actor infrastructure and multiple external accounts are suspicious.
That makes the pre-hire phase deceptively hard to spot with generic job-applicant monitoring. A single applicant can look normal. A cluster of external accounts repeatedly probing the same roles, from correlated infrastructure, across similar timelines, is a very different signal. The subtlety matters.
Document signing is another useful point of interception. Microsoft says its Defender for Cloud Apps connector for DocuSign can help monitor suspicious external activity around offer letters and related onboarding paperwork. That is a good example of where workflow abuse becomes visible even when the applicant is still outside the firewall.
Microsoft says it has seen suspicious payroll changes and repeated impossible-travel alerts in the first months after onboarding. That is a major clue, because fake workers often need to interact with payroll or finance systems for payment redirection while also using remote access patterns that do not line up with the claimed work location. Those two signals, together, are stronger than either one alone.
The blog also points out that many organizations use externally reachable career sites connected to broader HR systems. That creates a public-facing front door for applicants, but it also creates a place where an attacker can test processes, extract role requirements, and measure how the organization handles submissions. The more standardized the workflow, the easier it may be for a malicious applicant to mimic it at scale.
Microsoft’s recommendation to leverage the Workday connector is therefore not just a product suggestion. It is a reminder that visibility is a prerequisite for trust. If the HR stack is treated as a blind spot, attackers can blend into the noise of legitimate applications. If it is instrumented properly, the organization has a chance to see patterned abuse early.
There is also an operational bonus: once the hiring pipeline becomes observable, it can be reviewed by both HR and security. That shared visibility can reduce the common problem where HR sees a reasonable candidate and security sees nothing because the data is siloed. Bridging that gap is one of the article’s quiet but important themes.
Identity telemetry becomes particularly important after hire. Microsoft says newly created accounts should be reviewed for alerts involving access from different locations, anonymous proxies, and unusual search or download activity in Microsoft 365 or other SaaS apps. The point is not that one remote location is inherently suspicious, but that location inconsistency plus timing plus activity type can reveal a false identity.
This is where Microsoft Defender XDR is positioned as a cross-domain layer. The blog emphasizes that it coordinates detection across endpoints, identities, email, and apps. In practical terms, that means a suspicious hire can be followed from interview communication to onboarding paperwork to sign-in behavior to data access, which is much more powerful than any one isolated log source.
The guidance also shows how connectors for Zoom, Webex, and DocuSign can widen the detection net. This is a strong reminder that a hiring campaign often spans multiple applications, each of which may hold a fragment of the story. Correlating those fragments is what turns weak signals into an actionable case.
It is also smart to treat communications as part of the hunt, not as a separate process. Interview scheduling, email exchanges, and conferencing invitations can all be used as correlation points. When those signals line up with the same external identities or IP ranges, the confidence level rises sharply. This is where hunting becomes triage.
For consumers, the impact is less direct but still meaningful. A company infiltrated by a fake worker may expose customer data, create downstream fraud opportunities, or degrade trust in the services and support channels customers rely on. The public rarely sees the hiring-stage compromise, but it can still end in data theft or abuse that touches consumer records.
This is also why the threat is not limited to technology companies. Microsoft notes the pattern can surface across industries, and the general problem is really about digital trust at scale. Any organization that uses SaaS-based HR, remote interviews, and cloud collaboration is potentially exposed.
The broader reputational risk is equally important. Organizations that become known as easy targets for infiltration may face higher scrutiny from partners, regulators, and future candidates. The hiring process then becomes not only a security concern, but a brand and governance concern as well. That is a hard lesson for boards and executives.
The point is not that AI makes the actor invincible. It makes the actor faster, more consistent, and more adaptable. The defensive response therefore cannot be a simple content filter or a single interview question. It has to be a layered verification process with enough friction to expose inconsistencies.
That continuity is what makes the threat especially dangerous. If the persona can survive the interview, the onboarding, and the first few weeks of employment, the organization may assume the identity is real and stop checking. The attack then benefits from the natural trust granted to people who appear to have settled in.
That also means defenders should be careful not to overfit on any single AI hallmark. AI-generated text can sound polished, but so can a well-prepared genuine candidate. The stronger approach is to look for combinations of signals that would be difficult to fake across time and systems.
A mature program will also treat threat intelligence as a layer, not a crutch. If a candidate’s infrastructure aligns with known Jasper Sleet activity, that increases suspicion. But the organization still needs its own telemetry to confirm whether the behavior is anomalous enough to act on. Threat intel raises priority; it does not replace evidence.
It is also a reminder that training matters. Microsoft specifically calls out social engineering awareness, which remains essential because human reviewers often become the last line of defense. The challenge is to train people to notice inconsistencies without turning the hiring process into such a burden that legitimate applicants are driven away.
There is also a privacy and governance tension. More monitoring in recruiting and onboarding can improve security, but it can also create employee-relations questions if the controls are not transparent and well-governed. The best programs will balance detection with clear policy, limited access, and a documented purpose for every signal collected. Security without governance is brittle.
Microsoft’s emphasis on telemetry-rich SaaS connectors suggests the future of defense is not just endpoint hardening, but identity and workflow observability. That includes recruitment systems, document signing, conferencing, onboarding, and early employee access patterns. The organizations that win here will be the ones that can connect the dots before a new account becomes a long-term internal foothold.
Source: Microsoft Detection strategies across cloud and identities against infiltrating IT workers | Microsoft Security Blog
Overview
The underlying story here is bigger than one threat actor or one SaaS platform. Remote and hybrid work normalized distributed hiring, digital onboarding, and lightweight verification, which expanded the attack surface for impersonation and social engineering. Microsoft says the same shifts that made hiring faster and more global also made it easier for adversaries to present polished resumes, pass remote interviews, and obtain legitimate accounts with real business access.That matters because the objective is not always immediate theft. In many cases, the fake worker’s first win is simply getting hired, paid, and trusted. From there, the threat can evolve into data theft, extortion, malware placement, or long-term internal abuse that looks, at least superficially, like ordinary employee behavior.
Microsoft’s blog is especially notable because it frames the hiring pipeline as a detection surface. Instead of treating recruitment as separate from security operations, it maps observable attacker behavior across pre-recruitment, recruiting, and post-hire phases. That is a useful shift, because the indicators are not limited to endpoints or sign-ins; they extend into external career sites, recruiting APIs, conferencing tools, document-signing platforms, and payroll changes.
There is also a strategic reason for the timing. Public reporting over the last year has shown increasing concern about North Korean fake-worker operations, including the use of AI to improve resumes, disguise accents, and sustain long-term employment. Microsoft’s message is that defenders should stop assuming these campaigns are noisy, low-skill, or easily spotted by intuition alone. The better model is to look for patterns across systems and time.
Why This Threat Is Different
The most important difference is that these actors are not trying to break in through a vulnerability in the traditional sense. They are trying to be accepted into the organization as a trusted insider, which means the normal trust-based controls of hiring can become the attacker’s greatest advantage. Once an applicant becomes an employee, many guardrails loosen by design.That shifts the detection problem from classic perimeter security to behavioral and identity correlation. A legitimate candidate might access a recruiting portal once or twice, attend an interview, and sign a document. A fraudulent operator, by contrast, may exhibit repeated, overlapping, and highly standardized activity across multiple identities and roles, often from infrastructure tied to known threat operations.
The operational advantage for attackers
Microsoft says Jasper Sleet has been observed using generative AI to research job postings, extract role-specific language, and produce convincing digital personas. That is a significant efficiency gain because it compresses what used to be a labor-intensive social-engineering process into a repeatable workflow. The result is not just more applications; it is better-tailored applications that can evade superficial screening.In practical terms, that means the old heuristics are weaker than many organizations expect. A well-written résumé, fluent interview answers, and a plausible work history are no longer enough to establish trust. Security teams need to think in terms of corroboration rather than impression. That is the central lesson here.
Why HR workflows are now security telemetry
Microsoft’s focus on Workday is not because Workday is uniquely vulnerable, but because it is a rich example of a mainstream HR SaaS platform with useful event logs. If attackers are using external career sites, recruiting APIs, interview tooling, and onboarding workflows, then the HR stack becomes a source of actionable telemetry. In other words, the hiring system is no longer just an administrative system; it is a detection surface.That is a useful reframing for enterprises. Security teams often concentrate on endpoints, identities, and cloud workloads after an account exists. Microsoft is arguing that the earliest warning signals may appear much sooner, in how a candidate discovers roles, interacts with the recruiting portal, and repeats the same workflow from suspicious infrastructure.
How the Attack Chain Works
Microsoft breaks the campaign into distinct phases, and that is one of the blog’s strongest contributions. The sequence shows that infiltration is not a single moment but a staged process, starting with job discovery and ending with legitimate internal access. Each stage leaves different traces, which means each stage can be hunted differently.In the pre-recruitment phase, the actor studies open roles and application workflows by interacting with externally exposed recruiting interfaces. Microsoft observed activity tied to Workday Recruiting Web Service endpoints and specific hrrecruiting API paths. The important point is not that the API calls exist — legitimate candidates may use them too — but that the same patterns repeated from known actor infrastructure and multiple external accounts are suspicious.
Pre-recruitment signals
The blog lists example endpoints such ashrrecruiting/accounts/*, hrrecruiting/jobApplicationPackages/*, hrrecruiting/validateJobApplication/*, and hrrecruiting/resumes/*. These are the sorts of routes that would normally be expected in a real recruitment flow, which is why detection depends on context rather than the endpoint alone. Repetition, origin, and association with known infrastructure become the decisive factors.That makes the pre-hire phase deceptively hard to spot with generic job-applicant monitoring. A single applicant can look normal. A cluster of external accounts repeatedly probing the same roles, from correlated infrastructure, across similar timelines, is a very different signal. The subtlety matters.
Recruiting-phase communications
Once the candidate is under review, the actor may use email and conferencing platforms to move forward in the process. Microsoft points to email, Teams, Zoom, and Cisco Webex as channels where suspicious communications can be correlated with suspicious IPs or external identities. This is where enterprise detection becomes cross-platform, because the hiring team may see one slice of the behavior while security tooling sees another.Document signing is another useful point of interception. Microsoft says its Defender for Cloud Apps connector for DocuSign can help monitor suspicious external activity around offer letters and related onboarding paperwork. That is a good example of where workflow abuse becomes visible even when the applicant is still outside the firewall.
Post-recruitment access
After hire, the threat changes character. The actor now has a legitimate account and, potentially, access to payroll, collaboration, and storage services like Teams, SharePoint, OneDrive, and Exchange Online. At that stage, the challenge is no longer whether the person is an employee on paper, but whether their actual behavior matches the identity they claimed to be.Microsoft says it has seen suspicious payroll changes and repeated impossible-travel alerts in the first months after onboarding. That is a major clue, because fake workers often need to interact with payroll or finance systems for payment redirection while also using remote access patterns that do not line up with the claimed work location. Those two signals, together, are stronger than either one alone.
Why Workday Matters as an Example
Workday is not the only relevant platform, but it is a useful case study because it exposes the kinds of logs defenders need. Microsoft says the platform’s event visibility makes it valuable for hunting and detection, especially when used with Defender for Cloud Apps. That combination is important because security teams often need both SaaS-native context and cross-domain threat intelligence.The blog also points out that many organizations use externally reachable career sites connected to broader HR systems. That creates a public-facing front door for applicants, but it also creates a place where an attacker can test processes, extract role requirements, and measure how the organization handles submissions. The more standardized the workflow, the easier it may be for a malicious applicant to mimic it at scale.
SaaS convenience versus abuse
This is the classic SaaS tradeoff. The same APIs and integrations that make hiring efficient also create rich telemetry and attack surface. If an organization exposes an externally accessible recruitment flow, it must assume that adversaries will study the workflow just as carefully as genuine applicants do.Microsoft’s recommendation to leverage the Workday connector is therefore not just a product suggestion. It is a reminder that visibility is a prerequisite for trust. If the HR stack is treated as a blind spot, attackers can blend into the noise of legitimate applications. If it is instrumented properly, the organization has a chance to see patterned abuse early.
What defenders can actually see
The value of the Workday connector lies in surfacing API activity and metadata around external accounts. That enables defenders to connect strange recruiting behavior with suspicious infrastructure or with known threat intelligence. Microsoft explicitly says this is useful for identifying fraudulent applications early, which is exactly where many organizations would prefer to catch the problem.There is also an operational bonus: once the hiring pipeline becomes observable, it can be reviewed by both HR and security. That shared visibility can reduce the common problem where HR sees a reasonable candidate and security sees nothing because the data is siloed. Bridging that gap is one of the article’s quiet but important themes.
Detection Opportunities Across Cloud and Identity
The Microsoft guidance is most persuasive when it moves beyond a single product and describes a multi-signal detection strategy. The organization does not need one perfect detector; it needs overlapping detectors that cover hiring, onboarding, and early employee activity. That is especially true when dealing with actors who intentionally use legitimate systems to avoid obvious alarms.Identity telemetry becomes particularly important after hire. Microsoft says newly created accounts should be reviewed for alerts involving access from different locations, anonymous proxies, and unusual search or download activity in Microsoft 365 or other SaaS apps. The point is not that one remote location is inherently suspicious, but that location inconsistency plus timing plus activity type can reveal a false identity.
Identity signals to prioritize
A good detection program will not rely on a single impossible-travel alert in isolation. Instead, it should combine location anomalies, sign-in patterns, device characteristics, and account age with the broader hiring context. That is especially relevant in the first 30 to 90 days after onboarding, when a newly hired remote worker may still be establishing a normal operational baseline.This is where Microsoft Defender XDR is positioned as a cross-domain layer. The blog emphasizes that it coordinates detection across endpoints, identities, email, and apps. In practical terms, that means a suspicious hire can be followed from interview communication to onboarding paperwork to sign-in behavior to data access, which is much more powerful than any one isolated log source.
Cloud app telemetry as a force multiplier
Defender for Cloud Apps is described as a key visibility layer because it can expose external user activity in SaaS platforms. That matters because fake workers often spend most of their time in cloud services rather than on managed endpoints. If the only controls are on the endpoint, much of the suspicious activity may never be seen.The guidance also shows how connectors for Zoom, Webex, and DocuSign can widen the detection net. This is a strong reminder that a hiring campaign often spans multiple applications, each of which may hold a fragment of the story. Correlating those fragments is what turns weak signals into an actionable case.
Hunting logic that actually helps
The most useful hunts will likely look for repeated access patterns, external accounts tied to known infrastructure, and early-posthire anomalies. Microsoft’s examples suggest defenders should look for activity that is technically valid but operationally implausible. That includes a new hire making payroll edits from suspicious infrastructure, or a candidate interacting with recruitment APIs in a way that is much more structured than normal applicant behavior.It is also smart to treat communications as part of the hunt, not as a separate process. Interview scheduling, email exchanges, and conferencing invitations can all be used as correlation points. When those signals line up with the same external identities or IP ranges, the confidence level rises sharply. This is where hunting becomes triage.
Enterprise Impact Versus Consumer Impact
For enterprises, the issue is obvious: a fake employee can be handed access to internal SaaS data, collaboration spaces, finance processes, and intellectual property. The risks extend beyond one compromised account because the employee identity itself can become a durable foothold. In many cases, the attacker gains exactly the privileges the organization intended to grant a legitimate worker.For consumers, the impact is less direct but still meaningful. A company infiltrated by a fake worker may expose customer data, create downstream fraud opportunities, or degrade trust in the services and support channels customers rely on. The public rarely sees the hiring-stage compromise, but it can still end in data theft or abuse that touches consumer records.
Why enterprises are the prime target
The fake-worker model pays best where access is valuable, remote work is routine, and onboarding can happen with minimal physical verification. That gives enterprises a structural disadvantage if they treat remote hiring like a lower-risk administrative function. The bigger and more distributed the organization, the easier it may be for a malicious worker to blend into normal employee noise.This is also why the threat is not limited to technology companies. Microsoft notes the pattern can surface across industries, and the general problem is really about digital trust at scale. Any organization that uses SaaS-based HR, remote interviews, and cloud collaboration is potentially exposed.
Why consumer trust still erodes
Customers may never know the name of the person who infiltrated a company’s hiring pipeline, but they will feel the consequences if that employee later touches sensitive systems. A fake worker who gains internal access could read support records, alter billing details, or enable broader compromise. Even when no consumer account is directly touched, the breach of trust can still be severe.The broader reputational risk is equally important. Organizations that become known as easy targets for infiltration may face higher scrutiny from partners, regulators, and future candidates. The hiring process then becomes not only a security concern, but a brand and governance concern as well. That is a hard lesson for boards and executives.
The Role of AI in the Fraud Pipeline
Microsoft’s blog reinforces a theme that has been emerging across threat intelligence in 2025 and 2026: AI is being used to scale deception, not just to write phishing emails. For fake-worker operations, AI can help research jobs, tailor applications, improve communications, and even sustain day-to-day work once the actor is hired. That makes the operation more durable and less human-labor-intensive.The point is not that AI makes the actor invincible. It makes the actor faster, more consistent, and more adaptable. The defensive response therefore cannot be a simple content filter or a single interview question. It has to be a layered verification process with enough friction to expose inconsistencies.
From résumé generation to long-term persistence
Microsoft and recent reporting indicate that fake-worker campaigns now use AI not only to write resumes and cover letters, but also to create realistic photos, mask accents, and support ongoing workplace communication. That is a major escalation because it means the deception does not stop at the offer letter. It continues through the daily rhythm of being an employee.That continuity is what makes the threat especially dangerous. If the persona can survive the interview, the onboarding, and the first few weeks of employment, the organization may assume the identity is real and stop checking. The attack then benefits from the natural trust granted to people who appear to have settled in.
The defensive implication
The best response is to raise the cost of consistency for the attacker. Cross-checking application details, verifying external communications, correlating device and location signals, and reviewing early payroll or access changes all make it harder for a fabricated identity to stay coherent. The goal is not perfection; it is friction.That also means defenders should be careful not to overfit on any single AI hallmark. AI-generated text can sound polished, but so can a well-prepared genuine candidate. The stronger approach is to look for combinations of signals that would be difficult to fake across time and systems.
What Security Teams Should Operationalize
Microsoft’s article is most actionable when translated into operational steps. The organization does not need to “hunt for North Korea” in the abstract; it needs to build repeatable review processes around recruitment, onboarding, and early employee activity. That requires coordination between security, HR, and the teams managing collaboration and cloud SaaS.A mature program will also treat threat intelligence as a layer, not a crutch. If a candidate’s infrastructure aligns with known Jasper Sleet activity, that increases suspicion. But the organization still needs its own telemetry to confirm whether the behavior is anomalous enough to act on. Threat intel raises priority; it does not replace evidence.
Suggested operational steps
- Instrument recruitment and onboarding systems so external account activity is visible.
- Correlate candidate communications across email, Teams, Zoom, Webex, and document-signing platforms.
- Review payroll or bank-detail changes from new hires as security-relevant events.
- Flag impossible-travel and proxy-based sign-ins during the early employment window.
- Compare candidate activity with known threat infrastructure and cluster intelligence.
Building a shared security-HR model
The article implicitly argues for a joint operating model. HR can validate candidate process details, while security can inspect source infrastructure, identity signals, and SaaS anomalies. That shared model is better than one team acting alone because fake-worker operations exploit the seams between departments.It is also a reminder that training matters. Microsoft specifically calls out social engineering awareness, which remains essential because human reviewers often become the last line of defense. The challenge is to train people to notice inconsistencies without turning the hiring process into such a burden that legitimate applicants are driven away.
Strengths and Opportunities
Microsoft’s guidance is strong because it translates a headline threat into concrete detection opportunities. It acknowledges that remote-worker infiltration is not a single-vector attack and shows how the problem spans SaaS, identity, email, collaboration, and onboarding. That makes the article unusually useful for defenders who need something more actionable than generic warnings.- It reframes hiring as a security control point, not just an HR workflow.
- It connects pre-recruitment behavior to post-hire compromise.
- It encourages cross-domain correlation instead of isolated alerting.
- It highlights the value of SaaS telemetry in a remote-first world.
- It gives defenders concrete places to hunt, including Workday, Teams, DocuSign, and identity logs.
- It shows how threat intelligence can be used to increase confidence, not just to enrich alerts.
- It reinforces the need for joint HR-security operations.
Risks and Concerns
The biggest risk is overconfidence. Organizations may assume that remote hiring fraud is rare or that traditional background checks are enough, when the real threat lies in sophisticated persona construction and repetitive workflow abuse. If teams only look for obvious red flags, they may miss the attacker who has carefully optimized for plausibility.- False positives could burden legitimate candidates and slow hiring.
- HR teams may resist additional review steps if they add friction.
- Some organizations may lack the logging needed to see recruiting abuse.
- Attackers can rotate identities, infrastructure, and communication channels.
- Post-hire compromise may be mistaken for normal remote-work behavior.
- Early signals may be split across separate tools and teams.
- Overreliance on a single vendor stack could leave blind spots elsewhere.
There is also a privacy and governance tension. More monitoring in recruiting and onboarding can improve security, but it can also create employee-relations questions if the controls are not transparent and well-governed. The best programs will balance detection with clear policy, limited access, and a documented purpose for every signal collected. Security without governance is brittle.
Looking Ahead
The likely next step is broader automation and broader targets. If AI continues to lower the cost of building convincing personas, then the fake-worker model will not remain confined to a few known clusters or a narrow set of roles. Organizations should expect more variation, more language sophistication, and more attempts to blend into ordinary recruiting flows.Microsoft’s emphasis on telemetry-rich SaaS connectors suggests the future of defense is not just endpoint hardening, but identity and workflow observability. That includes recruitment systems, document signing, conferencing, onboarding, and early employee access patterns. The organizations that win here will be the ones that can connect the dots before a new account becomes a long-term internal foothold.
What to watch next
- Expanded use of AI-generated personas and interview assistance.
- More cross-platform correlation between recruiting, email, and collaboration logs.
- Wider adoption of SaaS connectors for HR and onboarding tools.
- Increased focus on early-lifecycle account monitoring for new hires.
- More public guidance on how to balance hiring friction and security assurance.
Source: Microsoft Detection strategies across cloud and identities against infiltrating IT workers | Microsoft Security Blog
