Trusted IT Tools Were All Attackers Needed to Spend Four Months Inside a Network

Microsoft Incident Response found no exploits, no novel malware, and no firewall breaches — attackers moved freely using HPE Operations Agent and harvested credentials via malicious DLLs on domain controllers.

Published on May 13, 2026
123-Day Intrusion Required No Exploits

A threat actor remained inside one organization’s network for more than 100 days, and almost everything they touched was already trusted.

The news comes from Microsoft Incident Response, which was called in on day 123 of the intrusion and found no exploits, no novel malware, and no abuse of firewall configurations.

Microsoft said the attackers gained initial access through a compromised third-party IT services provider, then used HPE Operations Agent (an approved, signed enterprise management tool already running across the customer’s environment) to push VBScripts, deploy web shells, and harvest credentials. There was no vulnerability in HPE OA itself.

Microsoft explained in an advisory published on May 12, 2026, that the customer had outsourced management of the operations platform to a service provider. That is operationally common, but it extends the trust boundary outside the organization, and once that boundary was breached the threat actor’s scripts ran indistinguishably from routine admin work.

Credential interception came next. On domain controller DC01, the attackers registered a malicious network provider DLL (mslogon.dll) that implemented the NPLogonNotify and NPPasswordChangeNotify callbacks. Windows invokes those callbacks on every registered network provider with the user’s cleartext credentials at logon and on password change, so the DLL captured usernames, passwords, and password-change events as users signed in.

On DC01 and a second domain controller, DC02, they also deployed a malicious LSA password filter (passms.dll) that performed similar credential capture via a different extensibility hook: LSA passes every new password in cleartext to each registered filter’s PasswordChangeNotify routine before the change is committed.
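Both hooks are registered in the registry, so a defender can enumerate them and compare the loaded DLLs against a known-good baseline. The script below is an added example, not code from the Microsoft advisory: it lists every network provider in the provider order and every LSA notification package, resolves each DLL, and checks its Authenticode signature. The allowlists of default provider and package names are assumptions about a stock Windows Server install and should be replaced with values taken from your own gold image.

```powershell
# Added example (not code from the Microsoft advisory): audit the two logon hooks
# abused in this intrusion, network providers and LSA notification packages.
# Run as Administrator on each domain controller. The allowlists below are ASSUMED
# defaults for a stock Windows Server; compare against your own gold image first.

$npAllow  = @('RDPNP', 'LanmanWorkstation', 'webclient', 'P9NP')   # assumed defaults
$lsaAllow = @('scecli', 'rassfm')                                    # assumed DC defaults

function Get-HookDll {
    # Resolve a DLL reference (bare name, %env% path or absolute path) and check its signature.
    param([string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not [IO.Path]::IsPathRooted($full)) {
        if ($full -notlike '*.dll') { $full += '.dll' }
        $full = Join-Path "$env:SystemRoot\System32" $full
    }
    if (-not (Test-Path -LiteralPath $full)) {
        return [pscustomobject]@{ Path = $full; Signature = 'FileMissing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $full
    [pscustomobject]@{
        Path      = $full
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$findings = @()

# 1. Network providers: Windows calls each provider's NPLogonNotify /
#    NPPasswordChangeNotify with cleartext credentials (the mslogon.dll hook).
#    Only names listed in ProviderOrder are loaded, so that is what we walk.
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providers = ((Get-ItemProperty -Path $orderKey).ProviderOrder -split ',') |
    Where-Object { $_ } | Select-Object -Unique
foreach ($name in $providers) {
    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $provPath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ProviderPath
    $dll = if ($provPath) { Get-HookDll $provPath }
           else { [pscustomobject]@{ Path = $null; Signature = 'NoProviderPath'; Signer = $null } }
    $findings += [pscustomobject]@{
        Hook = 'NetworkProvider'; Name = $name; Allowlisted = ($npAllow -contains $name)
        Path = $dll.Path; Signature = $dll.Signature; Signer = $dll.Signer
    }
}

# 2. LSA notification packages: LSA hands every new password in cleartext to each
#    package's PasswordChangeNotify (the passms.dll hook). Entries are bare DLL
#    names that LSA loads from System32.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = @((Get-ItemProperty -Path $lsaKey).'Notification Packages')
foreach ($name in $packages) {
    $dll = Get-HookDll $name
    $findings += [pscustomobject]@{
        Hook = 'LSA NotificationPackage'; Name = $name; Allowlisted = ($lsaAllow -contains $name)
        Path = $dll.Path; Signature = $dll.Signature; Signer = $dll.Signer
    }
}

$findings | Format-Table -AutoSize

# Anything off the allowlist, unsigned, or signed by a non-Microsoft publisher
# deserves a look. A valid signature alone proves nothing here: HPE OA was signed too.
$suspect = $findings | Where-Object {
    -not $_.Allowlisted -or $_.Signature -ne 'Valid' -or $_.Signer -notlike '*Microsoft*'
}
if ($suspect) {
    Write-Warning "$($suspect.Count) logon hook(s) need review on $env:COMPUTERNAME"
    $suspect
}
```

Catalog-signed Windows system DLLs report a status of Valid, so a stock machine should produce an empty suspect list once the allowlists match your image. For ongoing detection rather than a point-in-time audit, alert on value-set events (Sysmon Event ID 13) against the ProviderOrder value and the Notification Packages value, since a legitimate change to either is rare on a domain controller.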

Lateral Movement Through Ngrok and RDP

With harvested credentials in hand, the attackers turned to ngrok. Because the ngrok agent dials out to the ngrok service, its encrypted tunnels exposed internal SQL servers and domain controllers to the internet without any inbound change to the perimeter firewall; Remote Desktop Protocol (RDP) sessions were then routed back through SQL-01 to mask the real source infrastructure.
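One side effect of this kind of tunnel is visible in the Security log: the agent forwards its public endpoint to the local RDP listener, so the resulting logon is recorded with a loopback source address rather than the attacker’s real one. The following hunt script is an added example, not part of the advisory; it pulls Event ID 4624 entries with LogonType 10 (RemoteInteractive) and a source of 127.0.0.1 or ::1 from the named hosts. The host names in the parameter comment are placeholders taken from the article, and the 30-day window is an assumption.

```powershell
# Added example (not from the Microsoft advisory): hunt for RDP logons sourced from
# loopback. A local tunnel agent such as ngrok forwards its public endpoint to
# localhost:3389, so the interactive logon it produces (4624, LogonType 10) shows an
# IpAddress of 127.0.0.1 or ::1 instead of the remote operator's address.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # e.g. 'SQL-01','DC01','DC02'
    [int]$Days = 30                                    # assumed lookback window
)

function Get-LoopbackRdpLogons {
    param([string]$Computer, [int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> nodes into a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            # LogonType 10 = RemoteInteractive (RDP); loopback source = tunnelled or port-forwarded.
            if ($d.LogonType -eq '10' -and $d.IpAddress -in '127.0.0.1', '::1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Host        = $Computer
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source      = $d.IpAddress
                    Workstation = $d.WorkstationName
                    LogonId     = $d.TargetLogonId
                }
            }
        }
}

$hits = foreach ($c in $ComputerName) {
    try   { Get-LoopbackRdpLogons -Computer $c -Days $Days }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

A loopback RDP logon is not proof of ngrok specifically; SSH port forwarding and other tunnel agents leave the same trace, and a local administrator testing `mstsc /v:localhost` will too. Treat each hit as a lead: use the LogonId to pull the 4688 process-creation events for that session and identify the tunnelling process that was listening.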

Windows Management Instrumentation (WMI) handled remote execution from the compromised web servers.

Web shell persistence relied on modified application pages rather than new services. Two of the affected web servers had no EDR coverage at all, which is why Microsoft Incident Response could not determine how the initial web shell landed.

Trusted systems “can become enforcement gaps when visibility is limited or validation is assumed,” Microsoft said.

“Defenders should adopt a posture of deliberate verification. Trust your vendors and tooling but validate their behavior within your environment,” the advisory read.