VYPR
breach · Published May 12, 2026 · Updated May 20, 2026 · 1 source

Microsoft Details Stealthy Intrusion Abusing HPE Operations Agent via Compromised Third-Party IT Provider

Microsoft Incident Response describes a campaign in which attackers compromised a third-party IT services provider and abused the legitimate HPE Operations Agent to deploy scripts and steal credentials without triggering alerts.

Microsoft Incident Response has published a detailed analysis of a stealthy intrusion that leveraged a compromised third-party IT services provider and the legitimate HPE Operations Agent (OA) tool to gain persistent access to a victim environment. The attack, which unfolded over approximately four months, did not rely on any vulnerability in HPE OA itself. Instead, the threat actor exploited the implicit trust granted to the third-party provider and abused the signed, enterprise-approved management tool to execute scripts and binaries that blended seamlessly into routine administrative activity.

The intrusion began when the threat actor compromised the third-party IT services provider that had been delegated management of the HPE Operations Manager (HPOM) platform. Using this access, the actor deployed VBScripts through HPOM onto managed hosts, including two internet-exposed web servers where a web shell named Errors.aspx was later discovered. Microsoft noted that the initial deployment mechanism for the web shells could not be determined, but the execution path through HPOM was identified via threat intelligence linking a workstation to a known malicious domain.

Over the following weeks, the threat actor established credential interception capabilities on domain infrastructure, harvesting credentials to expand access across devices. By days 24–32, persistent access was established on internet-facing servers, allowing the actor to maintain repeated access even after individual artifacts were removed. Between days 40 and 60, the actor leveraged harvested credentials and covert connectivity to move laterally across devices, including highly sensitive assets. Credential harvesting was further expanded on domain controllers around days 54–55 to ensure continued access during authentication and password change events.

After initial detection around day 104, the threat actor returned to previously established access points to re-enable persistence and deploy additional tooling. Microsoft Incident Response was finally engaged on day 123 to investigate the full scope of the compromise. The attack aligns with MITRE ATT&CK technique T1199 – Trusted Relationship, where adversaries exploit established trust relationships to extend access without relying on exploit-driven techniques.

Microsoft emphasized that no vulnerability in HPE OA was exploited; the attack succeeded by abusing the legitimate functionality of the tool within the context of a trusted third-party relationship. This approach allowed the malicious activity to remain indistinguishable from normal operations, delaying detection significantly. The company provided detection guidance for Microsoft Defender, including specific hunting queries to identify abuse of HPE OA and anomalous third-party management activity.

This incident highlights a growing trend in sophisticated intrusions where attackers avoid noisy exploits and custom malware, instead operating through systems that organizations already trust. By compromising third-party providers and abusing legitimate administrative tools, threat actors can achieve long-term access and credential theft while evading traditional security controls. Microsoft recommends organizations carefully review third-party access privileges, monitor for anomalous use of management tools, and implement strict controls on delegated administrative relationships.
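The detection guidance the article mentions centres on two observable patterns: script interpreters launched by the management agent on hosts where that is unusual (especially internet-facing servers), and a file such as Errors.aspx appearing in a web root without going through a sanctioned deployment path. The following is an added example, not code from the Microsoft report, from HPE, or from the Vypr page: a small Python hunt that applies both rules to constructed process-creation and file-write events. The agent process names (`opcmona.exe`, `ovcd.exe`), the deployment tool name (`msdeploy.exe`), and the sample hosts and paths are assumptions chosen for illustration and should be replaced with what your own telemetry shows.

```python
from dataclasses import dataclass

# Assumption: these image names stand in for the HPE Operations Agent processes
# that launch deployed scripts. They are placeholders to confirm against your
# own telemetry, not values taken from the Microsoft report.
OA_PARENT_IMAGES = {"opcmona.exe", "ovcd.exe"}
# Script interpreters worth flagging when spawned by a management agent.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe"}
# Web roots in which a newly written .aspx file deserves a look.
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str
    internet_facing: bool


@dataclass(frozen=True)
class FileEvent:
    host: str
    writer_image: str  # process that wrote the file
    path: str


def script_spawned_by_agent(ev: ProcessEvent) -> bool:
    """True when a script interpreter was started by the management agent."""
    return (ev.parent_image.lower() in OA_PARENT_IMAGES
            and ev.image.lower() in SCRIPT_HOSTS)


def hunt_process_events(events):
    """Flag agent-launched scripts; internet-facing hosts get higher severity,
    mirroring where the web shells in the report were found."""
    findings = []
    for ev in events:
        if not script_spawned_by_agent(ev):
            continue
        findings.append({
            "rule": "script-host-spawned-by-management-agent",
            "host": ev.host,
            "severity": "high" if ev.internet_facing else "medium",
            "cmdline": ev.cmdline,
        })
    return findings


def hunt_file_events(events, allowed_writers):
    """Flag .aspx files written under a web root by any process other than the
    sanctioned deployment tools listed in allowed_writers."""
    findings = []
    for ev in events:
        path = ev.path.lower()
        if not path.endswith(".aspx"):
            continue
        if not any(path.startswith(root) for root in WEB_ROOTS):
            continue
        if ev.writer_image.lower() in allowed_writers:
            continue
        findings.append({
            "rule": "aspx-dropped-in-webroot",
            "host": ev.host,
            "writer": ev.writer_image,
            "path": ev.path,
        })
    return findings


# Constructed sample telemetry (hosts, paths and command lines are invented).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("srv-web-01", "opcmona.exe", "cscript.exe",
                 r"cscript.exe //nologo C:\Temp\maint.vbs", True),
    ProcessEvent("ws-it-07", "explorer.exe", "cscript.exe",
                 r"cscript.exe C:\Scripts\inventory.vbs", False),
    ProcessEvent("srv-app-02", "ovcd.exe", "powershell.exe",
                 r"powershell.exe -File C:\Temp\collect.ps1", False),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("srv-web-01", "cscript.exe", r"C:\inetpub\wwwroot\Errors.aspx"),
    FileEvent("srv-web-01", "msdeploy.exe", r"C:\inetpub\wwwroot\Default.aspx"),
]
# Assumption: msdeploy.exe is the only process expected to publish web content.
ALLOWED_WEB_WRITERS = {"msdeploy.exe"}

if __name__ == "__main__":
    for finding in (hunt_process_events(SAMPLE_PROCESS_EVENTS)
                    + hunt_file_events(SAMPLE_FILE_EVENTS, ALLOWED_WEB_WRITERS)):
        print(finding)
```

Run against the constructed events, the first rule raises a high-severity finding for the agent-launched VBScript on the internet-facing web server and a medium one for the internal application server, while the interactive cscript.exe run from explorer.exe on the workstation is ignored; the second rule reports only Errors.aspx, because Default.aspx was written by the allow-listed deployment tool. In a real environment the allow-list and the agent process names are the parts to tune, and the third-party provider's own sanctioned deployment windows are the natural baseline for deciding what "anomalous" means.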

Synthesized by Vypr AI