Open SesameOp: Abusing trusted AI platforms to host a C2 server

8 snips

Jan 14, 2026

Join threat experts Jonathan Checchi and Anna Seitz as they delve into the dangerous world of cloud-native ransomware. Jonathan explores how Storm-0501 has evolved its tactics, leveraging hybrid cloud environments to maximize impact. Meanwhile, Anna reveals the insidious SesameOp backdoor, which abuses trusted AI platforms for covert command-and-control operations. The conversation highlights the importance of monitoring identity behavior and implementing robust defenses like MFA to combat these sophisticated threats.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Ransomware Growing Up In The Cloud

Cloud-native ransomware uses cloud control planes and identity rather than traditional malware.
This expands attackers' impact radius across cloud and on-premise systems quickly.

ANECDOTE

Storm 0501's Evolution Timeline

Jonathan traces Storm 0501's evolution from Sabbath to BlackCat and cloud-native tactics.
The group shifted from on‑prem ransomware to exfiltrate-and-destroy cloud strategies in 2025.

INSIGHT

Hybrid Pivot Points Are High Value Targets

Hybrid cloud pivot points expose highly valuable, fragile on-prem systems to cloud-era attacks.
Attackers leverage identity to pivot between on‑prem and cloud for rapid, high-impact operations.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

To kick off Season 3 of Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Microsoft security researchers Anna Seitz and Jonathan Checchi.

Our guests examine two developments shaping today’s threat landscape: the cloud-native evolution of ransomware group Storm-0501 and the SesameOp backdoor’s abuse of trusted AI platforms for stealthy command-and-control. The discussion highlights how identity, hybrid-cloud pivot points, and federated authentication enable high-impact attacks without traditional malware, and why policy-compliant platform abuse is becoming harder to detect.

Sherrod, Anna, and Jonathan provide guidance for defenders around enforcing MFA, tightening conditional access and identity controls, monitoring across cloud and on-prem environments, and partnering with platform providers to disrupt emerging attacker tradecraft.

In this episode you’ll learn:

What happens when threat actors gain control of highly privileged identities

Why monitoring identity behavior is as critical as monitoring endpoints

How attacker tactics are adapting to environments that blend cloud and on-prem systems

Some questions we ask:

What does recent threat activity tell us about where the landscape is headed?

How is Storm-0501 using federated authentication in their operations?

What should security teams focus on as AI becomes more integrated into systems?

Resources:

View Anna Seitz on LinkedIn

View Sherrod DeGrippo on LinkedIn

Related Microsoft Podcasts:

Afternoon Cyber Tea with Ann Johnson

The BlueHat Podcast

Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Get the latest threat intelligence insights and guidance at Microsoft Security Insider

The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.