Detection strategies across cloud and identities against infiltrating IT workers
2026-04-21 • Microsoft
Microsoft describes how Jasper Sleet, a North Korea-aligned fraudulent IT worker operation, exploits remote hiring workflows to gain trusted organizational access. The actors use stolen or fabricated identities, AI-assisted personas, and job applications tailored to the advertised role to enter recruiting pipelines and, once hired, obtain legitimate accounts and access to SaaS data. Microsoft observed activity against Workday Recruiting Web Service endpoints from known actor infrastructure, including repeated access to the job posting, application, questionnaire, resume, and validation APIs. After onboarding, suspicious signals include Workday and payroll setup from actor-linked infrastructure, impossible-travel alerts, anonymous proxy use, and searches or downloads across Microsoft 365 services. The guidance emphasizes correlating HR SaaS, email, meeting, identity, and cloud-app telemetry so that security and HR teams can detect suspicious candidates before hire and suspicious accounts after it.
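The correlation the guidance calls for, joining pre-hire recruiting telemetry to post-hire identity and cloud-app activity, as an added example (not Microsoft's or Workday's code). The event records, the hire mapping and the indicator list are constructed for illustration; the field names, thresholds, the Workday path marker and the operation names are assumptions rather than vendor schemas.

```python
"""Correlate recruiting, identity and cloud-app telemetry for a suspicious hire.

Added example, not Microsoft's or Workday's code. The event records, the hire
mapping and the indicator list are constructed for illustration; field names,
thresholds, the Workday path marker and the operation names are assumptions,
not vendor schemas.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed indicators: documentation-range addresses, not real actor infrastructure.
ACTOR_LINKED_IPS = {"203.0.113.10", "198.51.100.7"}
RECRUITING_MARKER = "/Recruiting/"   # assumed marker for Workday Recruiting web-service paths
MAX_TRAVEL_KMH = 900.0               # assumed: faster than airline travel counts as impossible
BULK_DOWNLOAD_MIN = 100              # assumed: files per period that count as a bulk download

# Constructed HR record joining the pre-hire candidate id to the post-hire account;
# this join is what ties recruiting-pipeline telemetry to later sign-in activity.
HIRES = {"candidate-4471": "r.alvarez@contoso.example"}

# Constructed telemetry from three sources, already normalised to one record shape.
EVENTS = [
    # Pre-hire: recruiting web-service calls from actor-linked infrastructure
    {"src": "workday", "ts": "2026-03-02T09:10:00", "who": "candidate-4471", "ip": "203.0.113.10",
     "path": "/ccx/service/contoso/Recruiting/v43.0", "op": "Get_Job_Postings"},
    {"src": "workday", "ts": "2026-03-02T09:12:00", "who": "candidate-4471", "ip": "203.0.113.10",
     "path": "/ccx/service/contoso/Recruiting/v43.0", "op": "Put_Applicant"},
    {"src": "workday", "ts": "2026-03-02T09:15:00", "who": "candidate-4471", "ip": "203.0.113.10",
     "path": "/ccx/service/contoso/Recruiting/v43.0", "op": "Get_Questionnaires"},
    # Post-hire: sign-ins from two continents 90 minutes apart, the second via an anonymiser
    {"src": "signin", "ts": "2026-03-20T08:00:00", "who": "r.alvarez@contoso.example",
     "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0, "anon_proxy": False},
    {"src": "signin", "ts": "2026-03-20T09:30:00", "who": "r.alvarez@contoso.example",
     "ip": "192.0.2.44", "lat": 37.5, "lon": 127.0, "anon_proxy": True},
    # Post-hire: bulk search and download across Microsoft 365
    {"src": "m365", "ts": "2026-03-20T09:45:00", "who": "r.alvarez@contoso.example",
     "op": "SearchQueryInitiated", "count": 40},
    {"src": "m365", "ts": "2026-03-20T10:05:00", "who": "r.alvarez@contoso.example",
     "op": "FileDownloaded", "count": 312},
    # Benign control user: same office all day, a handful of downloads
    {"src": "signin", "ts": "2026-03-20T08:00:00", "who": "j.doe@contoso.example",
     "ip": "192.0.2.5", "lat": 47.6, "lon": -122.3, "anon_proxy": False},
    {"src": "signin", "ts": "2026-03-20T17:00:00", "who": "j.doe@contoso.example",
     "ip": "192.0.2.5", "lat": 47.6, "lon": -122.3, "anon_proxy": False},
    {"src": "m365", "ts": "2026-03-20T11:00:00", "who": "j.doe@contoso.example",
     "op": "FileDownloaded", "count": 3},
]


def resolve(event):
    """Map a candidate id to the account it became; other subjects pass through."""
    return HIRES.get(event["who"], event["who"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(signins):
    """True if any two consecutive sign-ins imply travel faster than MAX_TRAVEL_KMH."""
    ordered = sorted(signins, key=lambda e: e["ts"])
    for a, b in zip(ordered, ordered[1:]):
        hours = (datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])).total_seconds() / 3600
        if haversine_km(a["lat"], a["lon"], b["lat"], b["lon"]) > MAX_TRAVEL_KMH * hours:
            return True
    return False


def correlate(events):
    """Group events per resolved identity and evaluate each detection signal."""
    by_identity = defaultdict(list)
    for e in events:
        by_identity[resolve(e)].append(e)
    findings = {}
    for who, evs in by_identity.items():
        workday = [e for e in evs if e["src"] == "workday"]
        signins = [e for e in evs if e["src"] == "signin"]
        m365 = [e for e in evs if e["src"] == "m365"]
        signals = {}
        ops = sorted({e["op"] for e in workday
                      if e["ip"] in ACTOR_LINKED_IPS and RECRUITING_MARKER in e["path"]})
        if ops:
            signals["recruiting_api_from_actor_infra"] = ops
        if any(e["ip"] in ACTOR_LINKED_IPS for e in signins):
            signals["signin_from_actor_infra"] = True
        if impossible_travel(signins):
            signals["impossible_travel"] = True
        if any(e["anon_proxy"] for e in signins):
            signals["anonymous_proxy"] = True
        downloads = sum(e["count"] for e in m365 if e["op"] == "FileDownloaded")
        if downloads >= BULK_DOWNLOAD_MIN:
            signals["bulk_m365_download"] = downloads
        findings[who] = signals
    return findings


def flag(events, min_signals=2):
    """Identities carrying at least min_signals independent signals, most first."""
    findings = correlate(events)
    hits = [w for w, s in findings.items() if len(s) >= min_signals]
    return sorted(hits, key=lambda w: -len(findings[w]))


if __name__ == "__main__":
    for who, signals in correlate(EVENTS).items():
        print(who, signals)
    print("flagged:", flag(EVENTS))
```

The `HIRES` join is the step most environments miss: recruiting logs are keyed by candidate id and sign-in logs by account, so without the HR record the pre-hire API activity never lands on the same row as the post-hire anomalies. Requiring two or more independent signals before flagging keeps a lone impossible-travel alert, which corporate VPN egress produces routinely, from paging anyone on its own.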