Azure Attacks Unpacked: Real-World Threats and Lessons Learned 🚀
In today’s rapidly evolving digital landscape, staying ahead of cyber threats is paramount. Aleksandra Drobnjak’s insightful session, “Azure Attacks Unpacked: Real-World Threats and Lessons Learned,” draws directly from the Microsoft Digital Defense Report (MDDR) 2025 to provide a practical, actionable guide to navigating the complexities of Azure security. This isn’t just a recap of a report; it’s a deep dive into how attackers are succeeding and what we can do to defend ourselves.
The Shifting Sands of Identity Attacks ⏳
While modern Multi-Factor Authentication (MFA) remains a powerful defense, reducing compromise risk by over 99%, attackers are not giving up on credentials. Astonishingly, over 97% of current identity attacks still rely on password spraying or brute-force attempts. However, the landscape is shifting. Attackers are increasingly exploiting authentication flows, tokens, sessions, trusted applications, and even user behavior. This signals a clear move from password attacks to identity and session abuse, an area where many environments are still playing catch-up.
Practical First Steps: What You Can Check Now 🛠️
Before diving deeper, let’s equip you with immediate actions:
- Account Brute Force Attempts: In Microsoft Defender for Cloud Apps, set up activity policies for unusual frequency of failed logins to trigger alerts or governance actions. Be aware that attackers are also employing slow password sprays to evade detection.
- Legacy Authentication: Monitor Azure AD sign-in logs and filter by client app to surface legacy authentication clients. In the Microsoft 365 admin center, navigate to Settings > Org Settings to verify whether basic authentication protocols (SMTP, POP3, IMAP) are still allowed.
- Conditional Access: Review the reporting status of policies blocking legacy authentication across Exchange, ActiveSync, and other clients in Azure AD.
- Geographic Restrictions: Consider blocking countries where your organization never conducts business.
- Unmanaged Devices: Limit activities from unmanaged or non-compliant devices after thorough testing.
- Sign-in Logs: Review sign-ins using legacy authentication in Azure AD monitoring and health workbooks.
Important Note: If you lack access to these settings, collaborate with your security team or consider a peer programming session. Always refer to the latest Microsoft documentation, as interfaces can change.
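The brute-force check in the first step above has a catch: a slow spray makes only one or two guesses per account, so a rule that counts failures per user never fires. The script below is an added example, not code from the session or the MDDR, that counts breadth across accounts instead; it assumes sign-in records with the field names shown (time, user, ip, errorCode) and uses Entra ID's real error code 50126 for a wrong password.

```python
"""Flag password-spray shapes in constructed Entra ID style sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real log data. errorCode 50126 is
# Entra ID's "invalid username or password"; 0 is a successful sign-in.
SAMPLE_SIGNINS = [
    {"time": "2025-03-01T02:00:00", "user": "alice@contoso.example", "ip": "203.0.113.7", "errorCode": 50126},
    {"time": "2025-03-01T04:10:00", "user": "bob@contoso.example", "ip": "203.0.113.7", "errorCode": 50126},
    {"time": "2025-03-01T06:20:00", "user": "carol@contoso.example", "ip": "203.0.113.7", "errorCode": 50126},
    {"time": "2025-03-01T09:30:00", "user": "dave@contoso.example", "ip": "203.0.113.7", "errorCode": 50126},
    {"time": "2025-03-01T12:40:00", "user": "erin@contoso.example", "ip": "203.0.113.7", "errorCode": 50126},
    {"time": "2025-03-01T15:50:00", "user": "frank@contoso.example", "ip": "203.0.113.7", "errorCode": 0},
    # One user mistyping a password twice from the office network: not a spray.
    {"time": "2025-03-01T08:00:00", "user": "alice@contoso.example", "ip": "198.51.100.2", "errorCode": 50126},
    {"time": "2025-03-01T08:01:00", "user": "alice@contoso.example", "ip": "198.51.100.2", "errorCode": 50126},
]


def detect_password_spray(events, window_hours=24, min_users=5, max_per_user=3):
    """Return one alert per source IP whose failed sign-ins touch at least
    `min_users` distinct accounts inside `window_hours`, with no account
    tried more than `max_per_user` times (few guesses, many accounts).
    A slow spray of one guess every few hours still matches, because the
    rule measures breadth across accounts rather than attempts per minute."""
    window = timedelta(hours=window_hours)
    failures = defaultdict(list)
    for e in events:
        if e["errorCode"] == 50126:
            failures[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            attempts = defaultdict(int)
            for t, user in fails[i:]:
                if t - start <= window:
                    attempts[user] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                # A success from the same IP turns an attempt into a probable compromise.
                hits = sorted({e["user"] for e in events if e["ip"] == ip and e["errorCode"] == 0})
                alerts.append({"ip": ip, "targeted_users": len(attempts), "successes": hits})
                break
    return alerts
```

The thresholds are starting points; tune `min_users` and `window_hours` to your tenant's size and normal failure rate before wiring the output to an alert.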
Beyond Password Spraying: Novel Attack Vectors 👾
The MDDR highlights an ever-growing array of novel attack paths, especially in hybrid environments where on-premises and cloud identities intersect. We’ll explore 10 real-world techniques, from social engineering to cloud-native post-exploitation.
1. Phishing in Collaboration Tools: The Internal Deception 🎣
Email phishing is well-known, but attackers are now leveraging collaboration tools like Microsoft Teams where messages feel more internal and trusted. They might start with email bombing to create chaos, then follow up on Teams or even with a call, impersonating IT support for a “quick fix.” This can lead to users being guided to start a Windows Quick Assist session, download malicious tools, or click on links, granting attackers local user access.
Defense:
- Control Exposure: Limit external Teams communication and monitor for impersonation.
- Educate Users: Emphasize that IT will never ask for Quick Assist sessions or tool installations via Teams.
- Secure Messaging: Enable reporting of suspicious messages and calls within Teams, and ensure messages are scanned for unsafe links.
- Limit Approved Software: Restrict the use of remote monitoring and management (RMM) tools to only approved ones.
2. ClickFix: The “Problem Solvers” 🖱️
This social engineering tactic presents a fake error or issue, then guides users to resolve it by pasting obfuscated commands into the Windows Run window (Win+R). These commands, often executed via PowerShell or cmd, download and run malicious payloads directly into memory, making them fileless and harder to detect. Attackers exploit the human desire to fix problems quickly.
Defense:
- User Awareness: Train users that copying and pasting commands from unknown sources is as risky as clicking malicious links.
- Technical Controls: Implement constrained language mode for PowerShell to limit abuse. Review startup and run applications.
- Environment Hardening: Use Microsoft Defender SmartScreen with Microsoft Edge to block access to malicious sites.
3. Attack Surface Exploitation: The Exposed Flaw 🌐
Attackers relentlessly scan the internet for public-facing vulnerabilities and misconfigurations. This includes unpatched applications, misconfigured instance metadata services, exposed API endpoints, and valid secrets in IDE extensions. The window between vulnerability disclosure and exploitation is shrinking rapidly.
Defense:
- Visibility and Inventory: Continuously discover and track all publicly accessible services, APIs, and storage accounts.
- Threat Modeling: Integrate threat modeling into pipelines, considering frameworks like Mozilla’s Risk Assessment (RA).
- Treat Misconfigurations Seriously: Address unauthenticated access, unencrypted data, and overly permissive configurations with the same urgency as known vulnerabilities.
- DevSecOps: Implement repeatable configurations, scan manifests, and harden image layers. Tools like Doly cube and Bench can help.
- Secrets Management: Use tools like Traff and Talisman to identify secrets in code and pipelines. Pin and verify third-party tools, pulling them into internally controlled registries.
- Runtime Monitoring: Utilize Microsoft Defender for Cloud for continuous visibility and threat detection.
- Backups: Maintain secure, isolated, “write-once, read-many” backups.
- Community Collaboration: Engage with bug bounty programs to leverage external security researchers.
4. Device Code Flow Phishing: The Legitimate-Looking Trap 📲
This attack bypasses traditional credential theft. Attackers initiate a login to a Microsoft account, request a device code, and trick the victim into entering this code on a seemingly legitimate Microsoft sign-in page. The victim completes MFA, believing they are signing in themselves, but unknowingly grants the attacker access and tokens.
Defense:
- Control Device Code Flow: If not needed, block or restrict its usage via Conditional Access.
- Monitor Sign-ins: Use Azure AD sign-in logs and risky sign-in reports to detect unusual device code authentication activity.
- Token-Based Detection: Look for anomalous token usage and unexpected device registrations.
- User Awareness: Educate users that receiving a code they didn’t initiate, especially for external invitations or support requests, is suspicious. The risk is approving a real login for someone else.
- Revoke and Reauthenticate: If compromise is suspected, revoke tokens and force reauthentication.
5. Session Hijacking: The Token Takeover 🔑
Once a user logs in, tokens (access, refresh, session cookies) are issued. These act as proof of authentication, allowing continued access without re-entering credentials or MFA. Attackers aim to steal these tokens to hijack active sessions.
How Attackers Get Tokens:
- Adversary-in-the-Middle (AitM): Techniques like evilginx capture session cookies after MFA.
- Info Stealers/Malware: These extract tokens from browser storage or memory.
- Web Vulnerabilities: Cross-site scripting (XSS) can read tokens, and Cross-Site Request Forgery (CSRF) can abuse authenticated sessions.
- Compromised Tools: Tokens can leak through pipelines and logs, or when hardcoded in configurations.
Defense:
- Conditional Access: Enforce authentication from compliant devices and trusted networks.
- Token Protection: Implement token binding to cryptographically tie tokens to a specific device.
- Continuous Access Evaluation (CAE): Reassess security posture during active sessions and revoke access if risk increases.
- Endpoint Hardening: Enable Credential Guard and LSA protection to make memory scraping harder.
- Detection: Monitor for session anomalies, such as the same session from different locations or unusual token usage.
- Revoke and Reauthenticate: If token compromise is suspected, revoke tokens and sign users out of all sessions.
6. Consent Phishing: The Permission Grab 🤝
Instead of credentials, attackers target user permissions. They register malicious applications in their own Azure tenant, request broad permissions (e.g., Mail.Read, Files.Read), and then use social engineering to trick users into granting these permissions via a legitimate-looking Microsoft consent screen. The application then gains API-level access, which persists even after password resets.
Defense:
- Visibility in Azure AD: Monitor audit logs for “Consent to application” events and other permission grants.
- Governance: Restrict application consent, limit permissions to low-risk scopes, and require admin approval for sensitive actions. Implement risk-based step-up consent.
- Continuous Review: Regularly audit existing applications and their permissions.
- Detection & Response: Utilize Microsoft Defender for Cloud Apps and App Governance to identify risky applications and behavior.
- Reporting: Report suspicious OAuth applications to the Microsoft Security Response Center (MSRC).
7. Temporary Access Pass (TAP) Abuse: The “Legitimate” Bypass 🎫
Temporary Access Passes (TAPs) are strong authentication methods designed for onboarding or recovery. However, if an attacker impersonates a user and convinces the help desk to issue a TAP, they bypass the entire authentication chain without needing credentials or MFA.
Defense:
- Scope TAPs Tightly: Disable TAPs if not needed, or limit them to specific users/scenarios with short lifetimes and one-time use.
- Secure Service Desk Processes: Implement strong identity verification at the help desk.
8. One-Time Passcodes (OTPs) and SIM Swapping: The “Verified” Compromise 📞
SMS-based OTPs are still widely used but susceptible to SIM swapping, where an attacker takes over a user’s phone number and receives all SMS messages, including OTPs. Even time-based OTPs can be compromised through MFA fatigue or phishing.
Defense:
- Reduce Reliance on Weak OTPs: SMS OTPs should not be considered strong authentication. Migrate to phishing-resistant methods.
- Monitor Authentication Behavior: Look for unusual OTP requests or repeated MFA prompts.
- User Awareness: Users must understand that OTPs are credentials. If someone asks for a code they didn’t initiate, it’s an attack.
- SIM Swap Prevention: While difficult for end-users to control, be aware of the risks. Some mobile carriers have implemented additional verification steps.
9. Workload Identity Compromise: The Non-Human Threat 🤖
Modern environments rely heavily on non-human identities (applications, services, scripts) for automation. These identities often have high privileges and cannot perform MFA, making them prime targets. Compromising a workload identity allows attackers to act as a trusted service within Azure.
Defense:
- Visibility: Inventory all workload identities, service principals, managed identities, and their permissions.
- Least Privilege: Limit permissions to exactly what is required.
- Secure Credentials: Store secrets securely, rotate them regularly, and never hardcode them.
- Conditional Access for Workloads: Monitor sign-ins for anomalies like unusual locations or API usage. Leverage Azure AD Identity Protection for workload identity detection.
10. Location Proximity and MFA Fatigue: The Blended Attack 📍
Attackers use location proximity emulation (proxies, VPNs, compromised routers) to make their login attempts appear close to the legitimate user. Combined with MFA fatigue, where they repeatedly trigger MFA prompts until the user approves one out of exhaustion or confusion, this becomes a potent attack.
Defense:
- Conditional Access Policies: Evaluate sign-in risk, device compliance, and behavioral patterns.
- Prevent Blind MFA Approvals: Use number matching or similar features to ensure users know what they are approving.
- Monitor Patterns: Look for repeated MFA prompts, unusual sign-in locations, and spikes in authentication attempts.
- Plan for Failure: Implement “break glass” accounts and ensure diverse MFA methods for administrators to prevent lockouts.
- Personal Accounts: Add email aliases as primary sign-in identities and consider disabling passwordless sign-in to reduce MFA bombing exposure.
Post-Exploitation: Living Off the Land and Staying Invisible 👻
Once attackers gain access, their goal is control, persistence, and invisibility. They often leverage legitimate tools and built-in features, a concept known as “living off the land.”
- Azure Run Command: Allows attackers to execute PowerShell or shell commands directly on VMs without dropping obvious malware.
- Frameworks: Tools like Cobalt Strike, Impacket, Sliver, and Brute Ratel mimic legitimate protocols and traffic to evade detection.
- Dynamic Group Manipulation: Attackers may alter group memberships or audit logs to weaken visibility.
- RMM Tool Abuse: Legitimate remote management tools are weaponized for persistence.
- Info Stealers: Malware families like Lumma, RedLine, and Raccoon Stealer are now used for initial access, harvesting credentials and tokens early on.
Defense:
- Behavioral Detection: Shift from signature-based detection to monitoring for unusual activities like unexpected script execution, credential access patterns, and outbound tunneling.
- Activity Logs: Monitor operations like run command, role assignments, and service principal changes.
- Application Control: Allow only approved tools to run and enforce up-to-date endpoint protection.
- Endpoint Hardening: Features like Core Isolation protect against credential theft.
- Reduce “Living Off the Land”: Monitor and restrict the use of built-in tools like PowerShell and WMI.
- Secure Backups: Ensure isolated, tested backups and protected logs to prevent tampering.
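The “Activity Logs” item above names two operations worth watching: Run Command and role assignments. The script below is an added example, not code from the session or the MDDR, that triages constructed Azure Activity Log records for exactly those two. The operation names and the built-in Owner role definition id are real; the callers, resource paths and the `expected_runcmd_callers` allow-list are assumptions you would replace with your own automation identities.

```python
"""Triage constructed Azure Activity Log records for two post-exploitation
signals named above: VM Run Command and role assignment writes."""

# Operation names exactly as the Azure Activity Log records them.
WATCHED_OPERATIONS = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "vm_run_command",
    "Microsoft.Authorization/roleAssignments/write": "role_assignment",
}
# Built-in Owner role definition id; it is the same in every subscription.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Constructed sample events, not real data. Paths are shortened placeholders.
SAMPLE_ACTIVITY = [
    {"caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/read",
     "resourceId": "/subscriptions/sub1/rg-web/vm-web01", "properties": {}},
    {"caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": "/subscriptions/sub1/rg-web/vm-web01", "properties": {}},
    {"caller": "automation-mi", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": "/subscriptions/sub1/rg-web/vm-web02", "properties": {}},
    {"caller": "svc-deploy", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/sub1/roleAssignments/ra-1",
     "properties": {"roleDefinitionId": "/roleDefinitions/" + OWNER_ROLE_ID, "principalId": "p-777"}},
    {"caller": "admin@contoso.example", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/sub1/roleAssignments/ra-2",
     "properties": {"roleDefinitionId": "/roleDefinitions/reader-id-placeholder", "principalId": "p-12"}},
]


def triage_activity(events, expected_runcmd_callers=frozenset()):
    """Return findings for watched operations, highest severity first.
    Run Command is expected only from identities in `expected_runcmd_callers`;
    any other caller, and any assignment of the Owner role, is high severity.
    Other role writes are medium; expected Run Command use is low."""
    findings = []
    for e in events:
        kind = WATCHED_OPERATIONS.get(e["operationName"])
        if kind is None:
            continue
        if kind == "vm_run_command":
            sev = "low" if e["caller"] in expected_runcmd_callers else "high"
        else:
            role = e["properties"].get("roleDefinitionId", "")
            sev = "high" if role.endswith(OWNER_ROLE_ID) else "medium"
        findings.append({"severity": sev, "kind": kind, "caller": e["caller"],
                         "resource": e["resourceId"]})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])  # stable: input order within a level
    return findings
```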
The Core Takeaway: Trust is the New Target 🎯
Across all these attack vectors, a clear pattern emerges: attackers are not breaking authentication; they are abusing legitimate flows, trusted services, and built-in functionality. The focus must shift from just protecting passwords to understanding and securing how trust is established and maintained within your environment.
Top Three Focus Areas:
- Reduce Unnecessary Exposure: Disable legacy authentication, restrict risky flows like device code, and apply least privilege across all identities.
- Monitor Behavior, Not Just Logins: Analyze post-authentication activity, token usage, API activity, and changes in roles and permissions. Plan and automate response actions.
- Prepare for Persistence and Resilience: Assume breaches will happen. Protect logs, maintain isolated backups, and have strategies to prevent account lockouts.
Staying Current: Regularly consult the Microsoft Digital Defense Report, threat intelligence podcasts, and security RSS feeds. Engage with the security community and report suspicious activity to improve defenses for everyone.
By understanding these evolving threats and implementing robust, layered defenses, we can build more resilient Azure environments and stay one step ahead of the attackers.