Malicious Execution Methods in Azure Security

Adversaries are watching. Are you ready? Azure OpenAI from an Attacker's Perspective. As defenders strengthen their cloud defenses, adversaries analyze the same architectures to find gaps to exploit. Let’s take a quick look at Azure OpenAI Service—a goldmine for both innovation and potential missteps. What Stands Out for an Attacker? 1️⃣ Data Residency & Isolation: While data remains customer controlled and maybe double encrypted, attackers might target storage misconfigurations in the Assistants / Batch services, where prompts and completions reside temporarily. Weak RBAC configurations could expose sensitive files and logs stored in these areas. 2️⃣ Sandboxed Code Interpreter: The isolated environment ensures secure code execution, but attackers might attempt to exploit vulnerabilities in sandbox boundaries or inject malicious payloads to gain access to sensitive data during runtime. 3️⃣ Asynchronous Abuse Monitoring: It is a critical component for detecting misuse but also a potential data-retention bottleneck. Attackers may target monitoring APIs or exploit the X day retention to obscure their tracks or hijack historical prompts for sensitive insights. 4️⃣ Fine Tuning Workflows: Customers love the exclusivity of fine-tuned models, but attackers could leverage phishing attacks to hijack API keys or access fine-tuning data that resides in storage. Compromising a fine-tuned model could reveal proprietary insights or customer IP. 5️⃣ Batch API Vulnerabilities: With batch processing in preview, this could be a point of weakness for bulk data manipulation attacks or injection-based techniques. Monitoring batch jobs for anomalies is crucial. As enterprises adopt Azure OpenAI Service to supercharge their operations, it is critical to stay ahead of evolving attacker techniques. Every layer of this architecture—from encrypted storage to sandboxed environments—presents opportunities and challenges. For defenders, understanding these risks is the first step in hardening the fortress. #security #artificialintelligence #cloudsecurity

When attackers stop targeting your system and start targeting the content it trusts, design flaws surface fast. CVE-2026-2256 in ModelScope’s MS-Agent framework is a direct example. Six regex-based denylist filters were placed in front of a Shell tool that could execute OS commands. All six were bypassed. Not by breaking the operating system. Not by defeating authentication. The attacker embedded malicious instructions inside documents, logs, and research inputs the system was already configured to process. The system followed its rules. The rules were the problem. This pattern shows up repeatedly in enterprise deployments. A filter gets added. A scanner gets inserted. A policy gets written. The underlying assumption stays intact. Denylist filtering assumes you can define danger in advance. That assumption fails once untrusted content can trigger execution. The effective attack surface becomes any content the system can read and act on. At the time of writing, there is no confirmed vendor patch. But the larger issue is not one framework. It is architectural repetition. Two assumptions tend to drive current deployments: 1. The model will interpret intent correctly and avoid harmful actions. 2. A filtering layer in front of tool invocation provides sufficient control. Neither holds under adversarial pressure. Security cannot sit on top of behavior. It has to define the boundaries of capability. That means: Explicit allowlists for tool invocation. Strict least-privilege execution contexts. Independent validation of every state-changing action. Input inspection alone does not control execution. If you are running execution-enabled systems in production, review three areas this week: • Inventory every tool that can be invoked. Confirm explicit allowlisting. • Verify processes run under tightly scoped accounts with minimal permissions. • Map all ingestion paths that can influence execution. Any system that can execute commands inside your infrastructure is a privileged component. Treat it that way. Execution authority is expanding faster than constraint design.

This is a new one, an infection chain calling itself a human verification step, but ultimately leading to a ZIP download containing a malicious “voicemessage” batch-file dropper. We recently handled a case where a user downloaded a ZIP from the payload delivery lure page hxxps[://]victoria-horizon-studios-ocean[.]trycloudflare[.]com/voicemail/436573/download?evenbright. The included batch file, voicemessage_expir\.bat, used basic string obfuscation to hide its actual PowerShell command lines and then wrote several staging files into %LOCALAPPDATA%\Temp, including a VBS script and PowerShell content with random filenames. These stagers eventually executed a more sophisticated backdoor running inside a hidden PowerShell window in an infinite loop, with a random delay between 5 and 15 seconds to reduce pattern visibility. Commands were delivered over WebSocket messages from the C2, received as JSON, and executed via powershell\.exe -NoProfile -NonInteractive -Command "& { <command> }". The backdoor returned stdout and stderr inside an AES-encrypted envelope, after an ECDH key exchange. Prevention in strictly controlled environments can include blocking the download of certain file types that commonly serve as script carriers, as well as preventing the execution of untrusted batch, VBS, or PowerShell content through application control. Restricting or disabling script interpreters in environments where they are not needed also significantly reduces exposure. From a detection and threat-hunting angle, useful signals include batch execution from unusual paths such as Downloads, PHP or VBS files being written into the Temp directory, VBS execution events, PowerShell being spawned by cscript\.exe after appropriate baselining, and PowerShell invoking unexpected file types such as \.php. Happy hunting. #ThreatIntel #ThreatHunting #Infostealer #CyberSecurity #MalwareAnalysis #DFIR #IncidentResponse

A critical security flaw has been discovered in certain Azure Active Directory (AAD) setups where appsettings.json files—meant for internal application configuration—have been inadvertently published in publicly accessible areas. These files include sensitive credentials: ClientId and ClientSecret Why it’s dangerous: 1. With these exposed credentials, an attacker can: 2. Authenticate via Microsoft’s OAuth 2.0 Client Credentials Flow 3. Generate valid access tokens 4. Impersonate legitimate applications 5. Access Microsoft Graph APIs to enumerate users, groups, and directory roles (especially when applications are granted high permissions like Directory.Read.All or Mail.Read) Potential damage: Unauthorized access or data harvesting from SharePoint, OneDrive, Exchange Online Deployment of malicious applications under existing trusted app identities Escalation to full access across Microsoft 365 tenants Suggested Mitigations Immediately review and remove any publicly exposed configuration files (e.g., appsettings.json containing AAD credentials). Secure application secrets using secret management tools like Azure Key Vault or environment-based configuration. Audit permissions granted to AAD applications—minimize scope and avoid overly permissive roles. Monitor tenant activity and access via Microsoft Graph to detect unauthorized app access or impersonation. https://lnkd.in/e3CZ9Whx

A single local admin can now compromise your entire Azure tenant. This is the reality of CVE-2026-20965 in Windows Admin Center. The flaw was in the Azure SSO implementation. Improper token validation collapsed all security boundaries. Here’s how it worked: • An attacker with local admin on one WAC-managed VM could dump its certificate. • They could then capture a legitimate admin's token. • By forging a Proof-of-Possession PoP token, they could target any other machine in the tenant. • This enabled Remote Code Execution RCE and lateral movement across subscriptions. The core failure? The `WAC.CheckAccess` token was unscoped. It granted tenant-wide access once validated. Microsoft has patched it in Windows Admin Center Azure Extension v0.70.00. If you haven't updated, you are exposed. This vulnerability turns a single machine breach into a tenant-wide compromise . How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below. #Azure #Vulnerability

Everyone’s talking about MCP. No one’s talking about how it connects attackers to your systems. MCP acts as a bridge between an LLM and APIs, file systems, or other tools. But that bridge can open entirely new attack vectors that bypass traditional security controls. Key risks to watch for: 1. Remote Code Execution (RCE) via Command Injection If an MCP tool concatenates user input directly into a shell command (os.system(f"convert {filepath} ...")), attackers can append extra commands like "image.jpg; cat /etc/passwd". The shell treats the semicolon as a separator and executes both commands. Impact: Full system compromise, data theft, or lateral movement across the network. 2. Data Exfiltration via Prompt Injection Attackers can hide malicious instructions inside MCP tool metadata (e.g., its description). When passed to the LLM as trusted context, it executes them, for example, sending conversation history to a malicious URL. Impact: Stealthy data leakage that bypasses application-layer defences. 3. Privilege Escalation via Leaked Tokens MCP servers often store OAuth tokens or API keys for third-party services. If an attacker exploits RCE or path traversal, they can read these secrets from memory, environment variables, or insecure config files. Impact: Ability to impersonate the AI tool or its users, with full access to connected systems. 4. Man-in-the-Middle via Server Spoofing Without enforced mutual TLS and host verification, an attacker can spin up a rogue MCP server, intercepting and manipulating all traffic between agents and the real server. Impact: Loss of confidentiality and integrity for all queries, responses, and sensitive data. 5. Supply Chain Attacks on MCP Libraries Compromising a popular open-source MCP library (PyPI, npm) allows malicious code to spread to every system that uses it. This code may stay dormant until triggered, then deploy ransomware or exfiltrate credentials. Impact: A single poisoned dependency can cause widespread, hard-to-trace breaches. Securing MCP in production: ↳ Treat MCP as a critical attack surface: threat-model every endpoint, tool, and context object. ↳ Implement Zero Trust: strict authentication & authorization for all agent and tool calls. ↳ Enforce least privilege: Only give tools the minimum permissions they require, and audit regularly. ↳ Validate and sanitize all inputs: Avoid passing raw user data to system shells. ↳ Harden the supply chain: Verify MCP dependencies, pin versions, and scan continuously. ↳ Mandate mTLS for all AI agent ↔ MCP server communication. ↳ Maintain immutable logs and continuous monitoring for anomaly detection. MCP’s utility is undeniable, but without proactive security engineering, it’s a ready-made entry point for attackers. Over to you: Have you seen any security failures with MCPs in your setup? ♻️ Found this useful? Repost to help others upskill!

I’ve been told I have a knack for sniffing out 𝗗𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝗰𝘆 𝗖𝗼𝗻𝗳𝘂𝘀𝗶𝗼𝗻 bugs... And recently, that instinct led me to a Critical Vulnerability in Microsoft’s production infrastructure. By analyzing HAR files and reverse-engineering the build traffic, I claimed an internal package and achieved confirmed 𝗥𝗲𝗺𝗼𝘁𝗲 𝗖𝗼𝗱𝗲 𝗘𝘅𝗲𝗰𝘂𝘁𝗶𝗼𝗻 (𝗥𝗖𝗘) inside their Azure build agents. 𝗛𝗲𝗿𝗲 𝗶𝘀 𝘁𝗵𝗲 𝗶𝗻𝘁𝗲𝗿𝗲𝘀𝘁𝗶𝗻�� 𝗽𝗮𝗿𝘁: Microsoft Security Response Center resolved this quickly and awarded a bounty (kudos to the team for the 21-minute triage!)... However, the classification was "𝗦𝗽𝗼𝗼𝗳𝗶𝗻𝗴" (𝗜𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁) rather than "𝗥𝗖𝗘" (𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹). 𝗧𝗵𝗲 𝗟𝗼𝗴𝗶𝗰: Since the entry point is "spoofing" an internal library identity, the bug class dictates the severity... 𝗧𝗵𝗲 𝗥𝗲𝗮𝗹𝗶𝘁𝘆: I had code execution on the build pipeline. From there, I could dump secrets or poison the supply chain. It raises a question for us as an industry: 𝗦𝗵𝗼𝘂𝗹𝗱 𝘀𝗲𝘃𝗲𝗿𝗶𝘁𝘆 𝗯𝗲 𝗯𝗮𝘀𝗲𝗱 𝗼𝗻 𝘁𝗵𝗲 𝗧𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲 (𝗦𝗽𝗼𝗼𝗳𝗶𝗻𝗴) 𝗼𝗿 𝘁𝗵𝗲 𝗜𝗺𝗽𝗮𝗰𝘁 (𝗥𝗖𝗘)? I wrote a detailed engineering breakdown of how I built the automation to find this. 𝗥𝗲𝗮𝗱 𝘁𝗵𝗲 𝗳𝘂𝗹𝗹 𝗰𝗮𝘀𝗲 𝘀𝘁𝘂𝗱𝘆: https://lnkd.in/g2ASXf4Y Curious to hear thoughts from other Red Teamers and Triage engineers. #CyberSecurity #BugBounty #SupplyChainSecurity #Microsoft #RCE #Infosec #MSRC

��️ I created four new #KQL #detection rules that flag potential lateral movement to Virtual Machines using Azure Custom Script Extension or Run Commands. These can be used as a detective control against compromised cloud admin accounts that use these features to deploy malicious processes on Virtual Machine via the #Azure control plane. 👉 Detect Custom Script or Run Command deployment by risky user 👉 Detect executable drops via Azure custom script extension 👉 Detect first time Azure Custom Script or Run Command deployment 👉 Detect process drops via Azure Custom Script Extension performing lateral movement 🔎 Link to the rules can be found in the comments. #DefenderXDR #MicrosoftSentinel #Kusto

🛡️ Chinese hackers use Visual Studio Code tunnels for remote access. Because traffic to VSCode tunnels is routed through Microsoft Azure and all involved executables are signed, there's nothing in the process to raise alarms by security tools. As the technique might be getting traction, defenders are advised to monitor for suspicious VSCode launches, limit the use of remote tunnels to authorized personnel, and use allowlisting to block the execution of portable files like code.exe. Finally, it's advisable to inspect Windows services for the presence of 'code.exe,' and look for unexpected outbound connections to domains like *.devtunnels.ms in network logs. https://lnkd.in/gAvKE4ts