Adversaries are watching. Are you ready?

Azure OpenAI from an Attacker's Perspective.

As defenders strengthen their cloud defenses, adversaries analyze the same architectures to find gaps to exploit. Let’s take a quick look at Azure OpenAI Service—a goldmine for both innovation and potential missteps.

What Stands Out for an Attacker?

1️⃣ Data Residency & Isolation: While data remains customer controlled and may be double encrypted, attackers might target storage misconfigurations in the Assistants / Batch services, where prompts and completions reside temporarily. Weak RBAC configurations could expose sensitive files and logs stored in these areas.

2️⃣ Sandboxed Code Interpreter: The isolated environment ensures secure code execution, but attackers might attempt to exploit vulnerabilities in sandbox boundaries or inject malicious payloads to gain access to sensitive data during runtime.

3️⃣ Asynchronous Abuse Monitoring: It is a critical component for detecting misuse but also a potential data-retention bottleneck. Attackers may target monitoring APIs or exploit the X day retention to obscure their tracks or hijack historical prompts for sensitive insights.

4️⃣ Fine Tuning Workflows: Customers love the exclusivity of fine-tuned models, but attackers could leverage phishing attacks to hijack API keys or access fine-tuning data that resides in storage. Compromising a fine-tuned model could reveal proprietary insights or customer IP.

5️⃣ Batch API Vulnerabilities: With batch processing in preview, this could be a point of weakness for bulk data manipulation attacks or injection-based techniques. Monitoring batch jobs for anomalies is crucial.

As enterprises adopt Azure OpenAI Service to supercharge their operations, it is critical to stay ahead of evolving attacker techniques. Every layer of this architecture—from encrypted storage to sandboxed environments—presents opportunities and challenges.
For defenders, understanding these risks is the first step in hardening the fortress. #security #artificialintelligence #cloudsecurity
Malicious Execution Methods in Azure Security
Summary
Malicious execution methods in Azure security refer to techniques attackers use to run harmful code or gain unauthorized access within Microsoft's cloud services. These methods can exploit vulnerabilities in authentication, misconfigured settings, or third-party integrations to compromise sensitive data and disrupt operations.
- Review permissions: Regularly check and update third-party app permissions in Azure to prevent unauthorized access to sensitive resources.
- Monitor activity: Set up alerts for unusual login attempts, suspicious command activity, and tampering with endpoint defenses to catch potential threats early.
- Apply updates: Keep all Azure extensions and connected tools patched to close known vulnerabilities that attackers might exploit for tenant-wide breaches.
-
🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication.

The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads.

The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require("node-ipc"), not through a postinstall script. Here’s what it does:

- Fingerprints the host (OS, arch, hostname, uname)
- Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more)
- Dumps the entire process.env, capturing every CI secret and cloud credential in memory
- Builds a gzip archive in a temp directory
- Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain)

The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively.

The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require("node-ipc").__ntRun() can trigger a second collection/exfiltration cycle.

ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are.

This is the same package involved in the 2022 protestware incident. It has a history.

If you use node-ipc:

- Do not install 9.1.6, 9.2.3, or 12.0.1
- Audit your lockfiles for these versions
- If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately.
- Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs
- Check for temp files matching <tmp>/nt-<pid>/<machineHex>.tar.gz

Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector.

Developing story. Full technical breakdown and IOCs on the Socket blog: https://lnkd.in/dZfd6Nj2
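The lockfile audit recommended in the post above can be scripted. The following is an added example, not part of the original post and not Socket's tooling; the function names and the sample lockfile are constructed for illustration. It covers both the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1, including aliased installs.

```javascript
// Added example: find the node-ipc releases named in the post in a parsed package-lock.json.
const BAD_VERSIONS = new Set(["9.1.6", "9.2.3", "12.0.1"]); // versions from the post

// v1 lockfiles record an npm alias as version "npm:<real-name>@<version>".
function resolve(name, version) {
  const alias = /^npm:(.+)@([^@]+)$/.exec(version || "");
  return alias ? { name: alias[1], version: alias[2] } : { name, version };
}

// Returns [{ path, version }] for every install path holding a listed version.
function findCompromised(lock) {
  const hits = new Map(); // keyed by install path, so v2's mirrored trees dedupe
  const check = (path, name, version) => {
    const pkg = resolve(name, version);
    if (pkg.name === "node-ipc" && BAD_VERSIONS.has(pkg.version)) {
      hits.set(path, { path, version: pkg.version });
    }
  };
  // lockfileVersion 2/3: flat map keyed by install path; "name" appears only for aliases.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(path, meta.name || path.split("node_modules/").pop(), meta.version);
  }
  // lockfileVersion 1 (mirrored in v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      check(path, name, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample: a direct pin, a transitive copy, two aliases, and a clean version.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/tool/node_modules/node-ipc": { version: "12.0.1" },
    "node_modules/ipc-old": { name: "node-ipc", version: "9.1.6" },
    "node_modules/other/node_modules/node-ipc": { version: "9.2.1" },
  },
  dependencies: {
    "node-ipc": { version: "9.2.3" },
    legacy: { version: "1.0.0", dependencies: { "ipc-alias": { version: "npm:node-ipc@9.1.6" } } },
  },
};
```

To audit a real project, pass `findCompromised` the result of `JSON.parse` on the contents of its `package-lock.json`; any non-empty result means a listed version is pinned.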
-
A single local admin can now compromise your entire Azure tenant. This is the reality of CVE-2026-20965 in Windows Admin Center.

The flaw was in the Azure SSO implementation. Improper token validation collapsed all security boundaries. Here’s how it worked:

- An attacker with local admin on one WAC-managed VM could dump its certificate.
- They could then capture a legitimate admin's token.
- By forging a Proof-of-Possession (PoP) token, they could target any other machine in the tenant.
- This enabled Remote Code Execution (RCE) and lateral movement across subscriptions.

The core failure? The `WAC.CheckAccess` token was unscoped. It granted tenant-wide access once validated.

Microsoft has patched it in Windows Admin Center Azure Extension v0.70.00. If you haven't updated, you are exposed. This vulnerability turns a single machine breach into a tenant-wide compromise.

How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below.

#Azure #Vulnerability
-
Attackers are bypassing MFA and weaponizing admin consent at scale with ConsentFix v3, a tool that automates the entire OAuth attack chain against Azure environments.

This new variant targets Microsoft 365 and Azure AD by tricking users into granting permissions to malicious third-party apps. Once approved, attackers gain persistent, hard-to-detect access to email, files, and APIs, no passwords or MFA bypass required. The automation makes it faster and harder to spot than traditional phishing.

1. Audit existing OAuth grants: review all third-party app permissions in Entra ID (Azure AD) (include in SIEM).
2. Enforce admin consent: disable user consent for apps requiring high-risk permissions.
3. Implement Conditional Access policies: block untrusted apps and require device compliance.
4. Enable OAuth app governance: use Microsoft Defender for Cloud Apps to detect anomalous app activity.

#OAuthSecurity #EntraID #ConsentPhishing #CloudSecurity #AzureAD
-
Imagine: An agentic workflow just got hijacked in your org, and the user has no idea.

In previous experiments, we’ve shared how agentic systems can be compromised via prompt injection and covert code execution by malicious users:

💥 Exploit 1: Workflow override via prompt injection
A benign-looking prompt with a hidden override message and injected fields (execution_mode & verbatim_output_payload) bypassed schema checks and hijacked the workflow.

💥 Exploit 2: Covert code execution via delayed injection
A disguised Python script passed through the system as a “diagnostic task,” then executed via shared memory - silently leaking .env credentials.

This time, we looked at something new: What happens when the user is innocent… but the data isn't?

💥 Exploit 3: Compromise via trusted content
We show how malicious instructions hidden in trusted content (e.g., HTML from a web page) can propagate through shared memory and trigger a full compromise.

- The user simply asks a question
- The system leaks sensitive files behind the scenes

Fixes include: prompt hardening, strict schema enforcement and external data sanitization.

Securing agentic AI means validating both external inputs and internal message flows between agents.

👉 The full breakdown, and steps to defend against all 3 exploits, are in our latest report. https://lnkd.in/dy9EJq6f
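The "strict schema enforcement" fix named in the post above, as an added example that is not part of the original post or the linked report. The message schema (`task_id`, `query`, `max_results`), the function names and the lenient check it is contrasted with are hypothetical; only the two injected field names come from the post.

```javascript
// Added example: lenient vs. strict validation of an inter-agent task message.
// Hypothetical schema: each allowed field maps to a type and range check.
const TASK_SCHEMA = {
  task_id: (v) => typeof v === "string" && /^[a-z0-9-]{1,64}$/.test(v),
  query: (v) => typeof v === "string" && v.length <= 2000,
  max_results: (v) => Number.isInteger(v) && v >= 1 && v <= 50,
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Lenient: only confirms the required keys exist, so extra keys ride along
// to whichever downstream agent happens to read them.
function lenientValidate(msg) {
  return Object.keys(TASK_SCHEMA).every((key) => has(msg, key));
}

// Strict: must be a plain object, with no unknown keys, and every value
// must pass its check. Returns a list of violations; empty means forward.
function strictValidate(msg) {
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return ["message is not an object"];
  }
  const errors = [];
  for (const key of Object.keys(msg)) {
    if (!has(TASK_SCHEMA, key)) errors.push(`unknown field: ${key}`);
  }
  for (const [key, ok] of Object.entries(TASK_SCHEMA)) {
    if (!has(msg, key)) errors.push(`missing field: ${key}`);
    else if (!ok(msg[key])) errors.push(`invalid value: ${key}`);
  }
  return errors;
}

// Constructed message carrying the two injected fields named in the post.
const INJECTED = {
  task_id: "t-1",
  query: "summarize the report",
  max_results: 5,
  execution_mode: "override",
  verbatim_output_payload: "placeholder",
};
```

Running the strict check at every hop between agents, not only at the user-facing entry point, covers the internal message flows the post refers to.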
-
🎣 Tycoon & Sneaky2FA Phishing Kits Leveraging Trusted Microsoft Cloud Infrastructure

ANY.RUN recently highlighted new Tycoon and Sneaky2FA phishing kits being deployed on trusted cloud infrastructure (link in comments). During my own enrichment using ANY.RUN’s intelligence lookup, I identified multiple instances of these kits hosted on Azure Blob Storage following the pattern:

secure1drvd0c*[.]blob[.]core[.]windows[.]net

One example, secure1drvd0c993608575[.]blob[.]core[.]windows[.]net, was checked against VirusTotal—0 out of 93 engines flagged it as malicious. This reinforces how effectively these kits blend into legitimate cloud services to evade detection. You can also see another example of Google Map being abused to redirect to this malicious blob address.

For defenders using Microsoft Defender for Office (MDO), the following KQL query can help you identify whether any of these phishing URLs have reached your tenant in the past 45 days:

    EmailUrlInfo
    | where TimeGenerated > ago(45d)
    | where UrlDomain matches regex @"secure1drvd0c.*\.blob\.core\.windows\.net"

Stay vigilant—phishing kits abusing trusted cloud platforms continue to evolve, and proactive hunting is essential.🫡

#Cybersecurity #Tycoon #Sneaky2FA #Phishing #ThreatHunting #AzureSecurity
-
Reports coming in on a new phishing campaign leveraging Azure Monitor!👀

We're currently seeing a rapidly accelerating phishing campaign where attackers are using compromised Azure tenants to send "official" emails through Azure Monitor. These mails are posing as receipts or invoices for products like "Windows Defender" and urge users to call a phone number. It's highly likely that these numbers are then connected to a call center that's trying to scam victim organizations or individuals out of money💰

The problem with attacks like this is that they bypass almost all email filters due to using a legitimate Azure service, making detecting and hunting for malicious emails difficult 🤔

We've seen these "Living off the cloud" techniques become more and more prevalent over the past couple of years ☁️

You can still use Advanced Hunting in Defender XDR to hunt for these mails with the following KQL query to see if there is a rapid influx of emails:

    // The sender address is shown defanged; replace "[@]" with "@" before running.
    EmailEvents
    | where SenderMailFromAddress =~ "noreply-azure[@]microsoft.com"
    | where Subject has "Azure Monitor"

Stay safe out there! 🛡️

#MicrosoftSecurity #Phishing #Cybersecurity
-
🛡️ I created four new #KQL #detection rules that flag potential lateral movement to Virtual Machines using Azure Custom Script Extension or Run Commands. These can be used as a detective control against compromised cloud admin accounts that use these features to deploy malicious processes on Virtual Machines via the #Azure control plane.

👉 Detect Custom Script or Run Command deployment by risky user
👉 Detect executable drops via Azure custom script extension
👉 Detect first time Azure Custom Script or Run Command deployment
👉 Detect process drops via Azure Custom Script Extension performing lateral movement

🔎 Link to the rules can be found in the comments.

#DefenderXDR #MicrosoftSentinel #Kusto