In the past decade, the cloud revolution evolved into a major movement – one that introduced a new and complex attack surface. Attackers are increasingly targeting public cloud environments, leveraging misconfigurations and native cloud features to gain initial access, establish persistence, and achieve their malicious objectives.

In this article, we dive into attack vectors in Azure environments, common exploitation techniques, and the critical role of cloud-native logging mechanisms, specifically Microsoft Entra ID and Azure Activity logs.

Understanding Azure Structure

The Azure environment is fundamentally a hierarchy of control and resources, governed by the Resource Manager control plane.

The Azure environment has two main layers, Cloud Infrastructure and Identity Management. These are made up of key Azure-specific components, including:

  • Microsoft Entra ID: Manages users, groups, applications, and permissions mechanisms. 
  • Tenant: The top-level identity boundary in Azure that represents an organization.
  • Management Group: A container for multiple subscriptions, managed under the tenant. Controls assigned here grant influence over all contained subscriptions.
  • Subscription: A logical container linking Azure services to an account, which defines billing and security boundaries.
  • Resource Group: Logical scope for applications, operations and permissions.

[Figure: Azure threat detection diagram]

Access to all resources is managed through Role-Based Access Control (RBAC), which defines permissions at various scopes. Identity permissions in Microsoft Entra are managed at the tenant level and can impact access across all subscriptions within the tenant.
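The scope inheritance described above is what makes a role assignment at a management group or subscription so consequential: an assignment applies to everything beneath its scope. The following added example (not Upwind's or Microsoft's code) resolves effective permissions by walking a resource ID up to the tenant root. The scope strings use the real Azure Resource Manager ID layout, but the role definitions are simplified subsets of the built-in roles, and the management-group tree, principals and assignments are constructed for illustration.

```python
"""Resolve effective Azure RBAC permissions by walking the scope hierarchy.

Added illustration (not Upwind's or Microsoft's code). Scope strings use
the real Azure Resource Manager ID layout; the role definitions are
simplified subsets of the built-in roles, and the hierarchy, principals
and assignments are constructed for this example.
"""
from fnmatch import fnmatchcase

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Simplified role definitions (Actions / NotActions), constructed here.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor can manage resources but not grant or remove access.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "not_actions": [],
    },
}

# Constructed tenant layout: tenant root -> "corp" -> subscription s1.
HIERARCHY = {
    "/subscriptions/s1": MG_PREFIX + "corp",
    MG_PREFIX + "corp": MG_PREFIX + "tenant-root",
}

RG = "/subscriptions/s1/resourceGroups/rg-app"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/sa1"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
CONTAINER = SA + "/blobServices/default/containers/logs"

ASSIGNMENTS = [  # constructed role assignments
    {"principal": "alice", "role": "Reader", "scope": MG_PREFIX + "corp"},
    {"principal": "bob", "role": "Contributor", "scope": RG},
    {"principal": "carol", "role": "Storage Blob Data Reader", "scope": SA},
]


def parent_scope(scope, hierarchy):
    """Return the enclosing scope, or None above the tenant root group."""
    if scope.startswith(MG_PREFIX) or scope.count("/") == 2:
        return hierarchy.get(scope)            # MG or subscription: tree lookup
    if "/providers/" in scope:
        head, tail = scope.split("/providers/", 1)
        segs = tail.split("/")                 # namespace/type/name[/childType/childName]...
        if len(segs) > 3:
            return head + "/providers/" + "/".join(segs[:-2])  # child -> parent resource
        return head                            # top-level resource -> resource group
    if "/resourceGroups/" in scope:
        return scope[: scope.index("/resourceGroups/")]       # resource group -> subscription
    return None


def scope_chain(scope, hierarchy):
    """The scope itself followed by every ancestor up to the tenant root."""
    chain = []
    while scope is not None:
        chain.append(scope.lower())            # Azure compares scopes case-insensitively
        scope = parent_scope(scope, hierarchy)
    return chain


def role_allows(role_name, action):
    """Azure semantics: the action must match an Actions pattern and no NotActions pattern."""
    role, act = ROLES[role_name], action.lower()
    return (any(fnmatchcase(act, p.lower()) for p in role["actions"])
            and not any(fnmatchcase(act, p.lower()) for p in role["not_actions"]))


def has_permission(principal, action, scope, assignments=ASSIGNMENTS, hierarchy=HIERARCHY):
    """True if an assignment at the scope or any ancestor grants the action."""
    chain = scope_chain(scope, hierarchy)
    return any(a["principal"] == principal and a["scope"].lower() in chain
               and role_allows(a["role"], action) for a in assignments)


if __name__ == "__main__":
    print("alice can read vm1:", has_permission("alice", "Microsoft.Compute/virtualMachines/read", VM))
    print("bob can grant roles in rg-app:",
          has_permission("bob", "Microsoft.Authorization/roleAssignments/write", VM))
```

Alice's Reader assignment on the management group reaches a VM two levels down without any assignment on the subscription or resource group, which is exactly why management-group role assignments deserve close monitoring. The example also shows that Contributor cannot write role assignments, a distinction that matters when reviewing which identities could grant themselves further access. Deny assignments and data-plane actions are left out of this simplified resolver.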

From Initial Access to Exfiltration: What Does an Attacker’s Path Really Look Like?

Understanding how attackers progress through an environment is essential for building any real defense strategy. Every intrusion, whether sophisticated or opportunistic, follows a sequence. 

  1. First, the attacker must gain initial access. 
  2. Once inside, they expand their foothold by establishing persistence, performing privilege escalation, and conducting lateral movement to reach more valuable systems. 
  3. Skilled adversaries weave these actions together while using defense evasion techniques to stay hidden. 
  4. And while the methods vary, the end goal rarely does: attackers typically want to exfiltrate sensitive data, cause business disruption, or leverage their access for financial or political gain.
[Figure: typical data flow]

A clear example of this full attack path is the DEV-0537 Group intrusion, also known as LAPSUS$. In this campaign, the actor gained initial access primarily through stolen or compromised credentials, often sourced from brute-force activity, password spraying, or previously leaked credentials. Once inside the environment, they established deeper control by enumerating users and resources, assigning elevated roles, and creating or modifying accounts to grant themselves persistent administrative access.

Lateral movement was achieved by abusing legitimate remote access tools and management interfaces, allowing them to pivot between systems, access additional workloads, and reach high-value targets while appearing as normal administrative activity. Throughout this process, they carefully maintained persistence and minimized detection by blending into expected identity and access patterns. Their ultimate objective was large-scale data exfiltration and destruction, targeting sensitive business data such as intellectual property, financial records, customer information, and internal operational documents, before in many cases deleting backups and disrupting systems to maximize operational impact and complicate recovery.

But not all attacks rely on long, stealthy chains of techniques. Some aim for immediate, large-scale impact. A striking example is the largest DDoS attack ever recorded against Microsoft Azure, where the adversary attempted to overwhelm Microsoft infrastructure with traffic equivalent to streaming 3.5 million Netflix movies at once. In these cases, attackers skip the slower progression of privilege escalation or lateral movement and instead focus directly on service disruption.

Both extremes, complex identity-based intrusions and brute-force infrastructure attacks, reinforce the same reality: defenders must be prepared not only to prevent initial access but also to detect and respond to attacker behavior throughout every stage of the kill chain.

Upwind’s Azure Detection Engine

Upwind’s Azure Detection Engine helps security teams detect suspicious activity and potential threats by continuously analyzing Entra ID operations, RBAC changes, and resource activity across subscriptions and resource groups. By correlating log data with contextual insights and risk prioritization, Upwind enables teams to identify high-risk actions and misconfigurations before they lead to larger breaches.

[Figure: Azure attack path]

Let’s take the Storm-0501 attack path and examine how most of its stages could have been detected using the Upwind Azure Detection Engine. Storm-0501 was a financially motivated threat campaign that targeted Azure and hybrid cloud environments by abusing compromised credentials to gain initial access, followed by rapid reconnaissance, privilege expansion, and exploitation of cloud resources.

This progression, from credential compromise and environment discovery to privilege expansion and data access, closely reflects real-world cloud attack behavior and demonstrates how cloud-native telemetry can be used to identify each phase of the intrusion.

Real-World Attack Detection: Stopping Storm-0501

Stage 1: Initial Access Detection

The attackers gained their first foothold by using compromised hybrid identities and Entra Sync accounts to authenticate into Azure, effectively bypassing many perimeter controls and blending in as legitimate users. Upwind could detect this by flagging anomalous or risky use of Entra ID actor tokens, like sign-ins or token usage that deviate from normal patterns or occur from unfamiliar IPs or geolocations.
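To make the "deviates from normal patterns" idea concrete, here is an added example (not Upwind's detection logic) of a baseline-and-deviation check over sign-in records. The records are constructed; the field names are a simplified, assumed subset of the Entra ID sign-in log (user principal name, IP address, location, interactive flag, success), and the convention that directory-sync identities begin with "sync_" is likewise an assumption of this example. Python is used because the check is the kind of logic a detection engine runs over exported log records.

```python
"""Baseline-and-deviation check over Entra ID sign-in records.

Added illustration, not Upwind's detection logic. The records are
constructed; field names are a simplified, assumed subset of the Entra
ID sign-in log (userPrincipalName, ipAddress, location, isInteractive).
Sync-account naming ("sync_...") is also an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def signin(ts, upn, ip, country, interactive=True, success=True):
    return {"ts": ts, "upn": upn, "ip": ip, "country": country,
            "interactive": interactive, "success": success}


SYNC = "sync_adc1@corp.example"      # constructed directory-sync identity
USER = "j.doe@corp.example"          # constructed regular user

# Constructed history: the sync account only ever authenticates
# non-interactively from the on-premises connect server; j.doe works from
# one office IP. All IPs are from RFC 5737 documentation ranges.
SIGNINS = [
    signin("2025-11-01T08:00:00", SYNC, "203.0.113.10", "US", interactive=False),
    signin("2025-11-02T08:00:00", SYNC, "203.0.113.10", "US", interactive=False),
    signin("2025-11-03T08:00:00", SYNC, "203.0.113.10", "US", interactive=False),
    signin("2025-11-01T09:05:00", USER, "192.0.2.20", "US"),
    signin("2025-11-02T09:01:00", USER, "192.0.2.20", "US"),
    signin("2025-11-03T08:58:00", USER, "192.0.2.20", "US"),
    # Day 5: the sync account is used interactively from a new IP and country.
    signin("2025-11-05T03:14:00", SYNC, "198.51.100.7", "NL"),
    # Same day: j.doe from a new IP in the usual country (weaker signal).
    signin("2025-11-05T09:00:00", USER, "192.0.2.21", "US"),
]


def detect_anomalous_signins(signins, baseline_days=30, min_baseline=3):
    """Return alerts for sign-ins that deviate from each principal's baseline.

    The baseline is the principal's successful, unflagged sign-ins within the
    previous `baseline_days`; a principal with fewer than `min_baseline` of
    them is still learning and is not judged on IP or country.
    """
    history = defaultdict(list)   # upn -> prior baseline sign-ins
    alerts = []
    for ev in sorted(signins, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        since = ts - timedelta(days=baseline_days)
        prior = [h for h in history[ev["upn"]]
                 if datetime.fromisoformat(h["ts"]) >= since]
        reasons = []
        # A directory-sync identity should never be driven interactively.
        if ev["upn"].lower().startswith("sync_") and ev["interactive"]:
            reasons.append("interactive sign-in by directory sync account")
        if len(prior) >= min_baseline:
            if ev["ip"] not in {h["ip"] for h in prior}:
                reasons.append(f"unfamiliar IP {ev['ip']}")
            if ev["country"] not in {h["country"] for h in prior}:
                reasons.append(f"unfamiliar country {ev['country']}")
        if reasons:
            alerts.append({"ts": ev["ts"], "upn": ev["upn"], "reasons": reasons})
        elif ev["success"]:
            # Only clean, successful sign-ins teach the baseline, so a flagged
            # login cannot normalise itself and failed sprays add nothing.
            history[ev["upn"]].append(ev)
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_signins(SIGNINS):
        print(a["ts"], a["upn"], "; ".join(a["reasons"]))
```

The sync account's day-5 login collects three independent reasons (interactive use, new IP, new country), while the regular user's new office IP produces only one, which is the kind of difference a risk-prioritised engine uses to rank alerts. Keeping flagged and failed sign-ins out of the baseline is a deliberate design choice: an attacker who signs in once should not be able to make the next sign-in look normal.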

Stage 2: Persistence via Identity Backdoor

To maintain long-term access, the attackers created persistent identity backdoors by modifying service principals and updating identity objects. Upwind could detect such identity infrastructure modifications, like changes to service principal ownership or application-level permissions, helping identify hidden backdoor identities before they are misused.


Stage 3: Environment Reconnaissance

Once inside, the attackers performed reconnaissance using AzureHound, a tool designed to map relationships and permissions in Azure environments and consequently find potential attack paths and escalations. Upwind detects activity characteristic of reconnaissance tools, including AzureHound, marking unusual or bulk metadata queries as potentially malicious.


Stage 4: Preparation for Data Access

The adversaries adjusted storage or resource configurations to make data extraction easier, for example, by weakening access controls or exposing storage accounts publicly. Upwind could catch such misconfigurations or exposure events, like alerting when storage accounts are made public.


Stage 5: Impact and Destructive Actions

In the final phase, the attackers destroyed critical resources, deleting VMs, key vaults, networks, or other infrastructure, to disrupt operations, hinder recovery, and amplify impact. Upwind detects these destructive operations by tracking deletion or removal events across critical resource types, signaling a probable active attack or ransomware-style activity.
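Stages 2 through 5 above each describe a detection over Entra ID audit or Azure Activity Log events, and the article's closing point is that correlating them per identity is what turns single alerts into a visible attack chain. The following added example (not Upwind's engine) implements one rule per stage over constructed records and then correlates the hits by caller. The record schema is a simplified, assumed flattening of the real logs: the Entra audit activity names and the Activity Log operation names are real values, but the request body is pre-parsed into a `props` dictionary rather than left as a JSON string, and the read events for the reconnaissance rule assume a telemetry source that records reads (the Activity Log does not log reads by default).

```python
"""Per-stage rules over constructed Azure log records plus per-caller correlation.

Added illustration, not Upwind's detection engine. Schema is a simplified,
assumed flattening of Entra ID audit and Azure Activity Log events; every
record below is constructed. The reconnaissance rule assumes read
telemetry is available (Activity Log does not record reads by default).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def rec(ts, caller, op, resource="", source="activity", status="Succeeded", **props):
    return {"ts": ts, "caller": caller, "operation": op, "resource": resource,
            "source": source, "status": status, "props": props}


ATTACKER = "sync_adc1@corp.example"       # constructed compromised identity
SUB = "/subscriptions/s1"
SA = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/finance01"
SA2 = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/logs01"
VM = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-test"
KV = SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-prod"
VNET = SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-prod"

EVENTS = [
    # Stage 2: backdoor a service principal (Entra audit log activity names).
    rec("2025-11-05T03:20:00", ATTACKER, "Add owner to service principal", "sp:backup-automation", source="entra_audit"),
    rec("2025-11-05T03:21:00", ATTACKER, "Add service principal credentials", "sp:backup-automation", source="entra_audit"),
    # Stage 3: burst of enumeration reads (AzureHound-style behaviour).
    *[rec(f"2025-11-05T03:30:{i:02d}", ATTACKER, "Microsoft.Authorization/roleAssignments/read", SUB)
      for i in range(25)],
    # Stage 4: expose a storage account; a benign write by a deploy identity for contrast.
    rec("2025-11-05T04:00:00", ATTACKER, "Microsoft.Storage/storageAccounts/write", SA, allowBlobPublicAccess=True),
    rec("2025-11-05T04:05:00", "svc-deploy@corp.example", "Microsoft.Storage/storageAccounts/write", SA2, allowBlobPublicAccess=False),
    # Stage 5: destructive deletes, one of which failed.
    rec("2025-11-05T05:00:00", ATTACKER, "Microsoft.Compute/virtualMachines/delete", VM),
    rec("2025-11-05T05:01:00", ATTACKER, "Microsoft.KeyVault/vaults/delete", KV),
    rec("2025-11-05T05:02:00", ATTACKER, "Microsoft.Network/virtualNetworks/delete", VNET, status="Failed"),
    # Routine single delete by an operator the next day: alerts, but forms no chain.
    rec("2025-11-06T10:00:00", "ops@corp.example", "Microsoft.Compute/virtualMachines/delete", VM2),
]

SP_BACKDOOR_OPS = {"Add owner to service principal", "Add service principal credentials",
                   "Update service principal"}
CRITICAL_DELETE_OPS = {"Microsoft.Compute/virtualMachines/delete", "Microsoft.KeyVault/vaults/delete",
                       "Microsoft.Network/virtualNetworks/delete", "Microsoft.Storage/storageAccounts/delete"}
STAGE_ORDER = ["persistence", "reconnaissance", "preparation", "impact"]


def alert(stage, e, detail):
    return {"stage": stage, "ts": e["ts"], "caller": e["caller"], "resource": e["resource"], "detail": detail}


def rule_identity_backdoor(events):
    return [alert("persistence", e, e["operation"]) for e in events
            if e["source"] == "entra_audit" and e["operation"] in SP_BACKDOOR_OPS]


def rule_bulk_enumeration(events, window=timedelta(minutes=5), threshold=20):
    """Fire once per caller when `threshold` reads fall inside a sliding window."""
    by_caller = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["operation"].lower().endswith("/read"):
            by_caller[e["caller"]].append(e)
    alerts, ts = [], lambda e: datetime.fromisoformat(e["ts"])
    for evs in by_caller.values():
        start = 0
        for end in range(len(evs)):
            while ts(evs[end]) - ts(evs[start]) > window:
                start += 1
            if end - start + 1 == threshold:
                alerts.append(alert("reconnaissance", evs[end], f"{threshold} read operations within {window}"))
                break
    return alerts


def rule_public_exposure(events):
    return [alert("preparation", e, "storage account set to allow public blob access") for e in events
            if e["operation"] == "Microsoft.Storage/storageAccounts/write"
            and e["props"].get("allowBlobPublicAccess") is True]


def rule_destructive(events):
    # Failed attempts are kept: an attempted delete is still a signal.
    return [alert("impact", e, f"{e['operation']} ({e['status']})") for e in events
            if e["operation"] in CRITICAL_DELETE_OPS]


def correlate(alerts):
    """Callers whose alerts span two or more stages, with stages in kill-chain order."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a["caller"]].add(a["stage"])
    return {c: [s for s in STAGE_ORDER if s in hit] for c, hit in stages.items() if len(hit) >= 2}


def stage_counts(alerts):
    return dict(Counter(a["stage"] for a in alerts))


def run(events):
    alerts = []
    for rule in (rule_identity_backdoor, rule_bulk_enumeration, rule_public_exposure, rule_destructive):
        alerts.extend(rule(events))
    alerts.sort(key=lambda a: a["ts"])
    return alerts, correlate(alerts)


if __name__ == "__main__":
    found, chains = run(EVENTS)
    for a in found:
        print(a["ts"], a["stage"], a["caller"], a["detail"])
    print("attack chains:", chains)
```

Run stand-alone, the rules emit eight alerts, seven from the compromised sync identity and one from the operator's routine VM deletion; only the sync identity spans multiple stages, so `correlate` reports a single chain covering persistence, reconnaissance, preparation and impact. That is the practical difference between "a VM was deleted" and "the identity that backdoored a service principal this morning is now deleting VMs", and it is why the correlation keys on the caller rather than on the resource.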

[Figure: Azure attack stages]
Attackers leverage compromised Entra ID identities to gain access, establish persistence through identity backdoors, perform reconnaissance on the environment, weaken controls for data access, and ultimately destroy resources. Upwind detects and disrupts each stage.

Safeguard Your Azure Environment with Upwind

The Azure breaches of recent years, including Storm-0501, Midnight Blizzard, and Lapsus$, share a troubling reality: the telemetry needed to detect these attacks existed in Azure logs from the first moment of compromise. Organizations were generating the right data but lacked the capability to transform that data into timely, actionable insights.

Upwind’s Detection Engine addresses this fundamental challenge through purpose-built detections that understand Azure attack patterns, contextual correlation that reveals attack chains hidden in noise, and risk-based prioritization that focuses security teams on genuine threats. The detections described in this article represent real attack techniques used against some of the world’s largest companies, and Upwind is designed to provide the advance warning security teams need to stop breaches before they escalate.

Ready to see how Upwind protects Azure environments from advanced threats? Schedule a demo to experience our Detection Engine in action.