
Hackers Exploit Azure to Evade Detection in Cloud Attacks

Written by Levi Yoris | Oct 28, 2025 1:15:00 PM

The appeal of the cloud is undeniable: flexibility, scalability, and global access. But these same strengths are now being exploited by cybercriminals. In recent months, Microsoft has uncovered an advanced campaign using Azure’s elasticity to launch distributed attacks, erase tracks, and quickly scale within corporate environments.

This phenomenon, dubbed Cloud Shadows by experts, shows how a single misconfiguration or compromised credential can trigger a massive attack chain.

The Dark Side of Cloud Elasticity

Modern cloud environments change constantly: many services, containers, short-lived virtual machines, and permissions assigned on the fly. This is what makes the business agile, but it also makes monitoring harder and leaves blind spots for attackers to hide in.

Microsoft Defender detected a campaign, active since June 2025, in which attackers broke into poorly configured or weakly protected Azure environments.

They began with educational and Pay-As-You-Go accounts, which are often the easiest targets because they tend to lack strong passwords, multi-factor authentication (MFA), and active monitoring.

How the Attack Works

The technique does not rely on sophisticated malware; it abuses Azure's own native tooling.

Once the attackers gain access, whether by brute force or by adversary-in-the-middle techniques, they create new resource groups and temporary VMs that live for only a few hours.

Because these short-lived machines run inside Azure's legitimate address space, controls that key on IP reputation or geolocation see Microsoft-owned infrastructure rather than a known-bad host, and the traffic is waved through. From there, the attackers launch password spraying attacks against thousands of Azure tenants.

“Their infrastructure was so volatile it disappeared before leaving a trace,” said Microsoft researchers. “At a glance, it looked like legitimate traffic.”
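
The spray pattern described above, as an added example that is not code from Microsoft or from the campaign write-up: a triage routine over Entra ID sign-in records that flags a source which fails against many distinct accounts with only one or two attempts each, and notes whether that source sits in cloud address space (the multi-hop angle, where the victim only ever sees an Azure IP). The sign-in rows, the user names and the Azure IP range used for the check are constructed for the example; in practice the range check should be fed from the published Azure IP ranges and service tags file, and the thresholds tuned to the tenant.

```python
"""Password-spray triage over Entra ID sign-in events.

Added example (not code from Microsoft or from the campaign write-up).
It models the pattern described in the article: one source, one or two
guesses per account, many accounts in a short window. The IP range and
all events below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed cloud range. Placeholder for this example only; in production load
# the published Azure IP ranges / service-tag file and match against that.
ASSUMED_AZURE_RANGES = [ipaddress.ip_network("20.50.0.0/16")]

INVALID_CREDENTIALS = 50126  # Entra ID result code: invalid username or password
SUCCESS = 0                  # Entra ID result code: sign-in succeeded


def is_in_azure(ip: str) -> bool:
    """True when the source address falls inside the assumed Azure ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ASSUMED_AZURE_RANGES)


def constructed_signins() -> list[tuple[datetime, str, str, int]]:
    """Constructed sample rows: (time, user, source_ip, result_code).

    One Azure-hosted IP sprays eight accounts with a single guess each and
    lands on the ninth; one home user mistypes a password four times.
    """
    base = datetime(2025, 6, 12, 10, 0, 0)
    rows = []
    for i in range(8):
        rows.append((base + timedelta(seconds=30 * i),
                     f"user{i}@contoso.example", "20.50.1.10", INVALID_CREDENTIALS))
    rows.append((base + timedelta(seconds=240),
                 "user8@contoso.example", "20.50.1.10", SUCCESS))
    for i in range(4):
        rows.append((base + timedelta(seconds=20 * i),
                     "bob@contoso.example", "203.0.113.7", INVALID_CREDENTIALS))
    rows.append((base + timedelta(seconds=100),
                 "bob@contoso.example", "203.0.113.7", SUCCESS))
    return rows


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_failures_per_user=2):
    """Return one finding per source IP that looks like a spray.

    A spray is a window in which the IP fails against at least `min_users`
    distinct accounts while no single account sees more than
    `max_failures_per_user` failures. A lockout-style attack on one account
    (many failures, one user) deliberately does not match this rule.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, code in sorted(events):
        by_ip[ip].append((ts, user, code))

    findings = []
    for ip, rows in by_ip.items():
        for start in range(len(rows)):
            t0 = rows[start][0]
            failures = defaultdict(int)
            successes = set()
            for ts, user, code in rows[start:]:
                if ts - t0 > window:
                    break
                if code == INVALID_CREDENTIALS:
                    failures[user] += 1
                elif code == SUCCESS:
                    successes.add(user)
            if failures and len(failures) >= min_users \
                    and max(failures.values()) <= max_failures_per_user:
                findings.append({
                    "source_ip": ip,
                    "window_start": t0.isoformat(),
                    "distinct_users_failed": len(failures),
                    "max_failures_per_user": max(failures.values()),
                    "successes_in_window": sorted(successes),
                    "hosted_in_azure": is_in_azure(ip),
                })
                break  # one finding per IP is enough; the SOC tunes the rest
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(constructed_signins()):
        print(finding)
```

Note what the thresholds encode: a real user who mistypes a password several times produces many failures against one account and never trips the rule, while a sprayer produces few failures per account across many accounts, and a success inside the same window is the highest-priority signal. A single tenant only sees its own slice of the traffic; Microsoft's cross-tenant view is what exposed the same source hitting thousands of tenants.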

 

Camouflage Power: Multi-Tenant and Multi-Hop Attacks

A key to the campaign's success was its multi-tenant, multi-hop design:

  1. Multi-hop: compromised VMs served as intermediate hops, so the source IP a victim saw belonged to Azure rather than to the operator's real origin.

  2. Multi-tenant: the attackers controlled multiple Azure tenants and spread operations across them, so the takedown of any one tenant or subscription did not stop the campaign.

Every compromised account became a launchpad, and each tenant an attack front.

 

From Infiltration to Fraud: The Real Goal

With access secured, the attackers used Azure resources to run mass spam, phishing, and financial scam campaigns.

They deployed VMs to send millions of spoofed emails from seemingly legitimate addresses, redirecting recipients to fraudulent sites (for example via rebrand.ly short links) posing as surveys or app downloads.

A particularly dangerous tactic was distributing fake Android apps, such as modified versions of WhatsApp (FM WhatsApp or Yo WhatsApp). These apps stole contacts, files, and messages while mimicking communication with legitimate WhatsApp servers.

Sextortion and digital blackmail incidents using the stolen data were also reported.

 


Password Spray and Fraud Campaign (Source: Microsoft)

Persistent Presence in the Cloud

The attackers did not settle for temporary access. They aimed to keep long-term control that would survive the detection of an anomaly or a reset of the original credentials.

They used three techniques:

 

Fake OAuth Applications

  1. They created app registrations with names such as Azure-CLI-2025 or MyNewApp inside the compromised tenant.

  2. These apps were granted administrative permissions and held their own credentials (client secrets or certificates), so the attacker could keep obtaining tokens as the application even after the original user credentials were revoked. Resetting a user's password does not remove an application's credential.

Quota Manipulation

  1. They submitted bogus support requests to Microsoft to raise vCPU quotas on the compromised subscriptions, allowing them to deploy more VMs.

  2. Some attack clusters ran 150+ VMs simultaneously.

Abuse of AI and Storage Services

  1. They used Azure Machine Learning workspaces and notebooks to run malicious scripts disguised as AI training jobs.

  2. They used Azure Blob Storage for data exfiltration, since it is reachable from anywhere over HTTPS and its traffic blends in with ordinary cloud usage.

  3. They stored stolen passwords and tokens in Azure Key Vault, so the access material outlived any individual VM.
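
The OAuth backdoor chain above (create an app registration, give it a credential, put its service principal in a privileged role) leaves a distinctive trail in the Entra ID audit log. The following is an added example, not Microsoft's own detection logic, that triages such events: it groups audit records by target application, looks for the create-credential-role sequence inside a time window, and flags registrations whose display name imitates Microsoft tooling, as Azure-CLI-2025 does. The audit records, identities and window length are constructed; the activity names follow the audit log's activityDisplayName wording, and the role list is a set of commonly privileged directory roles chosen for the example.

```python
"""OAuth-backdoor triage over Entra ID audit events.

Added example (not Microsoft's detection logic). It looks for the chain the
article describes: an app registration is created, receives its own
credential, and its service principal is placed in a privileged directory
role, all in a short window, often under a name that imitates Microsoft
tooling. Events and identities below are constructed; activity names follow
the Entra audit log's activityDisplayName wording.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directory roles that let an application act on the whole tenant (example set).
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Cloud Application Administrator",
}

# First-party Microsoft apps are never registered in a customer tenant via
# "Add application", so a home-grown registration with such a name is suspect.
LOOKALIKE = re.compile(r"azure[\s_-]*cli|microsoft|office\s*365|graph", re.IGNORECASE)


def constructed_audit_events() -> list[dict]:
    """Constructed audit records: one backdoor chain and one benign secret rotation."""
    t = datetime(2025, 7, 3, 2, 14, 0)
    who = "intern@contoso.example"
    return [
        {"time": t, "activity": "Add application",
         "initiator": who, "target": "Azure-CLI-2025"},
        {"time": t + timedelta(seconds=40), "activity": "Add service principal",
         "initiator": who, "target": "Azure-CLI-2025"},
        {"time": t + timedelta(seconds=55), "activity": "Add service principal credentials",
         "initiator": who, "target": "Azure-CLI-2025"},
        {"time": t + timedelta(minutes=2), "activity": "Add member to role",
         "initiator": who, "target": "Azure-CLI-2025", "role": "Global Administrator"},
        # Benign control: a platform admin rotates a secret on an existing CI app.
        {"time": t + timedelta(hours=5), "activity": "Add service principal credentials",
         "initiator": "platform-admin@contoso.example", "target": "ci-deployer"},
    ]


def detect_oauth_backdoor(events: list[dict], window=timedelta(hours=24)) -> list[dict]:
    """Group audit events per application and score the persistence pattern."""
    by_app = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_app[ev["target"]].append(ev)

    findings = []
    for app, rows in by_app.items():
        activities = {r["activity"] for r in rows}
        roles = {r["role"] for r in rows
                 if r["activity"] == "Add member to role" and "role" in r}
        span = rows[-1]["time"] - rows[0]["time"]
        reasons = []
        if {"Add application", "Add service principal credentials"} <= activities \
                and span <= window:
            reasons.append("new registration received its own credential within the window")
        if roles & PRIVILEGED_ROLES:
            reasons.append("service principal added to privileged role: "
                           + ", ".join(sorted(roles & PRIVILEGED_ROLES)))
        if "Add application" in activities and LOOKALIKE.search(app):
            reasons.append("display name imitates Microsoft tooling")
        if reasons:
            findings.append({
                "app": app,
                "initiators": sorted({r["initiator"] for r in rows}),
                "reasons": reasons,
                # One reason is a lead; two or more is a backdoor until proven otherwise.
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_oauth_backdoor(constructed_audit_events()):
        print(finding)
```

The containment that follows from a hit is the point the article makes about token persistence: remove every secret and certificate from the app, remove its directory role and API permissions, and revoke the initiating user's refresh tokens. Resetting that user's password alone leaves the application credential, and therefore the attacker's token source, intact.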

 

The result: a highly automated, elastic, and resilient attack ecosystem, nearly invisible inside a legitimate environment.

The Damage

In just days, a single attacker instance managed to:

  1. Target 1.9 million users globally

  2. Compromise 51,000+ accounts and 35 Azure tenants

  3. Deploy 154 virtual machines, 86 of them used for brute-force attacks

  4. Trigger 800,000+ security alerts

  5. Send 2.6 million+ spam and phishing emails

All of it on Microsoft Azure's legitimate infrastructure, which made detection far more difficult.

 

Quota abuse, ML service usage, and OAuth backdoors (Source: Microsoft)

 

Lessons & Recommendations from TecnetOne

These attacks are a clear warning: cybercriminals now move within the cloud as fluidly as legitimate services do. At TecnetOne, we recommend:

Strengthen Identity Protection

  1. Always enable MFA, and prefer phishing-resistant methods where adversary-in-the-middle phishing is a concern

  2. Protect tokens and monitor risky sign-ins

  3. Disable inactive or rarely used accounts, especially PAYG and educational ones

Apply Least Privilege

  1. Regularly audit roles and permissions, including those held by applications and service principals, not only by users

  2. Avoid granting Global Administrator to standing user accounts or to apps; use scoped roles and elevate just in time

  3. Monitor guest users and directory changes

Monitor Resource Usage

  1. Treat quotas like credit limits: alert on spikes and on increases requested across multiple regions

  2. Watch for suspicious support tickets requesting capacity increases, especially ones raised outside business hours or by accounts that have never opened a ticket before
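
Treating quotas like credit limits can be made concrete. Below is an added example, not a Microsoft tool, that walks a constructed stream of Azure Activity Log style VM-creation records and quota-increase requests for one subscription and raises an alert when the vCPUs created in a sliding window exceed a multiple of that subscription's historical baseline, when the burst lands in regions the subscription has never used, or when a quota request asks for several times the current limit. The subscription name, baseline figures, event schema and thresholds are constructed assumptions; the vCPU counts are those of the named VM sizes.

```python
"""Quota-as-credit-limit monitoring over Azure Activity Log VM creations.

Added example (not a Microsoft tool). It treats a subscription's vCPU
consumption like a credit line: alert when the vCPUs created in a sliding
window exceed a multiple of the subscription's baseline, when deployments
appear in regions the subscription never used, or when a quota-increase
request asks for far more than the current limit. Events, baselines, the
event schema and the subscription name are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# vCPU count per VM size for the sizes used in the sample.
VCPU_PER_SIZE = {"Standard_B2s": 2, "Standard_D4s_v3": 4, "Standard_D8s_v3": 8}

# Constructed per-subscription baseline (in practice derived from history):
# typical vCPUs created per hour and the regions normally deployed to.
BASELINE = {"sub-prod": {"vcpu_per_hour": 8, "regions": {"westeurope"}}}


def constructed_events() -> list[dict]:
    """Constructed activity: normal daytime deploys, then a 3 AM burst across
    three never-used regions plus an oversized quota request."""
    burst = datetime(2025, 7, 10, 3, 0, 0)
    rows = [
        {"time": burst - timedelta(hours=18), "kind": "vm_create", "sub": "sub-prod",
         "region": "westeurope", "size": "Standard_D4s_v3"},
        {"time": burst - timedelta(hours=17), "kind": "vm_create", "sub": "sub-prod",
         "region": "westeurope", "size": "Standard_B2s"},
    ]
    for i in range(30):
        rows.append({"time": burst + timedelta(minutes=i), "kind": "vm_create",
                     "sub": "sub-prod",
                     "region": ["eastus", "southeastasia", "brazilsouth"][i % 3],
                     "size": "Standard_D8s_v3"})
    rows.append({"time": burst + timedelta(minutes=35), "kind": "quota_request",
                 "sub": "sub-prod", "region": "eastus",
                 "current_limit": 20, "requested_limit": 400})
    return rows


def check_quota_burn(events, baseline=BASELINE, window=timedelta(hours=1),
                     spike_factor=5, request_factor=3):
    """Return one alert per subscription whose consumption breaks its baseline."""
    by_sub = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_sub[ev["sub"]].append(ev)

    alerts = []
    for sub, rows in by_sub.items():
        # An unknown subscription gets a zero baseline: anything it does is news.
        base = baseline.get(sub, {"vcpu_per_hour": 0, "regions": set()})
        creates = [r for r in rows if r["kind"] == "vm_create"]

        # Sliding window: the busiest one-hour span of VM creations.
        peak, peak_start, peak_regions = 0, None, set()
        for start in range(len(creates)):
            t0 = creates[start]["time"]
            total, regions = 0, set()
            for r in creates[start:]:
                if r["time"] - t0 > window:
                    break
                total += VCPU_PER_SIZE[r["size"]]
                regions.add(r["region"])
            if total > peak:
                peak, peak_start, peak_regions = total, t0, regions

        reasons = []
        if peak > spike_factor * base["vcpu_per_hour"]:
            reasons.append(f"{peak} vCPUs created in one window vs baseline "
                           f"{base['vcpu_per_hour']}/h")
        new_regions = sorted(peak_regions - base["regions"])
        if len(new_regions) >= 2:
            reasons.append("deployments in unfamiliar regions: " + ", ".join(new_regions))
        for r in rows:
            if r["kind"] == "quota_request" \
                    and r["requested_limit"] > request_factor * r["current_limit"]:
                reasons.append(f"quota request {r['current_limit']} -> "
                               f"{r['requested_limit']} vCPUs in {r['region']}")
        if reasons:
            alerts.append({
                "subscription": sub,
                "window_start": peak_start.isoformat() if peak_start else None,
                "peak_vcpu": peak,
                "new_regions": new_regions,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in check_quota_burn(constructed_events()):
        print(alert)
```

The baseline is the part that does the work: a 3 AM burst of 240 vCPUs across three new regions is unremarkable for a batch-compute subscription and alarming for one that normally deploys a handful of small VMs in one region. Feed the baseline from your own history rather than a global constant, and route the quota-request check to whoever approves support tickets so the ticket is questioned before Microsoft grants the increase.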

 

Detect and Respond Early

  1. Use Microsoft Defender for Cloud or an equivalent

  2. Set alerts for unusual VM, OAuth app, or notebook creations

  3. Investigate and revoke suspicious access immediately, including app credentials and refresh tokens, not just the user's password

Reduce the Attack Surface

  1. Delete unused tenants or subscriptions

  2. Report abuse via the Microsoft Security Response Center (MSRC)

Conclusion: The Cloud Is Powerful, But Not Foolproof

The cloud offers speed, scale, and flexibility, but as this campaign shows, those same strengths can be weaponized.

Modern attackers don't need traditional malware. They use your infrastructure against you.

At TecnetOne, we believe visibility, education, and smart automation are the keys to cloud defense. The future is cloud-based, but security must evolve with it.