Researchers Detailed New Threat-Hunting Techniques to Detect Azure Managed Identity Abuse

As these identities are increasingly implemented across Azure services, they present an expanding attack surface that may allow adversaries to pivot across environments, gain unauthorized access to Microsoft Graph, and extract sensitive data from various Azure resources. Beyond detection, the research also details practical guidance for incident investigation and response, including cross-correlation techniques between Azure Sign-in logs, Activity logs, and Microsoft Graph telemetry to trace the full scope of potential compromises. This high-fidelity detection method identifies when a managed identity makes anomalously high numbers of requests to Microsoft Graph API endpoints – behavior consistent with reconnaissance activity by threat actors who have gained unauthorized access to MI tokens. By providing these detection methodologies, security teams gain vital capabilities to identify potential compromises before attackers can fully exploit their access to cloud environments and sensitive resources. Cybersecurity experts have unveiled sophisticated techniques to identify potential abuse of Azure Managed Identities (MIs), addressing a critical but often overlooked security concern in cloud environments. Azure MIs streamline credential management by eliminating the need for manual secret handling, yet this convenience creates new attack vectors that sophisticated threat actors can exploit to escalate privileges and access sensitive resources. These queries range from high-fidelity detections, such as identifying explicit token requests from virtual machines, to broader behavioral analyses that flag when MIs access unusual resources or exhibit anomalous authentication patterns. This detection approach proves particularly effective because legitimate MIs typically display predictable, limited request patterns to Graph resources, making anomalous enumeration attempts stand out. Hunters researchers noted that while MIs offer significant security advantages by eliminating static credentials, their potential misuse can be particularly damaging since they operate with the implicit trust of Azure’s authentication framework. The query establishes behavioral thresholds by analyzing request patterns, flagging cases where managed identities make suspicious numbers of distinct calls to the Graph API within a short timeframe. The techniques, documented in a comprehensive research paper by Team Axon, focus on identifying unauthorized access and malicious use of MIs rather than just detecting their existence. The research builds upon previous work, particularly Karl Fossaen’s DEF CON 32 talk titled “Identity Theft is Not a Joke, Azure!” which initially raised awareness around MI abuse vectors. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 14 May 2025 13:35:04 +0000


Cyber News related to Researchers Detailed New Threat-Hunting Techniques to Detect Azure Managed Identity Abuse

What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
1 year ago Techrepublic.com
Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
1 year ago Techrepublic.com
What is Azure Identity Protection and 7 Steps to a Seamless Setup - As a result, tools such as Microsoft's Azure Identity Protection have become a staple in protecting against compromised identities, account takeover, and misuse of privileges. Azure Identity Protection is a security service that provides a robust ...
1 year ago Securityboulevard.com
Penetration Testing And Threat Hunting: Key Practices For Security Leaders - Security leaders should view penetration testing and threat hunting not as discrete activities but as essential components of a mature security program that evolves from passive defense to active threat detection and mitigation. Penetration testing ...
1 month ago Cybersecuritynews.com Hunters
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
7 months ago Aws.amazon.com
Researchers Detailed New Threat-Hunting Techniques to Detect Azure Managed Identity Abuse - As these identities are increasingly implemented across Azure services, they present an expanding attack surface that may allow adversaries to pivot across environments, gain unauthorized access to Microsoft Graph, and extract sensitive data from ...
2 weeks ago Cybersecuritynews.com Hunters
How to Create a Threat Hunting Program for Your Business - A threat hunter's job is to proactively seek out potential problems and stop them before they have a chance to harm a company's network. Here's how businesses can create their own threat hunting programs and why it's important to do so. As well as ...
1 year ago Cyberdefensemagazine.com Hunters
Taking the complexity out of identity solutions for hybrid environments: Identity Fabric and orchestration - For the past two decades, businesses have been making significant investments to consolidate their identity and access management platforms and directories to manage user identities in one place. Instead, businesses must learn how to consistently and ...
1 year ago Securityintelligence.com
Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
1 year ago Blog.checkpoint.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
1 year ago Cyberdefensemagazine.com Hunters
Best MDR (Managed Detection & Response) Solutions - 2025 - Cybereason Managed Detection and Response solutions provide 24/7 threat monitoring, advanced endpoint protection, and rapid incident response. Cynet MDR solutions provide automated threat detection and response, ensuring comprehensive security ...
2 months ago Cybersecuritynews.com
Azure Serial Console Attack and Defense - This is the second installment of the Azure Serial Console blog, which provides insights to improve defenders' preparedness when investigating Azure Serial Console activity on Azure Linux virtual machines. While the first blog post discussed various ...
1 year ago Msrc.microsoft.com
The Latest Identity Theft Methods: Essential Protection Strategies Revealed - Identity theft has evolved far beyond the days of stolen mail and dumpster diving. Today's identity thieves employ sophisticated techniques, including account takeovers and government benefit fraud, making it essential for you to stay vigilant to ...
1 year ago Hackread.com
How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions - In particular, there is an immediate and profound impact on the identity and access management postures of both companies. While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and ...
1 year ago Microsoft.com
Identity as a Service - Let us introduce Identity as a Service, a revolutionary identity management strategy that aims to improve security, simplify user interfaces, and enable frictionless access to online resources. Organizations can use IDaaS platforms to access identity ...
1 year ago Feeds.dzone.com
Unseen Threats: Identity Blind Spots and Misconfigurations in Cybersecurity - It's rather obvious to most in the IT sector that cybercriminals consistently and successfully exploit stolen or weak online identities to gain unauthorized access to businesses of all types. It's these identities in an enterprise that are clearly ...
1 year ago Cybersecurity-insiders.com
Azure Service Tags tagged as security risk, Microsoft disagrees - Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tag that could allow attackers to access customers' private data. Service Tags are groups of IP addresses for a specific Azure service ...
11 months ago Bleepingcomputer.com
10 Best EDR Tools ( Endpoint Detection & Response) - 2025 - What is good?What Could Be Better ?Provides comprehensive endpoint monitoring.Some users might find the installation and configuration process of the solution tedious.Protect your entire security stack with in-depth threat intelligence.Some users ...
2 months ago Cybersecuritynews.com
20 Best Endpoint Management Tools - 2025 - What is Good?What Could Be Better?Comprehensive endpoint security against many threats.The user interface may overwhelm some users.Machine learning for real-time threat detection.Integration with existing systems may be complex.A central management ...
1 month ago Cybersecuritynews.com
Microsoft fixes critical Azure CLI flaw that leaked credentials in logs - Microsoft has fixed a critical security vulnerability that could let attackers steal credentials from GitHub Actions or Azure DevOps logs created using Azure CLI. The vulnerability was reported by security researchers with Palo Alto's Prisma Cloud. ...
1 year ago Bleepingcomputer.com
2023 Updates in Review: Malware Analysis and Threat Hunting - Throughout ReversingLabs' 14-year history, our products have constantly excelled and improved to tailor the needs of our customers and match the changing cybersecurity threat landscape. This past year, we have delivered key improvements to ...
1 year ago Securityboulevard.com Hunters
URL Hunting: Proactive Cybersecurity Designed to Improve Outcomes - Lately, our sales teams have found a message that's resonating within the business community: IT administrators are looking for more proactive ways to identify and evaluate threats within their company's email data. They want to be able to extend ...
1 year ago Cyberdefensemagazine.com
From Trend to Mainstay: The Unstoppable Force of Managed Services - There's no denying that IT managed services are being embraced across businesses of all sizes as a path to achieve business goals. As technologies becomes increasingly complex and the lines between siloed architectures become blurred, companies are ...
1 year ago Feedpress.me
Azure MACC Credits Gathering Dust? Use Them to Get the Best Prevention-First Security - As we enter 2024, your organization may have unused MACC or Azure commit-to-consume credits as your annual renewal date draws near. Whether you have credits that will soon expire or are starting to plan your Azure spend for the next 12 months, Check ...
1 year ago Blog.checkpoint.com
SailPoint unveils two sets of new offerings to help companies grow their identity security program - SailPoint unveiled two sets of new offerings designed to give customers options as they build their identity program, while driving customer success throughout their identity journey. First, the company is extending the family of SailPoint Identity ...
1 year ago Helpnetsecurity.com