Type
Campaign
Actors
Unknown
Pub. date
July 8, 2025
Initial access
Exposed secret
Impact
Data exfiltration
Observed techniques
Valid creds abuse, Credential theft, MFA enrollment
References
https://www.darktrace.com/blog/defending-the-cloud-stopping-cyber-threats-in-azure-and-aws-with-darktrace
Status
Finalized
Last edited
Jul 16, 2025 1:30 PM
In early 2024, a Darktrace customer’s Azure environment was compromised after attackers stole access tokens tied to an external consultant’s account; the tokens had been obtained via cracked software. Using these tokens, the attacker authenticated to the Azure environment, modified network security rules to permit inbound SSH traffic, and created a rogue virtual machine for persistent access and potential resource hijacking. Weeks later, the attacker registered new MFA information on the account and sent an anomalous collaboration invite to an external Gmail address to further entrench their presence.
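As an added example (not part of the original entry or Darktrace’s tooling), the following correlates the four stages above by principal: an NSG rule write that opens inbound port 22 to the Internet, a VM write, an MFA method registration, and a guest invite to a consumer mailbox. The Azure operation names are real `operationName` / `activityDisplayName` values, but the event records, the `principal`/`properties` field layout and the consumer-domain list are simplified constructions for illustration, not a verbatim Azure export.

```python
"""Correlate Azure Activity Log and Entra ID audit events by principal.

The event schema (time / principal / operation / properties) is a constructed
simplification; field names inside `properties` are assumptions, not a
verbatim Azure export.
"""

# Real Azure operation names mapped to our own stage labels.
STAGES = {
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "nsg_ssh_open",
    "Microsoft.Compute/virtualMachines/write": "vm_created",
    "User registered security info": "mfa_registered",
    "Invite external user": "external_invite",
}
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0", "any"}
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumed list


def port_range_covers(port_range, port=22):
    """True if an NSG port spec ('*', '22', '20-30') includes `port`."""
    spec = str(port_range).strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return spec.isdigit() and int(spec) == port


def opens_ssh_to_internet(props):
    """Inbound Allow rule that reaches port 22 from an Internet-wide source."""
    if props.get("direction") != "Inbound" or props.get("access") != "Allow":
        return False
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]
    sources = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "")]
    return any(port_range_covers(r) for r in ranges) and any(
        s in INTERNET_PREFIXES for s in sources)


def invites_consumer_mailbox(props):
    """Guest invite whose target domain is a consumer webmail provider."""
    invited = props.get("invitedUser", "")
    return "@" in invited and invited.rsplit("@", 1)[1].lower() in CONSUMER_DOMAINS


def stage_for(event):
    """Map one event to a stage label, or None if it is not interesting."""
    stage = STAGES.get(event.get("operation"))
    props = event.get("properties", {})
    if stage == "nsg_ssh_open" and not opens_ssh_to_internet(props):
        return None
    if stage == "external_invite" and not invites_consumer_mailbox(props):
        return None
    return stage


def analyze(events):
    """Return {principal: [distinct stages in time order]} for principals with findings."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = stage_for(ev)
        if stage is None:
            continue
        seen = findings.setdefault(ev["principal"], [])
        if stage not in seen:
            seen.append(stage)
    return findings


def high_risk_principals(events, min_stages=2):
    """Principals that hit at least `min_stages` distinct stages of the chain."""
    return [p for p, stages in analyze(events).items() if len(stages) >= min_stages]


# Constructed sample events modelled on the incident narrative (not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-02-01T09:12:00Z", "principal": "consultant@partner.example",
     "operation": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "properties": {"direction": "Inbound", "access": "Allow",
                    "destinationPortRange": "22", "sourceAddressPrefix": "*"}},
    {"time": "2024-02-01T09:20:00Z", "principal": "consultant@partner.example",
     "operation": "Microsoft.Compute/virtualMachines/write",
     "properties": {"resourceName": "vm-tmp-01"}},
    {"time": "2024-02-20T14:03:00Z", "principal": "consultant@partner.example",
     "operation": "User registered security info",
     "properties": {"method": "Microsoft Authenticator"}},
    {"time": "2024-02-20T14:10:00Z", "principal": "consultant@partner.example",
     "operation": "Invite external user",
     "properties": {"invitedUser": "someone@gmail.com"}},
    # Benign admin activity for contrast: internal-only HTTPS rule, one VM build.
    {"time": "2024-02-02T11:00:00Z", "principal": "admin@corp.example",
     "operation": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "properties": {"direction": "Inbound", "access": "Allow",
                    "destinationPortRange": "443", "sourceAddressPrefix": "10.0.0.0/8"}},
    {"time": "2024-02-03T11:00:00Z", "principal": "admin@corp.example",
     "operation": "Microsoft.Compute/virtualMachines/write",
     "properties": {"resourceName": "vm-build-07"}},
]

if __name__ == "__main__":
    for principal, stages in analyze(SAMPLE_EVENTS).items():
        print(principal, "->", ", ".join(stages))
    print("high risk:", high_risk_principals(SAMPLE_EVENTS))
```

The threshold of two distinct stages is deliberate: a single NSG change or VM creation is routine admin work, whereas the same principal opening SSH to the Internet and then standing up a VM (let alone enrolling a new MFA method and inviting a Gmail address) is the pattern worth paging on. In production the NSG check should also cover rules that are broad enough to include port 22 via `*` or a range, which `port_range_covers` handles, and the consumer-domain list should be tuned to the tenant’s expected guest partners.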