Type: Campaign
Actors:
Pub. date: July 8, 2025
Initial access: Exposed secret
Impact: Data exfiltration
Observed techniques:
Status: Finalized
Last edited: Jul 16, 2025 1:30 PM
In early 2024, a Darktrace customer’s Azure environment was compromised after attackers stole access tokens linked to an external consultant’s account, obtained via cracked software. Using these tokens, the attacker authenticated into the Azure environment, modified security rules to allow inbound SSH traffic, and created a rogue virtual machine for persistent access and potential resource hijacking. Weeks later, the attacker registered new MFA information and sent an anomalous collaboration invite to an external Gmail address to further entrench their presence.