Microsoft Threat Intelligence has identified an evolution in the tactics of Silk Typhoon, a Chinese state-sponsored espionage group, now increasingly focusing on compromising IT solutions, remote management tools, and cloud applications to gain initial access. By exploiting unpatched vulnerabilities in edge devices and abusing stolen credentials and API keys, Silk Typhoon infiltrates downstream customer environments, including cloud services. Their tradecraft involves exploiting zero-days, lateral movement from on-premises networks to cloud infrastructure, and abusing service principals and multi-tenant applications for data exfiltration.
Silk Typhoon has consistently demonstrated rapid adoption of zero-day vulnerabilities, exploiting public-facing devices before organizations can patch them. Recent observations in 2025 revealed their exploitation of a zero-day in Ivanti Pulse Connect VPN (CVE-2025-0282). Historical attacks trace back to exploits in Microsoft Exchange servers (CVE-2021 series), Palo Alto GlobalProtect Gateway (CVE-2024-3400), and Citrix NetScaler ADC/Gateway (CVE-2023-3519). In addition to direct exploitation, Silk Typhoon abuses exposed credentials discovered through reconnaissance, including credentials found on public repositories like GitHub, enabling password spray attacks and account takeovers. Once inside, they conduct extensive reconnaissance, establishing persistence through web shells and resetting default accounts to maintain control.
Following successful on-premises compromise, Silk Typhoon moves laterally into cloud environments by targeting AADConnect (Entra Connect) servers. This enables them to escalate privileges, access both on-premises and cloud environments, and ultimately exfiltrate data from services like Exchange Online, OneDrive, and SharePoint using MSGraph and EWS APIs. They leverage service principals and OAuth applications that have already been granted consent in the tenant, adding their own credentials to them for persistence. The group also uses multi-tenant applications to pivot across environments, further expanding their reach. To evade detection, they operate through covert networks built from compromised devices, including Cyberoam appliances, Zyxel routers, and QNAP devices, which obfuscate their true origin.
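The persistence step described above (a new secret added to an already-consented service principal or app registration) leaves a trail in the Entra ID audit log. The following detection sketch is an added example, not Microsoft's code or tooling: it assumes the two activity names and the record layout shown, that the Entra Connect synchronization account's UPN starts with "sync_", and runs over constructed sample records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names as they appear in Entra ID audit logs (assumed spelling); both
# cover the "add our own credential to an already-consented app" step above.
CREDENTIAL_EVENTS = {"Add service principal credentials",
                     "Update application – Certificates and secrets management"}

def _rec(ts, activity, actor, target):  # one constructed Entra-style audit record
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": target, "type": "ServicePrincipal"}]}

# Constructed sample, not real tenant data; "sync_" mimics the Entra Connect
# synchronization account's naming (assumed convention).
SAMPLE_AUDIT_LOG = [
    _rec("2025-03-05T09:00:00Z", "Add service principal credentials",
         "sync_entraconnect@corp.example", "Backup Connector"),
    _rec("2025-03-05T09:10:00Z", "Update application – Certificates and secrets management",
         "admin@corp.example", "HR Sync App"),
    _rec("2025-03-05T09:12:00Z", "Add service principal credentials",
         "admin@corp.example", "Mail Archiver"),
    _rec("2025-03-05T15:00:00Z", "Add service principal credentials",
         "helpdesk@corp.example", "Ticketing App"),
]

def find_suspicious_credential_adds(records, window=timedelta(hours=1),
                                    min_targets=2, watch_prefixes=("sync_",)):
    """Alert when a sync identity adds app credentials (Entra Connect is the pivot
    described above) or one actor adds secrets to `min_targets` apps in `window`."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec.get("activityDisplayName") in CREDENTIAL_EVENTS:
            ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
            actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
            by_actor[actor].append((ts, [t["displayName"] for t in rec["targetResources"]]))
    alerts = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e[0])
        if actor.lower().startswith(watch_prefixes):
            alerts.append({"actor": actor, "reason": "sync identity added app credentials",
                           "targets": sorted({t for _, tg in events for t in tg})})
            continue
        for i, (start, _) in enumerate(events):  # sliding window over sorted events
            seen = {t for ts, tg in events[i:] if ts - start <= window for t in tg}
            if len(seen) >= min_targets:
                alerts.append({"actor": actor, "targets": sorted(seen),
                               "reason": f"credentials added to {len(seen)} apps in {window}"})
                break
    return alerts
```

A single helpdesk credential add is left alone; the sync account and the admin touching two apps inside an hour are surfaced for review against change records.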