Azure subscription hijacking and cryptomining

The attack

  • The Azure AD break-glass account was compromised (e.g. the password was obtained from the dark web; brute-force password attack or re-used password from past SaaS hack like LinkedIn in 2012) and was used to logon to the victim-tenant Azure portal (via a VPN or TOR browser to hide their source IP-address).
  • A guest account was created (requires elevated permissions in Azure AD: Global Administrator, Guest Inviter or User Administrator) in the victim-tenant with an account from the attacker-tenant (e.g., this account needs a mailbox for to verify the invitation.
  • The newly created guest account got Owner permissions (requires elevated permissions in Azure: Owner or User Access Administrator) on the Azure subscription in the victim-tenant.
  • Logon from the attacker-tenant to the Azure portal (section subscriptions) and switch directory to the victim-subscription
  • Change directory to transfer the Azure subscription to the attacker-tenant (Azure AD).
  • Attacker deployed (10) Azure VMs (e.g. NVv4- (GPU) or Mv2-series) to mine cryptocurrency. See example for pricing (starting from …. )

Azure subscription

Protect (Prevention)

Multi Factor Authentication [MFA]

Block Access from untrusted locations


Final words




Chief Technology Officer @ Nedscaper

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Are you aware of the vulnerability in travel booking systems?

{UPDATE} 3D Hack Free Resources Generator

Business Logic issue in notification

Tachyon Protocol Weekly Report #40

CISO, how good are your Cybersecurity Reports?

{UPDATE} Wolf Treasure Hack Free Resources Generator

What is hashing?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Derk van der Woude

Derk van der Woude

Chief Technology Officer @ Nedscaper

More from Medium

Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump

Threat Intelligence as a Service

Parsing Azure Firewall logs in Microsoft Sentinel

Threat Modeling with STRIDE Method (Part III)