Attack Hidden in Plain Sight: Tenant-Level Security Analysis Unmasks Malicious Activity
2025-03-31

A security team uncovered a seemingly ordinary user login that masked a sophisticated attack targeting 24 users. The attacker used the Microsoft Azure CLI, attempting logins from a Mexican data center with no more than two attempts per user so as to stay under brute-force detection thresholds. They also used IPv6 addresses from the 2001:0470:c8e0::/48 range to evade IOC-based detection. By analyzing login activity at the tenant level rather than per user, the team identified the attack. This highlights the importance of tenant-wide log analysis to uncover malicious activity hidden within seemingly normal user behavior.