cd /blog
AzureAZ-500Cloud SecurityIdentitySIEMThreat Intelligence

#Azure Security in 2025: Real Threats and AZ-500 Defenses

A practical look at the most dangerous attack vectors targeting Azure environments right now, mapped to the AZ-500 control domains — identity, network, data, and detection.

5 min read 948 words

The Threat Landscape Has Shifted to the Control Plane

Most successful cloud breaches in 2024–2025 didn’t touch a single VM. Attackers found a smarter path: compromise an identity, escalate privileges inside Entra ID, pivot through management APIs, and silently exfiltrate data or deploy ransomware — all without ever touching the OS layer.

Understanding why this works is the foundation of AZ-500 and the foundation of real Azure defense.

1. Identity is the New Perimeter

The Attack: Token Theft and Lateral Movement

Modern phishing campaigns bypass MFA by stealing OAuth tokens directly from the browser or intercepting the redirect in adversary-in-the-middle (AiTM) attacks (e.g., Evilginx, Modlishka). Once an attacker has an access token, they have full API access for its lifetime — regardless of MFA.

Victim → Evilginx proxy → Azure AD
                ↑ Token captured here

Real-world example: Storm-0558 (2023) used forged authentication tokens to access Microsoft 365 mail of 25+ organisations, including US government accounts.

The Defense

  • Conditional Access Policies with sign-in frequency and continuous access evaluation (CAE) — Entra ID revokes tokens in near-real-time on risk signals
  • Phishing-resistant MFA: FIDO2 security keys or Windows Hello for Business, not TOTP
  • Named Locations + Compliance Policies: block sign-ins from non-compliant or non-managed devices
  • Privileged Identity Management (PIM): no standing privileged roles — just-in-time activation only
// Conditional Access — require compliant device for any admin role
{
  "conditions": {
    "users": { "includeRoles": ["Global Administrator", "Security Administrator"] },
    "devicePlatforms": { "includeAll": true }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["compliantDevice", "mfa"]
  }
}

2. Misconfigured Storage and Key Vaults

Publicly accessible Azure Blob Storage containers remain one of the top data breach vectors. Attackers use automated scanners that probe storage account names derived from leaked source code or company names.

What Gets Exposed

  • SAS tokens hardcoded in application configs pushed to GitHub
  • Blob containers with PublicAccessLevel: Blob on production accounts
  • Key Vault secrets accessible to over-permissioned managed identities

The Defense

# Audit public blob access across all storage accounts
az storage account list --query "[?allowBlobPublicAccess==true].{Name:name, RG:resourceGroup}" -o table

# Disable public access on a specific account
az storage account update \
  --name mystorage \
  --resource-group myRG \
  --allow-blob-public-access false

For Key Vault:

  • Enable soft-delete and purge protection — mandatory for all production vaults
  • Use RBAC authorization (not legacy access policies)
  • Enable Private Endpoints — no public network access
  • Rotate secrets automatically via Key Vault references in App Service / AKS

3. Lateral Movement via Managed Identity Abuse

Azure Managed Identities eliminate credential management — but a compromised workload (VM, App Service, container) inherits all permissions assigned to its identity.

The Attack

# From inside a compromised VM/container, query IMDS for a token
import requests

response = requests.get(
    "http://169.254.169.254/metadata/identity/oauth2/token"
    "?api-version=2018-02-01&resource=https://management.azure.com/",
    headers={"Metadata": "true"}
)
token = response.json()["access_token"]
# Now call ARM API with full permissions of the identity

An over-permissioned identity (e.g., Contributor at subscription scope) turns a single workload compromise into a full subscription takeover.

The Defense

  • Apply least privilege: use custom roles scoped to specific resource groups or individual resources
  • Audit identity permissions regularly with Azure Policy and Access Reviews
  • Monitor IMDS token requests — legitimate apps request tokens infrequently; anomalies indicate compromise

4. Network Security and Zero-Trust Segmentation

Common Misconfigurations

  • NSG rules with Source: Any on ports 22/3389 on internet-facing subnets
  • Unrestricted outbound — malware can beacon C2 freely
  • No inspection between Azure subnets — lateral movement is frictionless

The Defense: Hub-and-Spoke with Azure Firewall

Internet → Azure Firewall (DNAT + IDPS) → Hub VNet
                                              ├── Spoke A (Web tier) — NSG: 443 only
                                              ├── Spoke B (App tier) — NSG: 8080 from Spoke A only
                                              └── Spoke C (Data tier) — NSG: 1433 from Spoke B only

Enable Azure Firewall Premium IDPS signatures for east-west traffic inspection. Use Private Link for all PaaS services (SQL, Storage, Key Vault) — eliminates public endpoints entirely.

5. Detection: Microsoft Sentinel and Defender for Cloud

Without detection, prevention controls are just slow-downs. The AZ-500 control domain for security operations centres on two tools:

Microsoft Sentinel (SIEM + SOAR)

// KQL: Detect impossible travel (sign-in from two countries < 1 hour apart)
SigninLogs
| where TimeGenerated > ago(1h)
| summarize Locations = make_set(Location), Count = count() by UserPrincipalName
| where array_length(Locations) > 1
| project UserPrincipalName, Locations, Count

// KQL: Detect mass secret enumeration from a single identity
AzureActivity
| where OperationNameValue has "Microsoft.KeyVault/vaults/secrets/list"
| summarize Count = count() by Caller, bin(TimeGenerated, 5m)
| where Count > 10

Defender for Cloud

  • Enable CSPM (Cloud Security Posture Management) — continuous compliance scoring against CIS Azure Benchmark and NIST 800-53
  • Enable CWPP (Cloud Workload Protection) on all VMs, containers, and SQL servers
  • Review Secure Score weekly — each recommendation maps to a concrete misconfiguration

AZ-500 Domain Map

DomainCoverage
Manage Identity & AccessEntra ID, PIM, Conditional Access, Managed Identities
Secure NetworkingNSGs, Azure Firewall, Private Link, VPN/ExpressRoute
Secure Compute/Storage/DBVM hardening, Storage security, SQL TDE, Key Vault
Manage Security OperationsSentinel, Defender for Cloud, Log Analytics, Incident Response

Takeaway

The AZ-500 isn’t a checkbox exercise — it’s a map of how attackers actually move through Azure environments. The controls exist because each attack path is real and documented. Mastering identity security, least-privilege architecture, and detection engineering will stop the vast majority of cloud breaches before they escalate.