Clankerusecase
Azure detection coverage

Azure detections

Clankerusecase tracks 88 detection use cases covering the Azure attack surface across 82 MITRE ATT&CK techniques.

Detections targeting Microsoft Azure — Activity Logs, Azure AD, Sentinel SecurityEvent / SigninLogs.

88 use cases
82 techniques
60 articles
6 kill-chain phases

Top techniques on Azure (25)

Reconnaissance (1)

[LLM] MCPHub SSE user-segment fan-out — single source spawning sessions under multiple usernames Bespoke recon · alerting SPDD

Delivery (16)

- Azure AD brute-force login Internal delivery · alerting DD
- Email attachment opened from external sender Internal delivery · hunting DSP
- Phishing-link click correlated to endpoint execution Internal delivery · alerting DSP
- Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator Internal delivery · hunting DSP
- [LLM] OAuth consent grant to unfamiliar third-party AI / SaaS app — Vercel-style trust chain attack Bespoke delivery · hunting DSΣDD
- [LLM] Phishing email click landing on Sniper Dz infrastructure (URL/click correlation) Bespoke delivery · alerting DSPDD
- [LLM] External MS Teams chat invite from IT-impersonating unmanaged or federated tenant Bespoke delivery · hunting DSPDD
- [LLM] Activity involving ommicrosoft.com Cloaked-Ursa Teams typosquat Bespoke delivery · alerting DSΣPDDCS
- [LLM] ChatGPT Plus payment-update phishing emails (display-name + subject lure) Bespoke delivery · alerting DSΣP
- [LLM] Claude 'Appeal Request' phishing email with PDF attachment lure Bespoke delivery · alerting DSΣP
- [LLM] UTA0355 device-code phishing: deviceCode auth flow with cross-IP token redemption Bespoke delivery · alerting DSPDD
- [LLM] First-time OAuth consent granting Drive/Mail read scope to non-sanctioned third-party app Bespoke delivery · hunting DSΣPDDCS
- [LLM] Silver Fox Japan tax-season lure: inbound email with Japanese HR/ESOP subject + gofile.io URL or RAR/ZIP Bespoke delivery · alerting DS
- [LLM] PlugX phishing lure — 'Meeting Invitation' email linking to gesecole.net ZIP Bespoke delivery · hunting DSΣPDD
- [LLM] Aikido npm phishing: inbound email containing jsDelivr link to flockiali/opresc/prndn/oprnm/operni Bespoke delivery · alerting DSΣPDD
- [LLM] Inbound email with HTML attachment linking to unpkg.com Beamglea package Bespoke delivery · alerting DSP

Exploitation (22)

- [WEEKLY] Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint Internal exploit · alerting DSPDD
- [WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes Internal exploit · alerting DSPDDCW
- [LLM] Ivanti Sentry command injection via /mics/api/v2/sentry/mics-config/handleMessage (CVE-2026-10520) Bespoke exploit · alerting DSΣPDDCS
- [LLM] SAP NetWeaver SAML XML signature wrapping anomaly (CVE-2026-44748) Bespoke exploit · hunting DSPDD
- [LLM] MFA approval within minutes of inbound external Microsoft Teams chat Bespoke exploit · alerting DSPDDCS
- [LLM] HTTP access to Shopper admin team-settings / Livewire endpoints (CVE-2026-47744) Bespoke exploit · hunting DSΣPDDCW
- [LLM] AVideo YPTSocket plugin XSS injection via webSocketSelfURI/page_title query strings Bespoke exploit · alerting DSΣPDD
- [LLM] Jupyter Enterprise Gateway /api/kernels POST with KERNEL_UID/GID body (CVE-2026-44180) Bespoke exploit · hunting SΣPDD
- [LLM] LiquidJS SSTI gadget tokens in inbound HTTP (CVE-2026-45618) Bespoke exploit · alerting DSΣPDDCS
- [LLM] Nezha CVE-2026-46716 exploit: POST /api/v1/cron with empty servers + CronCoverAll Bespoke exploit · alerting SΣPDD
- [LLM] zrok ProxyShare SSRF — request path begins with absolute URL (CVE-2026-45568) Bespoke exploit · hunting DSΣPDDCS
- [LLM] HAXcms CVE-2026-46395: unauthenticated GET to /system/api/connectionSettings Bespoke exploit · alerting SΣPDDCS
- [LLM] Marten CVE-2026-45288 regConfig SQL injection attempt in web traffic Bespoke exploit · alerting SΣPDD
- [LLM] MCPHub SSE endpoint accessed with arbitrary username in URL path (CVE-2025/GHSA-wf8q-wvv8-p8jf hunt) Bespoke exploit · hunting SΣPDD
- [LLM] MCPHub identity spoofing — admin-themed username in /<user>/sse path Bespoke exploit · alerting SΣPDD
- [LLM] Inbound exploit attempt to Cisco Catalyst SD-WAN Manager from known UAT-8616 / Cluster IPs Bespoke exploit · hunting DSΣPDDCS
- [LLM] FlowiseAI POST /api/v1/node-custom-function with NodeVM Sandbox-Escape Payload (CVE-2026-46442) Bespoke exploit · alerting SΣPDD
- [LLM] BodySnatcher (CVE-2025-12420) — Hardcoded 'servicenowexternalagent' Token Observed in HTTP Traffic Bespoke exploit · alerting DSΣPDDCS
- [LLM] ServiceNow Virtual Agent Invocation of Hidden AIA-Agent Invoker AutoChat Topic (CVE-2025-12420) Bespoke exploit · alerting DSPDDCS
- [LLM] Anomalous POST to Next.js Server Action / RSC endpoint with 5xx error clustering Bespoke exploit · alerting DSPDDCS
- [LLM] Next.js CVE-2025-29927 middleware bypass via x-middleware-subrequest header Bespoke exploit · alerting DSΣPDDCS
- [LLM] Struts CVE-2023-50164 path-traversal upload — HTTP exploit attempt Bespoke exploit · alerting DSΣPDD

Installation (9)

- Azure AD member assigned Global Administrator role Internal install · alerting DD
- Azure AD MFA disabled for a user Internal install · alerting DD
- Azure diagnostic setting deleted Internal install · alerting DD
- Azure new owner added to service principal Internal install · alerting DD
- Azure SQL Server firewall rule created Internal install · alerting DD
- Azure user added to administrative group Internal install · alerting DD
- [LLM] Ivanti Sentry unauthenticated admin account creation (CVE-2026-10523) Bespoke install · alerting DSPDDCS
- [LLM] Bling Libra: Entra device join immediately after vishing-driven MFA registration Bespoke install · alerting DSPDD
- [LLM] Curious Serpens / APT29 ROADtools-pattern: device registration immediately following non-interactive token acquisition Bespoke install · alerting DSPDD

Command & Control (12)

- [WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay Internal c2 · alerting DSPDD
- [LLM] M365 / Entra sign-ins sourced from BRICKSTORM C2 IP 149.248.11.71 Bespoke c2 · hunting DSΣPDDCS
- [LLM] Outbound mail to or domain lookup of business-data-leaks[.]com (UNC3753 extortion infrastructure) Bespoke c2 · alerting DSΣPDDCS
- [LLM] ROADtools roadtx FOCI client-ID swap: refresh-token resource hop across MS Office FOCI app IDs Bespoke c2 · hunting DSPDD
- [LLM] Mini Shai-Hulud C2 callback to zero.masscan.cloud / 94.154.172.43 Bespoke c2 · alerting DSΣPDDCS
- [LLM] Outbound connection to TeamPCP C2 IP 83.142.209.194 Bespoke c2 · hunting DSΣPDDCS
- [LLM] AdaptixC2 'shadowcore' / Mythic C2 traffic to UAT-8616 infrastructure 194.163.175.135 Bespoke c2 · hunting DSΣPDDCS
- [LLM] FrostyNeighbor C2 callout to needbinding/nebao/algsat/sardk/alexavegas/lavanille Bespoke c2 · alerting DSΣPDDCS
- [LLM] Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2) Bespoke c2 · hunting DSPDDCS
- [LLM] TeamPCP Trivy/KICS C2 callback to scan.aquasecurtiy.org / 45.148.10.212 Bespoke c2 · hunting DSΣPDD
- [LLM] axios npm RAT C2 beacon to sfrclak.com / 142.11.206.73:8000 Bespoke c2 · hunting DSΣPDD
- [LLM] TeamPCP supply-chain C2 — outbound to checkmarx[.]zone / 83.142.209.11 Bespoke c2 · hunting DSΣPDD

Actions on Objectives (28)

- Azure Key Vault keys / secrets read Internal actions · alerting DD
- Azure storage soft-delete disabled Internal actions · alerting DD
- MFA fatigue / push-bombing Internal actions · alerting DSP
- OAuth consent / suspicious app grant Internal actions · alerting DSΣP
- [WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read Internal actions · alerting DSPDD
- Azure AD FullAccessAsApp Permission Assigned ESCU actions · alerting P
- Azure AD Multi-Factor Authentication Disabled ESCU actions · alerting P
- Azure AD New MFA Method Registered For User ESCU actions · alerting P
- Azure AD Privileged Graph API Permission Assigned ESCU actions · alerting P
- Azure AD Service Principal New Client Credentials ESCU actions · alerting P
- Azure AD Service Principal Privilege Escalation ESCU actions · alerting P
- Azure Automation Account Created ESCU actions · alerting P
- Azure Automation Runbook Created ESCU actions · alerting P
- Azure Runbook Webhook Created ESCU actions · alerting P
- Microsoft Intune Device Health Scripts ESCU actions · hunting P
- Microsoft Intune DeviceManagementConfigurationPolicies ESCU actions · hunting P
- Microsoft Intune Manual Device Management ESCU actions · hunting P
- Microsoft Intune Mobile Apps ESCU actions · hunting P
- [LLM] AI-agent-driven mailbox auto-forwards messages to first-time-seen external recipient Bespoke actions · alerting DSPDD
- [LLM] Public GitHub repo creation matching Miasma 'adjective-creature-N' exfil pattern Bespoke actions · hunting DSPDD
- [LLM] Worm-injected .github/setup.js commit with 'chore: update dependencies [skip ci]' message Bespoke actions · alerting DSΣPDD
- [LLM] praisonai-platform: identity-swap chain — owner grant followed by login from the granted account Bespoke actions · hunting DSPDD
- [LLM] postmark-mcp BCC exfil to giftshop.club Bespoke actions · alerting DSΣPDDCS
- [LLM] MCPHub tool execution via spoofed identity — POST to /<user>/messages with JSON-RPC body Bespoke actions · alerting SΣPDD
- [LLM] Iran-aligned MFA push-bombing followed by new auth method registered (AA24-290A) Bespoke actions · alerting DSP
- [LLM] Shai-Hulud 3.0 'Goldox-T3chs' GitHub exfiltration marker observed Bespoke actions · alerting DSΣPDDCS
- [LLM] Bun/Node initiating multi-cloud secret-manager enumeration burst (Sha1-Hulud aL0 harvest) Bespoke actions · alerting DSPDDCS
- [LLM] Outbound email BCC'd to giftshop.club exfil domain (postmark-mcp backdoor) Bespoke actions · alerting DSΣPDD

Recent articles citing Azure-targeted detections