Introduction
Microsoft Azure powers critical operations for thousands of organisations, and that makes it a high-value target.
But not all attacks come with sirens blaring. Many of the most dangerous threats don’t knock loudly. They quietly
slip through the cracks, blend in with normal operations, and linger undetected for weeks or months.
A while ago, during a review of an enterprise Azure environment, we uncovered something unsettling: an automation
script silently moving data around using legitimate credentials, and no one had noticed. That’s the kind of stealth
attackers count on, and this article is all about those tactics.
In this deep dive, we’ll explore how attackers hide in plain sight within Azure, how they exploit built-in tools, and what
security engineers can do to stop them. From role abuse and token persistence to hidden exfiltration methods,
this is your guide to staying ahead of stealthy threats.
How Attackers Stay Sneaky in Azure
Let’s walk through the key ways attackers maintain low profiles in Azure, and how they turn your tools against you.
1. Exploiting Misconfigured Permissions and Roles
Once an attacker gains access, they look for one thing first: loose permissions. In environments where roles are
over-provisioned, attackers don’t need to break anything. They can escalate privileges with what’s already available.
Why it works:
In fast-moving teams, engineers often assign broader access just to get things working. It’s understandable, but
dangerous. These permissions become a silent enabler for attackers.
Tactic in action:
Instead of creating noisy new accounts, attackers will hijack existing service identities. It’s subtle, it’s effective,
and it’s hard to spot.

2. Using Azure’s Native Tools Against You
Here’s a scary thought: an attacker doesn’t need malware. They can automate data exfiltration using Azure Functions,
Logic Apps, or Automation Runbooks - the same tools your engineers rely on.
Why it works:
These are legitimate services, and many orgs don’t monitor them closely. That gives attackers the perfect cover.
Tactic in action:
They might create a function that runs silently at 3 a.m., pulling down sensitive data or modifying access settings,
without tripping any alarms.

3. Abusing Azure Diagnostics and Logs
Logs are only useful when they’re complete and untampered. Unfortunately, attackers know that too, and often
their first move is to disable or restrict logging.
Why it works:
The Activity Log is collected automatically but kept for only 90 days unless you export it, and resource-level diagnostic logs (storage accounts, key vaults, function apps and so on) stay off until someone creates a diagnostic setting. Short retention and missing logs are the norm, not the exception.
Tactic in action:
Attackers delete or edit diagnostic settings, or cut a Log Analytics workspace's retention, so the evidence ages out before anyone looks. The change itself is still recorded in the Activity Log as a control-plane operation, so their tracks are only erased if nobody is alerting on that event.

4. Leveraging Insecure Storage Accounts and Keys
Storage accounts are high-value targets. If attackers can find an access key, they can bypass normal authentication
and go straight to the data.
Why it works:
Access keys are often hardcoded in scripts or exposed in public repos. A leaked key grants full data-plane access to the account until it is rotated, and it is not tied to any user or service principal, so it never appears in sign-in logs.
Tactic in action:
An attacker with a key doesn't need to log in. They simply use the key to pull data. Identity-centric monitoring (Conditional Access, Identity Protection, sign-in risk) never sees the request; only the storage account's own resource logs, if enabled, record it, and then as a Shared Key authenticated call rather than a named principal.

5. Persistence via Long-Lived Tokens
Even if you catch the initial breach, it may not be over. Attackers often maintain access through tokens that outlive the incident: a Microsoft Entra (Azure AD) access token is normally valid for roughly an hour to ninety minutes, but a refresh token, or a device's Primary Refresh Token, keeps minting new access tokens for as long as it is used, up to 90 days of inactivity.
Why it works:
Access tokens already issued keep working until they expire, even after a password reset, and refresh tokens live on until they are explicitly revoked (a password change, a revokeSignInSessions call, or disabling the user) or go unused for 90 days. Without sign-in frequency controls and proactive monitoring, a stolen refresh token is a quiet backdoor.
Tactic in action:
They steal a token from a compromised app or device and replay it. An access token is bound to a single audience (its aud claim), so "reuse across services" in practice means redeeming a stolen refresh token for fresh access tokens to Graph, Azure Resource Manager and other APIs. If nobody correlates those sign-ins by session, they'll stay connected indefinitely.

Defending Against Stealthy Azure Attacks
Let’s flip the script. Here’s how to detect and stop the tactics we just covered, before they become a major incident.

1. Enforce Least Privilege + Regular Audits
- Tighten every role. Use just-in-time (JIT) access via Privileged Identity Management (PIM) and regularly review what permissions are actually needed.
- Pro tip: create Activity Log alerts in Azure Monitor for Microsoft.Authorization/roleAssignments/write at subscription or management-group scope, and turn on PIM's own alert for roles assigned outside PIM, so a newly granted Owner or User Access Administrator pages someone within minutes.
2. Watch Azure Native Tools Like a Hawk
- Limit who can create or edit Azure Functions, Logic Apps, or Automation runbooks. These should be tightly scoped and reviewed regularly, and their managed identities should hold only the permissions the workload needs.
- Set up alerts for high-frequency function executions, new or modified Logic App workflows, and runbook jobs scheduled at odd hours. Those are red flags.
3. Lock Down Logging and Monitor for Tampering
- Enable logging for all major resources: the Activity Log, resource diagnostic logs, Microsoft Entra ID (formerly Azure AD) sign-in and audit logs, and custom logs from services.
- Store them in a Log Analytics workspace you control (ideally in a separate security subscription) and, for long-term copies, in immutable storage. If an attacker deletes a diagnostic setting or shortens workspace retention, you should get a notification - immediately. An Activity Log alert on Microsoft.Insights/diagnosticSettings/delete is a good start.
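The two alerts above (new privileged role assignments from defence 1, and deleted or weakened diagnostic settings from defence 3) can be prototyped against exported Activity Log records before being wired into Sentinel. The Python below is an added example, not code from this article: the events are constructed, their field names are modelled loosely on the AzureActivity table in Log Analytics (OperationNameValue, Caller, ActivityStatusValue, ResourceId, Properties.requestbody), and the subscription, principal and caller identifiers are placeholders. The role definition GUIDs and operation names are the real built-in values.

```python
"""Triage constructed Azure Activity Log records for privileged role grants and
log tampering. Added example; schema is simplified and records are constructed."""
import json

# Built-in Azure RBAC role definition GUIDs (real, fixed values).
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}
ROLE_WRITE_OP = "microsoft.authorization/roleassignments/write"

# Control-plane operations that remove or weaken telemetry. They are themselves
# written to the Activity Log, which is exactly why alerting on them works.
LOG_TAMPER_OPS = {
    "microsoft.insights/diagnosticsettings/delete": "diagnostic setting deleted",
    "microsoft.insights/diagnosticsettings/write": "diagnostic setting created or changed",
    "microsoft.operationalinsights/workspaces/write": "Log Analytics workspace changed",
}


def request_body(event):
    """Return the parsed JSON request body of a control-plane write, or {}."""
    raw = event.get("Properties", {}).get("requestbody", "")
    try:
        return json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return {}


def check_role_grant(event):
    """Describe the grant if a privileged built-in role was assigned, else None."""
    if event["OperationNameValue"].lower() != ROLE_WRITE_OP:
        return None
    props = request_body(event).get("properties", {})
    guid = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
    role = PRIVILEGED_ROLES.get(guid)
    if role is None:
        return None  # e.g. Reader: worth logging, but not an escalation
    # The assignment's own ResourceId starts with the scope it applies to.
    scope = event.get("ResourceId", "").split(
        "/providers/Microsoft.Authorization/roleAssignments")[0]
    return f"{role} granted to principal {props.get('principalId')} at scope {scope or '<unknown>'}"


def check_log_tamper(event):
    """Describe the telemetry change if the operation weakens logging, else None."""
    op = event["OperationNameValue"].lower()
    what = LOG_TAMPER_OPS.get(op)
    if what is None:
        return None
    detail = f"{what}: {event.get('ResourceId')}"
    if op.endswith("workspaces/write"):
        days = request_body(event).get("properties", {}).get("retentionInDays")
        if days is not None:
            detail += f" (retentionInDays -> {days})"
    return detail


def triage(raw_events):
    """Run both checks over JSON-encoded records; return one finding per hit."""
    findings = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("ActivityStatusValue") == "Start":
            continue  # the log also emits a Start record; count the outcome once
        for kind, check in (("privileged_role_grant", check_role_grant),
                            ("log_tampering", check_log_tamper)):
            msg = check(ev)
            if msg:
                findings.append({"time": ev["TimeGenerated"], "caller": ev["Caller"],
                                 "status": ev.get("ActivityStatusValue"),
                                 "kind": kind, "detail": msg})
    return findings


# --- constructed sample data (placeholder IDs, not real tenants) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"


def make_event(op, resource_id, body=None, status="Success", caller="automation-sp@contoso.example", time="2024-05-01T03:02:11Z"):
    return json.dumps({"TimeGenerated": time, "Caller": caller, "OperationNameValue": op,
                       "ActivityStatusValue": status, "ResourceId": resource_id,
                       "Properties": {"requestbody": json.dumps(body) if body else ""}})


SAMPLE_EVENTS = [
    make_event("Microsoft.Authorization/roleAssignments/write",
               SUB + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
               {"properties": {"roleDefinitionId": ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c",
                               "principalId": "22222222-2222-2222-2222-222222222222"}}),
    make_event("Microsoft.Authorization/roleAssignments/write",  # Reader: not flagged
               SUB + "/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
               {"properties": {"roleDefinitionId": ROLE_DEFS + "acdd72a7-3385-48ef-bd42-f606fba81ae7",
                               "principalId": "22222222-2222-2222-2222-222222222222"}}),
    make_event("Microsoft.Insights/diagnosticSettings/delete",
               SUB + "/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/contosodata/providers/microsoft.insights/diagnosticSettings/toSentinel",
               status="Start"),  # skipped; the Success record below is counted
    make_event("Microsoft.Insights/diagnosticSettings/delete",
               SUB + "/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/contosodata/providers/microsoft.insights/diagnosticSettings/toSentinel"),
    make_event("Microsoft.OperationalInsights/workspaces/write",
               SUB + "/resourceGroups/sec/providers/Microsoft.OperationalInsights/workspaces/sec-law",
               {"properties": {"retentionInDays": 7}}),
    make_event("Microsoft.Compute/virtualMachines/start/action",  # benign: not flagged
               SUB + "/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/web01"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In a real pipeline the same two checks map directly onto Azure Monitor activity log alert rules (operation name equals the values in ROLE_WRITE_OP and LOG_TAMPER_OPS) or a scheduled Sentinel analytics rule over AzureActivity; the Python is only there to validate the logic against your own exported records first.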
4. Ditch Access Keys for Managed Identities
- Access keys are legacy. Switch to Managed Identities or Microsoft Entra ID (Azure RBAC) based access for storage accounts and resources, then disable Shared Key authorization on the account (allowSharedKeyAccess = false) so that any key already leaked stops working.
- Review access logs regularly. Set thresholds for large data exports or access from new geographies.
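Because leaked keys are the entry point for this tactic, it is worth scanning scripts and repositories for them before an attacker does. The scanner below is an added example, not the article's code; the deploy script it runs over and the key inside it are constructed. It keys on the shape of an Azure Storage account key (64 random bytes, base64-encoded to 86 characters followed by "=="), the AccountName=...;AccountKey=... connection-string form, and the sv=...&sig=... parameters of a SAS token.

```python
"""Find Azure Storage account keys, connection strings and SAS tokens in text.
Added example; the sample script and key are constructed, not real secrets."""
import re

# A storage account key is 512 bits of entropy, base64-encoded: 86 chars + "==".
KEY = r"[A-Za-z0-9+/]{86}=="
CONN_STRING_RE = re.compile(r"AccountName=(?P<account>[a-z0-9]{3,24});AccountKey=(?P<key>" + KEY + ")")
BARE_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])(?P<key>" + KEY + r")(?![A-Za-z0-9+/=])")
# A SAS token always carries a service version (sv=) and a signature (sig=).
SAS_RE = re.compile(r"sv=\d{4}-\d{2}-\d{2}[^\s\"']*sig=(?P<sig>[A-Za-z0-9%+/=]{16,})")


def mask(secret):
    """Keep enough of the secret to correlate findings without re-leaking it."""
    return secret[:4] + "..." + secret[-2:]


def scan_text(text):
    """Return one finding per line that contains a storage secret.

    A connection string already contains the key, so a line is classified
    once, in order of specificity: connection string, bare key, SAS token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CONN_STRING_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "connection_string",
                             "account": m["account"], "secret": mask(m["key"])})
            continue
        m = BARE_KEY_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "account_key",
                             "account": None, "secret": mask(m["key"])})
            continue
        m = SAS_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "sas_token",
                             "account": None, "secret": mask(m["sig"])})
    return findings


# --- constructed sample: a fake key with the right length and alphabet ---
FAKE_KEY = "x9Q2" * 21 + "ab" + "=="  # 86 base64 chars + "==", constructed
SAMPLE_SCRIPT = f"""# constructed deploy script, do not use
STORAGE_CONN="DefaultEndpointsProtocol=https;AccountName=contosodata;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
export AZURE_STORAGE_KEY={FAKE_KEY}
BACKUP_URL="https://contosodata.blob.core.windows.net/backups?sv=2022-11-02&ss=b&srt=co&sp=rl&se=2030-01-01T00:00:00Z&sig=abc123%2Fxyz456%3D"
echo "nothing secret on this line"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SCRIPT):
        print(finding)
```

Run scan_text over every file in a commit as a pre-commit or CI gate and fail on any finding. The fix for a hit is not a cleverer regex: rotate the key, then replace it with a managed identity, for example by constructing BlobServiceClient with a DefaultAzureCredential from the azure-identity package instead of an account key, and disable Shared Key access on the account once nothing depends on it.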
5. Control Token Lifetime and Watch for Reuse
- Keep token lifetimes short. Use a Conditional Access sign-in frequency policy to force reauthentication, especially for high-privilege users, and enable Continuous Access Evaluation so that disabling a user or a change in risk state revokes tokens in near real time for the services that support it.
- Monitor token reuse. If the same session starts appearing from multiple IP addresses or countries, revoke the user's sessions and act fast.
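To make "short lifetime" and "reuse" concrete, the block below reads the claims of a token and then looks for one session appearing from several IP addresses in quick succession. It is an added example, not from the article: the token is a constructed, unsigned JWT (a real Entra token is RS256-signed and must be verified before it is trusted for anything; here the claims are only read for triage), and the sign-in records are constructed rows using a few of the column names of the Entra SigninLogs table (SessionId, IPAddress, UserPrincipalName, TimeGenerated). The one-hour window and the IP addresses are assumptions for the demo.

```python
"""Inspect a token's lifetime and flag sessions replayed from multiple IPs.
Added example; token and sign-in rows are constructed."""
import base64
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_token(claims):
    """Build a JWT-shaped string with a placeholder signature for the demo.
    Any resource would reject it; we only parse it."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"


def inspect_token(token):
    """Read the claims WITHOUT verifying the signature. This is triage of a
    token recovered from a log or a compromised app, not authentication."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    return {
        "aud": claims.get("aud"),          # the one API this token is good for
        "appid": claims.get("appid"),      # client application that obtained it
        "oid": claims.get("oid"),          # object ID of the signed-in principal
        "lifetime_min": (claims["exp"] - claims["iat"]) // 60,
        "expires_at": datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat(),
    }


def session_reuse(signins, window=timedelta(hours=1)):
    """Flag each session seen from two different IP addresses within `window`.
    A stolen refresh token replayed by the attacker shows up as the victim's
    SessionId continuing from an address the victim never used."""
    by_session = defaultdict(list)
    for row in signins:
        by_session[row["SessionId"]].append(row)
    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r["TimeGenerated"])
        for prev, cur in zip(rows, rows[1:]):
            gap = cur["TimeGenerated"] - prev["TimeGenerated"]
            if prev["IPAddress"] != cur["IPAddress"] and gap <= window:
                findings.append({"session": sid, "user": cur["UserPrincipalName"],
                                 "ips": sorted({r["IPAddress"] for r in rows}),
                                 "gap_min": int(gap.total_seconds() // 60)})
                break  # one finding per session is enough to open a ticket
    return findings


# --- constructed sample data ---
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700005400,  # 90 minutes
    "appid": "00000000-0000-0000-0000-0000000000aa",
    "oid": "00000000-0000-0000-0000-0000000000bb",
    "upn": "alice@contoso.example",
})

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def signin(sid, ip, minutes, user="alice@contoso.example"):
    return {"SessionId": sid, "IPAddress": ip, "UserPrincipalName": user,
            "TimeGenerated": T0 + timedelta(minutes=minutes)}


SAMPLE_SIGNINS = [
    signin("sess-a", "203.0.113.10", 0),       # victim's office address
    signin("sess-a", "198.51.100.7", 20),      # same session, new address, 20 min later
    signin("sess-b", "203.0.113.10", 5),       # one address throughout: fine
    signin("sess-b", "203.0.113.10", 40),
    signin("sess-c", "203.0.113.10", 0),       # address changes, but three days apart
    signin("sess-c", "198.51.100.7", 3 * 24 * 60),
]

if __name__ == "__main__":
    print(inspect_token(SAMPLE_TOKEN))
    for finding in session_reuse(SAMPLE_SIGNINS):
        print(finding)
```

The session check is the part worth productionising: in Sentinel the equivalent is a query over SigninLogs grouped by SessionId that counts distinct IPAddress values within a short bin, with the hit feeding a playbook that calls revokeSignInSessions for the user.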
Monitoring Tools That Help You Detect Stealthy Activity
Here’s what you should be using right now to stay ahead:
- Microsoft Sentinel (formerly Azure Sentinel): For correlating logs and flagging suspicious patterns across your environment.
- Microsoft Defender for Cloud (formerly Azure Security Center): For real-time risk assessments and integration with Sentinel.
- Azure Monitor: For watching metrics and setting up alerts based on custom thresholds, including activity log alerts on specific operations.
- Microsoft Entra ID Protection (formerly Azure AD Identity Protection): To detect risky sign-ins and trigger Conditional Access policies.
- Azure Policy: Enforce security baselines, like always-on diagnostic settings and encryption at rest.
- Log Analytics: Run KQL queries to find suspicious access, log gaps, and anomalies.

Why Attackers Don’t Always Succeed
Even stealthy attacks have weaknesses. Here’s where you catch them:
- Privilege Escalation Attempts: Flag role assignment writes and PIM activations with Activity Log and PIM alerts, and require MFA or a compliant device for activation through a Conditional Access authentication context.
- Token Reuse: Use Identity Protection detections such as anomalous token and atypical travel, and correlate sign-ins by session to see where and how tokens are being used.
- Tampering with Logs: Gaps in logs, disabled services, or retention changes should trigger alerts immediately.
Conclusion
Attackers don’t always break in with brute force. The smarter ones blend in, but that doesn’t mean you have to let them.
Here’s what to lock down:
- Least privilege + audits
- Native tool monitoring
- End-to-end logging
- Access control for storage
- Secure, monitored token use
With tools like Microsoft Sentinel, Entra ID Protection, and proper logging, you can tip the balance in your favour,
and kick stealthy attackers out before they settle in.