Use of Azure APIs by a likely malicious caller
Description
AlphaSOC detected Azure API operations initiated from an IP address that exhibits characteristics of malicious infrastructure. This includes IP addresses listed on threat intelligence blocklists, connections through anonymous networks like Tor or Freenet, or requests potentially associated with penetration testing tools. Threat actors often leverage such infrastructure to obscure their identity and location while attempting to gain unauthorized access to cloud resources, escalate privileges, or exfiltrate data.
Impact
Malicious callers may gain unauthorized access to Azure resources and sensitive information, potentially leading to data breaches. The adversary may be able to view, modify, or delete sensitive data, manipulate resources, escalate privileges within the Azure environment, or leverage Azure services for malicious purposes such as cryptomining or launching further attacks against other targets.
Severity
| Severity | Condition |
|---|---|
| Medium | Use of Azure APIs by a likely malicious caller |
Investigation and Remediation
1. Review Azure Activity logs to identify the specific API operations performed by the suspicious caller, including the actions taken, resources accessed, and timestamps.
2. Identify the Azure user account, service principal, or managed identity associated with the activity.
3. Verify whether the activity was authorized and performed by a legitimate user or service.
4. If the activity is confirmed as unauthorized, immediately revoke the compromised credentials, disable affected accounts, and reset authentication tokens.
5. Assess the scope of potential compromise by examining all actions performed by the suspicious caller.
6. Implement conditional access policies and require additional authentication factors.
7. Review and strengthen network security controls to prevent future access from known malicious infrastructure.
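The first three investigation steps (pull the Activity log entries from the flagged source, group them by caller identity, and note operations, resources, timestamps and failures) are easy to automate once the log has been exported. The script below is an added example written for this page; it is not AlphaSOC's code. It assumes the field names of the Azure Monitor activity log export (`time`, `caller`, `callerIpAddress`, `operationName`, `resourceId`, `resultType`), and both the blocklist and the log records are constructed sample data, not real indicators.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed blocklist: a single address and a CIDR range. In a real triage
# these come from the alert itself or from your threat-intelligence feed.
SUSPICIOUS_SOURCES = ["203.0.113.45", "198.51.100.0/24"]

# Constructed Activity log records (documentation-range IPs, placeholder
# subscription id). Field names are an assumption about the export schema.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"time": "2024-05-01T10:02:11Z", "caller": "svc-deploy@example.com",
     "callerIpAddress": "203.0.113.45",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodstore",
     "resultType": "Success"},
    {"time": "2024-05-01T10:03:40Z", "caller": "svc-deploy@example.com",
     "callerIpAddress": "203.0.113.45",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "resultType": "Failure"},
    # A service principal shows up as its object id rather than a UPN.
    {"time": "2024-05-01T10:15:02Z", "caller": "a1b2c3d4-0000-0000-0000-000000000001",
     "callerIpAddress": "198.51.100.77",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/vm-unknown01",
     "resultType": "Success"},
    # Legitimate activity from an office address; must not appear in the output.
    {"time": "2024-05-01T09:58:00Z", "caller": "alice@example.com",
     "callerIpAddress": "192.0.2.10",
     "operationName": "Microsoft.Resources/deployments/read",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg",
     "resultType": "Success"},
])


def parse_blocklist(entries):
    """Turn plain IPs and CIDR strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


SUSPICIOUS_NETWORKS = parse_blocklist(SUSPICIOUS_SOURCES)


def is_suspicious(ip, networks=SUSPICIOUS_NETWORKS):
    """True if the address falls inside any listed network.

    A missing or malformed callerIpAddress is reported as not matching rather
    than raising, so one odd record cannot abort the whole triage.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(activity_log_json, networks=SUSPICIOUS_NETWORKS):
    """Group records from suspicious sources by caller identity.

    For each caller returns the source IPs, distinct operations and resources,
    first/last timestamp, total count and number of non-successful calls.
    """
    summary = {}
    for rec in json.loads(activity_log_json):
        if not is_suspicious(rec.get("callerIpAddress", ""), networks):
            continue
        entry = summary.setdefault(rec.get("caller", "<unknown caller>"), {
            "source_ips": set(), "operations": set(), "resources": set(),
            "first_seen": None, "last_seen": None, "count": 0, "failures": 0,
        })
        stamp = _parse_time(rec["time"])
        entry["source_ips"].add(rec["callerIpAddress"])
        entry["operations"].add(rec["operationName"])
        entry["resources"].add(rec["resourceId"])
        entry["count"] += 1
        if rec.get("resultType") != "Success":
            entry["failures"] += 1  # denied attempts are still worth recording
        if entry["first_seen"] is None or stamp < entry["first_seen"]:
            entry["first_seen"] = stamp
        if entry["last_seen"] is None or stamp > entry["last_seen"]:
            entry["last_seen"] = stamp
    # Sets become sorted lists and datetimes become ISO strings for stable output.
    for entry in summary.values():
        for key in ("source_ips", "operations", "resources"):
            entry[key] = sorted(entry[key])
        entry["first_seen"] = entry["first_seen"].isoformat()
        entry["last_seen"] = entry["last_seen"].isoformat()
    return summary


def format_report(summary):
    """Render the triage summary as a short, human-readable report."""
    lines = []
    for caller, entry in summary.items():
        lines.append(f"Caller: {caller}  ({entry['count']} calls, {entry['failures']} failed)")
        lines.append(f"  window: {entry['first_seen']} .. {entry['last_seen']}")
        lines.append(f"  sources: {', '.join(entry['source_ips'])}")
        lines.extend(f"  op: {op}" for op in entry["operations"])
        lines.extend(f"  resource: {res}" for res in entry["resources"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_ACTIVITY_LOG)))
```

The output gives you, per identity, exactly the material steps 1 and 2 ask for: who called, from where, what they touched and when. Failed calls are counted separately because a denied privilege-changing operation from a blocklisted source is itself a signal even though nothing changed. If your records come from a Log Analytics export instead, the same columns are PascalCase there (`CallerIpAddress`, `Caller`, `OperationNameValue`), so adjust the key names accordingly.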