🔴 HIGH alert

Threat Actors Weaponize AzureHound for Cloud Enumeration

AzureHound, a legitimate BloodHound penetration testing tool, is being weaponized by nation-state actors including Iranian Curious Serpens and Russian Void Blizzard. What's concerning: the tool queries Microsoft Graph and Azure REST APIs to gather detailed information about users, groups, permissions, roles, and resources—mapping entire Azure tenants from external locations. What makes it powerful: requires no special network positioning since both APIs are externally accessible, and integration with BloodHound visualization software transforms API data into graphical attack paths showing privilege escalation and lateral movement opportunities. Threat actors deploy post-compromise to rapidly enumerate user hierarchies, identify Global Administrators, map role assignments, and locate critical infrastructure (storage accounts, key vaults). Recent campaigns show sophisticated adversaries incorporating AzureHound to accelerate attack timelines and operate efficiently within victim environments. Defense requires monitoring for specific commands: list users, list groups, list role-assignments, list storage-accounts executed rapidly or by unexpected accounts.

🎯 CORTEX Protocol Intelligence Assessment

This demonstrates how legitimate security tools become attacker force multipliers. AzureHound's effectiveness stems from Azure's design: centralized API access enables comprehensive visibility for both defenders and attackers. The external accessibility of Graph and Azure REST APIs means attackers need only compromised credentials—no VPN or internal network access required. BloodHound's visualization capability is the game-changer: what would take days of manual reconnaissance now takes minutes.

⚡ Strategic Intelligence Guidance

  • Immediate detections: alert on AzureHound command patterns (user enumeration, role listing, storage account discovery) especially from unexpected accounts or rapid sequences.
  • Principle of least privilege: minimize Global Administrator assignments, use PIM for just-in-time elevation, regularly audit role assignments.
  • Conditional access policies: enforce MFA, restrict access based on location/device compliance, implement continuous access evaluation.
  • Monitor Graph API activity: unusual query patterns, high-volume enumeration, access to sensitive scopes (Directory.Read.All, User.Read.All).
  • Treat developer credentials like production admin: they often have broad Azure access for deployment automation—protect accordingly.
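The first and fourth guidance items (alert on enumeration command patterns; watch for high-volume, unusual Graph API activity) can be turned into a concrete detection. The following is an added example written for this page, not code from the alert's author, from BloodHound or from Microsoft. It assumes Microsoft Graph activity log records exported with the field names TimeGenerated, UserId, RequestUri and UserAgent (the MicrosoftGraphActivityLogs schema in Log Analytics uses these names), and it assumes, for illustration, that Azure Resource Manager calls for storage accounts have been normalised into the same record shape. All log records, principals and subscription ids below are constructed. The logic flags a principal that touches three or more of the enumeration endpoint families the alert names (users, groups, role assignments, storage accounts) inside a short window, or that exceeds a call-volume threshold, and marks whether that principal is on an allow-list of accounts expected to run such tooling.

```python
"""Detect AzureHound-style tenant enumeration from Graph/ARM activity records.

Added example for this alert; not AzureHound, BloodHound or Microsoft code.
Field names follow the MicrosoftGraphActivityLogs schema (TimeGenerated,
UserId, RequestUri, UserAgent). Storage-account calls are assumed to have been
normalised into the same shape. Every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Endpoint families that, hit together in a burst, match the enumeration the
# alert describes: list users, list groups, list role-assignments,
# list storage-accounts. Only collection-level listing matches; a single
# object lookup such as /users/{id} does not (note the trailing "?" or end).
ENUM_FAMILIES = {
    "users": re.compile(r"^https://graph\.microsoft\.com/(v1\.0|beta)/users(\?|$)"),
    "groups": re.compile(r"^https://graph\.microsoft\.com/(v1\.0|beta)/groups(\?|$)"),
    "role_assignments": re.compile(
        r"^https://graph\.microsoft\.com/(v1\.0|beta)/roleManagement/directory/roleAssignments(\?|$)"),
    "storage_accounts": re.compile(
        r"^https://management\.azure\.com/subscriptions/[^/]+/providers/Microsoft\.Storage/storageAccounts(\?|$)"),
}


def classify(request_uri):
    """Return the enumeration family a request belongs to, or None."""
    for family, pattern in ENUM_FAMILIES.items():
        if pattern.search(request_uri):
            return family
    return None


def detect_enumeration(records, window=timedelta(minutes=5), min_families=3,
                       min_calls=25, expected_principals=frozenset()):
    """Flag principals that enumerate several directory/resource families quickly.

    A principal is reported once, on the first window that either spans
    >= min_families distinct families or contains >= min_calls listing calls.
    """
    by_principal = defaultdict(list)
    for rec in records:
        family = classify(rec["RequestUri"])
        if family is None:
            continue  # not a listing call; ignore
        by_principal[rec["UserId"]].append((rec["TimeGenerated"], family))

    findings = []
    for principal, events in by_principal.items():
        events.sort()  # chronological
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            families = {fam for _, fam in in_window}
            if len(families) >= min_families or len(in_window) >= min_calls:
                findings.append({
                    "principal": principal,
                    "window_start": start,
                    "window_end": in_window[-1][0],
                    "calls": len(in_window),
                    "families": sorted(families),
                    # Unexpected = not on the allow-list of accounts that are
                    # supposed to run this kind of tooling (e.g. an approved audit).
                    "unexpected": principal not in expected_principals,
                })
                break  # one finding per principal is enough for triage
    return findings


# --- constructed sample records -------------------------------------------
_BASE = datetime(2024, 1, 1, 9, 0, 0)
_SUB = "00000000-0000-0000-0000-0000000000{:02d}"


def _rec(seconds, user, uri, agent="constructed-agent/1.0"):
    return {"TimeGenerated": _BASE + timedelta(seconds=seconds), "UserId": user,
            "RequestUri": uri, "UserAgent": agent}


SAMPLE_RECORDS = []
# A deployment service account paging through the whole tenant in ~1 minute.
for n, sec in enumerate(range(0, 25, 5)):
    SAMPLE_RECORDS.append(_rec(sec, "svc-deploy@contoso.example",
        f"https://graph.microsoft.com/v1.0/users?$top=999&$skiptoken=page{n}"))
for n, sec in enumerate(range(25, 45, 5)):
    SAMPLE_RECORDS.append(_rec(sec, "svc-deploy@contoso.example",
        f"https://graph.microsoft.com/v1.0/groups?$top=999&$skiptoken=page{n}"))
SAMPLE_RECORDS.append(_rec(45, "svc-deploy@contoso.example",
    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"))
for n in (1, 2):
    SAMPLE_RECORDS.append(_rec(45 + 5 * n, "svc-deploy@contoso.example",
        f"https://management.azure.com/subscriptions/{_SUB.format(n)}"
        "/providers/Microsoft.Storage/storageAccounts?api-version=2023-01-01"))
# A helpdesk user doing ordinary single-object lookups over an hour: not flagged.
for n in range(3):
    SAMPLE_RECORDS.append(_rec(1200 * n, "helpdesk@contoso.example",
        f"https://graph.microsoft.com/v1.0/users/user-{n}@contoso.example"))
SAMPLE_RECORDS.append(_rec(100, "helpdesk@contoso.example",
                           "https://graph.microsoft.com/v1.0/me"))

if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_RECORDS):
        print(f)
```

The thresholds (five-minute window, three families, 25 calls) are starting points to tune against a baseline of the tenant's own automation; the important design choice is that the rule keys on the combination of endpoint families rather than on a user-agent string, which an operator can change, and that the allow-list turns an approved audit into an informational event instead of an alert.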

Vendors

Microsoft

Threats

AzureHound
Curious Serpens
Void Blizzard

Targets

Azure
Entra ID