AzureHound, an open-source data collection tool designed for legitimate penetration testing and security research, has become a popular weapon in the hands of sophisticated threat actors.
The tool, which is part of the BloodHound suite, was originally created to help security professionals and red teams identify and fix cloud vulnerabilities.
However, malicious actors have increasingly misused this capability to map out Azure environments and uncover pathways for privilege escalation attacks.
The tool operates by collecting data through the Microsoft Graph and Azure REST Application Programming Interfaces (APIs), allowing it to enumerate Entra ID and Azure environments and gather information about identities and resources.
Written in the Go programming language and available as precompiled binaries for Windows, Linux, and macOS, AzureHound proves particularly dangerous because it does not need to be run from inside a victim's network.
Since both APIs are accessible externally, threat actors can launch discovery operations remotely after gaining initial access to compromised systems.
When threat actors gain access to a victim's Azure environment, they deploy AzureHound to automate discovery procedures that would otherwise require extensive manual effort.
The tool helps attackers discover user hierarchies, identify high-value targets, and uncover misconfigurations or indirect privilege escalation opportunities that would otherwise remain hidden.
[Figure: Execution of AzureHound to enumerate users]
By gathering comprehensive internal Azure information, attackers can develop targeted attack strategies with surgical precision. The tool outputs data in JSON format, which can be ingested by BloodHound's visualization capabilities.
This creates a graphical representation of hidden relationships and attack paths within the target's infrastructure, giving attackers a complete roadmap of the environment they have infiltrated.
This combination of automated discovery and visual analysis transforms cloud reconnaissance from a time-consuming process into an efficient operation. Recent threat intelligence reveals the widespread adoption of AzureHound across multiple adversary groups.
[Figure: BloodHound representation of available key vaults]
Unit 42 researchers have tracked the Iranian-backed group Curious Serpens, also known as Peach Sandstorm and active since at least 2013, leveraging AzureHound to conduct internal discovery operations against target Microsoft Entra ID environments.
In May 2025, Microsoft disclosed that the suspected nation-state threat actor Void Blizzard employed AzureHound during the discovery phase of its campaigns to enumerate Entra ID configurations.
More recently, in August 2025, Microsoft reported Storm-0501, a ransomware operator, using AzureHound to enumerate target Entra ID tenants while operating in hybrid, multi-tenant Azure environments.
Organizations using Azure and Microsoft Entra ID must recognize that tools like AzureHound leave detectable evidence when used maliciously.
Security teams should focus on detecting abnormal API activity, monitoring for suspicious enumeration patterns, and implementing strong identity and access controls.
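The detection approach described above can be made concrete with a small rule run over Microsoft Graph request logs. The following is an added example written for this page; it is not code from the article, from Unit 42, or from the AzureHound/BloodHound project. It looks for the signature a broad directory enumerator leaves behind: one principal reading many distinct directory collections (users, groups, service principals, applications, devices, role assignments, and so on) within a short window, and it notes whether any of those requests came from outside the organisation's trusted networks, since the article points out that the Graph and Azure REST APIs are reachable from anywhere. The record field names (`TimeGenerated`, `RequestUri`, `Principal`, `IPAddress`) are modelled loosely on Microsoft Graph activity logs but are assumptions, as are the thresholds and the sample records, which are constructed.

```python
"""Flag AzureHound-style directory enumeration in Microsoft Graph request logs.

Added example, not code from the article or the AzureHound project. Record
field names are assumptions modelled loosely on Graph activity logs; the
sample records below are constructed, not real telemetry.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Top-level Graph collections a broad enumerator reads in quick succession.
# The endpoint names are real Graph paths; grouping them is this example's choice.
DIRECTORY_COLLECTIONS = {
    "users", "groups", "servicePrincipals", "applications", "devices",
    "organization", "roleManagement", "directoryRoles", "administrativeUnits",
}


def collection_of(request_uri: str) -> Optional[str]:
    """Map a Graph request URI to its top-level directory collection, or None."""
    path = request_uri.split("?", 1)[0]
    path = re.sub(r"^https://graph\.microsoft\.com", "", path)
    parts = [p for p in path.split("/") if p]
    if parts and parts[0] in ("v1.0", "beta"):
        parts = parts[1:]           # drop the API version segment
    if not parts:
        return None
    return parts[0] if parts[0] in DIRECTORY_COLLECTIONS else None


def detect_enumeration(records, window=timedelta(minutes=10),
                       min_collections=4, min_requests=10, trusted_networks=()):
    """Return one finding per principal that, within any `window`, issued at
    least `min_requests` directory reads spanning at least `min_collections`
    distinct collections. Each finding lists source IPs outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    by_principal = defaultdict(list)
    for rec in records:
        coll = collection_of(rec["RequestUri"])
        if coll is None:            # /me, mail, files etc. are not directory reads
            continue
        ts = datetime.fromisoformat(rec["TimeGenerated"])
        by_principal[rec["Principal"]].append((ts, coll, rec["IPAddress"]))

    findings = []
    for principal, events in by_principal.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):     # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            colls = {c for _, c, _ in span}
            if len(span) < min_requests or len(colls) < min_collections:
                continue
            # keep the widest window (most collections, then most requests)
            if best is None or (len(colls), len(span)) > (len(best["collections"]), best["requests"]):
                external = sorted({ip for _, _, ip in span
                                   if not any(ipaddress.ip_address(ip) in n for n in nets)})
                best = {"principal": principal, "requests": len(span),
                        "collections": sorted(colls), "external_ips": external,
                        "window_start": span[0][0].isoformat()}
        if best:
            findings.append(best)
    return findings


def sample_records():
    """Constructed records: one broad enumerator from an untrusted IP, one normal user."""
    base = datetime(2025, 10, 1, 9, 0, 0)
    guid = "11111111-2222-3333-4444-555555555555"        # constructed object id
    enum_paths = [
        "/v1.0/organization", "/v1.0/users", "/v1.0/groups",
        "/v1.0/servicePrincipals", "/v1.0/applications", "/v1.0/devices",
        "/v1.0/directoryRoles", "/v1.0/roleManagement/directory/roleAssignments",
        "/v1.0/administrativeUnits", f"/v1.0/groups/{guid}/members",
        "/v1.0/users?$top=999", "/v1.0/servicePrincipals?$top=999",
    ]
    user_paths = ["/v1.0/me", f"/v1.0/users/{guid}", "/v1.0/me/messages",
                  f"/v1.0/users/{guid}/photo/$value"]
    records = [{"TimeGenerated": (base + timedelta(seconds=10 * i)).isoformat(),
                "RequestUri": "https://graph.microsoft.com" + p,
                "Principal": "svc-reporting@contoso.example",   # constructed
                "IPAddress": "203.0.113.25"} for i, p in enumerate(enum_paths)]
    records += [{"TimeGenerated": (base + timedelta(minutes=5 * i)).isoformat(),
                 "RequestUri": "https://graph.microsoft.com" + p,
                 "Principal": "alice@contoso.example",          # constructed
                 "IPAddress": "10.20.0.15"} for i, p in enumerate(user_paths)]
    return records


if __name__ == "__main__":
    for finding in detect_enumeration(sample_records(), trusted_networks=("10.0.0.0/8",)):
        print(finding)
```

The rule keys on breadth rather than volume because a single busy application can legitimately issue thousands of calls against one collection, whereas very few legitimate workloads read organisation, users, groups, service principals, applications, devices and role assignments back to back. Tune `min_collections`, `min_requests` and `window` against a baseline of your own tenant's Graph traffic, and treat a hit from an address outside `trusted_networks` as the higher-priority case.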
[Figure: AzureHound API test requests]
Understanding how threat actors misuse legitimate tools is essential for building effective detection capabilities and responding quickly to indicators of compromise in cloud environments.
