Cyber Web Spider Blog – News


Azure Apps Vulnerability Lets Hackers Create Malicious Apps Mimicking Microsoft Teams

Posted on October 22, 2025 By CWS

Security flaws in Microsoft’s Azure ecosystem allow cybercriminals to create deceptive applications that imitate official services such as the “Azure Portal”.

Varonis found that Azure’s safeguards, designed to block reserved names for cross-tenant apps, could be bypassed using invisible Unicode characters.

By inserting characters such as the Combining Grapheme Joiner (U+034F) between letters, as in “Az͏u͏r͏e͏ ͏P͏o͏r͏t͏a͏l”, attackers created apps that appeared legitimate on consent screens.

This trick worked with over 260 such characters, including those in ranges like U+FE00 to U+FE0F. The ploy exploited the fact that many Microsoft apps lack verification badges, leading users to overlook warnings about third-party origins.

Azure applications, essentially software entities that integrate with Azure services, rely on user consent for permissions. Delegated permissions let apps act on a user’s behalf, accessing emails, files, and more, while application permissions grant standalone access.

When abused, these become potent attack vectors for initial access, persistence, and privilege escalation in Microsoft 365 environments.

Phishing Techniques Fuel The Risk

Varonis zeroed in on initial access techniques, particularly illicit consent grants and device code phishing. In the former, phishing emails lure victims to fake file links that redirect to a consent page.

Once the victim approves, attackers obtain access tokens without needing passwords, granting them the victim’s resource privileges.

Device code phishing takes it further: attackers generate a verification URI and code for a malicious app, tricking users into entering it on a legitimate-looking site. The attacker then polls for the token, hijacking the session.

These techniques thrive on deception. Consent pages for the spoofed apps displayed convincingly, especially when paired with Azure icons.

Forum discussions reveal users routinely dismissing “unverified” alerts, assuming the apps are safe because they come from Microsoft itself.

Prohibited names tested included staples like “Microsoft Teams,” “Power BI,” and “OneDrive SyncEngine,” underscoring the scope of potential impersonations.

Varonis disclosed the issues promptly; Microsoft fixed the initial Unicode bypass in April 2025 and a broader set in October 2025.

No customer action is required, as the updates protect tenants automatically. However, experts urge organizations to monitor app consents carefully, enforce least-privilege permissions, and educate users on phishing red flags.
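As an added example (not code from Varonis or Microsoft), the Python check below shows how a defender reviewing app consents could flag display names that hide invisible characters and collapse to a reserved name once those characters are stripped. The record fields, the sample inventory and the Hangul filler code points are assumptions of this example, and the invisible-character test is an approximation that goes beyond the two ranges the article names.

```python
import unicodedata

# Reserved names quoted in the article; a real audit would use a fuller list.
RESERVED_NAMES = ["Azure Portal", "Microsoft Teams", "Power BI", "OneDrive SyncEngine"]

def is_invisible(ch):
    """Approximate 'renders as nothing': format controls (category Cf),
    U+034F, variation selectors, and the Hangul filler characters."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or cp == 0x034F
            or 0xFE00 <= cp <= 0xFE0F
            or 0xE0100 <= cp <= 0xE01EF
            or cp in (0x115F, 0x1160, 0x3164, 0xFFA0))

def canonical(name):
    """Name as a user perceives it: invisibles removed, NFKC, case-folded."""
    visible = "".join(ch for ch in name if not is_invisible(ch))
    return " ".join(unicodedata.normalize("NFKC", visible).casefold().split())

RESERVED = {canonical(n) for n in RESERVED_NAMES}

def audit(apps):
    """Return (appId, verdict, hidden code points) for every suspicious app."""
    findings = []
    for app in apps:
        name = app["displayName"]
        hidden = sorted({f"U+{ord(ch):04X}" for ch in name if is_invisible(ch)})
        if not hidden:
            continue  # nothing invisible; publisher checks are out of scope here
        verdict = ("reserved-name-lookalike" if canonical(name) in RESERVED
                   else "hidden-characters")
        findings.append((app["appId"], verdict, hidden))
    return findings

# Constructed inventory; "appId"/"displayName" mirror a typical app export.
SAMPLE_APPS = [
    {"appId": "app-1", "displayName": "\u034f".join("Azure Portal")},
    {"appId": "app-2", "displayName": "Power\ufe00 BI"},
    {"appId": "app-3", "displayName": "Contoso Expense Tool"},
    {"appId": "app-4", "displayName": "Invoice\u200bViewer"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_APPS):
        print(finding)
```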

This episode reinforces the need for layered defenses in cloud environments. As attackers evolve, so must vigilance, lest a seemingly benign app consent unlock the door to chaos.
