Hackers Exploit Azure Apps to Create Malicious Apps Impersonating Microsoft

Published 2025-10-22 14:51:16 | cyberpress.org

A recent investigation revealed a loophole in Azure application registration that allowed attackers to create malicious apps whose display names impersonate reserved Microsoft names. Paired with consent phishing or device code phishing, such an app gives the attacker a foothold in a Microsoft 365 environment and a path to escalate privileges, posing significant risk to organizations.

The investigation, by Varonis Threat Labs, uncovered that Microsoft's reserved-name filter could be bypassed, letting an attacker register an app with a display name such as “Azure Portal” and trick users into granting it dangerous permissions. Such an app gives the attacker initial access, a persistent foothold (the app keeps its granted permissions until the consent is revoked), and a route to privilege escalation within a Microsoft 365 tenant, exposing organizations to data loss and reputational damage.

Azure applications (app registrations in Microsoft Entra ID) are identities that let software call Azure and Microsoft 365 APIs. They obtain permissions in two ways: delegated permissions, where the app acts on behalf of a signed-in user who consents to the requested scopes, and application permissions, where the app acts under its own identity and an administrator must consent. Because an app's display name is what the consent prompt shows the user, inadequate naming restrictions made it possible to impersonate trusted Microsoft services. Microsoft rejects reserved names such as “Azure Portal” at registration, but Varonis researchers found that inserting invisible Unicode characters between the letters, for example the Combining Grapheme Joiner (U+034F), produced a string that renders identically yet does not match the filter, so the name slipped through.

After responsible disclosure, Microsoft patched the first variant in April 2025 and closed additional loopholes in October 2025, blocking over 261 problematic characters from app names and making this class of impersonation harder in future. Varonis focused on two initial access techniques that a malicious Azure app enables: illicit consent grants and device code phishing.

In the illicit consent scenario, the attacker sends a link that appears to point to a legitimate file. Clicking it lands the victim on a genuine Microsoft consent page (the URL is login.microsoftonline.com, which looks correct) for the rogue application, which requests scopes such as mailbox or file access. Once the user accepts, the attacker's app receives tokens with the same rights the user holds for those scopes, without the password ever being stolen and without MFA being challenged again. In device code phishing, the attacker registers an app that allows the public client flow, starts the device authorization flow to obtain a user code, a device code and the verification URI, and sends the victim the user code with instructions to enter it at Microsoft's real device login page. When the victim signs in and enters the code, the attacker, who has been polling the token endpoint with the device code, receives the victim's access and refresh tokens.

Both methods exploit user trust: a familiar Microsoft name on a real Microsoft sign-in page makes it easy to overlook the “unverified publisher” warning and the list of permissions being requested. Although Microsoft's patches have closed the naming loopholes, organizations must still take proactive steps, since a less obviously named app can be used in exactly the same way.

First, restrict user consent for new applications in the Entra admin center (Enterprise applications > Consent and permissions > User consent settings). Administrators can block all user consent, or allow it only for apps from verified publishers requesting low-impact permissions, and pair that with the admin consent workflow so legitimate requests still get reviewed. Blocking the device code flow for most users via a Conditional Access policy with the authentication flows condition closes the second technique. Second, enforce least privilege so that both users and applications hold only the permissions their roles require, and review existing consent grants for scopes such as mailbox or file access. Third, continuously monitor Entra audit logs for application activity: unexpected “Add application” or “Consent to application” events, apps registered by ordinary users, and display names containing non-ASCII or invisible characters, any of which can indicate an impersonation attempt.
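The check below is an added example, not code from Varonis or Microsoft. It shows both why the Unicode trick described earlier works (an invisible U+034F makes “Azure Portal” compare unequal to “Azure Portal” while rendering the same) and how the monitoring recommendation above can be implemented: strip invisible code points, fold the rest to a comparable form, and flag names that collapse onto a reserved Microsoft name. The reserved-name list and the audit entries are constructed for illustration; Microsoft's real filter is not public and the entries do not follow the actual Entra audit log schema. It goes slightly beyond the text in that NFKC folding also catches compatibility homoglyphs such as fullwidth letters, not only invisible characters.

```python
"""Flag Entra app display names that impersonate reserved Microsoft names.

Added example (not Varonis's or Microsoft's code). RESERVED_NAMES and
SAMPLE_AUDIT_LOG are constructed assumptions for illustration only.
"""
import unicodedata

# Assumption: names the organisation treats as reserved. Microsoft's own
# reserved-name list is not published, so this is illustrative.
RESERVED_NAMES = {"azure portal", "microsoft teams", "sharepoint online"}

# Unicode general categories that render as nothing (or attach invisibly
# to the previous glyph), so they can hide inside a name without changing
# how it looks:
#   Mn = nonspacing mark   (e.g. U+034F COMBINING GRAPHEME JOINER)
#   Mc = spacing mark, Cf = format (zero-width space/joiner, bidi marks)
#   Cc = control
INVISIBLE_CATEGORIES = {"Mn", "Mc", "Cf", "Cc"}


def hidden_chars(name):
    """Return the invisible code points present in `name`, as 'U+XXXX'."""
    return [f"U+{ord(ch):04X}" for ch in name
            if unicodedata.category(ch) in INVISIBLE_CATEGORIES]


def skeleton(name):
    """Reduce a display name to the form a human actually perceives.

    NFKC folds compatibility forms (fullwidth letters, ligatures) onto
    their plain equivalents; invisible categories are then dropped; case
    and runs of whitespace are collapsed so 'Azure  Portal' == 'azure portal'.
    """
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in folded
                      if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)
    return " ".join(visible.casefold().split())


def assess(name):
    """Classify one display name.

    'impersonation': perceived name is reserved but the raw string differs
                     (hidden characters or homoglyphs are doing the work)
    'reserved':      exactly a reserved name (the platform filter should have
                     blocked it; still worth a look)
    'suspicious':    contains invisible characters but matches nothing reserved
    'ok':            nothing unusual
    """
    hidden = hidden_chars(name)
    skel = skeleton(name)
    if skel in RESERVED_NAMES:
        verdict = "reserved" if name.casefold() == skel else "impersonation"
    elif hidden:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"name": name, "skeleton": skel, "hidden": hidden, "verdict": verdict}


# Constructed, simplified audit entries (not the real Entra schema).
SAMPLE_AUDIT_LOG = [
    {"operation": "Add application",     "displayName": "Contoso Expense Reports"},
    {"operation": "Add application",     "displayName": "Azure\u034f Portal"},
    {"operation": "Update application",  "displayName": "Contoso\u200d Helper"},
    {"operation": "Add service principal", "displayName": "Microsoft\u200b Teams"},
    {"operation": "Add application",     "displayName": "\uff21zure Portal"},
]


def scan_audit_log(entries):
    """Return one finding per entry whose display name is not plainly 'ok'."""
    findings = []
    for entry in entries:
        result = assess(entry["displayName"])
        if result["verdict"] != "ok":
            result["operation"] = entry["operation"]
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f['verdict']:13} {f['operation']:22} "
              f"{f['name']!r} -> {f['skeleton']!r} hidden={f['hidden']}")
```

In a real deployment the display names would come from the Entra audit log or a Graph query of application objects instead of the constructed list; the classification logic is unchanged. Note that `hidden_chars` is computed on the raw string before normalization, so a combining mark that NFKC would fold into a precomposed letter is still reported.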