
Luca Galuppi: 31 October 2025 15:24
AzureHound, part of the BloodHound suite, was born as an open-source tool to help security teams and red teams identify vulnerabilities and escalation paths in Microsoft Azure and Entra ID environments.
Today, however, it is increasingly used by criminal groups and state-sponsored actors for very different purposes: mapping cloud infrastructures, identifying privileged roles, and planning targeted attacks.
Written in Go and available for Windows, Linux, and macOS, AzureHound queries Microsoft Graph and Azure REST APIs to gather information about identities, roles, applications, and resources in your tenant.
Its operation, designed for legitimate purposes, is also useful for those who want to target:
In other words, AzureHound allows you to automate the reconnaissance phase that, in the past, required time and manual skills, transforming cloud reconnaissance into a fast and precise process.


During 2025, several cybercriminal groups adopted AzureHound for offensive purposes.
According to threat intelligence analysis, Curious Serpens (also known as Peach Sandstorm), Void Blizzard, and the Storm-0501 group employed the tool to enumerate Entra ID environments, detect misconfigurations, and plan privilege escalations.
This demonstrates how tools designed for security can become an integral part of compromise campaigns, especially when cloud environments are not adequately monitored.
After gaining initial access to an Azure tenant through compromised credentials, phishing, or vulnerable service accounts, malicious actors run AzureHound to:
This visibility lets the attacker plan the next steps precisely: from escalation to lateral movement, all the way to data exfiltration or ransomware deployment.
Organizations using Azure and Microsoft Entra ID should implement targeted controls to detect and block anomalous behavior related to the misuse of tools like AzureHound.
Monitor Microsoft Graph and Azure REST API calls for unusual enumeration patterns.
Create alerts on bulk queries or requests with suspicious user agents.
Restrict application and service principal permissions, adopting the principle of least privilege.
Apply MFA and stringent controls on accounts synced with elevated privileges.
Integrate hunting rules into SIEMs (such as Microsoft Sentinel or Defender XDR) to detect behaviors that may be related to automatic data collection.
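As an added example (not code from the original article), the following Python sketch applies the monitoring and alerting recommendations above to a constructed, simplified Graph request log: it flags a principal that queries many distinct directory collections within a short window, and any principal whose user agent carries an assumed "azurehound" marker. The log schema, field names and user-agent string are assumptions, not real Microsoft log fields.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of Graph request logs (simplified schema, an assumption), one JSON object per line.
SAMPLE_LOG = """\
{"time":"2025-10-31T14:00:00Z","principal":"alice","userAgent":"Mozilla/5.0","requestUri":"https://graph.microsoft.com/v1.0/me"}
{"time":"2025-10-31T14:01:00Z","principal":"svc-backup","userAgent":"azurehound/v2.0","requestUri":"https://graph.microsoft.com/v1.0/users"}
{"time":"2025-10-31T14:01:02Z","principal":"svc-backup","userAgent":"azurehound/v2.0","requestUri":"https://graph.microsoft.com/v1.0/groups"}
{"time":"2025-10-31T14:01:04Z","principal":"svc-backup","userAgent":"azurehound/v2.0","requestUri":"https://graph.microsoft.com/v1.0/servicePrincipals"}
{"time":"2025-10-31T14:01:06Z","principal":"svc-backup","userAgent":"azurehound/v2.0","requestUri":"https://graph.microsoft.com/v1.0/applications"}
{"time":"2025-10-31T14:01:08Z","principal":"svc-backup","userAgent":"azurehound/v2.0","requestUri":"https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"}
{"time":"2025-10-31T15:30:00Z","principal":"bob","userAgent":"Mozilla/5.0","requestUri":"https://graph.microsoft.com/v1.0/users"}
{"time":"2025-10-31T16:45:00Z","principal":"bob","userAgent":"Mozilla/5.0","requestUri":"https://graph.microsoft.com/v1.0/groups"}
"""
# Directory collections a tenant-wide enumeration walks through. Hitting many of them from
# one principal in a short window is the bulk-query pattern the article says to alert on.
ENUM_COLLECTIONS = {"users", "groups", "servicePrincipals", "applications", "roleManagement", "directoryRoles", "devices"}
WINDOW = timedelta(minutes=5)
DISTINCT_THRESHOLD = 4

def parse_events(raw):
    """Parse JSON lines into sorted (time, principal, userAgent, collection) tuples."""
    events = []
    for line in raw.splitlines():
        rec = json.loads(line)
        # ".../v1.0/users/..." -> "users": index 4 is the first path segment after the API version
        collection = rec["requestUri"].split("/")[4]
        events.append((datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
                       rec["principal"], rec["userAgent"], collection))
    return sorted(events)

def find_bulk_enumeration(events, window=WINDOW, threshold=DISTINCT_THRESHOLD):
    """Return {principal: collections} for principals hitting >= threshold distinct collections in one window."""
    per_principal = defaultdict(list)
    for t, principal, _ua, coll in events:
        if coll in ENUM_COLLECTIONS:
            per_principal[principal].append((t, coll))
    hits = {}
    for principal, reqs in per_principal.items():
        for i, (start, _) in enumerate(reqs):
            seen = {c for t, c in reqs[i:] if t - start <= window}  # sliding window from each request
            if len(seen) >= threshold:
                hits[principal] = seen
                break
    return hits

def find_suspicious_user_agents(events, markers=("azurehound",)):
    """Principals whose user agent contains a marker ('azurehound' is an assumed default agent, not verified)."""
    return {p for _t, p, ua, _c in events if any(m in ua.lower() for m in markers)}
```

Note that bob's two queries are spread more than five minutes apart and touch only two collections, so the sliding window does not raise an alert for normal administrative use.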
AzureHound is a concrete example of how tools designed to improve security can become a weapon in the wrong hands.
Understanding how these tools are being abused is critical to building effective defense strategies, increasing visibility into cloud environments, and reducing response time in the event of a compromise.
Only by knowing the same techniques used by attackers is it possible to anticipate them and maintain control of your digital infrastructure.
Luca Galuppi