<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Azure on Daniyal Ahmed | Red Team &amp; Cloud Security</title><link>https://daniyalahmed.dev/tags/azure/</link><description>Recent content in Azure on Daniyal Ahmed | Red Team &amp; Cloud Security</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><managingEditor>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</managingEditor><webMaster>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</webMaster><lastBuildDate>Sun, 03 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://daniyalahmed.dev/tags/azure/index.xml" rel="self" type="application/rss+xml"/><item><title>Living-Off-the-Cloud: Logic Apps as Covert C2 and Persistence</title><link>https://daniyalahmed.dev/posts/living-off-the-cloud---logic-apps-as-covert-c2-and-persistence/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/living-off-the-cloud---logic-apps-as-covert-c2-and-persistence/</guid><description>The attacker did not deploy malware. They did not use a custom C2 framework. They used Azure Logic Apps — the same service your HR team uses for onboarding automation. The traffic was indistinguishable from a legitimate business workflow. The managed identity had Key Vault access. The persistence survived the incident response team&amp;rsquo;s VM wipe. And it ran for 11 days before anyone looked at Logic Apps.
This article is about what that attack looks like, why it is so hard to detect, and how to build the detection framework that most organizations have never configured.</description></item><item><title>Entra Default User Permissions: The Open App Registration Problem</title><link>https://daniyalahmed.dev/posts/entra-default-user-permissions-the-open-app-registration-problem/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/entra-default-user-permissions-the-open-app-registration-problem/</guid><description>In your Entra ID tenant right now, every one of your users can register an application, assign it Mail.Read permission, consent to it themselves, and start reading their own email programmatically with no admin approval, no alert, and no audit flag. That is the default configuration Microsoft ships. This article asks: who has already done this, what did they access, and how do you find out?
This is not a vulnerability in the traditional sense.</description></item><item><title>Hybrid Identity Penetration Testing: Laboratory &amp; Attack Guide</title><link>https://daniyalahmed.dev/posts/hybrid-identity-penetration-testing-laboratory-attack-guide/</link><pubDate>Wed, 29 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/hybrid-identity-penetration-testing-laboratory-attack-guide/</guid><description>This is my most ambitious lab yet. Multiple attack techniques, a complete initial access methodology, attack and defense, AD setup in Azure, hybrid identity setup and full compromise from zero credentials to cloud persistence. Before we touch a single command, I want to walk through every concept that underpins what happens in the lab. This series rewards people who understand why a technique works, not just people who can copy and paste commands.</description></item><item><title>SyncJacking: From On-Prem Foothold to Cloud Global Admin</title><link>https://daniyalahmed.dev/posts/syncjacking-from-on-prem-foothold-to-cloud-global-admin/</link><pubDate>Sun, 26 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/syncjacking-from-on-prem-foothold-to-cloud-global-admin/</guid><description>SyncJacking: How a Domain User Became Your Cloud Global Administrator. On January 13, 2026, Microsoft confirmed that an attacker with a standard domain user account can become your cloud Global Administrator in under three minutes, with no alert fired. They first reported this attack in 2022. For three years the answer was: &amp;ldquo;by design&amp;rdquo;.
Many of you are already familiar with attack techniques like session hijacking or clickjacking, methods that exploit trust in established mechanisms to take over user interactions and identities.</description></item></channel></rss>