https://daniyalahmed.dev/tags/c2/Recent content in C2 on Daniyal Ahmed | Red Team & Cloud SecurityHugo -- gohugo.ioen-usdaniyal.ahmed@microtechx.com (Daniyal Ahmed)daniyal.ahmed@microtechx.com (Daniyal Ahmed)Sun, 03 May 2026 00:00:00 +0000https://daniyalahmed.dev/posts/living-off-the-cloud---logic-apps-as-covert-c2-and-persistence/Sun, 03 May 2026 00:00:00 +0000daniyal.ahmed@microtechx.com (Daniyal Ahmed)https://daniyalahmed.dev/posts/living-off-the-cloud---logic-apps-as-covert-c2-and-persistence/The attacker did not deploy malware. They did not use a custom C2 framework. They used Azure Logic Apps — the same service your HR team uses for onboarding automation. The traffic was indistinguishable from a legitimate business workflow. The managed identity had Key Vault access. The persistence survived the incident response team’s VM wipe. And it ran for 11 days before anyone looked at Logic Apps. This article is about what that attack looks like, why it is so hard to detect, and how to build the detection framework that most organizations have never configured.