Cloud Security Podcast
How Attackers Stay Hidden Inside Your Azure Cloud
In this episode, Ashish sits down with Christian Philipov, Principal Security Consultant at WithSecure, to explore the stealth tactics threat actors are using in Azure and why many of these go undetected.
Christian breaks down the lesser-known APIs like Ibiza and PIM, how Microsoft Graph differs from legacy APIs, and what this means for defenders.
- The 3 common ways attackers stay stealthy in Azure
- Why read-only enumeration activity often isn’t logged
- What detection is possible and how to improve it
- How conditional access and logging configuration can help defenders
- Why understanding Microsoft Graph matters for security ops
Guest Socials: Christian's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast
Questions asked:
(00:00) Introduction
(02:09) A bit about Christian
(02:39) What is considered stealthy in Azure?
(04:39) Which services are stealthy in Azure?
(06:25) PIM and Ibiza API
(12:53) The role of Defender for Cloud
(18:04) Does the Stealthy API approach scale?
(19:26) Preventing Stealthy API attacks
(21:49) Best Practices for Prevention in Azure
(25:47) Behaviour Analysis in Azure
(29:31) The Fun Section
Resources spoken about during the interview:
Christian's fwd:cloudsec talk - Staying Sneaky in Microsoft Azure
- Broadcast on:
- 10 Apr 2025
In this episode, Ashish sits down with Christian Philipov, Principal Security Consultant at WithSecure, to explore the stealth tactics threat actors are using in Azure and why many of these go undetected.
Christian breaks down the lesser-known APIs like Ibiza and PIM, how Microsoft Graph differs from legacy APIs, and what this means for defenders.
- The 3 common ways attackers stay stealthy in Azure
- Why read-only enumeration activity often isn’t logged
- What detection is possible and how to improve it
- How conditional access and logging configuration can help defenders
- Why understanding Microsoft Graph matters for security ops
Guest Socials: Christian's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast
Questions asked:
(00:00) Introduction
(02:09) A bit about Christian
(02:39) What is considered stealthy in Azure?
(04:39) Which services are stealthy in Azure?
(06:25) PIM and Ibiza API
(12:53) The role of Defender for Cloud
(18:04) Does the Stealthy API approach scale?
(19:26) Preventing Stealthy API attacks
(21:49) Best Practices for Prevention in Azure
(25:47) Behaviour Analysis in Azure
(29:31) The Fun Section
Resources spoken about during the interview:
Christian's fwd:cloudsec talk - Staying Sneaky in Microsoft Azure