---
title: "Malicious Actors Use Azure Serial Console to Gain Unauthorized Access to Microsoft VMs | DuoCircle"
description: "Microsoft Azure’s virtual machines (VMs) have fallen victim to what cybersecurity experts consider to be one of the most sophisticated financially-motivated."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/data-privacy/malicious-actors-use-azure-serial-console-to-gain-unauthorized-access-to-microsoft-vms/"
---

Quick Answer

Mandiant identified UNC3944, an attack group active since at least May 2022, breaching Azure tenants through a multi-stage chain: SMS phishing (smishing) for admin credentials, SIM swapping to intercept SMS-based MFA codes, social engineering to impersonate the admin to Microsoft help desks for additional MFA codes, then persistence through Azure Extensions add-ons and command execution via Azure Serial Console over the serial port. The group historically created the POORTRY kernel-mode driver and STONESTOP loader, signed with stolen Microsoft hardware-developer certificates. Targets cluster in finance, telecom BPO, and managed security services. Mitigation requires moving past SMS-based MFA to phishing-resistant factors (FIDO2, hardware keys), restricting Serial Console access via Conditional Access, monitoring for unusual extension installations, and training help-desk staff on caller verification beyond the standard knowledge questions.


![DuoCircle blog post image](https://media.mailhop.org/duocircle/images/2023/05/SPF-record-checker-7009.jpg) 

_Microsoft Azure’s virtual machines (VMs) have fallen victim to what [cybersecurity](/) experts consider to be one of the most **sophisticated financially-motivated** cyberattacks. The security breach has sent shockwaves through the cybersecurity community, raising serious questions about the security of cloud computing environments._

Cybersecurity researchers from Mandiant have identified a well-organized malicious group with extensive knowledge of Azure environments. The attackers have launched an online assault that combines **SIM-swapping** and [phishing](/content/phishing-prevention/what-is-phishing) techniques to break into virtual machines. _Their ability to exfiltrate sensitive data from large-scale cloud platforms puts enterprise-level data at risk._

Mandiant, in its [report](https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial), stated that it has been tracking the group, identified as **‘UNC3944’**. The researchers further added that the group has been operational since at least May 2022.

## Cloud Storage Spaces at Risk with Unauthorized Access

Mandiant has also pointed out the [vulnerability](/email-hosting/apache-log4j-zero-day-vulnerability-how-to-detect-it-precautions-you-need-to-take/) of data stored in cloud environments. The threat actor has demonstrated its **capability to evade** security detections while operating inside sophisticated platforms like Azure Cloud.

The key motive of this malicious group is to **steal valuable data** by exploiting cloud storage spaces for financial gain. Naturally, enterprise data is at risk, with organizations counting on cloud storage spaces becoming potential victims of **data extortion**.

[![cloud storage threats](https://media.mailhop.org/duocircle/images/2023/05/spf-record-1.jpg)](https://media.mailhop.org/duocircle/images/2023/05/spf-record-1.jpg)

The malicious group compromises **administrative credentials** through its smishing (SMS-based phishing) campaigns. With those credentials, the attackers can gain control of [Azure tenants](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-ad-define), examine Azure configurations, steal data, and access data inside the VMs.

It’s worth noting that the same threat actor has previously used maliciously **signed drivers** against Microsoft environments. The group has focused on infiltrating businesses in sectors like finance, telecom BPO, and managed security services, and has already carried out **phishing attacks** over SMS against its targets.

In the past, UNC3944 created the POORTRY (kernel-mode driver) and STONESTOP (loader) toolkits for [evading security mechanisms](https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/). The attackers used **stolen Microsoft hardware developer** certificates to sign their kernel drivers.

## How Does the New Cyberattack Module Work?

The [attackers](https://www.securitymagazine.com/articles/99141-three-out-of-top-four-attack-vectors-are-connected-to-authentication) have shown **outright sophistication** in their new assaults on cloud platforms. At the outset, they run phishing campaigns over SMS, which lets them obtain the passwords of Microsoft Azure admin accounts.

The second stage of the well-organized [cyberattack](https://www.bbc.com/news/uk-northern-ireland-65297324) chain is a **SIM-swapping attack**, which lets the attackers intercept the MFA codes delivered via SMS.

However, the researchers aren’t sure how the group carries out the [SIM swaps](https://www.cpomagazine.com/cyber-security/sim-swap-attacks-on-the-rise-twitter-hack-nabs-ceo-jack-dorseys-account/). They conjecture that the attackers already know the victim’s phone number and may be conspiring with unscrupulous telecom employees to **illegally port numbers**.

## The Attackers Impersonate Admins to Deceive Microsoft

Besides the steps above, the [threat actors](/email-security/threat-actors-attack-thousands-of-computers-following-the-ion-incident/) also impersonate the **Microsoft administrator** when contacting help desk agents, which lets them obtain an MFA code. They then use this code to access the target Azure environment.

Once inside the [cloud environment](https://www.cloudcomputing-news.net/news/2023/feb/28/98-6-of-companies-have-misconfigurations-in-their-cloud-environments/), the attackers **gather information** and create new Azure accounts or modify existing ones. The nature of their operation largely depends on their goals and on who the victim is.

Next, the attackers use Extensions add-ons to **conceal the gathered data**. They also access the VMs through Azure Serial Console and run commands over the serial port.

The researchers consider the new attack chain ‘**quite unique**.’ It successfully evades most traditional methods of detecting unauthorized access to the Azure environment. Ultimately, the attackers gain full administrative access to the [virtual machines](https://www.redhat.com/en/topics/virtualization/what-is-a-virtual-machine).

Once they have access to the VMs, they take several additional steps to remain stealthy on the network. This ability to linger undetected lets them **exfiltrate sensitive data** over time.
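One way to turn the chain described above into a detection, as an added example that is not part of the original post and not Mandiant's or Microsoft's tooling: it scans constructed Azure Activity Log records for VM extension installs by callers outside an allowlist and for Serial Console connections, and raises a high-confidence alert when both hit the same VM within a day. The operation names, the allowlisted automation identity and the sample records are assumptions and should be checked against your own tenant's logs.

```python
"""Flag Azure Activity Log events matching the pattern in the post:
VM extension installs followed by Azure Serial Console connections.
Added example, not Mandiant's or Microsoft's code. Assumed: records carry
the Activity Log fields operationName, caller, callerIpAddress, resourceId
and eventTimestamp; the operation names below are assumed to match what
your tenant logs and should be verified."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names assumed for the two techniques described in the post.
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
SERIAL_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
# Identities allowed to install extensions (assumed automation account).
ALLOWED_EXTENSION_CALLERS = {"vm-automation@example.com"}
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample Activity Log records (not real data).
SAMPLE_LOG = """
{"eventTimestamp":"2023-05-20T09:00:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"vm-automation@example.com","callerIpAddress":"10.1.1.5","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-web01/extensions/Monitoring"}
{"eventTimestamp":"2023-05-21T02:10:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"admin@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-db01/extensions/CustomScript"}
{"eventTimestamp":"2023-05-21T02:25:00Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","caller":"admin@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-db01"}
{"eventTimestamp":"2023-05-21T08:00:00Z","operationName":"Microsoft.Compute/virtualMachines/start/action","caller":"admin@example.com","callerIpAddress":"10.1.1.5","resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-db01"}
"""


def vm_of(resource_id):
    """Reduce an extension or VM resource id to the VM's own resource id."""
    marker = "/virtualMachines/"
    head, _, tail = resource_id.partition(marker)
    return head + marker + tail.split("/")[0]


def parse_log(text):
    """Parse newline-delimited JSON records as exported from Activity Log."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_alerts(events):
    """Return (kind, vm, caller, ip) tuples: non-allowlisted extension installs,
    every Serial Console connection, and the combined case on one VM."""
    alerts = []
    ext_writes = defaultdict(list)  # vm -> timestamps of suspicious installs
    for e in sorted(events, key=lambda e: e["eventTimestamp"]):
        ts = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
        vm, op = vm_of(e["resourceId"]), e["operationName"]
        if op == EXTENSION_WRITE and e["caller"] not in ALLOWED_EXTENSION_CALLERS:
            ext_writes[vm].append(ts)
            alerts.append(("extension_install", vm, e["caller"], e["callerIpAddress"]))
        elif op == SERIAL_CONNECT:
            alerts.append(("serial_console", vm, e["caller"], e["callerIpAddress"]))
            # High confidence: an unexpected extension landed on this VM recently.
            if any(ts - t <= CORRELATION_WINDOW for t in ext_writes[vm]):
                alerts.append(("extension_then_serial", vm, e["caller"], e["callerIpAddress"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```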

## How Does Cloud Security Stand in the Wake of the Attack?

Expressing concerns about [cloud security](/email-security/cloud-security-strategies-businesses-need-to-follow-in-2022/), Mandiant added that the attackers have a deep understanding of the Azure cloud environment. _Combined with **social engineering skills**, their high level of technical knowledge makes these malicious players quite dangerous._

Identifying knowledge gaps in how organizations use cloud technologies is crucial, since **inadequate security** mechanisms make it easier for attackers to exploit vulnerabilities.

[![Cloud Security ](https://media.mailhop.org/duocircle/images/2023/05/sendgrid-alternative-9007.jpg)](https://media.mailhop.org/duocircle/images/2023/05/sendgrid-alternative-9007.jpg)

## Final Words

Organizations need to look beyond SMS-based MFA to **strengthen** their line of defense. With online threats growing more sophisticated every year, it’s time for [CEOs](https://www.cnbctv18.com/technology/as-businesses-shift-to-cloud-ceos-need-to-prioritise-cybersecurity-pwc-15666621.htm) and business heads to consult **managed security services**.

The intensity of these attacks and the intelligence of the malicious players tend to outwit even the most sophisticated **defense mechanisms**. It remains to be seen whether Microsoft will adopt a more vigilant and proactive stance to **prevent** future unauthorized data access attempts.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

