Security flaws in Microsoft’s Azure ecosystem enable cybercriminals to create deceptive applications that imitate official services like the “Azure Portal.
Varonis found that Azure’s safeguards, designed to block reserved names for cross-tenant apps, could be bypassed using invisible Unicode characters.
By inserting characters like the Combining Grapheme Joiner (U+034F) between letters such as “Az͏u͏r͏e͏ ͏P͏o͏r͏t͏a͏l”, attackers created apps that appeared legitimate on consent screens.
This trick worked with over 260 such characters, including those in ranges like U+FE00 to U+FE0F. The ploy exploited the fact that many Microsoft apps lack verification badges, leading users to overlook warnings about third-party origins.
Azure applications, essentially software entities that integrate with Azure services, rely on user consent for permissions. Delegated permissions let apps act on a user’s behalf, accessing emails, files, and more, while application permissions grant standalone access.
When abused, these become potent attack vectors for initial access, persistence, and privilege escalation in Microsoft 365 environments.
Phishing Tactics Fuel The Threat
Varonis zeroed in on initial access methods, particularly illicit consent grants and device code phishing. In the former, phishing emails lure victims to fake file links that redirect to a consent page.
Once approved, attackers snag access tokens without needing passwords, granting them the victim’s resource privileges.
Device code phishing takes it further: Attackers generate a verification URI and code for a malicious app, tricking users into entering it on a legitimate-looking site. The attacker then polls for the token, hijacking the session.
These techniques thrive on deception. Consent pages for the spoofed apps displayed convincingly, especially when paired with Azure icons.
Forum discussions reveal users routinely dismissing “unverified” alerts, assuming they’re safe from Microsoft itself.
Prohibited names tested included staples like “Microsoft Teams,” “Power BI,” and “OneDrive SyncEngine,” underscoring the scope of potential impersonations.
Varonis disclosed the issues promptly; Microsoft fixed the initial Unicode bypass in April 2025 and a broader set in October 2025.
No customer action is required, as the updates safeguard tenants automatically. Still, experts urge organizations to monitor app consents rigorously, enforce least-privilege permissions, and educate users on phishing red flags.
This episode reinforces the need for layered defenses in cloud environments. As attackers evolve, so must vigilance lest a seemingly benign app consent unlock the door to chaos.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
