AzureHound, an open-source data collection tool designed for legitimate penetration testing and security research, has become a favored weapon in the hands of sophisticated threat actors.
The tool, which is part of the BloodHound suite, was originally created to help security professionals and red teams identify and fix cloud vulnerabilities.
However, malicious actors have increasingly misused this capability to map out Azure environments and discover pathways for privilege escalation attacks.
The tool operates by collecting data through Microsoft Graph and Azure REST Application Programming Interfaces (APIs), allowing it to enumerate Entra ID and Azure environments to gather information about identities and resources.
Written in the Go programming language and available as precompiled versions for Windows, Linux, and macOS, AzureHound proves particularly dangerous because it does not need to be run from within a victim’s network.
Since both APIs are accessible externally, threat actors can launch discovery operations remotely after gaining initial access to compromised systems.
When threat actors gain access to a victim’s Azure environment, they deploy AzureHound to automate discovery procedures that would otherwise require extensive manual effort.
The tool helps attackers discover user hierarchies, identify high-value targets, and uncover misconfigurations or indirect privilege escalation opportunities that might otherwise remain hidden.
By gathering comprehensive internal Azure information, attackers can develop targeted attack strategies with surgical precision. The tool outputs data in JSON format, which can be ingested by BloodHound’s visualization capabilities.
This creates a graphical representation of hidden relationships and attack paths within the target’s infrastructure, giving attackers a complete roadmap of the environment they have infiltrated.
This combination of automated discovery and visual analysis transforms cloud reconnaissance from a time-consuming process into an efficient operation. Recent threat intelligence reveals the widespread adoption of AzureHound across multiple adversary groups.
Unit 42 researchers have tracked the Iranian-backed group Curious Serpens, also known as Peach Sandstorm and active since at least 2013, leveraging AzureHound to conduct internal discovery operations against target Microsoft Entra ID environments.
In May 2025, Microsoft disclosed that suspected nation-state threat actor Void Blizzard employed AzureHound during the discovery phase of their campaigns to enumerate Entra ID configurations.
More recently, in August 2025, Microsoft reported Storm-0501, a ransomware operator, using AzureHound to enumerate target Entra ID tenants while operating in hybrid, multi-tenant Azure environments.
Organizations using Azure and Microsoft Entra ID must recognize that tools like AzureHound leave detectable evidence when used maliciously.
Security teams should focus on detecting abnormal API activity, monitoring for suspicious enumeration patterns, and implementing strong identity and access controls.
Understanding how threat actors misuse legitimate tools is essential for building effective detection capabilities and responding quickly to compromise indicators in cloud environments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
