
Suspicious Azure command line interface (CLI) activity
Organization: Government industry, 1300 employees, Spain
Solution: Sophos MDR + Microsoft 365 Management Activity Integration + Microsoft 365 Graph Security Integration
Adversary behavior
The attacker attempts to access the customer's cloud environment by signing in as the Microsoft Azure Command Line Interface (CLI) application. Authenticating as the CLI lets a threat actor interact with cloud resources programmatically: enumerate users, modify configurations, exfiltrate data, or escalate privileges within the Azure environment. Because the Azure CLI is a legitimate and widely used administrative tool, the activity blends in with routine administration unless the sign-in details themselves are inspected.
Threat detection
A case is automatically created at 09:06 UTC based on a sign-in where the user agent is set to 'node-fetch' and the application is 'Microsoft Azure CLI'. The genuine Azure CLI is a Python tool and does not identify itself as node-fetch (a Node.js HTTP library), so this combination means a script is reusing the CLI's application identity rather than the CLI itself. This specific user agent has been observed in previous campaigns and is treated as an indicator of compromise. Sophos automation acts on the event data ingested through the M365 Management Activity integration to deliver the fastest possible response.
Investigation
The high-fidelity detection also determines that the sign-in is anomalous compared to the user's normal activity. Because the indicator is known and the detection confidence is high, Sophos automation escalates the case to the customer directly, without a Sophos MDR analyst investigating first, so the response can begin immediately.
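The detection and investigation steps above can be expressed as a small rule over sign-in events. The following is an added example, not Sophos code: it flags the case's indicator (Azure CLI application with a node-fetch user agent) and, as in the investigation step, notes whether the sign-in comes from a country not previously seen for that user. The sample records are constructed, and their flat field names (userPrincipalName, appDisplayName, userAgent, ipAddress, country, status) are an assumed simplification of the real sign-in schema, not a copy of the Management Activity API layout.

```python
"""Flag Azure CLI sign-ins whose user agent is node-fetch, with a per-user baseline check.
Added example for the case above; not Sophos detection code."""
from collections import defaultdict
from dataclasses import dataclass, field

# Values taken from the case: the application name and the user-agent indicator.
AZURE_CLI_APP = "Microsoft Azure CLI"
IOC_USER_AGENT = "node-fetch"

# Constructed sample sign-in records (assumed, simplified field names).
# The AZURECLI/... user agent stands in for what the real CLI sends; the
# node-fetch record is the pattern the case describes.
SAMPLE_SIGNINS = [
    {"time": "2024-05-13T07:41:00Z", "userPrincipalName": "alice@example.gov",
     "appDisplayName": "Microsoft Azure CLI", "userAgent": "AZURECLI/2.60.0 python/3.11",
     "ipAddress": "203.0.113.10", "country": "ES", "status": "success"},
    {"time": "2024-05-13T15:02:00Z", "userPrincipalName": "alice@example.gov",
     "appDisplayName": "Office 365 Exchange Online", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "ipAddress": "203.0.113.10", "country": "ES", "status": "success"},
    {"time": "2024-05-14T09:06:00Z", "userPrincipalName": "alice@example.gov",
     "appDisplayName": "Microsoft Azure CLI", "userAgent": "node-fetch",
     "ipAddress": "198.51.100.77", "country": "NL", "status": "success"},
    {"time": "2024-05-14T09:10:00Z", "userPrincipalName": "bob@example.gov",
     "appDisplayName": "Microsoft Azure CLI", "userAgent": "AZURECLI/2.60.0 python/3.11",
     "ipAddress": "203.0.113.22", "country": "ES", "status": "success"},
]


@dataclass
class Alert:
    time: str
    user: str
    ip: str
    country: str
    user_agent: str
    reasons: list = field(default_factory=list)


def is_ioc_match(event):
    """Known indicator from the case: Azure CLI application with a node-fetch user agent."""
    return (event.get("appDisplayName") == AZURE_CLI_APP
            and IOC_USER_AGENT in event.get("userAgent", "").lower())


def detect(events):
    """Walk sign-ins in time order, keeping a per-user set of countries seen in earlier
    clean sign-ins. Every IOC match becomes an alert; a new country for that user is
    recorded as a second reason, mirroring the anomaly check in the investigation."""
    seen_countries = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["userPrincipalName"]
        if is_ioc_match(ev):
            reasons = ["user agent 'node-fetch' with application 'Microsoft Azure CLI'"]
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                reasons.append(f"sign-in from {ev['country']}, not previously seen for this user")
            alerts.append(Alert(ev["time"], user, ev["ipAddress"], ev["country"],
                                ev["userAgent"], reasons))
        elif ev.get("status") == "success":
            # Only clean, successful sign-ins feed the baseline, so an attacker's
            # location is never learned as "normal" for the user.
            seen_countries[user].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SIGNINS):
        print(f"{alert.time} {alert.user} from {alert.ip} ({alert.country}) ua={alert.user_agent!r}")
        for reason in alert.reasons:
            print("  -", reason)
```

Run against the constructed records, this produces one alert, for alice@example.gov at 09:06 from 198.51.100.77, with both reasons; bob's genuine CLI sign-in and alice's earlier sign-ins are not flagged. The baseline is deliberately built only from events that precede the one being evaluated, which is what makes the "not seen before" reason meaningful.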
Response
Sophos MDR informs the customer of the findings at 09:07 UTC, including the user and sign-in location, and recommends that the customer revoke the user's session tokens, reset the user's credentials, review and enforce MFA, and review Conditional Access policies. Revoking sessions invalidates the account's refresh tokens, so the attacker cannot mint new access tokens; access tokens already issued remain valid until they expire, which is why the credential reset and Conditional Access review matter as well. The customer responds at 10:33 UTC, confirms that the activity was not expected, and implements the recommendations. Through automated detection and rapid escalation, the threat is contained in under 90 minutes from detection, preventing further unauthorized cloud access and strengthening the customer's Azure security posture.