The expendable extension name: Azure VMAccess naming chaos, password resets, and a detection gap
ID: 68997d76-8b69-56f8-8385-58943a7cf8af
STIX ID: report--68997d76-8b69-56f8-8385-58943a7cf8af
Feed Name: Sysdig Blog
Sysdig Threat Research Team identified that Azure VMAccess extensions can be deployed with arbitrary, caller-controlled resource names (the {name} segment in /virtualMachines/{vm}/extensions/{name}). As a result, anyone holding the Microsoft.Compute/virtualMachines/extensions/write permission can reset VM passwords and persist while evading activity-log-based detections; in Sysdig's tests, Microsoft's documented telemetry did not fire, and Microsoft deemed the behavior "not a security vulnerability." The report outlines naming inconsistencies across tooling and documentation, shows the resulting activity-log omissions, maps the issue to the MITRE ATT&CK masquerading technique, and recommends detection alternatives: matching on the extensions/write operation, correlating with the Extensions API or Resource Graph to recover the extension's publisher and type, and alerting on extension writes to sensitive VMs.