Cloud Threats Memo: Iranian Threat Actors Continue to Exploit Azure
ID: fcd38276-d207-54e4-b67d-50daed9bbc1a
STIX ID: report--fcd38276-d207-54e4-b67d-50daed9bbc1a
Feed Name: Netskope Threat Labs
Microsoft researchers observed APT33 (Peach Sandstorm) running an April–July 2024 campaign that used LinkedIn for target reconnaissance, used password spraying to compromise accounts, and deployed a new multi-stage backdoor named Tickler. The backdoor's command-and-control infrastructure was hosted in attacker-controlled or compromised Microsoft Azure subscriptions, notably leveraging accounts in the education sector. The report also cites a similar Azure-based campaign by UNC1549 and describes how Netskope controls can mitigate cloud-hosted C2 and malware delivery.
