From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph

Microsoft

May 29, 2025

Enterprises face an ever-evolving landscape of cybersecurity threats that require robust and adaptive defense strategies to protect multiple threat surfaces. Many organizations manage their resources across different realms, including on-premises and cloud environments, and create complex infrastructures, where interconnections between services, resources, and identities become vital.

If not managed with caution and diligence, these interconnections can pose significant risks. Threat actors may exploit them to take over realms, conduct identity theft, exfiltrate data, engage in ransomware extortion, or engage in other malicious activities.

Organizations deploy a variety of solutions to safeguard their workloads, whether they are on premises, or in the cloud. Many have adopted integrated platforms that offer a unified view of their security environment. Solutions like Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) are now essential. However, a significant gap emerges when dealing with attacks that span multiple layers within the enterprise, crossing various realms, where each realm lacks the context of the others, and shared entities (IP Address, User, and more) are non-existent. This limitation prevents the SOC teams from identifying the comprehensive attack chain, where the contextual correlation of low-medium confidence signals across the realms is essential, and effectively responding to such complex, multi-faceted threats.

In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats. This contextual enrichment allows SOC teams to uncover and determine that the low-medium confidence signals across the realms are part of the same attack—from the earliest compromise of the first realm to the last. This is possible by correlating indicators of compromise with shared possible attack paths on the graph that cross the on-premises and move to the cloud, and vice-versa. We will emphasize on-hybrid attacks that move from on-premises environments to the cloud.

Recognizing the Complexity of Hybrid Threats

Exposure management solutions, such as Microsoft Exposure Management, have already identified the need to surface risks that cross these realms. These solutions are now exposing hybrid attack paths, providing the necessary context to understand and mitigate threats that span different layers and realms—in this case, on-premises and cloud—within the enterprise (read more).

The exposure graph supercharges threat protection capabilities by focusing on a specific attack scenario that highlights this gap: a device compromise leading to an Azure environment takeover. In such scenarios, context is key to creating a holistic picture of the larger kill-chain.

In this scenario, a device which isn’t joined to Entra is compromised using the threat actor’s payload delivery and an N-day exploit, allowing the threat actor to gain an initial foothold on the device. The threat actor then discovers an unexpired Entra session cookie residing in the browser. They perform credential theft and extract the cookie using known attack tools, with a goal to steal and assume the identity and permissions of the user that the cookie is tied to.

After hijacking the cookie, the threat actor manages to compromise the user by replaying the cookie from their own device and pivoting to the cloud, successfully satisfying the multifactor authentication (MFA) requirement. The threat actor then discovers that this user is assigned with the Global Administrator Entra role, which results in a highly destructive on-premises to cloud privilege escalation. This might not be coincidental, as the user was targeted as part of a spear-phishing campaign, which resulted in the payload delivery and the initial access.

The threat actor then shifts their focus to Azure, targeting the organization’s valuable data that resides in the cloud realm. They perform the elevate access operation within the Azure portal, thereby gaining privileged permissions over all Azure subscriptions in scope, allowing them to take over Azure. Finally, the threat actor commits mass data exfiltration from the discovered Azure storage accounts that reside in the Azure compromised subscriptions. This stolen data can later be sold on the dark web or used to commit ransomware extortion.

Graph-based contextual detection & response

In the above scenario, the threat actor’s pivot from on-premises to the cloud may easily be a blind spot, as there is no shared indication that the device sequence of events is related to the cloud sequence of events, because the former occurs in the context of the local account while the latter occurs in the context of the Entra identity. This prevents SOC teams from correlating operations across different realms (on-premises and cloud), as there are no shared entities. In addition, each realm detection capability might have low-medium confidence individually, but with context enrichment and cross-realm signal correlation, the result can be a high confidence threat detection capability that SOC teams can respond to effectively.

As suspicious operations are detected within the device during the attack, including reconnaissance and discovery, credential theft, execution, and more, these detections often lack the context of the cloud user with an active logon session inside the device. Conversely, suspicious activity detected within Azure also lacks the context of previous suspected operations that occurred on the device.

To bridge the gap, we utilize the Enterprise Exposure Graph to integrate both contexts and formulate a comprehensive picture of the destructive campaign, with high confidence. By enriching the XDR capabilities, we can correlate events through shared paths in the graph, allowing us to consolidate the device compromise, credential theft, and the cloud compromise and operations into a single, cohesive incident.

Hybrid attack detection and response: How does this all work?

The Enterprise exposure graph collects information about assets, users, secrets, workloads, and more. Secrets can be in the form of user tokens and cookies, cloud resource access keys, and more. One of the unique features of the graph is its ability to connect users and devices, using secrets (user cookies and tokens). By leveraging the capabilities of secret scanning on both on-premises and cloud machines within Microsoft Security Exposure Management (MSEM), the exposure graph surfaces connections between a device and a user.

In the above attack scenario, when the ‘device’ ‘contains’ an Entra session cookie (also known as ‘entra-userCookie’ in the Microsoft exposure graph) within the browser, where the cookie ‘can authenticate as’ the user, the connection appears in the graph. For more details, please refer to our previous blog.

We use these graph-based connections and context enrichments within Microsoft Defender XDR to detect destructive cross-realm attacks. By correlating events based on the connections between the endpoint device and the user's identity, we can generate a high-confidence unified alert, or an incident that correlates different alerts. This provides a comprehensive description of the attack, showing how a single threat actor moved from the device to the cloud.