Profiling Silk Typhoon: Tactics, History & Defenses

November 14, 2025

Summary

  • Threat Actor: Silk Typhoon (China-nexus), a.k.a. HAFNIUM, timmy
  • Motivation: State-affiliated espionage
  • Targeting: Azure and M365 environments; government, IT, MSPs, defense, healthcare, and NGOs
  • Attack Types: Zero-day exploitation, Entra Connect compromise, abuse of OAuth apps and the Graph/EWS APIs for email and data theft
  • Defenses: Lock Entra Connect, audit OAuth apps, monitor Graph/EWS, enforce MFA, and segment on-prem/cloud.
If you enjoy reading about cloud threat actors, you might also enjoy our training or investigating your own cloud incidents with Cloud Labs.

Overview

Silk Typhoon, also known as HAFNIUM, is assessed to be a Chinese state-affiliated threat actor, publicly identified in early 2021, driven by espionage and targeting sectors such as defense, transportation, media, NGOs, and healthcare. The group gained prominence in March 2021 by chaining four Microsoft Exchange Server zero-days (CVE-2021-26855, a server-side request forgery; CVE-2021-26857, an insecure deserialization flaw; and CVE-2021-26858 and CVE-2021-27065, arbitrary file writes) into unauthenticated remote code execution against on-premises Exchange servers. The campaign let Silk Typhoon drop web shells for persistent access and data exfiltration across thousands of organizations worldwide.

In February 2025, the threat actor exploited CVE-2025-3928, a zero-day in Commvault Web Server, inside Commvault's Microsoft Azure environment, deploying web shells and reaching client secrets belonging to Commvault's Metallic Microsoft 365 backup SaaS. Those secrets gave it a path into customers' Microsoft 365 tenants, showing the group's focus on cloud-based supply chain attacks. By targeting IT supply chains in this way, Silk Typhoon turns a trusted vendor relationship into access to downstream cloud environments.

Silk Typhoon demonstrates cloud-fluent tactics by exploiting on-premises footholds to pivot into cloud environments, targeting Microsoft Entra Connect servers to synchronize and escalate privileges between Active Directory and Entra ID for lateral movement. Once in the cloud, the group manipulates service principals and OAuth applications with administrative consents to abuse Microsoft Graph and Exchange Web Services (EWS) APIs for targeted exfiltration of email, OneDrive, and SharePoint data.

TTPs

All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Cloud Campaign TTPs

Each entry lists the tactic, the MITRE ATT&CK ID and technique, followed by the observed procedure.

Tactic | ID | Technique
Initial Access | T1190 | Exploit Public-Facing Application
Commvault Campaign: The threat actor exploited CVE-2025-3928, a zero-day vulnerability in Commvault Web Server, to gain unauthorized access to Commvault's Azure environment, targeting a public-facing application to establish initial access.

Initial Access | T1195 | Supply Chain Compromise
Commvault Campaign: The threat actor abuses stolen API keys and credentials associated with privileged access management, cloud app providers, and cloud data management companies, allowing access to these companies' downstream customer environments.

Initial Access | T1078.004 | Valid Accounts: Cloud Accounts
Commvault Campaign: Silk Typhoon leveraged leaked corporate passwords found in public repositories, such as GitHub, to authenticate to corporate SaaS accounts, gaining initial access to cloud environments.
Lateral Movement | T1210 | Exploitation of Remote Services
General: The threat actor moves laterally from on-premises to cloud environments by targeting Entra Connect (formerly Azure AD Connect) servers, which synchronize on-premises Active Directory with Entra ID, to escalate privileges and gain access to both environments.

Lateral Movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash
General: The threat actor dumps Active Directory credentials and steals passwords from key vaults, then reuses that credential material to move from on-premises into cloud environments.

Lateral Movement | T1199 | Trusted Relationship
General: The threat actor compromises multi-tenant applications and the cross-tenant access they hold, enabling movement across tenants and access to additional resources for data exfiltration. (ATT&CK lists T1199 under Initial Access; it is placed here because the observed procedure is cross-tenant movement.)

Privilege Escalation | T1078.002 | Valid Accounts: Domain Accounts
General: The threat actor escalates privileges by compromising Entra Connect servers, whose synchronization accounts hold rights in both on-premises Active Directory and Entra ID, enabling access to both environments.
Credential Access | T1528 | Steal Application Access Token
Commvault Campaign: The threat actor accessed client secrets for Commvault's Metallic M365 backup SaaS solution hosted in Azure, allowing unauthorized access to customers' M365 environments via the hijacked service principals.
Persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials
General: The threat actor adds its own passwords or certificates to existing consented applications and service principals, or creates new Entra ID applications, often named to blend into the environment using legitimate service or Office 365 themes, to maintain access and facilitate data theft.

Commvault Campaign: The threat actor potentially manipulated or used the stolen client secrets to maintain access to customers' M365 environments, persisting through compromised application credentials rather than a user account.

Persistence | T1505.003 | Server Software Component: Web Shell
Commvault Campaign: The threat actor deployed web shells to retain unauthorized access to the cloud-hosted web server.
Defense Evasion | T1036 | Masquerading
General: The threat actor names the Entra ID applications it creates after legitimate services or Office 365 themes so they blend into the environment and evade detection.

Commvault Campaign: The threat actor's activities involved exploiting a vulnerability in a trusted SaaS application (Commvault's Metallic), blending malicious actions with legitimate application functionality to evade detection.
Collection | T1213.002 | Data from Information Repositories: Sharepoint
General: The threat actor abuses service principals and OAuth applications with administrative permissions to exfiltrate data from SharePoint via the Microsoft Graph API.

Collection | T1114.002 | Email Collection: Remote Email Collection
General: The threat actor uses compromised applications with access to the Exchange Web Services (EWS) API or Microsoft Graph API to steal email data.

Collection | T1530 | Data from Cloud Storage
General: The threat actor leverages service principals and OAuth applications to exfiltrate data from OneDrive via the Microsoft Graph API.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
Commvault Campaign: The exploitation of CVE-2025-3928 involved creating and executing web shells, meaning command and control within the compromised Azure environment ran over ordinary web traffic (HTTP requests to the web shell).
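The persistence and masquerading entries above (adding credentials to consented apps, registering look-alike applications, consenting to broad Graph or EWS permissions) all leave entries in the Entra ID audit log. The following is an added example, not code from this page or from Invictus, that triages such an export and groups findings per application. The five events at the bottom are constructed samples whose field names follow the Graph auditLogs/directoryAudits schema; the permission set and the look-alike word list are assumptions to tune for your tenant.

```python
"""Triage an export of Microsoft Entra ID audit log events for app-registration and
service-principal persistence.  Added example; events below are constructed."""
import json
import re
from collections import defaultdict

# Operations that add a password or certificate to an existing app or service
# principal.  The "Update application" name carries an en dash in the live log;
# the plain-hyphen spelling is included because some exports normalise it.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application \u2013 Certificates and secrets management",
    "Update application - Certificates and secrets management",
}
CONSENT_OPS = {"Consent to application", "Add app role assignment to service principal"}
CREATE_OPS = {"Add application", "Add service principal"}

# Application permissions that give tenant-wide read of mail, files and sites via
# Microsoft Graph, or full mailbox access via EWS (full_access_as_app). Assumed list.
HIGH_RISK_PERMS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Words borrowed from Microsoft and Office 365 service names (assumed list).
MASQUERADE_RE = re.compile(
    r"\b(microsoft|office ?365|o365|exchange|outlook|onedrive|sharepoint|teams|azure|intune)\b",
    re.IGNORECASE,
)


def parse_events(lines):
    """One JSON object per line, as in an export of directoryAudits."""
    return [json.loads(line) for line in lines if line.strip()]


def actor_of(event):
    """initiatedBy holds either a user or an app; return whichever is present."""
    who = event.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def triage(events):
    """Return (kind, app display name, actor, detail) tuples worth an analyst's time."""
    findings = []
    for e in events:
        op = e.get("activityDisplayName", "")
        target = (e.get("targetResources") or [{}])[0]
        name = target.get("displayName") or ""
        when = e.get("activityDateTime", "")
        actor = actor_of(e)
        if op in CREDENTIAL_OPS:
            findings.append(("credential_added", name, actor, when))
        if op in CREATE_OPS and MASQUERADE_RE.search(name):
            findings.append(("masquerading_name", name, actor, when))
        if op in CONSENT_OPS:
            granted = set()
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") in ("ConsentAction.Permissions", "AppRole.Value"):
                    # Pull dotted permission names out of the free-text newValue field.
                    granted.update(re.findall(r"[A-Za-z_]+(?:\.[A-Za-z_]+)*", prop.get("newValue") or ""))
            risky = granted & HIGH_RISK_PERMS
            if risky:
                findings.append(("high_risk_consent", name, actor, ",".join(sorted(risky))))
    return findings


def score_apps(findings):
    """Group finding kinds per app; an app collecting several kinds is pulled first."""
    per_app = defaultdict(set)
    for kind, name, _actor, _detail in findings:
        per_app[name].add(kind)
    return dict(per_app)


# Constructed sample: a look-alike app is registered, consented with broad scopes and
# given a secret; then a secret is added to an existing, unrelated line-of-business app.
SAMPLE_LOG = r'''
{"activityDateTime": "2025-02-20T02:11:04Z", "activityDisplayName": "Add application", "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}, "app": null}, "targetResources": [{"displayName": "Office 365 Exchange Online Sync", "type": "Application", "modifiedProperties": []}]}
{"activityDateTime": "2025-02-20T02:12:31Z", "activityDisplayName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}, "app": null}, "targetResources": [{"displayName": "Office 365 Exchange Online Sync", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentAction.Permissions", "oldValue": "[]", "newValue": "[[ConsentType: AllPrincipals, Scope: Mail.Read Files.Read.All Sites.Read.All]]"}]}]}
{"activityDateTime": "2025-02-20T02:13:02Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}, "app": null}, "targetResources": [{"displayName": "Office 365 Exchange Online Sync", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[]", "newValue": "[[KeyIdentifier=k1,KeyType=Password,KeyUsage=Verify]]"}]}]}
{"activityDateTime": "2025-02-20T02:40:55Z", "activityDisplayName": "Update application \u2013 Certificates and secrets management", "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}, "app": null}, "targetResources": [{"displayName": "HR Payroll Connector", "type": "Application", "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[[KeyIdentifier=k2,KeyType=Password]]", "newValue": "[[KeyIdentifier=k2,KeyType=Password],[KeyIdentifier=k3,KeyType=Password]]"}]}]}
{"activityDateTime": "2025-02-20T09:02:17Z", "activityDisplayName": "Add application", "initiatedBy": {"user": {"userPrincipalName": "dev.lead@contoso.example"}, "app": null}, "targetResources": [{"displayName": "Contoso Ticketing Dev", "type": "Application", "modifiedProperties": []}]}
'''

if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_LOG.splitlines()))
    for f in found:
        print(f)
    for app, kinds in score_apps(found).items():
        print(app, "->", sorted(kinds))
```

On the sample, the look-alike app accumulates all three finding kinds, while "HR Payroll Connector" shows only a credential addition; that second case is the quieter Silk Typhoon pattern (a new secret on an app that was consented long before the log window) and is why credential additions are reported on their own, without requiring a consent event in the same export.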

Incident Response Steps

Below are several high-impact steps to prepare for and respond to the TTPs mentioned above. The list isn't exhaustive, but it highlights key areas where defenders can focus their efforts. Each step lists what to investigate and how to harden.

1. Exploit Public-Facing Application
Detect and mitigate unauthorized access via a web server vulnerability.
Investigate:
  • Review Azure Activity Logs and web server logs (IIS/Nginx) for suspicious requests, such as POSTs to script paths that never previously received them.
  • Correlate alerts from Microsoft Defender for Cloud.
  • Analyze affected Azure VMs for post-exploitation activity.
Harden:
  • Patch known vulnerabilities and isolate compromised instances.
  • Deploy WAF rules and enforce least-privilege access with Azure RBAC.

2. Supply Chain Compromise
Detect and neutralize misuse of stolen API keys and credentials.
Investigate:
  • Audit Entra ID and Azure IAM logs for unauthorized access or unusual app activity, including credentials added to existing app registrations and service principals.
  • Review Defender for Identity alerts for anomalous credential use.
  • Trace credential origin and scope using Azure Resource Graph.
Harden:
  • Rotate compromised credentials and enforce MFA across all accounts.
  • Restrict access by IP and enforce credential hygiene policies with Azure Policy.

3. Server Software Component: Web Shell
Detect and eradicate web shell deployments.
Investigate:
  • Analyze IIS/Nginx logs and Microsoft Defender for Cloud File Integrity Monitoring for suspicious script activity.
  • Check EDR logs for unusual processes spawned by the web server (w3wp.exe or nginx worker children such as cmd.exe, powershell.exe or sh).
  • Investigate script upload patterns and access anomalies.
Harden:
  • Block script uploads using a Web Application Firewall (WAF) and enforce execution policies.
  • Deploy EDR and enable real-time log streaming into Microsoft Sentinel.

4. Data Exfiltration from Repositories
Detect and prevent data exfiltration from cloud repositories.
Investigate:
  • Monitor the Unified Audit Log for file access, downloads (FileDownloaded, FileSyncDownloadedFull), mailbox reads (MailItemsAccessed) and Graph API activity, paying attention to operations performed by an application rather than a user.
  • Use Defender for Cloud Apps to detect abnormal downloads or OAuth abuse.
  • Review Entra ID and Exchange mailbox audit logs for suspicious sharing or forwarding.
Harden:
  • Enforce Conditional Access and Data Loss Prevention (DLP) policies across M365 services.
  • Apply encryption and integrate audit logs with Microsoft Sentinel.
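Step 4 asks for Unified Audit Log monitoring of Graph and EWS activity. The signal that separates Silk Typhoon-style collection from a legitimate integration is one application identity touching many mailboxes or pulling many files in a short window. The following is an added example, not code from this page or from Invictus, that computes that peak per application over UAL-style records. The records are constructed in the shape of Office 365 Management Activity API records (AppId/ClientAppId on Exchange records, ApplicationId on SharePoint and OneDrive records); the two app IDs, the window and the thresholds are assumptions.

```python
"""Flag applications that sweep many mailboxes or download many files in a short
window, over Unified Audit Log style records.  Added example; data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ATTACKER_APP = "5e7b2c11-0000-4000-8000-000000000a11"  # constructed app (client) id
BENIGN_APP = "9c1d4f22-0000-4000-8000-000000000b22"    # constructed app (client) id


def build_sample():
    """Constructed records: a benign app polling one mailbox hourly, and a suspicious
    app reading eight mailboxes and downloading 25 files within a few minutes."""
    t0 = datetime(2025, 2, 21, 3, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(3):
        recs.append({"CreationTime": (t0 + timedelta(hours=i)).isoformat(), "Workload": "Exchange",
                     "Operation": "MailItemsAccessed", "AppId": BENIGN_APP,
                     "MailboxOwnerUPN": "helpdesk@contoso.example"})
    for i in range(8):
        recs.append({"CreationTime": (t0 + timedelta(seconds=30 * i)).isoformat(), "Workload": "Exchange",
                     "Operation": "MailItemsAccessed", "AppId": ATTACKER_APP,
                     "MailboxOwnerUPN": f"exec{i}@contoso.example"})
    for i in range(25):
        recs.append({"CreationTime": (t0 + timedelta(minutes=5, seconds=10 * i)).isoformat(),
                     "Workload": "OneDrive", "Operation": "FileDownloaded", "UserId": "app@sharepoint",
                     "ApplicationId": ATTACKER_APP, "SourceFileName": f"board-pack-{i}.pdf"})
    return recs


def app_id_of(rec):
    """Exchange records carry AppId/ClientAppId; SharePoint and OneDrive carry ApplicationId."""
    return rec.get("AppId") or rec.get("ClientAppId") or rec.get("ApplicationId")


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def max_in_window(events, window):
    """Largest number of distinct values among (time, value) pairs inside any `window`."""
    events = sorted(events, key=lambda ev: ev[0])
    best = 0
    for i, (t_i, _) in enumerate(events):
        seen = set()
        for t_j, value in events[i:]:
            if t_j - t_i > window:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best


def mass_access(records, window=timedelta(minutes=60), mailbox_threshold=5, file_threshold=20):
    """Per app id: peak distinct mailboxes read and files downloaded within `window`,
    flagged when either exceeds its threshold (thresholds are assumptions)."""
    mail = defaultdict(list)
    files = defaultdict(list)
    for r in records:
        app = app_id_of(r)
        if not app:
            continue  # user-driven record with no application identity
        t = parse_time(r["CreationTime"])
        if r.get("Operation") == "MailItemsAccessed":
            mail[app].append((t, r.get("MailboxOwnerUPN")))
        elif r.get("Operation") == "FileDownloaded":
            files[app].append((t, r.get("SourceFileName")))
    result = {}
    for app in set(mail) | set(files):
        m = max_in_window(mail.get(app, []), window)
        f = max_in_window(files.get(app, []), window)
        result[app] = {"mailboxes": m, "files": f, "flag": m >= mailbox_threshold or f >= file_threshold}
    return result


if __name__ == "__main__":
    for app, stats in mass_access(build_sample()).items():
        print(app, stats)
```

In a live investigation the records come from a Search-UnifiedAuditLog or Management Activity API export rather than build_sample(); distinct mailboxes is the better counter than raw event volume, because a legitimate connector that polls one shared mailbox every minute produces far more MailItemsAccessed events than an application sweeping the executive team once.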

Getting Help

If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your Azure, M365 or Entra defenses, refine your IR runbook, and stay ahead of Silk Typhoon or other cloud-focused adversaries.

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!

🆘 For incident response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7