2025-08-05 –, Florentine A
We have exposed offensive capabilities in the azbridge tool, which has been available in Azure's GitHub repository since 2018. This tool is an utility connecting isolated assets. Our research demonstrates how an attacker can weaponize this tool.
azbridge supports attackers in establishing covert C2 channels, exfiltrating data, and enabling lateral movement while evading scrutiny by perimeter defenses. It leverages back-end services that serve Azure Relay endpoints (*.servicebus.windows.net) and encapsulates malicious traffic in TLS-encrypted connections to *.cloudapp.azure.com endpoints, defeating egress filtering and proxy inspection.
We demonstrate how attackers can use it to maintain persistent network access, bypass network security controls, and conduct post-exploitation using Microsoft's tool. More sophisticated adversaries can re-implement the functionality of this tool in their tradecraft (e.g., implants). For our defensive side friends, we provide initial recommendations on recognizing these techniques to defend against adversaries exploiting legitimate infrastructure.
While not a 0-day, as of 03/14/2025, there are no reports of adversaries using azbridge, and no researchers have reported this tool's potential for abuse. Therefore, we believe it is a novel use case or at least one that has not been publicly discussed.
This talk showcases our research into Microsoft's azbridge tool and how it can be weaponized for offensive operations. We discovered that this legitimate Azure Relay utility, which has been publicly available since 2018, can be repurposed using its default configuration to create covert command and control channels, exfiltrate data, and facilitate lateral movement across networks.
What makes this particularly dangerous is that azbridge leverages Microsoft's own infrastructure, with traffic being routed through Microsoft domains (*.servicebus.windows.net and *.cloudapp.azure.com). These connections are TLS-encrypted and appear legitimate to most security tools, allowing attackers to bypass egress filtering, proxy inspection, and other network security controls.
We will demonstrate scenarios including:
- Setting up covert C2 channels that communicate using
Azure Relayservices - A custom C2 implant loader implementation that uses
Azure Relayfor communications
For defenders, we'll provide detection strategies, including network traffic analysis techniques, Azure service monitoring approaches, and recommended security controls to mitigate these threats.
The implications of this research are significant as there are currently no documented cases of adversaries using this technique in the wild, making this presentation a first look at what could become a significant threat vector.
Robert is a seasoned offensive security professional with more than a decade of experience in Information Security.
He started his career in the U.S. Marine Corps, working on secure telecommunications. Robert holds a master's degree in Cybersecurity, numerous IT certifications, and a background as an instructor at higher education institutions like the New Jersey Institute of Technology and American University.
Robert is committed to sharing his knowledge and experiences for the benefit of others. He enjoys Brazilian steakhouses and cuddling with his pugs while writing Infrastructure as Code to automate Red Team Infrastructure.
Robert is the Red Team Lead @ Humana, Inc.