Restless Guests: From Subscription to Backdoor Intruder
Simon Maxwell-Stewart
Cloud Village @ DEF CON 33 · Day 1
In "Restless Guests: From Subscription to Backdoor Intruder," Simon Maxwell-Stewart presents a critical, often overlooked attack vector in Microsoft Azure environments. The talk details how a Business-to-Business (B2B) guest user, despite holding minimal or no explicit permissions in the target Azure tenant, can use billing roles from their *home tenant* to create, and subsequently own, Azure subscriptions in the *resource tenant*. This capability, originally an undocumented feature, challenges the conventional security assumption that guest accounts are isolated and fully controlled by the tenant that invited them.
AI review
Genuine original research born from a real-world incident, not a CTF scenario or theoretical exercise. Maxwell-Stewart uncovered a concrete, reproducible attack chain — cross-tenant subscription creation via billing roles — that most Azure administrators have never considered, and he built tooling to prove it works. The defensive mitigations are specific and actionable, which is rarer than it should be.