When Your Partner Betrays You - Trusted Relationship Compromise In The Cloud
Sebastian Walla
fwd:cloudsec North America 2025 · Day 1 · Track 2 - Crestone
Sebastian Walla, a cloud threat intelligence analyst at CrowdStrike, presented two real-world case studies of **trusted relationship compromises** in Azure, both conducted by the China-nexus threat actor **Murky Panda** (tracked by Microsoft as **Silk Typhoon**). The talk demonstrated how a nation-state adversary exploited the inherent trust between organizations and their SaaS providers and Cloud Solution Provider (CSP) partners, who hold delegated administrative access to customer tenants, to pivot into downstream customer environments, ultimately reading emails without triggering alerts in the victim tenants. Walla provided detailed hunting queries and detection techniques for identifying this initial access vector, which remains rare in cloud environments but has been observed at least three times since 2024.
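The talk's own hunting queries are not reproduced on this page. As an added example (not from the talk, from CrowdStrike, or from Microsoft), the following Python applies the kind of hunt described above to a few constructed Entra sign-in records shaped like rows of the Log Analytics `SigninLogs` table. It assumes that CSP partner sign-ins made through delegated admin (DAP/GDAP) carry `CrossTenantAccessType == "serviceProvider"` in the customer tenant's logs (verify this against your own data before relying on it), and the tenant GUIDs, user names, IP address and approved-partner list are illustrative.

```python
"""Hunt for Cloud Solution Provider (CSP) partner sign-ins in a customer tenant.

Added example, not from the talk. Assumptions: records carry the columns of the
Entra SigninLogs table (CrossTenantAccessType, HomeTenantId, ResourceTenantId,
AuthenticationRequirement, ResourceDisplayName, ...); CSP partner sign-ins via
DAP/GDAP show CrossTenantAccessType == "serviceProvider"; tenant IDs, users and
the approved-partner list below are made up.
"""
import json
from dataclasses import dataclass, field

OUR_TENANT = "11111111-1111-1111-1111-111111111111"      # constructed GUIDs
KNOWN_PARTNER = "22222222-2222-2222-2222-222222222222"   # the CSP we contracted
UNKNOWN_TENANT = "33333333-3333-3333-3333-333333333333"  # nobody approved this one

APPROVED_PARTNER_TENANTS = {KNOWN_PARTNER}
MAILBOX_RESOURCES = {"Office 365 Exchange Online"}       # "partner reads mail" signal


def _rec(user, xtat, home, mfa, resource, app, when):
    """Build one SigninLogs-like record (constructed sample data)."""
    return {"TimeGenerated": when, "UserPrincipalName": user,
            "CrossTenantAccessType": xtat, "HomeTenantId": home,
            "ResourceTenantId": OUR_TENANT, "AuthenticationRequirement": mfa,
            "ResourceDisplayName": resource, "AppDisplayName": app,
            "IPAddress": "203.0.113.10"}


# Constructed sign-in log, one JSON object per line (the shape of an export).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("alice@contoso.example", "none", OUR_TENANT, "multiFactorAuthentication",
         "Office 365 Exchange Online", "Outlook", "2025-06-01T08:00:00Z"),
    _rec("bob_fabrikam.example#EXT#@contoso.example", "b2bCollaboration",
         UNKNOWN_TENANT, "multiFactorAuthentication", "Microsoft Graph", "Teams",
         "2025-06-01T08:05:00Z"),
    _rec("admin@partner.example", "serviceProvider", KNOWN_PARTNER,
         "multiFactorAuthentication", "Windows Azure Service Management API",
         "Azure Portal", "2025-06-01T09:00:00Z"),
    _rec("ops@partner.example", "serviceProvider", KNOWN_PARTNER,
         "singleFactorAuthentication", "Microsoft Graph", "Graph Explorer",
         "2025-06-01T09:30:00Z"),
    _rec("svc@unknown.example", "serviceProvider", UNKNOWN_TENANT,
         "singleFactorAuthentication", "Office 365 Exchange Online",
         "Microsoft Office", "2025-06-01T03:12:00Z"),
])


@dataclass
class Finding:
    time: str
    user: str
    home_tenant: str
    resource: str
    reasons: list = field(default_factory=list)  # empty list == expected partner activity


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_partner_signins(records, approved=APPROVED_PARTNER_TENANTS):
    """Return one Finding per CSP partner sign-in, annotated with why it is suspicious.

    Only serviceProvider sign-ins are considered: B2B guests and home-tenant users
    are different hunts. Every partner sign-in is reported so that a partner tenant
    that has never been seen before stands out even when nothing else is wrong.
    """
    findings = []
    for r in records:
        if r.get("CrossTenantAccessType") != "serviceProvider":
            continue
        reasons = []
        if r.get("HomeTenantId") not in approved:
            reasons.append("unapproved_partner_tenant")
        if r.get("AuthenticationRequirement") == "singleFactorAuthentication":
            reasons.append("partner_signin_without_mfa")
        if r.get("ResourceDisplayName") in MAILBOX_RESOURCES:
            reasons.append("partner_touching_mailbox_resource")
        findings.append(Finding(r.get("TimeGenerated", ""), r.get("UserPrincipalName", ""),
                                r.get("HomeTenantId", ""), r.get("ResourceDisplayName", ""),
                                reasons))
    return findings


def high_risk(findings):
    """Partner sign-ins with at least one reason; these are the ones to triage first."""
    return [f for f in findings if f.reasons]


def summarize_by_partner(findings):
    """Count partner sign-ins per home tenant; a new GUID here is itself a lead."""
    counts = {}
    for f in findings:
        counts[f.home_tenant] = counts.get(f.home_tenant, 0) + 1
    return counts


if __name__ == "__main__":
    found = hunt_partner_signins(parse_signins(SAMPLE_LOG))
    print("partner sign-ins per home tenant:", summarize_by_partner(found))
    for f in high_risk(found):
        print(f.time, f.user, f.home_tenant, f.resource, ",".join(f.reasons))
```

Against real data the same three checks translate into a `SigninLogs | where CrossTenantAccessType == "serviceProvider"` query with a summarize over `HomeTenantId`; the point of reporting every partner sign-in, not just the flagged ones, is that a home tenant GUID you have never contracted with is the trusted relationship compromise in its most visible form.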
AI review
Real-world nation-state tradecraft from CrowdStrike's threat intel on Murky Panda / Silk Typhoon, showing how a single SaaS or CSP compromise cascades to every downstream tenant. The DAP mechanism granting Global Admin to all downstream customers is a structural nightmare, and the fact that MFA wasn't enforced for cross-tenant CSP access until Microsoft got embarrassed is peak cloud security. Solid threat intel work with immediately usable hunting queries.