The Landfall Stealer: Inside the 118-Day Malware Campaign That Hijacked Your Cloud

Introduction:

Unit 42 researchers have uncovered “Landfall,” a sophisticated and persistent malware campaign that has been actively exploiting trusted on-premises-to-cloud identity federation for over 118 days. This attack bypasses traditional defenses by leveraging stolen credentials to establish a permanent foothold within Azure AD environments, turning cloud identity into the new battleground for cyber espionage and data theft. Understanding its mechanics is no longer optional for any organization operating in a hybrid cloud environment.

Learning Objectives:

  • Decipher the Landfall attack chain from initial compromise to persistent data exfiltration.
  • Master the critical audit commands to detect malicious service principals and consent grants in Azure AD.
  • Implement hardening strategies to prevent identity federation attacks and secure cloud tenants.

You Should Know:

1. The Initial Compromise: Phishing and Credential Theft

The Landfall campaign typically begins with a classic yet effective phishing email, leading to the theft of user credentials. Once the attacker has a valid username and password, they attempt to sign in to the victim’s cloud environment. The initial access is often gained through a standard interactive sign-in, which may be protected by Multi-Factor Authentication (MFA). However, the attackers’ true objective is not the user’s account itself, but the administrative permissions required to manipulate the identity fabric of the tenant.

2. Bypassing MFA with Trusted IPs and Conditional Access

To circumvent MFA prompts that could alert the user, attackers behind Landfall have been observed registering and exploiting “Trusted IPs” within the victim’s Conditional Access policies. By adding a malicious IP range to the trusted locations, any sign-in attempt originating from that range can be configured to not require MFA.

Azure AD PowerShell Command:

# Get the current Conditional Access policies (requires appropriate permissions)
Get-MgIdentityConditionalAccessPolicy

Step-by-step guide: This PowerShell command, part of the Microsoft Graph PowerShell module, lists all Conditional Access policies in the tenant. Security teams must regularly audit these policies, specifically focusing on the `conditions.locations.includeLocations` property to identify any recently added, unfamiliar, or overly broad trusted IP ranges. A policy that excludes MFA for a new IP block is a major red flag and a key indicator of this stage of the Landfall attack.
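The audit the guide describes, written out as an added example that is not part of the original post or of any Unit 42 tooling: it indexes every named location, then walks the enabled Conditional Access policies that require MFA and reports the locations each one excludes, because an excluded trusted range is exactly where the MFA requirement stops applying. The function name, the 30-day "recent change" window and the `Policy.Read.All` scope are my choices; the code assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK and a session opened with Connect-MgGraph -Scopes Policy.Read.All.
function Get-TrustedLocationReview {
    param(
        # Named locations created or modified within this window are flagged.
        [int]$RecentDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # 1. Index every named location. For IP-based locations the SDK surfaces
    #    isTrusted and ipRanges through AdditionalProperties.
    $byId = @{}
    foreach ($loc in Get-MgIdentityConditionalAccessNamedLocation -All) {
        $props  = $loc.AdditionalProperties
        $ranges = @()
        if ($props['ipRanges']) {
            $ranges = @($props['ipRanges'] | ForEach-Object { $_['cidrAddress'] })
        }
        $byId[$loc.Id] = [pscustomobject]@{
            Name      = $loc.DisplayName
            IsTrusted = [bool]$props['isTrusted']
            IpRanges  = ($ranges -join ', ')
            Recent    = ($loc.CreatedDateTime -ge $cutoff -or $loc.ModifiedDateTime -ge $cutoff)
        }
    }
    # True when any trusted location changed recently; relevant for 'AllTrusted' exclusions.
    $recentTrusted = @($byId.Values | Where-Object { $_.IsTrusted -and $_.Recent }).Count -gt 0

    # 2. For each enabled policy that requires MFA, report what it excludes:
    #    an excluded location is precisely where the MFA control does not apply.
    $findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        if ($p.State -ne 'enabled') { continue }
        if (@($p.GrantControls.BuiltInControls) -notcontains 'mfa') { continue }
        $excluded = @($p.Conditions.Locations.ExcludeLocations | Where-Object { $_ })
        foreach ($ref in $excluded) {
            # $ref is a named-location id, or one of the keywords 'All' / 'AllTrusted'.
            $loc      = $byId[$ref]
            $locName  = if ($loc) { $loc.Name } else { $ref }
            $locRange = if ($loc) { $loc.IpRanges } else { '' }
            $recent   = if ($loc) { $loc.Recent } elseif ($ref -eq 'AllTrusted') { $recentTrusted } else { $false }
            [pscustomobject]@{
                Policy       = $p.DisplayName
                ExcludedRef  = $ref
                Location     = $locName
                IpRanges     = $locRange
                RecentChange = $recent
            }
        }
    }
    # Recently changed exclusions sort first; those are the ones to eyeball.
    $findings | Sort-Object RecentChange -Descending
}

Get-TrustedLocationReview -RecentDays 30 | Format-Table -AutoSize
```

Run it after `Connect-MgGraph`; a row whose `RecentChange` is true and whose `IpRanges` you do not recognise is the condition the guide calls a red flag. Reading `ExcludeLocations` rather than only `includeLocations` matters because an MFA policy usually *includes* all locations and *excludes* the trusted ones, so a newly added trusted range shows up on the exclusion side.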

3. Establishing Persistence via Malicious Service Principals

The core of the Landfall attack is the creation of a malicious Service Principal (Enterprise Application) within Azure AD. Using stolen high-privilege credentials, the attacker creates a new application and grants it powerful, persistent API permissions (e.g., Mail.Read, Files.ReadWrite.All, User.ReadWrite.All).

Azure AD PowerShell Command:

# List all Service Principals and their key properties (CreatedDateTime is used in the hunt below)
Get-MgServicePrincipal -All | Select-Object DisplayName, AppId, ServicePrincipalType, AccountEnabled, CreatedDateTime

Step-by-step guide: This command enumerates all service principals in the directory. To hunt for threats like Landfall, filter and scrutinize this list for:

  • `ServicePrincipalType` equal to `Application` (indicating an app-only principal, which is highly persistent).
  • Display names that are suspicious or mimic legitimate services.
  • Recently created principals (`CreatedDateTime`).

Any unauthorized or unknown application with high-privilege permissions must be investigated and immediately disabled.

4. The Golden Ticket to Data: Abusing Application Consent

Landfall operators trick the system into granting administrative consent to their malicious application. This creates a permanent OAuth grant, allowing the attacker’s service principal to access data without the continued need for the stolen user credentials.

Azure AD PowerShell Command:

# Get all OAuth2 permission grants (consents) for the suspicious app.
# The ClientId on a grant is the service principal's object Id, not its AppId,
# so resolve the AppId to the service principal first.
$sp = Get-MgServicePrincipal -Filter "appId eq '<Suspicious-AppId>'"
Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $sp.Id }

Step-by-step guide: This command is vital for detecting illicit consent grants. Replace `<Suspicious-AppId>` with the Application ID found in the previous step. Review the `Scope` property; it often reveals excessive permissions such as `full_access` or scopes ending in `.All`. Regularly auditing all consent grants, especially those approved by administrators, is a critical defense-in-depth measure against this persistence technique.
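The service principal hunt from step 3 and the consent review from step 4 combined into one script, as an added example that is not part of the original post or of any Unit 42 tooling: it selects application-type principals created within a window, resolves each one's application permissions (app role assignments) to readable names such as `Mail.Read`, attaches its delegated OAuth2 grants scope by scope, and counts how many of those permissions match the high-privilege list the post names or end in `.All`. The function name, the 120-day window (matching the campaign's 118 days), the `$HighPrivilege` list and the scopes are my choices; it assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session. Grants are keyed on `ClientId`, which holds the client service principal's object Id rather than its AppId.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK and Connect-MgGraph -Scopes Application.Read.All,Directory.Read.All.
function Get-ServicePrincipalPermissionReview {
    param(
        # Only application-type principals created within this window are reviewed.
        [int]$RecentDays = 120,
        # Permission names treated as high privilege. The first four are the ones the
        # post names; anything ending in ".All" is flagged as well.
        [string[]]$HighPrivilege = @('Mail.Read', 'Files.ReadWrite.All', 'User.ReadWrite.All', 'full_access')
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # Pull every delegated consent grant once and index it by ClientId (the client
    # service principal's object Id, not its AppId).
    $grantsByClient = Get-MgOauth2PermissionGrant -All | Group-Object ClientId -AsHashTable -AsString
    if (-not $grantsByClient) { $grantsByClient = @{} }

    # Cache of resource service principals (Microsoft Graph, Exchange Online, ...)
    # so an appRoleId can be turned into a readable name such as Mail.Read.
    $resources = @{}
    function Get-Resource([string]$Id) {
        if (-not $resources.ContainsKey($Id)) {
            $resources[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -Property Id,DisplayName,AppRoles
        }
        $resources[$Id]
    }

    $candidates = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType,AccountEnabled,CreatedDateTime |
        Where-Object { $_.ServicePrincipalType -eq 'Application' -and $_.CreatedDateTime -ge $cutoff }

    foreach ($sp in $candidates) {
        $perms = @()
        # Application permissions: app role assignments held by the client principal.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $role = (Get-Resource $a.ResourceId).AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            $perms += [pscustomobject]@{ Kind = 'Application'; Resource = $a.ResourceDisplayName; Permission = $role.Value }
        }
        # Delegated permissions: OAuth2 grants, one entry per scope in the grant.
        foreach ($g in (@($grantsByClient[$sp.Id]) | Where-Object { $_ })) {
            $resName = (Get-Resource $g.ResourceId).DisplayName
            foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
                $perms += [pscustomobject]@{ Kind = "Delegated/$($g.ConsentType)"; Resource = $resName; Permission = $scope }
            }
        }
        $flagged = @($perms | Where-Object { $_.Permission -in $HighPrivilege -or $_.Permission -like '*.All' })
        [pscustomobject]@{
            DisplayName   = $sp.DisplayName
            AppId         = $sp.AppId
            Created       = $sp.CreatedDateTime
            Enabled       = $sp.AccountEnabled
            HighPrivilege = $flagged.Count
            Permissions   = ($perms | ForEach-Object { "$($_.Kind) $($_.Resource):$($_.Permission)" }) -join '; '
        }
    }
}

Get-ServicePrincipalPermissionReview -RecentDays 120 |
    Sort-Object HighPrivilege -Descending |
    Format-Table DisplayName, AppId, Created, HighPrivilege, Permissions -AutoSize
```

`Delegated/AllPrincipals` in the output is the tenant-wide admin consent the post describes; `Delegated/Principal` is a single user's consent. An unfamiliar principal near the top of the sorted list, created recently and holding `AllPrincipals` grants or application permissions ending in `.All`, is the case to investigate and disable.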

5. Operational Silence: Living Off the Land with Microsoft Tools

Once persistence is established, Landfall actors avoid deploying traditional malware. Instead, they “live off the land” by using built-in Microsoft tools and APIs for their operations. They use the granted permissions to access Microsoft Graph API endpoints directly for data exfiltration.

cURL Command (Simulating Malicious API Call):

# Example of a malicious actor using a stolen access token to read mail via Microsoft Graph
curl -H "Authorization: Bearer <ACCESS_TOKEN>" "https://graph.microsoft.com/v1.0/me/messages"

Step-by-step guide: This cURL command demonstrates how an attacker, having obtained a valid access token for their malicious service principal, can programmatically access victim data. The `<ACCESS_TOKEN>` is acquired through the OAuth 2.0 client credentials flow. Defenders must monitor for anomalous application activity logs in Azure AD, looking for a service principal performing mass data access operations, which is a clear sign of exploitation.

6. Cloud Forensics: Hunting for Landfall in Your Logs

Detection requires a proactive hunt in Azure AD Sign-In Logs and Audit Logs. Queries should focus on service principal sign-ins and the creation of new applications.

Kusto Query Language (KQL) for Azure Sentinel/Microsoft Defender:

// Hunt for successful service principal sign-ins. In Sentinel these land in
// AADServicePrincipalSignInLogs, not in the interactive SigninLogs table.
AADServicePrincipalSignInLogs
| where AppId != "00000003-0000-0000-c000-000000000000" // Exclude Microsoft Graph's own first-party app ID
| where ResultType == "0"
| where ServicePrincipalName contains "@" // SPNs with '@' are often suspicious
| project TimeGenerated, ServicePrincipalName, AppId, IPAddress, ResourceDisplayName

Step-by-step guide: This KQL query helps identify sign-ins performed by service principals, which is atypical for regular user activity. The line `where ServicePrincipalName contains "@"` is a high-fidelity filter for finding suspicious principals that may have been crafted to look like user identities. Correlate these logs with the `AuditLogs` for `Add service principal` events to build a complete attack timeline.
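The audit-log half of that correlation, as an added example that is not part of the original post or of any Unit 42 tooling: it pulls the directory audit events that mark each stage of application-based persistence and prints them as one timeline per target service principal, so creation, consent and permission grants line up with the actor and time of each. `Add service principal` is the activity the guide names; `Consent to application` and `Add app role assignment to service principal` are the standard Entra ID audit activity names for the consent and application-permission stages. The function name, the 30-day lookback and the scopes are my choices; the code assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK and Connect-MgGraph -Scopes AuditLog.Read.All,Directory.Read.All.
function Get-ServicePrincipalTimeline {
    param(
        [int]$LookbackDays = 30,
        # Audit activity names to correlate. 'Add service principal' is the event the
        # post points at; the other two are the Entra ID audit names for delegated
        # consent and for application-permission (app role) grants.
        [string[]]$Activities = @(
            'Add service principal',
            'Consent to application',
            'Add app role assignment to service principal'
        )
    )
    $since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

    $events = foreach ($name in $Activities) {
        # One query per activity keeps the OData filter to the documented eq/ge forms.
        Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and activityDisplayName eq '$name'"
    }

    foreach ($e in $events) {
        # Who did it: an interactive user, or an application acting on its own.
        $actor = 'unknown'
        if ($e.InitiatedBy.User.UserPrincipalName) { $actor = $e.InitiatedBy.User.UserPrincipalName }
        elseif ($e.InitiatedBy.App.DisplayName)    { $actor = 'app:' + $e.InitiatedBy.App.DisplayName }

        # Which principal was touched: prefer the ServicePrincipal target so that
        # all three event types line up on the same object id.
        $target = $e.TargetResources | Where-Object { $_.Type -eq 'ServicePrincipal' } | Select-Object -First 1
        if (-not $target) { $target = $e.TargetResources | Select-Object -First 1 }

        [pscustomobject]@{
            Time     = $e.ActivityDateTime
            Activity = $e.ActivityDisplayName
            Result   = $e.Result
            Actor    = $actor
            Target   = $target.DisplayName
            TargetId = $target.Id
        }
    }
}

# Grouping on TargetId turns the separate events into one per-principal story:
# creation, then consent, then permission grants, each with its actor and time.
Get-ServicePrincipalTimeline -LookbackDays 30 |
    Sort-Object TargetId, Time |
    Format-Table Time, Activity, Result, Actor, Target -GroupBy TargetId -AutoSize
```

The `TargetId` in this output is the service principal's object Id, which is the same value that appears as `ServicePrincipalId` in the service principal sign-in logs, so joining the two views on it yields the end-to-end timeline the guide calls for.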

7. Mitigation and Hardening: Disabling the Attack Vector

The most effective mitigation is to enforce strict governance over application registration and consent. Disabling user consent entirely and requiring administrative review for all applications is a best practice.

Azure AD PowerShell Command:

# Disable user consent for applications
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    "AllowedToCreateApps"             = $false
    "AllowedToCreateSecurityGroups"   = $false
    "PermissionGrantPoliciesAssigned" = @()
}

Step-by-step guide: This PowerShell command modifies the tenant’s authorization policy to prevent users from registering applications and granting consent. This action centralizes control, forcing all new applications and permission requests to go through an administrative review process. This single configuration change can completely block the consent phishing and malicious service principal creation techniques used in the Landfall campaign.
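A verification script to pair with that change, as an added example that is not part of the original post or of any Unit 42 tooling: it reads the authorization policy back and reports whether each setting the post's command touches is in the hardened state, and additionally checks the admin consent request workflow, which is the complementary setting that routes user requests to administrators once self-service consent is off. Running it on a schedule catches drift back to the permissive defaults. The function name and the warning text are my choices; it assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK and Connect-MgGraph -Scopes Policy.Read.All.
function Test-AppGovernanceHardening {
    $perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions

    # Consent policies assigned to the default user role are what allow users to
    # grant consent themselves; the post's fix clears this list.
    $consentPolicies = @($perm.PermissionGrantPoliciesAssigned | Where-Object { $_ })
    $assigned = if ($consentPolicies.Count) { $consentPolicies -join ', ' } else { '(none)' }

    # Complementary setting not in the post's command: with self-service consent
    # disabled, the admin consent request workflow is what gets requests reviewed.
    $workflow = Get-MgPolicyAdminConsentRequestPolicy

    $checks = @(
        [pscustomobject]@{ Setting = 'AllowedToCreateApps';                Expected = 'False';  Actual = [string]$perm.AllowedToCreateApps }
        [pscustomobject]@{ Setting = 'AllowedToCreateSecurityGroups';      Expected = 'False';  Actual = [string]$perm.AllowedToCreateSecurityGroups }
        [pscustomobject]@{ Setting = 'PermissionGrantPoliciesAssigned';    Expected = '(none)'; Actual = $assigned }
        [pscustomobject]@{ Setting = 'AdminConsentRequestPolicy.IsEnabled'; Expected = 'True';   Actual = [string]$workflow.IsEnabled }
    )
    foreach ($c in $checks) {
        # Hardened is true when the live value matches the expected hardened value.
        $c | Add-Member -NotePropertyName Hardened -NotePropertyValue ($c.Actual -eq $c.Expected) -PassThru
    }
}

$report = Test-AppGovernanceHardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Hardened }) {
    Write-Warning 'Tenant has drifted from the hardened application-governance baseline.'
}
```

A tenant where `PermissionGrantPoliciesAssigned` reads `(none)` but `AdminConsentRequestPolicy.IsEnabled` is `False` has blocked user consent without giving users a sanctioned path to request review, which in practice pushes people toward workarounds; enabling the workflow keeps the governance the post recommends usable.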

What Undercode Say:

  • Identity is the New Endpoint: The Landfall campaign proves that the primary attack surface has decisively shifted from user endpoints to cloud identity and access management (IAM) systems. Defenders must re-prioritize their security focus and tools towards monitoring Azure AD, Conditional Access, and service principals with the same rigor previously applied to EDR.
  • Persistence Over Payload: The attackers’ focus on creating a permanent, credential-independent backdoor via service principals is a masterclass in cloud persistence. It demonstrates that modern adversaries are thinking in terms of “identity persistence” rather than just maintaining access to a compromised machine.

The 118-day duration of the Landfall campaign is not a failure of detection technology but a failure of proactive hunting in the correct domains. Most security operations centers are not yet optimized to hunt for threats within their IAM layer. The attackers exploited this visibility gap. The technical sophistication is moderate, but the operational impact is severe because it targets the core trust mechanism of the cloud. Organizations that do not implement strict application governance and continuous monitoring of service principal activity are operating with a critical blind spot, leaving their entire digital estate vulnerable to long-term, undetected compromise.

Prediction:

The Landfall campaign is a blueprint for the future of cloud-centric cybercrime. We predict a rapid commoditization of these techniques, with attack tools and scripts becoming widely available in underground markets. This will lower the barrier to entry, enabling less sophisticated threat actors to launch similar identity-based attacks. In the next 12-18 months, we anticipate a significant rise in incidents involving malicious OAuth applications and service principal abuse, forcing an industry-wide shift towards Zero-Trust architecture and automated identity threat detection and response (ITDR) solutions. Cloud identity will become the most contested and critical security control plane.

Reported By: Unit42 Unit – Hackers Feeds