The Zombie App-ocalypse: Disrupting Cloud Non-Human Identities

Joshua Bahirvani, a Senior Security Researcher at Microsoft, delivered a Tech Talk on "The Zombie ‘App-ocalypse’: Disrupting Cloud Identities" at VULNCON 2025. As an expert in non-human identities (NHIs), he shared a strategic approach known as disruption through game theory. In his talk, he explored how NHI security is essential for uncovering malicious activity that human-centric multi-factor authentication (MFA) often misses. He stressed that, as adversaries employ tactics like token theft and multi-tenant flooding, security professionals must understand how to investigate and respond to these attacks.

The Rise of the Non-Human Identity (NHI)

In the modern cloud environment, security is no longer just about protecting human users. According to the sources, Non-Human Identities (NHIs)—which include applications, tokens, tenants, agents, and vendor software automations—now outnumber human users in a typical enterprise by a ratio of 17 to 1. These identities are often highly privileged because automation requires deep access to databases, servers, and repositories.

Unlike human identities, NHIs frequently lack Multi-Factor Authentication (MFA), making them a "blind spot" for defenders. To categorize these threats, the sources introduce three types of "Ghosties":

  • The Compromised Ghosty (Blue): Legitimate identities that have been breached.
  • The Malicious Ghosty (Orange/Red): Identities designed specifically for malicious activity.
  • The Dominant Ghosty (White): High-importance identities that can be used for persistence or lateral movement.

Anatomy of an NHI Attack

Adversaries have shifted from "hacking" to simply "logging in" using leaked credentials. The sources highlight two primary attack patterns:

  1. Long-Term Persistence (The APA Method): In one real-world case, an adversary used a leaked token from 2020 to log in three years later. Once inside, they targeted "dominant" applications to reset secrets and maintain access. By pivoting through the cloud's Key Vault, they discovered production tokens that had been active since 2015. This allowed the attacker to switch the context of a production application to access alternative APIs, effectively evading detection for months.
  2. Multi-Tenant Flooding (The APB Method): This tactic targets test tenants, which often lack the strict security hygiene of production environments. In this scenario, an adversary uses a password spray to enter a test tenant and then "jumps" into the production tenant. To stay under the radar, the attacker may consent to 20 or more different applications. This allows them to spread their API calls across multiple identities, keeping each individual identity's activity below the thresholds that would trigger per-identity anomaly detectors.
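The detection gap in the second pattern is that each consented app stays quiet on its own. One defender-side countermeasure is to aggregate activity across the cluster of apps a single actor consented to in a short window. The following is an added example, not code from the talk; the log format, thresholds, and actor names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the talk.
PER_APP_THRESHOLD = 5          # what a per-identity anomaly detector would alert on
CLUSTER_THRESHOLD = 20         # applied to the sum across one actor's consented apps
CONSENT_WINDOW = timedelta(hours=1)

def parse(line):
    """Parse a constructed audit line: '<ISO time> <consent|api_call> key=value ...'."""
    ts, kind, *kv = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in kv)

def consent_clusters(events):
    """Group apps by the actor who consented to them within CONSENT_WINDOW of that actor's first consent."""
    first_seen, clusters = {}, defaultdict(set)
    for ts, kind, f in events:
        if kind == "consent":
            first_seen.setdefault(f["user"], ts)
            if ts - first_seen[f["user"]] <= CONSENT_WINDOW:
                clusters[f["user"]].add(f["app"])
    return clusters

def detect_flooding(lines):
    """Return actors whose consented apps together exceed CLUSTER_THRESHOLD API calls."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    clusters = consent_clusters(events)
    calls = defaultdict(int)
    for _, kind, f in events:
        if kind == "api_call":
            calls[f["app"]] += 1
    findings = {}
    for actor, apps in clusters.items():
        per_app = [calls[a] for a in apps]
        if sum(per_app) > CLUSTER_THRESHOLD:
            findings[actor] = {"apps": sorted(apps), "total_calls": sum(per_app),
                               "max_per_app": max(per_app)}
    return findings

# Constructed sample log: one actor consents to six apps in ten minutes, then each app
# makes four calls (each under PER_APP_THRESHOLD, 24 in total); a second actor is benign.
SAMPLE_LOG = (
    [f"2025-01-10T09:0{i}:00 consent user=tester@test.example app=app-{i}" for i in range(6)]
    + [f"2025-01-10T10:{m:02d}:00 api_call app=app-{i} resource=graph/users"
       for i in range(6) for m in range(4)]
    + ["2025-01-10T09:30:00 consent user=admin@corp.example app=app-hr"]
    + [f"2025-01-10T11:0{m}:00 api_call app=app-hr resource=graph/me" for m in range(3)]
)

if __name__ == "__main__":
    for actor, info in detect_flooding(SAMPLE_LOG).items():
        print(f"{actor}: {info['total_calls']} calls across {len(info['apps'])} apps "
              f"(max per app {info['max_per_app']})")
```

No single app exceeds the per-identity threshold, so only the cross-app aggregation flags the consenting actor; the benign admin with one app stays below the cluster threshold.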

Beyond Detection: The Strategy of Disruption

Detection is necessary, but it is not enough to win the "infinite game" of security. The sources argue that defenders must move toward Strategic Disruption: taking automated actions as a detection occurs to equalize the playing field. By applying Game Theory, defenders can choose a phased approach to "quarantine" threats without disrupting business uptime. These strategies include:

  • Minimax Strategy: Minimizing the adversary's maximum profit by revoking API permissions.
  • Stackelberg Strategy: Countering an adversary's move by disabling sign-ins for specific service principals.
  • Nash Equilibrium: Reaching a state where the cost of the attack exceeds the benefit, often achieved by removing secrets or service principal credentials.

The Defender’s Arsenal

When an NHI is flagged, the sources list several "weapons" available to defenders to disrupt the attack:

  • Revoking Access Tokens: Instantly ending an active session.
  • Disabling Sign-ins: Preventing the identity from authenticating to further resources.
  • Removing Permissions: Stripping the identity down to the most basic "least privilege" access.
  • Deleting Service Principals: The "hammer" used for identities confirmed to be purely malicious.

Conclusion: A Global Effort

Cloud security is a "team sport". Because applications can be registered across multiple tenants, a malicious identity in one environment is often active in others. Strategic disruption involves not only taking action within one's own tenant but also reporting and clustering behaviors across tenants. By sharing this data with cloud providers, defenders can contain "zombie" identities globally, ensuring that when the game is on, the defenders hold the advantage.

🗒️
Analogy for Understanding: Think of NHI security like a massive automated warehouse. You have a few human managers (Human Identities) who use high-security thumbprint scanners to get in. However, you also have 17 times as many small conveyor belts and delivery robots (NHIs) that use simple physical keys. If a thief steals a key to a robot that hasn't been used in years, they can enter through a small service hatch and start moving packages without ever being seen by the manager. Strategic Disruption is like having a system that automatically locks that specific service hatch and disables that specific robot the moment its movement pattern looks suspicious, rather than just sounding an alarm and waiting for a human to arrive.