Time Table

Cloud platforms rely on deep trust between internal components—but what if that trust is broken? This talk presents the discovery and exploitation of CVE-2025-29972, a critical 9.9 CVSS flaw in Azure’s Storage Resource Provider. We reveal a multi-stage attack chain starting from a classic SSRF, used to hijack the identity metadata fetching process and leak Azure Active Directory (AAD) tokens for arbitrary tenants.

Our research introduces “Spray&Pray4Bind,” a novel DNS rebinding technique built to bypass modern caching defenses that render traditional rebinding ineffective. We walk through the full exploit: from SSRF to token abuse, lateral movement, and ultimately regenerating SFTP passwords—compromising tenant storage. Based on internal offensive research at Microsoft, this talk shows how broken trust in cloud services can lead to full compromise—and provides defensive insights for securing complex cloud environments.