Cryptojacking Attack Patterns Checklist for Administrators and Security Professionals: Microsoft

Cloud cryptojacking disguises itself as cloud computing resource abuse, where threat actors exploit legitimate tenants for cryptocurrency mining using their computing power.

Cloud computing abuse leads to financial losses as targeted organizations bear substantial compute fees from cryptojacking, with some incurring over $300,000.


Despite varying cloud provider practices, cloud cryptojacking attacks can occur if a threat actor compromises an identity to create compute. 

That’s why the security experts at Microsoft recently revealed the deployment patterns for defenders to detect and counter such attacks.

Cryptojacking Attack

For cloud cryptojacking, attackers require compromised credentials, emphasizing the importance of credential hygiene and cloud hardening. 

They may also escalate the privileges if needed, even hijacking existing subscriptions to conceal their actions.

After accessing the tenant, threat actors generate abundant computing, favoring fast-core types for cryptocurrency mining. They install cryptomining software in newly created VMs and connect them to mining pools for operation.

Cryptojacking Attack Patterns

Cryptojacking mandates a specific level of cloud environment access. Cloud cryptojacking’s success may lead to hefty charges, deplete crucial resources, and interrupt services for the tenant. 

In short, the following three elements are vital to combat such attacks:-

  • Prevention
  • Detection
  • Mitigation 
Cryptojacking attack (Source – Microsoft)

For this attack, threat actors require access to tenant credentials with the virtual machine contributor role or a path to such an account. They exploit various methods like phishing, leaked credentials, and device compromise. 

Microsoft investigations suggest that multi-factor authentication is often absent, and leaked credentials might be the prevalent vector.

The threat actors use their virtual machines in legitimate tenants for operational infrastructure after getting access by employing living-off-the-land strategies within the cloud environment, requiring no external infrastructure.

Initial access (Source – Microsoft)

The threat actor hijacks the subscription to determine available permissions after gaining access to the tenant and performing reconnaissance.

Subscription hijacking enables threat actors to evade detection, migrating to a target tenant where they hold sufficient privileges.

Once in a tenant, threat actors create compute using existing core quota or riskily increase quotas for higher performance, targeting GPU compute for effective cryptocurrency mining.

Most abused GPU computing cards

Here below, we have mentioned all the GPU compute cards that are abused most:-

  • NVIDIA V100
  • NVIDIA A100 (40GB)

After deploying compute resources, actors exploit Azure VM extensions like NVIDIA or AMD GPU Driver Extension for quicker GPU driver installation, enhancing mining operations.

Top mining domains

Here below, we have mentioned all the top mining domains that the security researchers at Microsoft observe:-

  • nanopool[.]org
  • nicehash[.]com
  • supportxmr[.]com
  • hashvault[.]pro
  • zpool[.]ca
  • herominers[.]com
  • f2pool[.]com
  • minexmr[.]com
  • moneroocean[.]stream
  • miner[.]rocks


Here below, we have mentioned all the recommendations that are offered by the cybersecurity analysts at Microsoft:-

  • Separation of privileged roles.
  • Multifactor authentication.
  • Risk-based sign-in behaviors and conditional access policies.
  • Limit unused quota and monitor for unexpected quota increases.
  • Monitor for external Azure IP addresses authenticated with your tenant.
Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.