Microsoft details multi-stage Linux intrusion
- Microsoft said on May 22 it documented a multi-stage Linux intrusion that began on an Azure-hosted, end-of-life F5 BIG-IP appliance.
- Microsoft said the attacker moved from F5 to Confluence, stole credentials, and used CVE-2025-33073 in Kerberos relay attacks against Active Directory.
- Microsoft’s full threat report, detection guidance and indicators are in its Security Blog post published May 22.
Microsoft detailed on May 22 a multi-stage intrusion that started with an internet-facing F5 BIG-IP appliance and expanded from Linux systems into identity infrastructure, according to a threat report published by the Microsoft Defender Security Research Team. The company said the compromised device was an Azure-hosted BIG-IP Virtual Edition running version 15.1.201000, an end-of-life release. Microsoft said the attacker then pivoted to an internal Linux host, exploited a Confluence server, stole credentials and carried out Kerberos relay activity tied to CVE-2025-33073.

### How did the intrusion begin?

Microsoft said the first confirmed step was SSH access from a network device identified as an F5 BIG-IP load balancer into a Linux host inside the target environment. Device inventory tied that source to an Azure-hosted appliance running version 15.1.201000, which Microsoft described as a BIG-IP Virtual Edition image used in cloud deployments. (microsoft.com)

The May 22 report said edge appliances remain attractive entry points because they sit on the perimeter, are highly trusted internally and can hold credentials, certificates, session material and identity integrations. Microsoft said that combination can let attackers move past traditional controls once the appliance is compromised. (microsoft.com)

### Where did Confluence fit into the attack chain?

Microsoft said the attacker pivoted from the edge device to an internal Linux host and then compromised a vulnerable Confluence instance. The company said that step gave the attacker access to credentials stored or handled by the SaaS application, which were then used in later identity-focused activity. (microsoft.com)

The Microsoft report described the operation as spanning network infrastructure, endpoints, SaaS platforms, cloud workloads and identity systems. That sequence, as Microsoft laid it out, moved the intrusion from a Linux foothold into broader enterprise control paths rather than stopping at a single host. (microsoft.com)

### What was CVE-2025-33073 used for?

Microsoft said the attacker conducted relay-style authentication attacks against Active Directory and specifically cited exploitation of CVE-2025-33073 during Kerberos relay activity. The company said the incident showed how credentials taken from internal web applications can be reused in cross-system authentication attacks. (microsoft.com)

Microsoft’s Security Update Guide lists CVE-2025-33073 in its vulnerability catalog, and the company’s threat report tied that flaw to the identity-compromise phase of the intrusion. Microsoft did not identify the victim organization in the public post.

### How far did the attacker get?

Microsoft said the attack chain ultimately reached Active Directory after beginning on Linux infrastructure. (microsoft.com) The company’s public summary said the operation was “identity-focused” and that the attacker attempted lateral movement after the initial foothold on the F5 appliance and Linux host. (msrc.microsoft.com)

The May 22 post warned that edge-device compromises can expose trusted relationships across directories, cloud services and identity providers. Microsoft said organizations should treat edge devices, non-Windows systems and cloud identities as security-critical assets and monitor them together rather than as separate silos. (microsoft.com)

### What did Microsoft publish for defenders?

Microsoft included mitigation guidance, advanced hunting queries, indicators of compromise and MITRE ATT&CK mappings in the May 22 blog post. The company said Microsoft Defender detected, blocked and reconstructed the intrusion, and it published the attack flow and threat-actor activity chain in the same report. (microsoft.com)

Microsoft’s public reference point for the incident is that May 22 Security Blog entry, which includes the detection guidance, IOCs and product-specific hunting details for defenders reviewing similar F5, Linux and Confluence exposure paths. (microsoft.com)
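The report's first confirmed step, an SSH login from an edge appliance into an internal Linux host that device inventory later identified as an end-of-life BIG-IP, is the kind of event that only stands out when host logs and asset inventory are reviewed together, as Microsoft recommends. The following Python is an added example, not code from Microsoft's report; it parses sshd auth-log lines and correlates the source address with a device inventory, both constructed here with placeholder hosts and addresses, and rates accepted logins from end-of-life appliances highest.

```python
import re

# Constructed sshd auth.log lines (not from the Microsoft report); hosts and
# addresses are made-up placeholders.
AUTH_LOG = """\
May 22 03:14:07 linux-app01 sshd[2231]: Accepted publickey for svc_deploy from 10.10.5.20 port 51422 ssh2: RSA SHA256:c0nstructed
May 22 03:14:09 linux-app01 sshd[2231]: pam_unix(sshd:session): session opened for user svc_deploy by (uid=0)
May 22 03:20:41 linux-app01 sshd[2290]: Accepted password for admin from 10.10.9.7 port 40111 ssh2
May 22 03:22:00 linux-app01 sshd[2310]: Failed password for root from 10.10.5.20 port 51500 ssh2
"""

# Constructed device inventory keyed by IP; in the report, inventory data is what
# tied the SSH source to an end-of-life BIG-IP Virtual Edition.
INVENTORY = {
    "10.10.5.20": {"role": "edge-appliance", "product": "F5 BIG-IP VE", "eol": True},
    "10.10.9.7": {"role": "workstation", "product": "Ubuntu", "eol": False},
}

SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ssh_auth(log_text):
    """Yield one dict per sshd Accepted/Failed line; other sshd lines are skipped."""
    for line in log_text.splitlines():
        m = SSH_AUTH_RE.match(line)
        if m:
            yield m.groupdict()

def appliance_ssh_findings(log_text, inventory):
    """Flag SSH auth events whose source is an inventoried edge appliance.
    Appliances should not open admin SSH sessions into internal Linux hosts;
    a successful login from an end-of-life device rates highest."""
    findings = []
    for ev in parse_ssh_auth(log_text):
        asset = inventory.get(ev["src"])
        if asset is None or asset["role"] != "edge-appliance":
            continue
        accepted = ev["result"] == "Accepted"
        if asset["eol"]:
            severity = "critical" if accepted else "high"
        else:
            severity = "high" if accepted else "medium"
        findings.append({"time": ev["ts"], "target": ev["host"], "user": ev["user"],
                         "source": ev["src"], "product": asset["product"],
                         "accepted": accepted, "severity": severity})
    return findings
```

On the constructed input, the workstation login is ignored while both events from the appliance address are returned: the accepted key-based login as critical and the failed root attempt as high.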