Hello, @Grinnell Support! If there are 70 VMs in your subscription that you did not create and you've been locked out due to unusual activity, it sounds like your subscription was compromised. If you're unable to perform administrator actions (including creating a support ticket), that is likely because your account/login was also compromised (and may still be compromised) and, as a result, your account may be frozen for security reasons. I'll cover a list of options available below.
What should I do if my Azure account is hacked or compromised?
If you can see that your subscription has been compromised or you've actively discovered a compromised subscription, then you'll want to:
- Determine if your Microsoft account is affected. There are instructions for recovering a hacked or compromised Microsoft account, dealing with locked accounts, and resetting your account password. If you still need help, you can complete the Microsoft account recovery form which will get a response within 24 hours. If all else fails, you can try reaching out over phone support or creating a ticket through a different account.
- Enable MFA if it is not already enabled. This is the single most effective step in preventing compromised accounts.
- Review all users/service principals in your subscription. Remove as many unnecessary users/service principals as possible and update the credentials for those that remain using strong passwords and multi-factor authentication. Depending on the attack, you may need to reset your password. Reviewing sign-in logs may help identify suspicious activity and you should also check Risky users in the portal. Read Recovering from systemic identity compromise for complete instructions.
- Confirm all of your contact information is still correct and up to date. This will be critical not only for alerts but also for account recovery if needed.
- Completely disable and delete compromised resources. If malware was left on your resources that you use credentials on such as a VM, you may be setting yourself up for compromising your accounts again. Reviewing activity logs and billing activity may help in identifying suspicious resources.
- Check your email for Terms of Use violation notifications. The email on file with your subscription will receive additional information regarding any Terms of Use violations.
Prevent this from happening moving forward by taking steps to secure your subscription:
Mitigate risks of credential guessing attacks
Almost all of the compromised admins in subscription compromise attacks did not have MFA enabled, which helps to prevent guessing a user's credentials. The following recommendations help significantly reduce the risk of credential guessing attacks.
- Require multi-factor authentication for all users' access
- Block Legacy Authentication
- Implement user and sign-in risk-based policies.
- Eliminate weak passwords on-prem and in the cloud
Enable conditional access policies
Conditional access policies are evaluated and enforced every time an attacker attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant device or trusted IP address requirements. In some cases, the attacker's sign-ins were assessed as high risk. Conditional access can be used to block or require MFA for sign-ins that Azure AD Identity Protection detects are risky in real time.
Enable continuous access evaluation
Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.
Create a break glass/emergency account
Creating an emergency access account is important to prevent you from being accidentally locked out.
Additional Reading:
- Microsoft azure account hacked
- I cannot remove a subscription from my own account, that was recently been hacked
- Account is hacked and permission to subscription has been blocked
- Recovering from systemic identity compromise
- Essential steps to confirm, contain, and secure a compromise
- Get help with your Microsoft account
- Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps
- How it works: Microsoft Entra multifactor authentication
I hope this has been helpful! Your feedback is important so please take a moment to accept answers.
If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
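The answer above recommends reviewing sign-in logs and points at three controls: blocking legacy authentication, risk-based policies, and MFA. The following is an added example, not code from the original answer or from Microsoft, that shows what the review looks like in practice. It runs offline over a constructed sample of sign-in records whose field names mirror the Entra ID sign-in log export (userPrincipalName, ipAddress, clientAppUsed, status.errorCode, riskLevelDuringSignIn, authenticationRequirement); the sample values, the thresholds (three accounts within one hour) and the set of modern client app names are assumptions chosen for illustration. It flags a password spray (one IP failing against many accounts), successful sign-ins that Identity Protection scored risky but that were never challenged for MFA, and successful sign-ins over legacy protocols, which is exactly the gap the recommended policies close.

```python
"""Triage Microsoft Entra ID sign-in log records (constructed sample) for
credential guessing, legacy authentication, and risky single-factor sign-ins."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data).  Field names follow the
# Entra ID sign-in log export; values were chosen to exercise each detector.
SAMPLE_SIGNINS = [
    # Normal interactive sign-in: browser, MFA satisfied, no risk.
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "192.0.2.10", "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "multiFactorAuthentication"},
    # Spray from one IP: one wrong password tried against several accounts.
    *[{"createdDateTime": f"2024-05-01T09:{m:02d}:00Z", "userPrincipalName": upn,
       "ipAddress": "203.0.113.5", "clientAppUsed": "Other clients",
       "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none",
       "authenticationRequirement": "singleFactorAuthentication"}
      for m, upn in enumerate(["alice@contoso.example", "bob@contoso.example",
                               "carol@contoso.example", "dave@contoso.example"])],
    # The spray lands: dave's password guessed, scored high risk, but no MFA.
    {"createdDateTime": "2024-05-01T09:05:00Z", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.5", "clientAppUsed": "Other clients", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "high", "authenticationRequirement": "singleFactorAuthentication"},
    # Legacy protocol (IMAP) sign-in that never hits an MFA challenge.
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication"},
]

# Assumed set of client app values that use modern auth; anything else is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}
# AADSTS error codes for a wrong password (50126) and a locked account (50053).
INVALID_CREDENTIAL_CODES = {50126, 50053}


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_legacy_auth(rec):
    """True when the sign-in used a protocol that cannot be prompted for MFA."""
    return rec["clientAppUsed"] not in MODERN_CLIENT_APPS


def find_password_spray(records, min_users=3, window=timedelta(hours=1)):
    """Return {ip: sorted users} for source IPs whose failed sign-ins touched
    at least min_users distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for rec in records:
        if rec["status"]["errorCode"] in INVALID_CREDENTIAL_CODES:
            failures[rec["ipAddress"]].append((_ts(rec), rec["userPrincipalName"]))
    sprays = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                sprays[ip] = sorted(users)
                break
    return sprays


def find_risky_single_factor_successes(records):
    """Successful sign-ins scored medium/high risk that were not challenged
    for MFA: the gap a risk-based Conditional Access policy closes."""
    return [(rec["userPrincipalName"], rec["ipAddress"]) for rec in records
            if rec["status"]["errorCode"] == 0
            and rec["riskLevelDuringSignIn"] in {"medium", "high"}
            and rec["authenticationRequirement"] != "multiFactorAuthentication"]


def find_legacy_auth_successes(records):
    """Successful sign-ins over legacy protocols: what 'Block Legacy Authentication' stops."""
    return [(rec["userPrincipalName"], rec["clientAppUsed"]) for rec in records
            if rec["status"]["errorCode"] == 0 and is_legacy_auth(rec)]


def triage(records):
    return {
        "password_spray": find_password_spray(records),
        "risky_single_factor": find_risky_single_factor_successes(records),
        "legacy_auth": find_legacy_auth_successes(records),
    }


if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_SIGNINS).items():
        print(f"{finding}: {hits}")
```

On a real export, load the JSON records instead of SAMPLE_SIGNINS and feed them to triage(); every user that shows up under risky_single_factor or legacy_auth is a candidate for the credential reset and MFA enforcement the answer describes, and the spraying IP is what a trusted-location or risk-based Conditional Access policy would have blocked.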