Microsoft Details Multi-Stage Linux Intrusion Abusing F5 BIG-IP and Confluence Vulnerabilities
Attackers compromised an outdated F5 BIG-IP load balancer, pivoted to an internal Linux host, exploited a vulnerable Confluence instance, and conducted relay attacks against Active Directory in a sophisticated multi-domain campaign.

Microsoft Security has published a detailed analysis of a multi-stage intrusion that began with the compromise of an internet-facing F5 BIG-IP load balancer running an end-of-life version. From that edge appliance, the threat actor pivoted to an internal Linux host, exploited an unpatched Atlassian Confluence server, and conducted relay-style authentication attacks against Active Directory. The attack chain illustrates a growing trend where security boundary devices become initial access points, and identities—rather than endpoint vulnerabilities—are the primary target.
The initial foothold was established via SSH access from an F5 BIG-IP Virtual Edition (version 15.1.201000) hosted in Azure. This specific version reached end-of-life on December 31, 2024, meaning it no longer receives security patches. The threat actor authenticated using a privileged account with sudo rights and maintained hands-on-keyboard access throughout the campaign, never deploying explicit persistence mechanisms. Microsoft noted that operational constraints around patching windows for critical appliances often leave organizations exposed to known N-day vulnerabilities.
Once inside, the threat actor performed extensive reconnaissance. They used Nmap for horizontal and vertical network scanning, and the gowitness tool to capture screenshots of HTTP/HTTPS services. The actor also attempted common NTLM-based lateral movement techniques using tools such as enum4linux, netexec, smbclient, and responder. These initial attempts failed against Windows targets, likely due to the organization's use of Remote Trusted Path (RTP) protections that blocked unauthorized execution.
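One way to surface the foothold pattern described above, an interactive SSH login from an edge appliance followed by privileged reconnaissance, is to correlate sshd and sudo events on the internal Linux host. This is an added example, not code or a hunting query from Microsoft's post; the log lines are constructed, and 10.0.0.5 is an assumed placeholder for the load balancer's address (the real indicators are in Microsoft's post).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Linux auth.log lines (not from the Microsoft post).
# 10.0.0.5 stands in for the F5 BIG-IP address; 10.20.30.40 is an ordinary admin workstation.
SAMPLE_LOG = """\
Mar 10 08:01:12 web01 sshd[2211]: Accepted password for svc_deploy from 10.0.0.5 port 51022 ssh2
Mar 10 08:01:40 web01 sudo: svc_deploy : TTY=pts/1 ; PWD=/home/svc_deploy ; USER=root ; COMMAND=/usr/bin/nmap -sS 10.0.1.0/24
Mar 10 09:15:03 web01 sshd[2290]: Accepted publickey for alice from 10.20.30.40 port 50112 ssh2
Mar 10 09:16:00 web01 sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Assumed: addresses of load balancers that have no business opening interactive SSH sessions inward.
EDGE_APPLIANCE_IPS = {"10.0.0.5"}
WINDOW = timedelta(minutes=30)  # how long after the login a sudo run is still attributed to that session

SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo: +(\S+) : .*COMMAND=(.*)$")


def _ts(stamp):
    # syslog timestamps omit the year; a fixed year is assumed for the constructed sample
    return datetime.strptime("2024 " + stamp, "%Y %b %d %H:%M:%S")


def find_edge_pivots(log_text, edge_ips=EDGE_APPLIANCE_IPS, window=WINDOW):
    """Return (user, source_ip, command) for every sudo run that follows, within `window`,
    an SSH login by the same user from an edge-appliance address."""
    recent = {}  # user -> (login time, source ip), only for logins from edge appliances
    hits = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            when, user, src = m.groups()
            if src in edge_ips:
                recent[user] = (_ts(when), src)
            else:
                recent.pop(user, None)  # a newer login from elsewhere supersedes the suspicious one
            continue
        m = SUDO_RE.match(line)
        if m and m.group(2) in recent:
            when, user, cmd = m.groups()
            login_at, src = recent[user]
            if _ts(when) - login_at <= window:
                hits.append((user, src, cmd))
    return hits
```

On the sample above the function flags only the svc_deploy session (login from the appliance, then an Nmap sweep under sudo) and ignores alice's routine package update from a workstation.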
The breakthrough came when the threat actor identified an Atlassian Confluence server with unpatched vulnerabilities. Leveraging those flaws, they achieved remote code execution on the Confluence host. The attacker used the initial compromised Linux server as a staging point, and because the hardened Windows environment blocked direct payload execution, they had to iterate multiple times before successfully deploying their malicious code onto the Confluence instance.
From the compromised Confluence server, the threat actor conducted a relay-style authentication attack against Active Directory. By abusing the credentials and trust relationships associated with the SaaS application, they were able to move laterally into the identity infrastructure. This phase of the attack highlights how a single vulnerable application, when linked to directory services, can become a gateway to the entire enterprise authentication system.
Microsoft provides detection guidance for Microsoft Defender XDR, advanced hunting queries, and a full set of indicators of compromise (IOCs) in its post. The techniques observed align broadly with MITRE ATT&CK tactics including initial access (T1190), discovery (T1046), lateral movement (T1550), and credential access (T1557). The campaign underscores the importance of treating edge appliances, non-Windows systems, and cloud identities as critical security assets that require continuous monitoring and patching.
This incident reflects a broader industry shift toward identity-centric, multi-domain attack chains that span network infrastructure, endpoints, SaaS platforms, cloud workloads, and identity systems. As edge appliances increasingly store credentials, certificates, and authentication tokens, their compromise provides attackers with a durable foothold and visibility that bypasses traditional perimeter defenses. Organizations are urged to prioritize attack path analysis, retire deprecated devices, and enforce least-privilege principles across all identities.