Multiple security research teams reported DNS-related abuse paths that can be weaponized for denial-of-service and authentication relay. Unit 42 described how Azure Private Endpoint/Private Link DNS behavior can be leveraged—accidentally or maliciously—to disrupt access to Azure resources by effectively “over-privatizing” name resolution, creating a DoS condition for services such as Storage Accounts, Key Vault, Cosmos DB, Azure Container Registry, Function Apps, and OpenAI accounts. Their assessment suggested the exposure is not rare in the wild (they observed 5%+ of Azure storage accounts in configurations susceptible to this DoS pattern) and noted Microsoft guidance around internet fallback as a partial mitigation, alongside recommendations to scan environments for susceptible configurations.
Separately, Cymulate detailed a Kerberos authentication relay technique via DNS CNAME abuse in Windows/Active Directory environments: an on-path attacker can influence DNS CNAME resolution so Windows clients request Kerberos service tickets for attacker-chosen SPNs, enabling relays to services like SMB/HTTP when signing or Channel Binding Tokens (CBT) are not enforced. Cymulate stated Microsoft acknowledged the behavior and responded by improving target-service resilience, including backported CBT support for HTTP.sys in supported Windows Server versions (released in a January patch cycle). A third report from Positive Technologies analyzed an RCE path in Windows Telephony Service (TAPI) via arbitrary file write from a low-privileged client, which is a distinct Windows local/service exploitation topic and not part of the DNS/Kerberos abuse story.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Cymulate publicly detailed a Kerberos authentication relay technique that abuses DNS CNAME responses to coerce victims into requesting service tickets for attacker-chosen SPNs. The write-up showed how this can enable user impersonation, lateral movement, privilege escalation, and possible RCE against services lacking signing or CBT protections.
Palo Alto Networks Unit 42 reported a denial-of-service condition in Azure where linking a Private DNS zone to a virtual network can force name resolution through that zone and break connectivity if required records are missing. The issue can be triggered accidentally by administrators or vendors, or intentionally by an attacker with Azure access, and may affect services including Storage, Key Vault, Cosmos DB, ACR, Function Apps, and OpenAI accounts.
In January 2026 security updates, Microsoft added and backported Channel Binding Token support for HTTP.sys across supported Windows Server versions, tracked as CVE-2026-20929. This reduced exposure to HTTP-based Kerberos relay scenarios stemming from the CNAME abuse technique.
Cymulate Research Labs reported to Microsoft that Windows Kerberos clients follow DNS CNAMEs when constructing SPNs during TGS requests, enabling a relay technique if an attacker can tamper with DNS responses. Microsoft confirmed the behavior and opted to address exposure mainly through service-layer protections rather than changing the underlying client behavior.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.