
The Event Grid tap: a rogue subscription that hides in fan-out

Event Grid fans out one-to-many, so a rogue subscription mirrors your events without breaking anything. A blocked endpoint simply gets repointed. Here is the real fix.

Event Grid fans events out to many subscribers, so adding one more subscriber breaks nothing. That is exactly why a rogue subscription pointed at an attacker webhook is a quiet, durable tap.

How the attack works

Using write access to Event Grid, the attacker adds a new event subscription on a production system topic and points its delivery webhook at an external endpoint the org does not own. Every matched event is now copied off-tenant. Because the fan-out is one-to-many, the existing pipeline keeps working and nothing breaks. Delivery metrics soon show successful deliveries to the external endpoint alongside the legitimate handlers, and the mirrored events include blob-created and resource-write notifications that reveal data locations and change activity. In ATT&CK terms this is T1098, Account Manipulation, for persistence, with T1530, Data from Cloud Storage, and T1119, Automated Collection.

Why it works

Anyone with broad Event Grid contributor rights could add a subscription to any topic with any delivery endpoint. The legitimate pipeline never stops, so the tap produces no outage and no obvious symptom.

How to fix it

The subscription is the tap, not the endpoint. Blocking the external endpoint at the network is trivially bypassed by repointing the still-present subscription. Delete the rogue event subscription so no events are matched and delivered, then tighten the Event Grid RBAC that allowed the write and alert on every eventSubscriptions write. Constrain delivery to approved destinations going forward. Scope what leaked from Event Grid delivery diagnostic logs and metrics, bounded between the subscription create and delete times, since the configuration filter is not a delivery record.
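An added detection example, not the field note's or GraphLattice Range's own tooling: it triages eventSubscriptions writes from Activity Log records that have been flattened to a few assumed field names, flags any webhook host outside an approved destination set, and bounds the exposure window by the create and delete timestamps so delivery logs can be scoped. The sample records, hosts and resource ids are constructed.

```python
"""Triage Event Grid eventSubscriptions writes from flattened Activity Log records.
Every write yields a finding; a webhook host outside the approved set is a
possible tap, and the create/delete timestamps bound the exposure window.
Assumed field names: op, id, caller, time, endpoint_url (taken from the ARM body
at properties.destination.properties.endpointUrl). Sample records are constructed."""
from datetime import datetime
from urllib.parse import urlparse

WRITE_OP = "Microsoft.EventGrid/eventSubscriptions/write"
DELETE_OP = "Microsoft.EventGrid/eventSubscriptions/delete"
APPROVED_HOSTS = {"functions.example.internal"}  # delivery hosts the org owns

TOPIC = ("/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod/providers/"
         "Microsoft.EventGrid/systemTopics/prodblob/eventSubscriptions/")
RECORDS = [  # constructed, oldest first
    {"op": WRITE_OP, "id": TOPIC + "ingest", "caller": "pipeline-sp",
     "time": "2024-05-01T09:00:00Z",
     "endpoint_url": "https://functions.example.internal/api/ingest"},
    {"op": WRITE_OP, "id": TOPIC + "metrics-mirror", "caller": "contractor-user",
     "time": "2024-05-03T22:14:00Z",
     "endpoint_url": "https://collector.outside-example.net/hook"},
    {"op": DELETE_OP, "id": TOPIC + "metrics-mirror", "caller": "ir-analyst",
     "time": "2024-05-05T10:14:00Z"},
]

def endpoint_host(url):
    """Lowercased hostname of a webhook URL, or None if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else None

def triage(records, approved=APPROVED_HOSTS):
    """One finding per eventSubscriptions write, keyed by subscription resource id."""
    findings = {}
    for rec in records:
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        if rec["op"] == WRITE_OP:
            host = endpoint_host(rec.get("endpoint_url", ""))
            findings[rec["id"]] = {"caller": rec["caller"], "host": host,
                                   "approved": host in approved, "created": when,
                                   "deleted": None, "exposure_hours": None}
        elif rec["op"] == DELETE_OP and rec["id"] in findings:
            f = findings[rec["id"]]
            f["deleted"] = when  # delivery logs need scoping only up to here
            f["exposure_hours"] = (when - f["created"]).total_seconds() / 3600
    return findings

def rogue_taps(findings):
    """Subscriptions whose delivery host is not an approved destination."""
    return {k: v for k, v in findings.items() if not v["approved"]}
```

Calling `rogue_taps(triage(RECORDS))` on the constructed records returns only the metrics-mirror subscription, with a 36-hour window between its create and delete to bound the delivery-log search.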

Practice it

We built this as a GraphLattice Range scenario so teams can rehearse the silent tap, the delete-the-subscription containment, and the RBAC fix that stops a re-add.