Microsoft Sues Over “De3u” Tool Used to Hijack Azure AI – Ankor Tech

Microsoft has initiated legal action against an unidentified group of defendants, referred to as “Does,” for allegedly developing a malicious software tool designed to bypass safety filters and exploit its Azure OpenAI Service. The lawsuit, filed following an internal investigation, accuses the group of systematic API key theft and operating a “hacking-as-a-service” scheme to generate illicit and offensive content.

The “De3u” Exploit Explained

According to the complaint, Microsoft discovered in July 2024 that cybercriminals were illicitly accessing Azure OpenAI credentials. The defendants reportedly utilized a client-side tool dubbed de3u, which facilitated the use of stolen API keys to access DALL-E image generation models. This tool allowed users to bypass Microsoft’s mandatory safety protocols and content filtering systems, which typically flag or block prohibited prompts.

A screenshot of the De3u tool from the Microsoft complaint.

The lawsuit claims that de3u was specifically engineered to route communications to Microsoft’s systems while preventing the Azure service from revising or rejecting prompts that violated acceptable use policies. The project’s code, previously hosted on the Microsoft-owned platform GitHub, has since been taken offline.

Legal Grounds and Corporate Response

Microsoft accuses the defendants of multiple violations, including breaches of the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and federal racketeering laws. The company is currently seeking injunctive relief and unspecified damages.

In a formal blog post, Microsoft confirmed that a court has authorized the seizure of a website deemed “instrumental” to the defendants’ operation. This move is intended to help investigators map out the monetization of the service and dismantle the group’s remaining technical infrastructure.

Strengthening Azure Security

Beyond the legal battle, Microsoft has implemented unspecified countermeasures and added new safety mitigations to the Azure OpenAI Service. While the company has not disclosed the full technical scope of these fixes, the focus remains on preventing the unauthorized programmatic access that allowed for the systematic theft of customer API keys.

The investigation into how exactly the defendants obtained the keys from various U.S.-based customers remains ongoing, as Microsoft continues to track the pattern of exploitation used to facilitate the creation of harmful AI-generated media.