Initial Access Threats to Entra ID/Azure AD

IT Security Analysts should know that staying up-to-date with the latest attack techniques is crucial for protection against evolving threats. This includes researching and tracking new vulnerabilities, exploits, and techniques used for initial access.

Initial access refers to the first step in a cyber attack where an attacker gains unauthorized access to a system or network. It's often achieved through social engineering tactics, phishing, compromised credentials, or exploiting known vulnerabilities.

The usual suspects: common initial access techniques

This article is a short summary of common initial access techniques for Entra ID (Azure AD) and its resources.

1. Credentials abuse

The old hacker trick of just "logging in" 😽

Credential leaks and info-stealers are still as rampant as they have ever been, making it possible for attackers to gain access to users' passwords to abuse and test against services. This, combined with common password patterns, weak password policies and/or lacking multi-factor enforcement still makes it possible for attackers to simply log in to your cloud. Often the attackers test only one or a few statistically probable passwords on a large amount of users to get in.

When performing audits or penetration tests we often see misconfigured multi-factor authentication, where: certain device types, locations, groups and/or users are excluded, and; conditional access policies are configured with too broad MFA exclusion rules. These issues create holes in authentication for attackers to abuse. For example, are you allowing all users coming from the HQ egress IP-address to skip MFA? Have you thought about the Guest Wi-Fi? What happens when an attacker gets foothold on a laptop or server at HQ?

Legacy authentication is the culprit of the vast majority of credential stuffing and password spray attacks. These authentication protocols do not support multifactor authentication and are thus, if enabled, low-hanging fruit for attackers.

Password attacks such as password spraying can be leveraged against many different systems and components, such as ADFS, external VPN/SSO providers (e.g., Cisco AnyConnect, Okta, Auth0). Readily available password spraying tools are designed to target and abuse these services. Similarly, there are tools used to enumerate usernames for password attacks through various, countless means (e.g., Office 365, OneDrive, Teams and LinkedIn); of which many do not leave any traces in logs.

Protection measures include the following:

• Enforce MFA by default (on all devices)
• Review MFA exclusion rules, especially for privileged identities
• Enforce a strong password policy
• Block legacy authentication protocols
• Monitor Smart Lockout activity
• Use Entra ID Password Protection
• Block IP-addresses and ranges (limit to known good)

Additional information can be found at:

• Overview of Identity Protection (Microsoft).
• Conditional Access polices designed to limit device code flow and legacy authentication flows.

2. Adversary-in-the-Middle (AiTM)

An attacker acts as a proxy between the user and the cloud. The user is sent to a malicious landing page which navigates through legitimate authentication processes, including MFA. The attacker captures credentials and MFA-approved access tokens. Attackers often use legitimate looking domains, CDN's or similar to bypass vetting. A variant involves using Azure websites to run the proxy, taking advantage of Microsoft's own trusted domains.

Here, protection measures can be to:

• Educate users
• Implement phishing-resistant authentication flows such as FIDO2, Windows Hello, and CBA
• Leverage Exchange Online Protection (EOP) and Office 365 Defender

Additional information can be found at:

• Well known AiTM framework, Evilginx
• MITRE T1557
• AiTM, AzureAd-Attack-Defense (Github)

3. Device Code Phishing/Dynamic Device Code phishing

Attackers exploit the OAuth device authentication flow for Entra ID tenant, tricking users into authenticating an application through a fake device using a device code. The attacker receives fresh access and refresh tokens in the user's name, which can be used to access for example Microsoft Office APIs. The functionality is intended to enable users to sign in to input-constrained devices such as a smart TVs, printers or IoT devices.

The attack can be hard to detect for users due to that the entire process is using legitimate Microsoft domains. The attacker initiates the authentication flow, requesting access to certain API's, sends the device code to a user together with some pretext such as "Please access linked document with following code" and a link: https://login.microsoftonline.com/common/oauth2/deviceauth (see image below). If the user goes through authentication, the attacker can fetch their newly created tokens by polling a Microsoft API endpoint.

Protection measures:

• Educate users
• Block device codes entirely
• Implement custom monitoring to detect and capture malicious devices
• Require managed devices/compliance, for compliance (had issues with bypasses)

Additional information can be found at:

• OAuth device code flow and phish (Optiv)
• OAuth device code phishing (Secureworks)
• Intune device compliance bypass (Jumpsec Labs)

4. Application Consent/Illicit Consent Grant attack

Attackers register an Azure application in their own cloud tenant, which requires consent granting it access to the user's data in their Entra ID tenant and its services (e.g., email, documents). The attacker lures the user into approving the application by phishing over email or Teams, after consent has been given the attacker application will have delegated access rights to the targeted resources. Often SharePoint and emails contain a trove of information and often credentials which can lead to privilege escalation and further access into the tenant.

Protection measures:

• Educate users
• Regularly inspect and monitor all application consents
• Limit non-admins from consenting to third-party applications (all)
• Use admin consent flow
• Train admins on these attacks, as even low-risk APIs can be exploited

Additional information can be found at:

• A New App Consent Attack: Hidden Consent Grant (Semperis)
• Consent Grant Attack, AzureAD-Attack-Defense (Github)
• Script for defenders to list delegated app consents in tenant

5. Teams Phishing

External or compromised internal users are used to contact other teams, abuse Teams functionality, allowing them to execute the above attacks or getting the victim to run malware. An attacker can abuse their own external Entra ID tenant and Teams to contact users within the target organisation, setting a deceiving display name to for example "IT helpdesk XXXX" where XXXX could be a known external supplier. It is also possible to obfuscate content links and similar functionality within Teams to trick a user into downloading or executing the attackers payload.

Protection measures:

• Educate users
• Use Teams ZAP (Zero-hour Auto Purge)/EOP
• Prevent users from uploading their own Teams apps
• Conduct regular audits with CIS benchmarks
• Isolate external meetings in isolated team, restrict resource access and sharing (SharePoint etc)
• Remove and monitor guests and avoid inviting new guests frequently
• Make all Teams groups private

Additional information can be found at:

• Ransomware gangs pose as IT support in Microsoft Teams phishing attacks (Bleeping Computer)
• Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 (Microsoft)

Conclusion

By staying informed about the latest attack techniques and implementing effective countermeasures, organizations can significantly reduce the risk of initial access threats to Entra ID and its resources. It is also essential to regularly review and update security policies and procedures to ensure they remain effective in protecting against evolving threats.

It's evident that user education stands out as a critical defense mechanism in mitigating initial access threats. Many of the techniques described - such as AiTM attacks, device code phishing, application consent attacks, and Teams phishing - rely heavily on user manipulation through social engineering. Well-informed users become active participants in the organization's security posture. However, it is also important to aid the users and the organisation by keeping track of and applying the latest technical security controls over time, to minimize and monitor the available attack surface.

Assured Security Consultants offer a comprehensive suite of services designed to empower organizations in fortifying their security. Our technical security services, combined with expert advisory, help organizations build resilient and proactive security defenses to strengthen their security posture and create value through security.