Cyber security news for all


    Misuse of Microsoft’s Cross-Tenant Sync Feature

    Cybercriminals are increasingly targeting Microsoft identities to break into not only Microsoft applications but also the SaaS platforms federated with them. Their approach does not necessarily rely on vulnerabilities; instead they abuse native Microsoft features to reach their goals. A case in point is Nobelium, the group behind the SolarWinds breaches, which has used native capabilities such as establishing federated trusts [1] to keep uninterrupted access to a Microsoft tenant.

    This piece looks at another native feature which, if abused, gives an attacker persistent access to a Microsoft cloud tenant and a path to move laterally into a different tenant. By exploiting loosely configured Cross-Tenant Synchronization (CTS), attackers can reach other connected tenants, or they can set up a rogue CTS configuration to keep a foothold in a tenant they already control. Vectra AI reports that this technique has not yet been observed in the wild, but given how similar features have been abused, the firm wants defenders to know the indicators of such an attack and how to monitor for it ahead of time. The article also describes how Vectra AI customers are already covered by its AI-driven detections and Vectra's Attack Signal Intelligence™.

    Understanding Cross-Tenant Synchronization (CTS)

    CTS is a fairly recent Microsoft Entra ID (Azure AD) feature that lets an organization synchronize users and groups from one or more source tenants into a target tenant and grant them access to resources there. It is useful for large enterprises with several tenants across affiliated companies, but a careless configuration also gives an attacker something to work with. Two ways malicious actors could misuse CTS:

    1. Lateral Movement: From a compromised tenant, an attacker can ride an existing CTS configuration into another tenant that trusts it.
    2. Backdoor Access: An attacker inside a compromised tenant can create a rogue CTS configuration, with a tenant they control as the source, so that accounts they own keep being synced in and their access survives the cleanup of the original foothold.

    The Assumption

    These techniques work on an ‘Assumed Compromise’ premise: they start from the position that an identity within Microsoft’s cloud ecosystem has already been taken over.

    Key Terms

    • Source Tenant: The tenant from which users and groups are synced.
    • Target Tenant: The tenant into which users and groups are synced and where the resources live.
    • CTS: Abbreviation for ‘Cross-Tenant Synchronization’.
    • CTA: Abbreviation for ‘Cross-Tenant Access’, the inbound and outbound access settings a tenant defines for each partner tenant.
    • Compromised Account: The adversary’s initial point of access.

    The Mechanism

    A successful attack requires the right licenses and elevated privileges in the breached tenant. A Global Administrator holds every permission needed. Microsoft’s documentation also lists narrower roles that suffice for each step: Security Administrator for the cross-tenant access settings, Hybrid Identity Administrator for the synchronization configuration, and Cloud Application Administrator or Application Administrator for assigning users to it, with a Microsoft Entra ID P1 license required for the feature.

    Defensive Measures

    Following the configuration best practices keeps the risk down. Do not allow an all-inclusive inbound CTA configuration, such as permitting all users from a partner tenant; restrict the groups that are granted access and keep them under strict review; and monitor changes to partner, cross-tenant access and synchronization settings so that a newly added partner tenant does not go unnoticed.
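    The check described above, as an added example that is not Vectra AI’s or Microsoft’s code: it reads a list of partner tenants in the shape Microsoft Graph returns for `GET /policies/crossTenantAccessPolicy/partners` (the `crossTenantAccessPolicyConfigurationPartner` resource) and flags the two patterns from this article, an inbound configuration open to all users (lateral movement) and a partner tenant nobody approved that has inbound sync enabled (backdoor). The partner records are constructed sample data and `APPROVED_PARTNER_TENANTS` is a hypothetical allow list an organization would maintain itself.

```python
"""Audit a tenant's cross-tenant access partner settings for risky CTS/CTA configuration.

Added example, not code from Vectra AI or Microsoft. Field names follow the Microsoft Graph
crossTenantAccessPolicyConfigurationPartner resource; the partner records are constructed
sample data and APPROVED_PARTNER_TENANTS is a hypothetical allow list.
"""
import json

# Tenants the organization has deliberately agreed to sync with (hypothetical IDs).
APPROVED_PARTNER_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample: one expected affiliate, one suspicious partner, one idle partner.
SAMPLE_PARTNERS_JSON = json.dumps({"value": [
    {   # affiliate: inbound sync on, inbound B2B collaboration scoped to a single group
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
        "b2bCollaborationInbound": {
            "usersAndGroups": {"accessType": "allowed", "targets": [
                {"target": "aaaaaaaa-0000-0000-0000-000000000001", "targetType": "group"}]},
            "applications": {"accessType": "allowed", "targets": [
                {"target": "AllApplications", "targetType": "application"}]},
        },
    },
    {   # unknown tenant with inbound sync enabled and every user allowed in: backdoor pattern
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
        "b2bCollaborationInbound": {
            "usersAndGroups": {"accessType": "allowed", "targets": [
                {"target": "AllUsers", "targetType": "user"}]},
            "applications": {"accessType": "allowed", "targets": [
                {"target": "AllApplications", "targetType": "application"}]},
        },
    },
    {   # unknown tenant, but nothing inbound is enabled
        "tenantId": "33333333-3333-3333-3333-333333333333",
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": True},
        "b2bCollaborationInbound": None,
    },
]})


def _all_users_allowed(b2b_setting) -> bool:
    """True when the inbound usersAndGroups rule is 'allowed' for the AllUsers target."""
    if not b2b_setting:
        return False
    rule = b2b_setting.get("usersAndGroups") or {}
    if rule.get("accessType") != "allowed":
        return False
    return any(t.get("target") == "AllUsers" for t in rule.get("targets") or [])


def audit_partner(partner: dict) -> list:
    """Return the list of risky settings found on one partner record (empty if none)."""
    findings = []
    if partner.get("tenantId") not in APPROVED_PARTNER_TENANTS:
        findings.append("unapproved partner tenant")
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    if sync.get("isSyncAllowed") is True:
        findings.append("inbound user sync allowed")
    consent = partner.get("automaticUserConsentSettings") or {}
    if consent.get("inboundAllowed") is True:
        findings.append("inbound consent auto-redeemed")
    if _all_users_allowed(partner.get("b2bCollaborationInbound")):
        findings.append("inbound B2B collaboration open to all users")
    return findings


def severity(findings: list) -> str:
    """Rate the findings: an unapproved source that is allowed to sync users in is the backdoor."""
    unapproved = "unapproved partner tenant" in findings
    if unapproved and "inbound user sync allowed" in findings:
        return "rogue CTS candidate"
    if unapproved or "inbound B2B collaboration open to all users" in findings:
        return "review"
    return "ok"


def audit_policy(partners_json: str) -> dict:
    """Map each partner tenant ID to (severity, findings) for the whole partner list."""
    results = {}
    for partner in json.loads(partners_json).get("value", []):
        findings = audit_partner(partner)
        results[partner["tenantId"]] = (severity(findings), findings)
    return results


if __name__ == "__main__":
    for tenant_id, (level, findings) in audit_policy(SAMPLE_PARTNERS_JSON).items():
        print(f"{tenant_id}: {level} {findings}")
```

    Against a live tenant the same JSON comes from `https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners` with a policy read permission such as Policy.Read.All. Running the audit on a schedule and diffing the partner list against the previous run surfaces a newly added partner tenant the moment it appears, which is the event the backdoor scenario depends on; the approved affiliate still shows inbound sync and automatic redemption enabled, because those are the settings CTS needs, so the allow list rather than the sync flag alone is what separates expected from rogue.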

    For Vectra Customers

    Vectra’s portfolio is equipped to detect these malicious activities. The emphasis on detecting behavioral patterns, rather than relying on known attack signatures, places Vectra in a unique position to identify emerging threats like this one.

    Test to Protect

    Regular, realistic testing of the environment is essential. The MAAD Attack Framework (MAAD-AF) is an open-source tool that bundles widely used attacker techniques so security teams can emulate them against their own Microsoft cloud environment. It is available on GitHub and is a useful asset for ongoing security evaluation.
