Attackers are increasingly abusing Microsoft identities to reach both Microsoft and federated SaaS applications. Rather than exploiting software vulnerabilities, they use native Microsoft features to achieve their goals. Nobelium, the group linked to the SolarWinds attacks, has been observed using such native functionality, such as adding a federated trust, to maintain persistent access to Microsoft tenants.
This article highlights another native feature which, if abused, gives an attacker persistent access to a Microsoft cloud tenant and a path for lateral movement into other tenants. An attacker can exploit a misconfigured Cross-Tenant Synchronization (CTS) setup to reach other connected tenants, or deploy a rogue CTS configuration to persist within a tenant. Vectra AI notes that this technique has not been seen in the wild but urges defenders to understand it and monitor for its execution. Vectra AI customers are already protected against this technique through its AI-driven detections and Vectra Attack Signal Intelligence™.
Cross-Tenant Synchronization (CTS) is a new Microsoft feature that lets an organization push users from a source tenant into a target tenant as B2B collaboration users so they can access the target tenant's resources. Useful for organizations such as business conglomerates that run several tenants, CTS poses risk if it is not properly managed: a trusted synchronization path is also a path for reconnaissance, lateral movement, and persistence.
The techniques below assume an already compromised identity in a Microsoft cloud environment, for example one stolen through a browser compromise on an Intune-managed endpoint.
Key points about how CTS is configured:
- Users are pushed from the source tenant into the target tenant; the target tenant cannot pull them.
- With automatic redemption of invitations enabled in both tenants, a synced user never has to accept a B2B invitation, so no user interaction is needed.
- Which users are in scope for synchronization is decided in the source tenant, typically by membership in a group assigned to the CTS provisioning configuration.
Both techniques require the licensing CTS itself depends on (Microsoft Entra ID P1 in the tenants involved) and the compromise of a privileged account in the tenant the attacker already holds. The first technique is lateral movement: where the compromised tenant is already a CTS source, the attacker adds a controlled identity to the group in scope for synchronization and is pushed into the connected target tenant. The second is persistence: the attacker deploys a rogue cross-tenant access configuration in the compromised tenant that accepts inbound synchronization from an attacker-controlled tenant, from which new identities can be pushed in at any later time.
Defensive measures include avoiding default inbound cross-tenant access (CTA) settings that allow all users, groups and applications from a source tenant to sync inbound, and instead deploying narrowly scoped inbound CTA configurations per partner. Source tenants should ensure that the groups allowed to access other tenants via CTS are tightly controlled and monitored for membership changes.
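As an added example (not code from the original article or from Vectra AI), the script below turns the configuration points and defensive advice above into a review of a target tenant's cross-tenant access settings. The two inputs are constructed by hand but follow the JSON shape of the Microsoft Graph resources crossTenantAccessPolicyConfigurationDefault and crossTenantAccessPolicyConfigurationPartner (with its identitySynchronization relationship); in a real review they would come from GET /policies/crossTenantAccessPolicy/default and GET /policies/crossTenantAccessPolicy/partners/{tenantId}/identitySynchronization. The tenant, group and application IDs are placeholders.

```python
"""Flag cross-tenant access settings that let a partner tenant push users into
this tenant via CTS. Added example; sample data constructed, not real tenants."""

WILDCARDS = {"AllUsers", "AllApplications"}


def allows_everything(rule):
    """True when a usersAndGroups/applications rule grants the wildcard target.
    None means the rule is absent and the default policy applies."""
    if rule is None:
        return None
    if rule.get("accessType") != "allowed":
        return False
    return any(t.get("target") in WILDCARDS for t in rule.get("targets", []))


def effective_inbound(partner, default):
    """A partner-specific b2bCollaborationInbound block overrides the default
    policy; a null block inherits the default (the service default is all/all)."""
    own = partner.get("b2bCollaborationInbound")
    block = own or default["b2bCollaborationInbound"]
    return {
        "users_all": bool(allows_everything(block.get("usersAndGroups"))),
        "apps_all": bool(allows_everything(block.get("applications"))),
        "inherited": own is None,
    }


def review_partner(partner, default):
    """Return (severity, message) findings for one partner tenant."""
    findings = []
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    if not sync.get("isSyncAllowed"):
        return findings  # this tenant does not accept pushed users from the partner
    consent = partner.get("automaticUserConsentSettings") or {}
    if consent.get("inboundAllowed"):
        findings.append(("HIGH", "inbound sync with automatic invitation redemption: "
                         "the partner's admins can create accounts here with no interaction"))
    else:
        findings.append(("MEDIUM", "inbound sync enabled; invitations still need redemption"))
    inbound = effective_inbound(partner, default)
    if inbound["users_all"] and inbound["apps_all"]:
        src = "inherited from default" if inbound["inherited"] else "set for this partner"
        findings.append(("HIGH", f"inbound collaboration allows all users and all "
                         f"applications ({src}); scope it to named groups and apps"))
    return findings


def review_policy(default, partners):
    """Map each partner tenantId (and '_default') to its list of findings."""
    report = {}
    d = default["b2bCollaborationInbound"]
    if allows_everything(d["usersAndGroups"]) and allows_everything(d["applications"]):
        report["_default"] = [("WARN", "default inbound policy allows all users and all "
                               "applications; partners without an override inherit it")]
    for p in partners:
        report[p["tenantId"]] = review_partner(p, default)
    return report


# Constructed sample: the service-default inbound policy (allow everything).
DEFAULT_POLICY = {
    "isServiceDefault": True,
    "b2bCollaborationInbound": {
        "usersAndGroups": {"accessType": "allowed",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
        "applications": {"accessType": "allowed",
                         "targets": [{"target": "AllApplications", "targetType": "application"}]},
    },
    "automaticUserConsentSettings": {"inboundAllowed": None, "outboundAllowed": None},
}

# Constructed sample partners; IDs are placeholders.
PARTNERS = [
    {   # looks like a rogue CTS partner: sync on, auto-redeem on, wide default inherited
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "b2bCollaborationInbound": None,
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {   # scoped partner: sync on, but only one group and one application allowed in
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "b2bCollaborationInbound": {
            "usersAndGroups": {"accessType": "allowed", "targets": [
                {"target": "aaaaaaaa-0000-0000-0000-000000000001", "targetType": "group"}]},
            "applications": {"accessType": "allowed", "targets": [
                {"target": "bbbbbbbb-0000-0000-0000-000000000002", "targetType": "application"}]},
        },
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {   # collaboration-only partner: nothing is synced in
        "tenantId": "33333333-3333-3333-3333-333333333333",
        "b2bCollaborationInbound": None,
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
        "identitySynchronization": None,
    },
]

if __name__ == "__main__":
    for tenant, findings in review_policy(DEFAULT_POLICY, PARTNERS).items():
        for sev, msg in findings or [("OK", "no CTS exposure")]:
            print(f"{tenant}: {sev}: {msg}")
```

Run against the sample, the first partner produces two HIGH findings (it can push users in with no interaction, and inherits the all-users/all-applications default), the scoped second partner produces only the auto-redemption finding, and the third produces none. The same logic is what a scheduled job should re-run after every "partner" or "identity synchronization" change, since a rogue configuration is just a new entry in this list.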
Vectra's AI-driven detections identify privilege-abuse scenarios by focusing on behaviour rather than on signatures or lists of known operations, which matters here because every step of a CTS attack is a legitimate administrative operation.
For security testing, MAAD-AF (the MAAD Attack Framework) is an open-source tool that emulates common attacker techniques in Microsoft cloud environments; it includes a module, "Exploit Cross Tenant Synchronization", for testing a tenant's exposure to CTS exploitation.
Vectra AI, a leader in AI-driven threat detection and response, offers a platform providing hybrid attack surface coverage and real-time Attack Signal Intelligence, integrating with XDR, SIEM, and SOAR solutions.