Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL.

“An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens,” Secureworks Counter Threat Unit (CTU) said in a technical report published last week.

“The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges.”

Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an open-source tool that other organizations can use to scan for abandoned reply URLs.

Reply URL, also called redirect URI, refers to the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token.

“The authorization server sends the code or token to the redirect URI, so it’s important you register the correct location as part of the app registration process,” Microsoft notes in its documentation.

Secureworks CTU said it identified an abandoned Dynamics Data Integration app reply URL associated with the Azure Traffic Manager profile that made it possible to invoke the Power Platform API via a middle-tier service and tamper with the environment configurations.

In a hypothetical attack scenario, this could have been used to acquire the system administrator role for an existing service principal and send requests to delete an environment, as well as abuse the Azure AD Graph API to gather information about the target in order to stage follow-on activities.

This, however, banks on the possibility that a victim clicks on a malicious link, as a result of which the authorization code issued by Microsoft Entra ID upon logging is delivered to a redirect URL hijacked by the threat actor.

The disclosure comes as Kroll revealed an uptick in DocuSign-themed phishing campaigns utilizing open redirects, enabling adversaries to propagate specially crafted URLs that, when clicked, redirect potential victims to a malicious site.

“By crafting a deceptive URL that leverages a trustworthy website, malicious actors can more easily manipulate users into clicking the link, as well as deceiving/bypassing network technology that scans links for malicious content,” Kroll’s George Glass said.

“This results in a victim being redirected to a malicious site designed to steal sensitive information, such as login credentials, credit card details or personal data.”