Entra ID Account Takeover – Part 2

There are multiple ways for a bad actor to take over an Entra ID account. There should be no surprise that the main accounts targeted are privileged, especially Global Admin (GA). You need to put in place policies to mitigate this threat. Organizations that use Entra (Azure AD) Connect to sync identities from on-prem Active Directory (AD) to the cloud (Entra ID) need to take precautions to protect against attackers using it to take over Entra ID accounts.

Entra (Azure AD) Connect Sync Attack Methods

The attack would consist of copying the Entra ID UPN of a targeted account and write it to the on-prem AD userPricipleName attribute of the unsynchronized on-prem AD account. Next, they would also copy the mS-DS-ConsistencyGuid attribute of the Entra ID targeted user and write it to that AD account. They would then delete the original corresponding on-prem AD account of the targeted Entra ID account. Once synchronization occurs, approximately every 2 minutes, the previously unsynchronized AD account will hard match with the targeted Entra ID account and password sync will update the password to value known by the attacker. The attacker can now gain access to Entra ID resources that account has. If the account is a global admin, it would have those permissions or if it is eligible to activate administrative roles, the compromised account could then elevate its privileges.

SMTP matching can also be used in a similar fashion to synchronize on-prem AD accounts to Entra ID accounts. An on-prem AD account that has not been synchronized to Entra ID could be changed to match the userPrincipalName and proxyAddress attributes of a targeted Entra ID account. Once synchronization occurs, approximately every 2 minutes, SMTP matching occurs to the targeted Entra ID account. The attacker can now gain access to Entra ID resources and if it is eligible to activate administrative roles, the compromised account could also elevate privileges.

This is also why Microsoft recommends that privileged Entra ID accounts be cloud only and not a hybrid account synced from AD. For these attacks to work, multi-factor authentication (MFA) must not be enabled for the accounts or for role activation in Entra ID. Microsoft also recommends that privileged users in Entra ID have MFA enabled and is moving to enforce it this year. Given the risk to all accounts, more organizations will enable MFA on all their Entra ID accounts.