Security News > 2023 > August > New Microsoft Azure AD CTS feature can be abused for lateral movement
Microsoft's new Azure Active Directory Cross-Tenant Synchronization feature, introduced in June 2023, has created a new potential attack surface that might allow threat actors to more easily spread laterally to other Azure tenants.
Microsoft tenants are client organizations or sub-organizations in Azure Active Directory that are configured with their own policies, users, and settings.
In June, Microsoft introduced a new Cross-Tenant Synchronization feature that allows an administrator to synchronize users and groups across multiple tenants and tenant resources, offering seamless collaboration, automating lifecycle management of B2B projects, etc.
If improperly configured, attackers who have already compromised a tenant and gained elevated privileges may exploit the new feature to move laterally to other connected tenants and then deploy rogue CTS configurations to establish persistence on those networks.
The first technique described in Vectra's report involves reviewing the CTS configurations to identify target tenants connected through these policies and, specifically, look for tenants with 'Outbound Sync' enabled, which allows syncing to other tenants.
Specifically, the attacker deploys a new CTS policy and enables 'Inbound Sync' and 'Automatic User Consent,' allowing them to push new users from their external tenant to the target anytime.