Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization
This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant.
Terminologies

Source tenant: Tenant from where users & groups are getting synced
Target tenant: Tenant with resources where users & groups are getting synced
Resources: Microsoft applications and non-Microsoft applications
CTS: Abbreviation to reference 'Cross Tenant Synchronization' in this document
CTA: Abbreviation to reference 'Cross Tenant Access' in this document
Compromised Account: Adversary's initial point of access

The Facilitator
An attacker operating in a compromised environment can exploit an existing CTS configuration to move laterally from one tenant to another connected tenant.
The attacker reviews the Cross Tenant Access policy configuration for each connected tenant to identify one with 'Outbound Sync' enabled.
An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.
The attacker attempts to deploy a new Cross Tenant Access Policy in the victim tenant with the following properties.
News URL
https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html