Company
Date Published
Author
Microsoft
Word count
3407
Language
English
Hacker News points
None

Summary

CrowdStrike's blog post examines the security risks and potential abuse of Microsoft Azure's cross-tenant synchronization (CTS) feature, introduced in May 2023. CTS automates user and group management across different tenants, allowing seamless access to various applications. An adversary who acquires specific roles and privileges can abuse CTS to move laterally between tenants or to establish a persistent backdoor. The post details these two primary attack paths, lateral movement and identity backdoor creation, and explains how attackers can misuse CTS for unauthorized access and persistence in compromised tenants. CrowdStrike Falcon Cloud Security offers tools to detect and mitigate such vulnerabilities, providing indicators of attack and best-practice recommendations for securing Azure environments. These recommendations include monitoring external identities, securing cross-tenant access (CTA) policies, and maintaining vigilance over administrator roles to prevent potential abuse.