Newly discovered vulnerability lets attackers bypass Microsoft authentication and authorization
Anonymous in /c/technology
A previously unknown vulnerability in Microsoft services is actively exploited, allowing hackers to bypass authentication and authorization mechanisms in Microsoft Azure, Teams, OneDrive, SharePoint, and other applications.

Attackers have been taking advantage of the issue, called “Subdomain Confusion Attack” or “SCA,” since at least January. Cybersecurity firm Mandiant, which discovered the vulnerability, said that the attacks are highly targeted and the number of affected organizations is low.

The attack “likely” originated from a Chinese hacking group, the researchers said. Mandiant did not specify which groups it suspects.

Subdomain confusion attacks involve manipulating users into visiting the wrong website. The user might think they’re visiting login.microsoftonline.com, for example, but would actually be on attacker.com/login.microsoftonline.com instead.

Attackers are exploiting this issue using typosquatting, where they register domain names that contain typos to catch misspelled URLs, said the researchers.

This issue is caused by “an insecure configuration of Microsoft services where certain cookie settings allow an attacker to bypass Azure Active Directory authentication and authorization for various Microsoft cloud applications,” Mandiant said in an advisory published this week.

“An attacker who successfully exploits this vulnerability can elevate privileges, access sensitive data, move laterally within an organization's network, and evade detection, depending on the specific applications impacted and the privileges of the targeted user accounts,” the researchers warned.

“Given the widespread usage of Azure Active Directory and Microsoft 365 applications, this type of attack can be used to compromise various organizations' environments, depending on attackers’ interests and motivations,” Mandiant said.

The issue has been actively exploited since at least January, with attackers targeting “multiple organizations across several industries,” the researchers said.

To exploit the issue, a hacker would first create an Azure Active Directory (AAD) instance and configure the instance to use the “same domain” as the targeted organization. They would then create an application within the AAD instance to communicate with the targeted organization’s network, according to the researchers.

Once the instance is set up, the hacker would use typosquatting to manipulate a user into visiting the wrong website, as described above.

From there, the attacker can access sensitive information depending on the permissions of the targeted user, the researchers said.

“Organizations should be aware that Microsoft services may be configured in a way that allows attackers to bypass Azure Active Directory (AAD) authentication and authorization,” Mandiant warned in the advisory.

Attackers are targeting “unwary users” and organizations who have not properly configured their Azure Active Directory and Microsoft applications, the researchers said.

Mandiant has notified Microsoft, which has launched an investigation into the issue.

In an emailed statement, a Microsoft representative said that the vulnerability is an issue with an Azure configuration and not a vulnerability in Microsoft products themselves.

“An investigation by Microsoft determined that this issue relates to a specific configuration in an Azure resource rather than a product vulnerability, and we have provided customers with guidance on how to address this issue in order to ensure the security of their environments,” the representative said.

“Microsoft is actively investigating reports of exploitation of an Azure Active Directory (AAD) feature and will provide additional guidance as necessary,” it added.

Mandiant has offered mitigation strategies in its advisory.

In related news, Microsoft announced a “critical” vulnerability in the Windows operating system that lets attackers bypass two-factor authentication (2FA).
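The article's description of the lure (a user believes they are on login.microsoftonline.com but is really on attacker.com/login.microsoftonline.com, or on a typosquatted domain) translates directly into a detection rule a defender can run over web-proxy logs. The script below is an added example, not code from the article or from Mandiant's advisory: it parses each logged URL, works out which registrable domain actually served the request, and flags three lookalike patterns, a trusted Microsoft hostname smuggled into the URL path, a trusted hostname used as a subdomain label of an unrelated domain, and a registrable domain within two edits of a trusted one. The trusted-host list, the log line format and the `attacker.example` / `microsoftonlien.com` sample domains are all constructed for this example.

```python
from urllib.parse import urlsplit

# Hostnames a user expects to land on. The article names login.microsoftonline.com;
# the rest of the list is an assumption for this example and should be replaced
# with the endpoints your tenant actually uses.
TRUSTED_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "teams.microsoft.com",
    "onedrive.live.com",
}

# Constructed proxy log lines (not real traffic): key=value fields, one request per line.
LOG_LINES = [
    "user=alice url=https://login.microsoftonline.com/common/oauth2/authorize",
    "user=bob url=https://attacker.example/login.microsoftonline.com/",
    "user=carol url=https://login.microsoftonline.com.attacker.example/",
    "user=dave url=https://login.microsoftonlien.com/common",
    "user=erin url=https://docs.python.org/3/",
]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    A production check should consult the Public Suffix List instead, so that
    hosts under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'confusion:path', 'confusion:subdomain', 'typosquat' or 'unrelated'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    trusted_regs = {registrable_domain(h) for h in TRUSTED_HOSTS}
    # Only the registrable domain decides who really served the page.
    if host in TRUSTED_HOSTS or registrable_domain(host) in trusted_regs:
        return "trusted"
    path = parts.path.lower()
    for name in TRUSTED_HOSTS | trusted_regs:
        # Trusted hostname placed in the path: attacker.example/login.microsoftonline.com
        if name in path:
            return "confusion:path"
        # Trusted hostname used as a whole label prefix of an unrelated domain:
        # login.microsoftonline.com.attacker.example (label-boundary match)
        if f".{name}." in f".{host}.":
            return "confusion:subdomain"
    # Typosquat: registrable domain within two edits of a trusted registrable domain.
    reg = registrable_domain(host)
    if any(levenshtein(reg, t) <= 2 for t in trusted_regs):
        return "typosquat"
    return "unrelated"


def scan(lines):
    """Return (user, url, verdict) for every logged request that is not trusted
    and matches a lookalike pattern, plus 'unrelated' hosts for completeness."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        url = fields.get("url")
        if not url:
            continue
        verdict = classify_url(url)
        if verdict != "trusted":
            findings.append((fields.get("user", "?"), url, verdict))
    return findings


if __name__ == "__main__":
    for user, url, verdict in scan(LOG_LINES):
        print(f"{verdict:22} {user:6} {url}")
```

Run as-is it reports bob's, carol's and dave's requests as the three lookalike patterns and erin's as unrelated; alice's genuine login is not reported. The edit-distance threshold is deliberately loose and will produce false positives for very short trusted domains, so in practice pair it with an allowlist of known-good registrable domains and treat a hit as a reason to look at the session, not as proof of compromise.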