In this case there was a flaw discovered in how Entra ID handles authentication between service principals. Researchers at SecureWorks identified an abandoned reply URL in a single application. This application was related to the Power Platform inside Microsoft’s cloud environment. The reply URL is used for app connectivity, when an app requests access, the access tokens are sent to the reply URL. In the case of an abandoned one, an attacker could, theoretically, take control of the URL and have those same tokens sent to a system under their control. They would leverage an API call to Power Platform and get the tokens in return with elevated privileges.

Because some of the internal APIs for Microsoft services (in this case Power Platform) are exposed to first party apps, the SecureWorks team was able to send a request for system administrator for an existing service principal via the exposed API. They were also able to send an HTTP delete request to destroy an environment referenced in the API call. Both were successfully demonstrated but were not the end of what could be done with this flaw. The SecureWorks team stated:

“The goal was not to further abuse this privileged access but to demonstrate that privileged actions such as elevating applications and deleting environments are possible due to the access gained via the middle-tier service. An attacker with malicious intent and adequate knowledge of the Power Platform admin API operations could likely develop additional scenarios”

The attack chain would involve a phishing style email where the attacker fools a user into clicking a link.

“A victim accesses a malicious link. Azure AD redirects the victim's system to the reply URL claimed by the attacker and includes the authorization code in the URL parameter.
The malicious server exchanges the authorization code for the access token.
The malicious server calls the middle-tier service using the access token and intended API.
We focused our investigation on the middle-tier service calling the downstream API but later discovered that it was also possible to directly exchange the authorization codes for access tokens without relaying these tokens to the middle-tier service. The original focus was the most beneficial approach for research purposes because it allowed us to understand why and how the APIs are used.”

SecureWorks communicated the finding with Microsoft back in March following responsible disclosure practices and Microsoft confirmed the flaw and privilege escalation potential. Microsoft has applied a fix to their internal systems to mitigate this risk, but SecureWorks still feels that organizations should keep track of application reply URLs and monitor specifically for abandoned ones. This is (and should be) part of the general cybersecurity hygiene process used by organizations to ensure that they are not leaving their cloud environments open to attack because of changes in the way an app or integration work. It might sound like a lot of extra work, and it is, but it is also vital as we see attackers increase their attention on clous services and their APIs in particular. SecureWorks does have a GitHub project which includes a version of the scanner used to identify abandoned reply URLs. It is certainly worth checking out.