Inviting external users

PLATFORM / SERVICE: azure-ad

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: low (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: medium (how much damage a successful exploitation of this vulnerability is expected to do to your environment and organization)

About

In an Azure AD tenant, members can invite external users as guests. An attacker who controls a member account can abuse this to gain persistent access to your environment: they invite an external address they own as a guest. Because the guest is a separate identity, resetting the compromised member's password does not remove it.

Understanding Impact

Business Impact

The use of Azure AD guests can lead to third parties having unexpected access to your Azure or corporate Microsoft 365 resources.

Technical Impact

In the default Azure AD configuration, any member of the tenant (including non-administrators) can invite guests; the default also lets existing guests invite further guests. This is controlled through the tenant's external collaboration settings (the "Guest invite settings" option, exposed in Microsoft Graph as the authorizationPolicy property allowInvitesFrom). Restricting invitations to administrators and holders of the Guest Inviter role removes the self-invite path for an attacker holding an ordinary member account.
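The check and the fix for that setting, as an added example that is not code from the original page: assess_invite_policy works on the JSON that Microsoft Graph returns for GET /policies/authorizationPolicy, and hardening_body builds the PATCH that restricts invitations. SAMPLE_POLICY is a constructed excerpt of a default tenant's response, and TOKEN is a placeholder; the live calls assume an access token carrying Policy.Read.All (read) or Policy.ReadWrite.Authorization (write).

```python
"""Check who may invite guests into a Microsoft Entra ID (Azure AD) tenant and,
if the default is still in place, tighten it via Microsoft Graph.

Added example; not code from the original page. SAMPLE_POLICY is constructed
and TOKEN is a placeholder (see the lead-in for the required permissions)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Values of authorizationPolicy.allowInvitesFrom (Microsoft Graph schema).
# "everyone" is the tenant default: members and existing guests can both
# create new guest accounts, which is the self-invite path the page describes.
LETS_MEMBERS_INVITE = {"everyone", "adminsGuestInvitersAndAllMembers"}
LETS_GUESTS_INVITE = {"everyone"}
RESTRICTED = {"adminsAndGuestInviters", "none"}

SAMPLE_POLICY = {  # constructed: the shape of a default tenant's policy
    "id": "authorizationPolicy",
    "allowInvitesFrom": "everyone",
    "allowEmailVerifiedUsersToJoinOrganization": True,
}


def assess_invite_policy(policy: dict) -> dict:
    """Explain what the current allowInvitesFrom value permits and whether to change it."""
    value = policy.get("allowInvitesFrom", "everyone")  # missing property: assume the default
    members = value in LETS_MEMBERS_INVITE
    return {
        "allowInvitesFrom": value,
        "members_can_invite": members,
        "guests_can_invite": value in LETS_GUESTS_INVITE,
        "action": "restrict to adminsAndGuestInviters" if members else "ok",
    }


def hardening_body(target: str = "adminsAndGuestInviters") -> bytes:
    """Request body for PATCH /policies/authorizationPolicy. Only the changed
    property is sent; Graph leaves the other properties as they are."""
    if target not in RESTRICTED:
        raise ValueError(f"{target!r} still lets ordinary members invite guests")
    return json.dumps({"allowInvitesFrom": target}).encode()


def graph_call(method: str, token: str, body: bytes = None) -> dict:
    """Minimal Graph client; PATCH answers 204 with an empty body."""
    req = urllib.request.Request(
        GRAPH, data=body, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    TOKEN = "<access-token>"  # placeholder, obtain one with the permissions above
    verdict = assess_invite_policy(graph_call("GET", TOKEN))
    print(json.dumps(verdict, indent=2))
    if verdict["members_can_invite"]:
        graph_call("PATCH", TOKEN, hardening_body())
```

Run it offline first by calling assess_invite_policy(SAMPLE_POLICY): the default policy reports that both members and guests can invite. Setting "none" is the stricter alternative, but it also blocks administrators from inviting through the normal flow, so adminsAndGuestInviters is the usual target.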

Detection

When someone invites a guest user in Azure AD, several events are logged in the Azure AD audit logs (listed under Activity in the portal):

  • Add user
  • Invite external user
  • Add user sponsor

When the invited user accepts the invite, an additional event, "Redeem external user invite", is logged. It is initiated by the external identity itself, so it carries the guest's source IP address, and its target description records how the invitation was redeemed (for example, Source: One Time Passcode).

Sample events, shortened for clarity:

{
  "category": "UserManagement",
  "result": "success",
  "activityDisplayName": "Invite external user",
  "loggedByService": "Invited Users",
  "initiatedBy": {
    "user": {
      "userPrincipalName": "<inviter@tenant.tld>"
    }
  },
  "userAgent": "",
  "targetResources": [
    {
      "displayName": "<invited user display name>",
      "type": "User",
      "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>",
      "groupType": null,
      "modifiedProperties": []
    }
  ],
  "additionalDetails": [
    {
      "key": "invitedUserEmailAddress",
      "value": "<invited-user-email>"
    }
  ]
}
{
  "category": "UserManagement",
  "result": "success",
  "resultReason": null,
  "activityDisplayName": "Redeem external user invite",
  "loggedByService": "B2B Auth",
  "initiatedBy": {
    "user": {
      "userPrincipalName": "<invited-user-email>",
      "ipAddress": "<invited-user-ip>"
    }
  },
  "targetResources": [
    {
      "id": "d042c4fe-5dd1-44a2-883a-eede6c10608f",
      "displayName": "UPN: <invited-user-email>#EXT#@<tenant.tld>, Email: <invited-user-email>, InvitationId: 4c93fc70-169a-411f-8cf7-aff732f8c7b9, Source: One Time Passcode",
      "type": "User",
      "userPrincipalName": "<invited-user-email>#EXT#@<tenant.tld>"
    }
  ]
}
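Detection logic run over events of that shape, as an added example that is not code from the original page: it pairs each successful "Invite external user" event with its "Redeem external user invite", recovers the guest's email from the #EXT# UPN where the invite details are missing, and rates invites from domains outside an allowlist. SAMPLE_EVENTS is constructed to mirror the page's excerpts (emails, tenant and IP are placeholders), and TRUSTED_GUEST_DOMAINS is an assumed list of partner domains.

```python
"""Flag guest invitations in Microsoft Entra ID (Azure AD) audit log events.

Added example; not code from the original page. SAMPLE_EVENTS is constructed
(placeholder emails, tenant and IP) and TRUSTED_GUEST_DOMAINS is an assumption."""
from typing import Optional

INVITE = "Invite external user"
REDEEM = "Redeem external user invite"

# Assumption: domains of organisations you actually collaborate with. A guest
# from any other domain deserves a look; a redeemed one is an active foothold.
TRUSTED_GUEST_DOMAINS = {"partner.example"}

SAMPLE_EVENTS = [  # constructed, same shape as the page's audit log samples
    {"category": "UserManagement", "result": "success", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.tld"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob_partner.example#EXT#@contoso.tld"}]},
    {"category": "UserManagement", "result": "success", "activityDisplayName": INVITE,
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.tld"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob_partner.example#EXT#@contoso.tld"}],
     "additionalDetails": [{"key": "invitedUserEmailAddress", "value": "bob@partner.example"}]},
    {"category": "UserManagement", "result": "success", "activityDisplayName": INVITE,
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.tld"}},  # compromised member
     "targetResources": [{"type": "User", "userPrincipalName": "mallory_evil.example#EXT#@contoso.tld"}],
     "additionalDetails": [{"key": "invitedUserEmailAddress", "value": "mallory@evil.example"}]},
    {"category": "UserManagement", "result": "success", "activityDisplayName": REDEEM,
     "initiatedBy": {"user": {"userPrincipalName": "mallory@evil.example", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"type": "User", "userPrincipalName": "mallory_evil.example#EXT#@contoso.tld"}]},
]


def guest_upn_to_email(upn: str) -> str:
    """Recover the guest's email from a B2B UPN, e.g.
    'mallory_evil.example#EXT#@contoso.tld' -> 'mallory@evil.example'.
    Azure AD builds the guest UPN by replacing the '@' of the email with '_'.
    The local part may itself contain '_', but a DNS name cannot, so the last
    '_' before '#EXT#' is the one that replaced '@'."""
    if "#EXT#" not in upn:
        raise ValueError(f"not a guest UPN: {upn}")
    head, sep, tail = upn.split("#EXT#", 1)[0].rpartition("_")
    if not sep:
        raise ValueError(f"not a guest UPN: {upn}")
    return f"{head}@{tail}"


def _initiator(event: dict) -> str:
    """UPN of the user that initiated the event ('' when app-initiated)."""
    return (event.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "").lower()


def invited_email(event: dict) -> Optional[str]:
    """Invited address from additionalDetails, else from the #EXT# UPN in targetResources."""
    for detail in event.get("additionalDetails", []):
        if detail.get("key") == "invitedUserEmailAddress":
            return detail["value"].lower()
    for target in event.get("targetResources", []):
        upn = target.get("userPrincipalName") or ""
        if "#EXT#" in upn:
            return guest_upn_to_email(upn).lower()
    return None


def analyze(events: list) -> list:
    """One finding per successful invite, enriched with whether the invite was
    redeemed and whether the guest's domain is on the allowlist."""
    invites, redeemed = {}, set()
    for ev in events:
        if ev.get("result") != "success":
            continue
        if ev.get("activityDisplayName") == INVITE:
            email = invited_email(ev)
            if email:
                invites[email] = {"invited": email, "inviter": _initiator(ev)}
        elif ev.get("activityDisplayName") == REDEEM:
            # The redeeming principal is the plain external email; fall back to the UPN.
            who = _initiator(ev)
            email = guest_upn_to_email(who).lower() if "#EXT#" in who else who or invited_email(ev)
            if email:
                redeemed.add(email)
    findings = []
    for email, finding in invites.items():
        finding["trusted_domain"] = email.rsplit("@", 1)[-1] in TRUSTED_GUEST_DOMAINS
        finding["redeemed"] = email in redeemed
        if finding["trusted_domain"]:
            finding["severity"] = "info"
        else:
            finding["severity"] = "high" if finding["redeemed"] else "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is what turns the generic "someone invited a guest" signal into something triageable; without it every legitimate partner invitation pages the same way. The inviter field is kept in each finding because an invite from a freshly compromised account, followed minutes later by a redemption from an unfamiliar IP, is the sequence to look for.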

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Azure user invited an external user".

References

  • Sample incident: Azure subscription hijacking and cryptomining (derkvanderwoude.medium.com)
  • Backdooring and hijacking Azure AD accounts by abusing external identities (dirkjanm.io)
  • Add a guest user and send an invitation (Azure documentation)
  • Hunt for compromised Azure subscriptions (Azure documentation)
