Azure AD External Guest User Invitation
Detection of an external guest user invitation in Azure AD through monitoring Azure AD AuditLogs, which, if malicious, can lead to unauthorized access, data breaches, or further exploitation by abusing external identities.
This analytic detects the invitation of external guest users within Azure Active Directory (Azure AD). The detection focuses on identifying specific events recorded in the Azure AD AuditLogs, triggered when a new external user is invited to the tenant. While legitimate use cases exist for inviting guest users, malicious actors can abuse this feature to gain unauthorized access to internal resources, establish persistence, and potentially compromise sensitive data. The activity is detected using the "Invite external user" operation name within the Azure AD AuditLogs. This analytic helps defenders identify potentially malicious invitations that could lead to broader security incidents.
Attack Chain
- An attacker gains initial access to an Azure AD account with sufficient privileges to invite external users.
- The attacker navigates to the Azure AD portal or uses PowerShell/Azure CLI to manage users.
- The attacker initiates the "Invite external user" process, providing an external email address.
- Azure AD generates an invitation to the specified external user.
- The external user receives the invitation and accepts it, creating a guest user account in the Azure AD tenant.
- The attacker assigns the newly created guest user account permissions to access specific resources within the Azure AD environment, such as applications or data.
- The attacker uses the guest user account to access these resources, potentially exfiltrating data or performing other malicious activities.
- The attacker maintains persistence by ensuring the guest user account remains active and retains its permissions over time.
Impact
A successful attack leveraging malicious guest user invitations can lead to unauthorized access to sensitive data and applications. This could result in data breaches, intellectual property theft, or financial losses. The impact can vary depending on the permissions granted to the guest user account and the resources they are able to access. The references suggest this is a real threat that has been used in attacks.
Recommendation
- Deploy the Sigma rule
Azure AD External Guest User Invitedto your SIEM and tune for your environment to detect potentially malicious external user invitations. - Review Azure AD audit logs for suspicious "Invite external user" events, paying close attention to the
initiatedByanduserfields, to uncover unauthorized invitations. - Implement multi-factor authentication (MFA) for all Azure AD accounts, including administrators, to reduce the risk of account compromise.
- Regularly review and audit the permissions assigned to guest user accounts to ensure they adhere to the principle of least privilege.
- Monitor the references provided in this brief to stay up to date with the latest tactics and techniques used by attackers abusing external identities in Azure AD.
Detection coverage 2
Azure AD External Guest User Invited
mediumDetects the invitation of an external guest user within Azure AD
Azure AD Guest User Invited by Suspicious User Agent
highDetects the invitation of an external guest user within Azure AD by a suspicious User Agent
Detection queries are available on the platform. Get full rules →