Skip to content
Threat Feed
high advisory

Azure AD Federated Domain Added

This analytic detects the addition of a new federated domain within an Azure Active Directory tenant, potentially indicating the establishment of an Azure AD identity federation backdoor for persistence and unauthorized access.

This detection identifies the addition of a new federated domain within an Azure Active Directory (Azure AD) tenant. It leverages Azure AD AuditLogs to identify successful "Set domain authentication" operations. The addition of a new federated domain can be a legitimate administrative action, but it can also be indicative of malicious activity where an attacker is attempting to establish a persistence mechanism within the Azure AD environment. This tactic is sometimes referred to as the Azure AD identity federation backdoor technique. Successful exploitation allows an attacker to impersonate any user, effectively bypassing password and multi-factor authentication (MFA) requirements, potentially leading to unauthorized access and complete control over the Azure AD environment. This activity is related to APT29 and other advanced threat actors and their persistence techniques in cloud environments.

Attack Chain

  1. The attacker compromises an Azure AD account with sufficient privileges to modify domain federation settings.
  2. The attacker uses the compromised account to access the Azure portal or uses PowerShell with the Azure AD module to interact with the Azure AD tenant.
  3. The attacker executes the "Set domain authentication" operation to add a new federated domain. This can involve creating a malicious domain controlled by the attacker.
  4. The attacker configures the trust settings between the Azure AD tenant and the newly added, attacker-controlled domain.
  5. The attacker creates user accounts or modifies existing user accounts within the attacker-controlled domain with attributes that match identities in the target Azure AD.
  6. The attacker uses the newly federated domain to generate tokens and authenticate as any user within the target Azure AD tenant, bypassing normal authentication controls.
  7. The attacker escalates privileges and accesses sensitive data and resources within the Azure AD tenant, such as mailboxes, SharePoint sites, and applications.
  8. The attacker maintains persistent access through the federated domain, even if the compromised initial account is remediated, allowing for long-term data exfiltration or other malicious objectives.

Impact

A successful attack can result in complete compromise of the Azure AD environment. Attackers can gain unauthorized access to sensitive data, escalate privileges, and maintain persistent access even after the initial point of compromise is remediated. This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. The number of potential victims is equal to the number of users within the compromised Azure AD tenant. Sectors commonly targeted by APT29 and similar groups include government, defense, and technology.

Recommendation

  • Deploy the provided Sigma rule Azure AD New Federated Domain Added to your SIEM and tune it for your environment to detect the initial addition of a new federated domain.
  • Investigate any alerts generated by the Azure AD New Federated Domain Added rule, focusing on the user account that initiated the "Set domain authentication" operation, the source IP address, and the domain being added.
  • Monitor Azure AD Audit Logs for suspicious "Set domain authentication" operations, as described in the "data_source" section.
  • Implement strong MFA policies for all privileged accounts in Azure AD, but be aware that this attack bypasses MFA.
  • Review and audit existing Azure AD federation settings regularly to identify any unauthorized or suspicious federated domains.
  • Consider Conditional Access policies to restrict domain federation modifications to specific, highly trusted accounts and locations.

Detection coverage 2

Azure AD New Federated Domain Added

high

Detects the addition of a new federated domain in Azure AD, which can be indicative of an attacker establishing a persistence mechanism.

sigma tactics: persistence techniques: T1484.002 sources: webserver, azure

Azure AD Federated Domain Addition by Uncommon User Agent

medium

Detects the addition of a new federated domain in Azure AD by an uncommon user agent, possibly indicating attacker activity.

sigma tactics: initial_access, persistence techniques: T1484.002 sources: webserver, azure

Detection queries are available on the platform. Get full rules →