{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/identityfederation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","persistence","identityfederation","backdoor","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious modifications to the \u003ccode\u003eSourceAnchor\u003c/code\u003e (ImmutableId) attribute within Azure Active Directory (Azure AD). This attribute, when altered by an attacker, can facilitate the creation of a backdoor for identity federation, potentially leading to persistent unauthorized access. The activity is detected via Azure AD audit logs, specifically monitoring \u0026ldquo;Update user\u0026rdquo; operations targeting the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute. The technique is particularly relevant for defenders because a successful modification enables an attacker to impersonate any user within the organization, circumventing standard authentication measures like passwords and multi-factor authentication (MFA). Successful exploitation could result in unauthorized data access, privilege escalation, and significant data breaches. 
This technique has been associated with APT29.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to modify Azure AD user attributes, potentially through compromised credentials or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to access the Azure portal or uses PowerShell with the Azure AD module.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account within Azure AD for which they want to establish persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute (ImmutableId) of the target user account. This attribute is intended for on-premises Active Directory synchronization and is not typically changed directly in Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a rogue identity provider (IdP) with claims matching the modified \u003ccode\u003eSourceAnchor\u003c/code\u003e value of the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a federation trust between the rogue IdP and the Azure AD tenant, allowing the attacker to assert authentication for the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the rogue IdP using attacker-controlled credentials.\u003c/li\u003e\n\u003cli\u003eThe rogue IdP generates a SAML token with the forged \u003ccode\u003eSourceAnchor\u003c/code\u003e claim, allowing the attacker to bypass normal Azure AD authentication controls and gain access to the target user\u0026rsquo;s resources. 
The final objective is to maintain persistence and impersonate the target user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute allows attackers to bypass password and MFA requirements, impersonating any user within the organization. This can lead to unauthorized access to sensitive data, privilege escalation, and potentially significant data breaches. If an attacker successfully establishes this backdoor, the compromise can persist undetected for extended periods, causing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Azure AD User ImmutableId Attribute Updated\u003c/code\u003e to your SIEM to detect modifications to the \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute (Azure Active Directory Update user).\u003c/li\u003e\n\u003cli\u003eInvestigate and filter legitimate uses of \u003ccode\u003eSourceAnchor\u003c/code\u003e attribute modifications, as identified in the \u003ccode\u003eknown_false_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for \u0026ldquo;Update user\u0026rdquo; operations, specifically targeting the \u003ccode\u003eproperties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor\u003c/code\u003e event, as described in the \u003ccode\u003esearch\u003c/code\u003e query.\u003c/li\u003e\n\u003cli\u003eReview the references provided, especially the Mandiant report on remediation strategies for Microsoft 365 to defend against APT29, to understand the broader context of this attack technique and potential mitigation strategies (\u003ca 
href=\"https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13\"\u003ehttps://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:47:35Z","date_published":"2026-05-28T17:47:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-azure-ad-immutableid-update/","summary":"The following analytic identifies modifications to the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user, which is a step in setting up an Azure AD identity federation backdoor that allows an attacker to impersonate any user and bypass MFA.","title":"Azure AD User ImmutableId Attribute Modification for Persistence","url":"https://feed.craftedsignal.io/briefs/2026-05-azure-ad-immutableid-update/"}],"language":"en","title":"CraftedSignal Threat Feed — Identityfederation","version":"https://jsonfeed.org/version/1.1"}