{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/multitenant/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Microsoft 365"],"_cs_severities":["high"],"_cs_tags":["azuread","o365","multitenant"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies Azure Active Directory Applications configured in a way that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access to any data or capabilities the application is authorized to access. This poses a significant risk, as threat actors can exploit this misconfiguration to gain unauthorized access to sensitive resources within the targeted organization's O365 environment. The detection leverages the O365 Universal Audit Log data source to monitor changes to application settings, specifically the 'AvailableToOtherTenants' property. This analytic is based on a Splunk ES-CU detection and can be adapted to other platforms. The Microsoft guidance released in March 2023 highlights the risks associated with such misconfigurations, emphasizing the importance of detecting and remediating these issues promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an Azure Active Directory application within the target organization.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers that the application is configured to allow authentication from external tenants ('AvailableToOtherTenants' is set to true).\u003c/li\u003e\n\u003cli\u003eThe attacker registers a malicious application within their own Azure tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their malicious application to request permissions to access resources within the target organization's environment, leveraging the misconfigured application.\u003c/li\u003e\n\u003cli\u003eA user within the target organization is tricked into granting consent to the attacker's malicious application.\u003c/li\u003e\n\u003cli\u003eThe attacker's application gains access to the target organization's resources, such as data stored in SharePoint or Exchange Online.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs other malicious actions, such as creating new accounts or modifying existing configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, including confidential documents, financial records, and personal information. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. The number of affected users and the extent of the damage will depend on the permissions granted to the misconfigured application and the resources it has access to. Given the widespread use of Azure Active Directory and the potential for misconfiguration, this threat poses a significant risk to organizations of all sizes and across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Application Available To Other Tenants\u003c/code\u003e to your SIEM and tune for your environment to detect when the 'AvailableToOtherTenants' property is enabled for an application.\u003c/li\u003e\n\u003cli\u003eReview Azure Active Directory application configurations to identify and remediate any applications that are configured to allow authentication from external tenants.\u003c/li\u003e\n\u003cli\u003eImplement strict consent policies to prevent users from granting access to unauthorized applications.\u003c/li\u003e\n\u003cli\u003eMonitor the O365 Universal Audit Log data source for suspicious activity related to Azure Active Directory applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eO365 Application Available To Other Tenants\u003c/code\u003e rule and take appropriate remediation actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-app-multi-tenant/","summary":"An Azure Active Directory Application is configured to allow authentication from external tenants or personal accounts, potentially leading to unauthorized access to data or capabilities.","title":"O365 Application Available To Other Tenants","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-app-multi-tenant/"}],"language":"en","title":"CraftedSignal Threat Feed - Multitenant","version":"https://jsonfeed.org/version/1.1"}