Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the target’s account.
This misconfiguration (named nOAuth by the Descope security team who discovered it) could be abused in account and privilege escalation attacks against Azure AD OAuth applications configured to use the email claim from access tokens for authorization.
An attacker only had to change the email on their Azure AD admin account to the victim’s email address and use the “Log in with Microsoft” feature for authorization on the vulnerable app or website.
This lets them take complete control over the target’s account if the targeted resources allowed using email addresses as unique identifiers during the authorization process.
This tactic can also be used when the victim doesn’t even have a Microsoft account, and it was a feasible attack method because Azure AD did not require email changes to be validated.
“If the app merges user accounts without validation, the attacker now has full control over the victim’s account, even if the victim doesn’t have a Microsoft account,” Descope said.
“After successful login, the attacker has an open field depending on the nature of the app or site they have taken over. They can establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.”
Among multiple large organizations found vulnerable to this type of attack, Descope discovered a design app with millions of monthly users, a publicly traded customer experience firm, and one belonging to a leading multi-cloud consulting provider.
Descope also shared a video (embedded below) detailing how exploiting this AAD auth misconfiguration can lead to complete account takeover and information on this can be prevented.
​Microsoft fixed the nOAuth configuration via mitigations issued today, following an initial report sent by Descope on April 11, 2023.
“Microsoft has identified several multi-tenant applications with users that use an email address with an unverified domain owner,” Redmond said.
“If you did not receive a notification, your application has not consumed email claims with unverified domain owners.
“To protect customers and applications that may be vulnerable to privilege escalation, Microsoft has deployed mitigations to omit token claims from unverified domain owners for most applications.”
The company also strongly advised developers to thoroughly assess their apps’ authorization business logic and adhere to these guidelines to safeguard against unauthorized access.
In addition, developers are encouraged to adopt these recommended best practices for token validation when utilizing the Microsoft identity platform.