

Ethical Hacking News

The Shadow IT Menace: How Non-Human Identity Management Can Put Your Organization at Risk




In a surprising turn, malicious actors have found a way to exploit Microsoft Entra ID's guest subscription feature. Learn how this vulnerability allows attackers to gain unauthorized access and control over an organization's resources and what steps can be taken to mitigate these risks.



  • Malicious actors can create unauthorized subscriptions with elevated privileges through guest-based subscription creation in Microsoft's Entra ID platform.
  • An attacker can assume control over a legitimate Entra ID-based identity, exposing high-value privileged accounts and reducing visibility from security monitoring tools.
  • The misuse of guest subscription creation allows attackers to create User-Managed Identity in their subscription directory, register devices under their hijacked subscription, and abuse Conditional Access Policies.



  • In the rapidly evolving landscape of cybersecurity, a new threat is emerging that could potentially put organizations at risk. This threat comes in the form of non-human identity management, specifically through the misuse of guest subscription creation in Microsoft's Entra ID platform.

    The security experts at BeyondTrust have identified a growing concern regarding the abuse of guest-based subscription creation by malicious actors, which can lead to unauthorized access and control over an organization's resources. This vulnerability arises from the fact that any user or guest account can invite another guest into their Entra tenant, potentially allowing attackers to create new subscriptions that grant them elevated privileges.

    The attack vector begins with an attacker gaining access to an Azure Portal under a compromised identity. Once inside, they navigate to the Subscriptions > Add + section and switch to the "Advanced" tab. By setting the defender's directory as the target directory, the attacker creates a subscription without it appearing in their tenant. Instead, this subscription appears under the root management group of the defender tenant, where the attacker is automatically assigned the Owner role for this new subscription.

    Through this scenario, an attacker who has assumed control over a legitimate Entra ID-based identity can escalate privileges, with several potential consequences:

    1. **Listing Root Management Group Administrators**: An attacker with Owner permissions on their subscription may view Access Control role assignments on the subscription, exposing high-value privileged accounts ideal for follow-on attacks and social engineering.

    2. **Weakening Azure Policies Tied to Subscriptions**: The default Azure policy tied to a subscription can be modified or disabled by an attacker, effectively muting security alerts that would otherwise notify defenders of suspicious activity. This reduces visibility from security monitoring tools and allows attackers to perform malicious activities under the radar.

    3. **Creating User-Managed Identity in Entra ID Directory**: An attacker with elevated privileges can create a User-Managed Identity in their subscription directory. These identities persist independently of the original guest account, can be granted roles or permissions beyond the subscription's control, blend in with legitimate service identities (making detection harder), and can be used to launch targeted API permission phishing attacks that trick legitimate admins into granting these managed identities elevated privileges.

    4. **Registering Microsoft Entra-Joined Devices**: The attacker can register devices under their hijacked subscription, abusing Conditional Access Policies and gaining unauthorized access to trusted assets by spoofing or registering a device that appears as compliant corporate equipment.

    Given the severity of this threat, security experts recommend that organizations take several proactive measures to mitigate these risks.

    - **Configure Subscription Policies to Block Guest Transfer**: Organizations can configure their Subscription Policies to restrict guest transfer into their tenant, limiting subscription creation to explicitly permitted users only. Microsoft has published supporting documentation for this control.

    - **Regularly Audit All Guest Accounts in the Environment**: Ensure that all guest accounts are audited and removed if no longer required. Implement robust security measures to limit guest-to-guest invitations.

    - **Monitor Subscriptions Regularly**: Continuously monitor subscriptions within your tenant for unexpected guest-created subscriptions and resources, ensuring timely visibility into potential risks through Azure Security Center alerts.

    - **Inspect Device Access Especially in Dynamic Group Rules Contexts**: Carefully examine device access, especially where it is governed by dynamic group rules, to prevent exploitation of previously observed user-object targeting vulnerabilities.
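As an added illustration of the guest-audit recommendation above (example code written for this page, not BeyondTrust's or Microsoft's), the following Python script works over a constructed snapshot of directory user objects shaped like Microsoft Graph `/users` results (the `userType`, `userPrincipalName`, `createdDateTime` and `signInActivity.lastSignInDateTime` fields exist in Graph; the values are invented) plus a constructed list of invitation events. It reports guests that have been idle for longer than a threshold and guests whose inviter was itself a guest, which is the guest-to-guest invitation chain the article warns about. The fixed `NOW`, the 90-day threshold and the invitation record shape are assumptions for the demo.

```python
"""Audit guest accounts in an Entra ID tenant export.

Added example (not from the article, BeyondTrust or Microsoft). The records
below are constructed in the shape of Microsoft Graph /users objects and
"Invite external user" audit events; the data is invented for the demo.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 25, tzinfo=timezone.utc)   # fixed "now" so the results are reproducible
STALE_AFTER = timedelta(days=90)                    # assumed idle threshold

# Constructed sample directory: one member, three guests.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "userType": "Member",
     "createdDateTime": "2023-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-06-24T07:30:00Z"}},
    {"id": "g1", "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2024-11-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-06-20T10:00:00Z"}},
    {"id": "g2", "userPrincipalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2024-02-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-12-01T10:00:00Z"}},   # idle for months
    {"id": "g3", "userPrincipalName": "dave_other.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2025-06-20T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": None}},   # invited recently, never signed in
]

# Constructed invitation events: which account invited which guest.
INVITATIONS = [
    {"invitedUserId": "g1", "initiatedByUserId": "u1"},
    {"invitedUserId": "g2", "initiatedByUserId": "u1"},
    {"invitedUserId": "g3", "initiatedByUserId": "g1"},   # a guest inviting another guest
]


def parse_ts(value):
    """Parse a Graph-style ISO 8601 timestamp; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_guest(user):
    """userType is authoritative; the #EXT# marker in the UPN is a secondary signal."""
    return user.get("userType") == "Guest" or "#EXT#" in user.get("userPrincipalName", "")


def stale_guests(users, now=NOW, stale_after=STALE_AFTER):
    """Guests whose last sign-in (or creation date, if they never signed in) is older than stale_after."""
    stale = []
    for user in users:
        if not is_guest(user):
            continue
        last_sign_in = parse_ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
        reference = last_sign_in or parse_ts(user["createdDateTime"])
        if now - reference > stale_after:
            stale.append(user["userPrincipalName"])
    return stale


def guest_invited_guests(users, invitations):
    """(invitee, inviter) pairs where the inviter is itself a guest account."""
    by_id = {user["id"]: user for user in users}
    flagged = []
    for invitation in invitations:
        inviter = by_id.get(invitation["initiatedByUserId"])
        invitee = by_id.get(invitation["invitedUserId"])
        if inviter and invitee and is_guest(inviter):
            flagged.append((invitee["userPrincipalName"], inviter["userPrincipalName"]))
    return flagged


if __name__ == "__main__":
    for upn in stale_guests(USERS):
        print("STALE GUEST    ", upn)
    for invitee, inviter in guest_invited_guests(USERS, INVITATIONS):
        print("GUEST-INVITED  ", invitee, "<-", inviter)
```

Against the constructed data the script reports Carol as a stale guest (last sign-in in December 2024) and Dave as a guest invited by another guest (Bob). In a real tenant the `USERS` and `INVITATIONS` lists would be filled from a Graph export or the Entra audit log; the review decision (remove, re-approve, or block the inviter from issuing further invitations) stays with the administrator.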

    In addition to these mitigation strategies, BeyondTrust provides built-in detections that can flag subscriptions created by guest accounts, offering automated visibility into unusual behaviors. This is crucial for defenders as it enables them to quickly identify and address potential security breaches before they escalate further.
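To make the monitoring recommendation and the idea of flagging guest-created subscriptions concrete, here is an added Python example written for this page; it is not code from the article, BeyondTrust or Microsoft, and it says nothing about how BeyondTrust's own detections work. It runs over constructed events in an Azure Activity Log-like shape (`operationName`, `status`, `caller`, `subscriptionId`). The operation-name strings, the directory lookup that classifies callers, and the creator allowlist are assumptions for the demo. It flags subscriptions created by guest callers or by anyone outside the allowlist, lists failed creation attempts separately, and pulls out the follow-on activity in a flagged subscription (role grants, policy removals) that a triager would want to see first.

```python
"""Flag guest-created subscriptions and summarise what happened in them next.

Added example written for this page; not code from the article, BeyondTrust
or Microsoft. Events are constructed in an Azure Activity Log-like shape; the
operationName strings and the directory snapshot are assumptions for the demo.
"""
from collections import defaultdict

# Assumed operation names (constructed for the demo).
SUBSCRIPTION_CREATE_OP = "Microsoft.Subscription/aliases/write"
ROLE_ASSIGN_OP = "Microsoft.Authorization/roleAssignments/write"
POLICY_DELETE_OP = "Microsoft.Authorization/policyAssignments/delete"

# Constructed identities and subscription ids.
MEMBER_UPN = "alice@contoso.example"
GUEST_UPN = "bob_fabrikam.example#EXT#@contoso.onmicrosoft.com"
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
SUB_C = "00000000-0000-0000-0000-00000000000c"

# Constructed directory snapshot: caller UPN -> userType as the directory reports it.
DIRECTORY = {MEMBER_UPN: "Member", GUEST_UPN: "Guest"}

# Who may bring subscriptions into the tenant (mirrors a subscription-policy allowlist).
ALLOWED_SUBSCRIPTION_CREATORS = {MEMBER_UPN}

# Constructed activity-log style events, oldest first.
EVENTS = [
    {"operationName": SUBSCRIPTION_CREATE_OP, "status": "Succeeded",
     "caller": MEMBER_UPN, "subscriptionId": SUB_A},
    {"operationName": SUBSCRIPTION_CREATE_OP, "status": "Succeeded",
     "caller": GUEST_UPN, "subscriptionId": SUB_B},            # guest brings in a subscription
    {"operationName": ROLE_ASSIGN_OP, "status": "Succeeded",
     "caller": GUEST_UPN, "subscriptionId": SUB_B},            # then grants a role inside it
    {"operationName": POLICY_DELETE_OP, "status": "Succeeded",
     "caller": GUEST_UPN, "subscriptionId": SUB_B},            # then removes a policy assignment
    {"operationName": SUBSCRIPTION_CREATE_OP, "status": "Failed",
     "caller": GUEST_UPN, "subscriptionId": SUB_C},            # blocked attempt, reported separately
]


def is_guest_caller(caller, directory=DIRECTORY):
    """userType from the directory snapshot wins; the #EXT# UPN marker is the fallback."""
    user_type = directory.get(caller)
    if user_type is not None:
        return user_type == "Guest"
    return "#EXT#" in caller


def subscription_creations(events, succeeded=True):
    """Subscription-creation events, filtered on whether they succeeded."""
    return [e for e in events
            if e["operationName"] == SUBSCRIPTION_CREATE_OP
            and (e["status"] == "Succeeded") == succeeded]


def guest_created_subscriptions(events, directory=DIRECTORY):
    """Sorted (subscriptionId, caller) pairs for subscriptions created by guest callers."""
    return sorted({(e["subscriptionId"], e["caller"])
                   for e in subscription_creations(events)
                   if is_guest_caller(e["caller"], directory)})


def unapproved_creators(events, allowlist=ALLOWED_SUBSCRIPTION_CREATORS):
    """Callers who created subscriptions without being on the allowlist, guest or not."""
    return sorted({e["caller"] for e in subscription_creations(events)
                   if e["caller"] not in allowlist})


def failed_creation_attempts(events):
    """Creation attempts that did not succeed; a blocked attempt is still worth an alert."""
    return [(e["subscriptionId"], e["caller"]) for e in subscription_creations(events, succeeded=False)]


def follow_on_activity(events, subscription_ids):
    """Per flagged subscription, the operations performed after creation (for triage)."""
    by_sub = defaultdict(list)
    for e in events:
        if e["subscriptionId"] in subscription_ids and e["operationName"] != SUBSCRIPTION_CREATE_OP:
            by_sub[e["subscriptionId"]].append(e["operationName"])
    return dict(by_sub)


if __name__ == "__main__":
    flagged = guest_created_subscriptions(EVENTS)
    for sub_id, caller in flagged:
        print("GUEST-CREATED SUBSCRIPTION", sub_id, "by", caller)
    for caller in unapproved_creators(EVENTS):
        print("CREATOR NOT ON ALLOWLIST  ", caller)
    for sub_id, caller in failed_creation_attempts(EVENTS):
        print("FAILED CREATION ATTEMPT   ", sub_id, "by", caller)
    for sub_id, ops in follow_on_activity(EVENTS, {s for s, _ in flagged}).items():
        print("FOLLOW-ON IN", sub_id, "->", ", ".join(ops))
```

On the constructed events the guest-created subscription is `SUB_B`, its creator is also the only caller outside the allowlist, the blocked attempt on `SUB_C` is listed on its own, and the follow-on summary for `SUB_B` shows the role assignment and the policy-assignment deletion, which are exactly the two consequences (exposing role assignments, weakening policy) the article describes. Feeding real Activity Log exports in would mean mapping the real operation names onto the constants at the top.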

    As the threat landscape continues to evolve with new and innovative attack vectors emerging, staying informed about recent vulnerabilities like this one is vital. Organizations must remain vigilant in addressing risks such as these that can pose a significant challenge to their cybersecurity posture if left unchecked.

    By adopting proactive measures to secure their Entra environments against guest subscription misuse, organizations can significantly reduce the risk of falling victim to these advanced cyber attacks and strengthen their overall security posture against evolving threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Shadow-IT-Menace-How-Non-Human-Identity-Management-Can-Put-Your-Organization-at-Risk-ehn.shtml

  • https://thehackernews.com/2025/06/beware-hidden-risk-in-your-entra.html


  • Published: Wed Jun 25 09:13:06 2025 by llama3.2 3B Q4_K_M












