New Microsoft Azure AD CTS feature can be abused for lateral movement


Microsoft’s new Azure Active Directory Cross-Tenant Synchronization (CTS) feature, introduced in June 2023, has created a new potential attack surface that might allow threat actors to more easily spread laterally to other Azure tenants.

Microsoft tenants are client organizations or sub-organizations in Azure Active Directory that are configured with their own policies, users, and settings.

However, because large organizations are often split into multiple tenants for organizational reasons, it can be convenient to let users be synchronized between authorized tenants that are controlled by the same entity.

In June, Microsoft introduced the Cross-Tenant Synchronization (CTS) feature, which allows an administrator to synchronize users and groups across multiple tenants and tenant resources, offering seamless collaboration, automated lifecycle management for B2B projects, and similar multi-tenant scenarios.
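Because CTS only works when a partner tenant is configured to accept synchronized users, the first defensive step is to audit which partners a tenant allows inbound synchronization and automatic invitation consent for. The following Python script is an added example, not code from the article, Microsoft, or any referenced researcher. It assumes the JSON shape of Microsoft Graph's cross-tenant access policy partner objects (`tenantId`, `automaticUserConsentSettings.inboundAllowed`, `identitySynchronization.userSyncInbound.isSyncAllowed`) as returned by `GET /policies/crossTenantAccessPolicy/partners` with the synchronization settings expanded; the sample response embedded below is constructed, not real tenant data, so the script runs offline.

```python
"""Audit cross-tenant access policy partners for inbound CTS exposure.

Added example (not the article's code). The field names below follow the
Microsoft Graph crossTenantAccessPolicyConfigurationPartner schema as the
author of this example understands it; verify against your tenant's output.
"""
import json
from dataclasses import dataclass
from typing import List

# Constructed sample: two partner tenants. Partner ...0001 both accepts
# synchronized users and auto-redeems invitations, which is the configuration
# that lets a partner push accounts into this tenant without user interaction.
SAMPLE_PARTNERS_JSON = json.dumps({
    "value": [
        {
            "tenantId": "00000000-0000-0000-0000-000000000001",
            "automaticUserConsentSettings": {
                "inboundAllowed": True,
                "outboundAllowed": False,
            },
            "identitySynchronization": {
                "userSyncInbound": {"isSyncAllowed": True},
            },
        },
        {
            "tenantId": "00000000-0000-0000-0000-000000000002",
            "automaticUserConsentSettings": {
                "inboundAllowed": None,   # null = inherit default (off)
                "outboundAllowed": None,
            },
            "identitySynchronization": None,  # no sync configuration at all
        },
    ]
})


@dataclass
class PartnerFinding:
    """Inbound-exposure summary for one partner tenant."""
    tenant_id: str
    inbound_sync_allowed: bool
    inbound_auto_consent: bool

    @property
    def risk(self) -> str:
        # Both settings together let a partner create users here silently.
        if self.inbound_sync_allowed and self.inbound_auto_consent:
            return "HIGH"
        if self.inbound_sync_allowed or self.inbound_auto_consent:
            return "MEDIUM"
        return "LOW"


def _truthy(value) -> bool:
    """Graph returns null for 'inherit default'; treat null as not allowed."""
    return value is True


def audit_partners(raw_json: str) -> List[PartnerFinding]:
    """Parse a partners listing and summarize each partner's inbound exposure."""
    body = json.loads(raw_json)
    findings: List[PartnerFinding] = []
    for partner in body.get("value", []):
        consent = partner.get("automaticUserConsentSettings") or {}
        sync = partner.get("identitySynchronization") or {}
        sync_inbound = sync.get("userSyncInbound") or {}
        findings.append(PartnerFinding(
            tenant_id=partner.get("tenantId", "<unknown>"),
            inbound_sync_allowed=_truthy(sync_inbound.get("isSyncAllowed")),
            inbound_auto_consent=_truthy(consent.get("inboundAllowed")),
        ))
    return findings


def high_risk_tenants(findings: List[PartnerFinding]) -> List[str]:
    """Tenant IDs that should be reviewed first."""
    return [f.tenant_id for f in findings if f.risk == "HIGH"]


if __name__ == "__main__":
    results = audit_partners(SAMPLE_PARTNERS_JSON)
    for finding in results:
        print(f"{finding.tenant_id}  sync_in={finding.inbound_sync_allowed}  "
              f"auto_consent_in={finding.inbound_auto_consent}  risk={finding.risk}")
    print("review first:", high_risk_tenants(results))
```

Any partner reported as HIGH is one whose administrators can provision accounts into the audited tenant; confirm that each such tenant is genuinely owned by the same organization, and treat new partner entries or a flip of these two settings from null to true as events worth alerting on.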

