CISA and CrowdStrike Tools Make Detecting Compromised Microsoft 365 Accounts Easier

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a PowerShell-based tool to help organizations detect compromised accounts and applications in Microsoft Azure and 365.

Following the SolarWinds attack in late 2020, in which malicious SolarWinds files could have given nation-state actors access to networks, Microsoft outlined the complex techniques used in the attack.

Post-Compromise Threat Activity in Microsoft Azure and 365

The attack involved compromising a network through malicious code in the SolarWinds Orion product. It allowed the attacker to elevate privileges and get access to an organization’s trusted SAML token-signing certificate. Security Assertion Markup Language (SAML) is an open standard that facilitates user logon to on-premises and cloud services. The attacker could then forge SAML tokens to impersonate the organization’s existing users, including privileged accounts.

An attacker could access any resource that trusts an organization’s SAML token-signing certificate. And because the signing certificate is the basis on which federated trust relationships are formed, service providers like Microsoft Azure might not detect forged tokens.

Microsoft says that the built-in security and monitoring features in its cloud were able to detect anomalies in SAML authentication, and that Microsoft Defender malware definitions have been updated to detect the malicious SolarWinds files.

CISA Sparrow

The CISA PowerShell tool is designed to detect unusual activity that might impact a Microsoft 365 or Azure environment.

“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”

The tool (sparrow.ps1) is available for free on GitHub. It can be used by incident responders to narrow the scope of user and application activity that might indicate authentication-based attacks. The tool checks the unified audit log in Azure for indicators of compromise, lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to alert incident responders to potentially malicious activity.
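As an added illustration (not Sparrow's own code), the following PowerShell sketches the kind of unified audit log triage the CISA tool performs: it takes audit records in the AuditData shape returned by Search-UnifiedAuditLog (here a constructed sample embedded inline instead of a live query) and flags operations associated with identity-based tradecraft, such as changes to domain federation settings and new credentials added to service principals. The operation strings and field names follow the Azure AD audit schema as I know it and are assumptions to verify against your own tenant's output.

```powershell
# Added example: offline triage of unified audit log records.
# Constructed sample mimicking the AuditData JSON that Search-UnifiedAuditLog
# returns (live output is one JSON string per record; this sample is one array).
$SampleAuditData = @'
[
  {"CreationTime":"2020-12-14T02:11:09","Operation":"UserLoggedIn","UserId":"alice@contoso.example","Workload":"AzureActiveDirectory","ObjectId":"Unknown"},
  {"CreationTime":"2020-12-14T02:15:41","Operation":"Set federation settings on domain.","UserId":"svc-admin@contoso.example","Workload":"AzureActiveDirectory","ObjectId":"contoso.example"},
  {"CreationTime":"2020-12-14T02:20:03","Operation":"Add service principal credentials.","UserId":"svc-admin@contoso.example","Workload":"AzureActiveDirectory","ObjectId":"ServicePrincipal_00000000-0000-0000-0000-000000000001"},
  {"CreationTime":"2020-12-14T03:02:55","Operation":"FileAccessed","UserId":"bob@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/doc.docx"}
]
'@

# Operations worth a second look in an identity-focused investigation.
# Strings follow Azure AD audit log operation names (assumption; confirm in your tenant).
$SuspiciousOperations = @(
    'Set federation settings on domain.',
    'Set domain authentication.',
    'Add service principal credentials.'
)

function Find-SuspiciousAuditRecords {
    param(
        [Parameter(Mandatory)] [string[]] $AuditDataJson,
        [string[]] $Operations = $SuspiciousOperations
    )
    # Each input string is parsed; a JSON array expands to one object per record.
    $records = $AuditDataJson | ConvertFrom-Json
    foreach ($r in $records) {
        if ($Operations -contains $r.Operation) {
            # One compact finding per hit; a responder pivots on Actor and Target.
            [pscustomobject]@{
                Time      = [datetime]$r.CreationTime
                Operation = $r.Operation
                Actor     = $r.UserId
                Target    = $r.ObjectId
            }
        }
    }
}

# Against a live tenant, after Connect-ExchangeOnline, feed the function something like:
#   (Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType AzureActiveDirectory -ResultSize 5000).AuditData
Find-SuspiciousAuditRecords -AuditDataJson $SampleAuditData | Format-Table -AutoSize
```

On the constructed sample the function returns the two svc-admin records (the federation change and the service principal credential addition) and ignores the ordinary sign-in and file access.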

CrowdStrike Reporting Tool for Azure

Not to be left out, CrowdStrike has also created a PowerShell reporting tool for Azure. The tool is designed a bit differently from the CISA effort. CrowdStrike’s script is free and can be downloaded from GitHub.

The script is designed to expose information about permissions and configuration settings that are hard to find in Azure, like Mail Forwarding Rules for Remote Domains, Exchange Online PowerShell Enabled Users, and Service Principal Objects with KeyCredentials.

The tool came about as CrowdStrike was investigating whether its own systems had been compromised as part of the SolarWinds attack. Microsoft had informed the company that an Azure reseller’s compromised account was being used to try to read CrowdStrike emails. The attempted breach turned out to be unsuccessful.

SAML authentication-based attacks aren’t unique to Microsoft platforms

While these two tools have been designed to work specifically with Azure and Microsoft 365, the SAML issue exploited during the SolarWinds attack isn’t unique to Microsoft. SAML is widely used, and the same token-forging technique could affect other organizations and service providers.