Daily Blog #775: An Azure log entry to look for when a threat actor is in



Hello Reader,

 One of the trends I've been noticing when a threat actor first gets into Azure or Microsoft 365 accounts is that they will immediately look to see how many other third-party services they can access from that account. This lets them expand their reach into additional services, clouds and systems without needing any additional credentials. Within Azure this is called 'My Apps', and you can reach it by clicking on your user profile picture in the upper right-hand corner and then clicking on My Apps on the bottom left, as shown below.

[Screenshot: the My Apps link at the bottom left of the user profile menu in the Azure portal]

 When you click on 'My Apps' you'll then see the list of integrated apps your user has been provisioned for:

[Screenshot: the My Apps page listing the integrated applications provisioned for the user]

 As you can see here, my user has been provisioned for SSO access into AWS, which means that with this one compromised account I could pivot into AWS using the same credentials. For larger enterprises there can be a large number of these applications available, all allowing authentication with the existing credentials.


To see this in the logs, go to Entra ID and then Sign-in logs, where you can see the user's accesses to My Apps as shown below.

[Screenshot: Entra ID sign-in log entries showing the user's sign-ins to the My Apps application]

So the next time you are working an Azure incident, make sure to keep an eye out for My Apps access; then you can begin the long process of determining how many apps you will have to review to establish the total impact.
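Here is an added example of doing this triage over an exported copy of the sign-in logs rather than by eye in the portal. This is not code from the post; it assumes the export is a JSON array in the shape of Microsoft Graph `signIn` records (fields such as `createdDateTime`, `userPrincipalName`, `appDisplayName`, `ipAddress` and `status.errorCode`), that a My Apps visit shows up with the application name "My Apps" as in the screenshot above, and it goes one step beyond the post: after flagging each successful My Apps visit it lists the other applications the same user signed into within a two-hour window, which is the starting point for the app review the post describes. The sample records and the two-hour window are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export shaped like Microsoft Graph signIn records
# (field names follow the Graph signIn resource; every value here is made up).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-03-12T14:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft 365", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-12T14:05:40Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "My Apps", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-12T14:07:03Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "AWS", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-12T14:09:55Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Salesforce", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-12T15:30:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft 365", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-12T16:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "My Apps", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
])

MY_APPS = "My Apps"  # application name the My Apps portal sign-in carries in the log (assumed)


def parse_signins(text):
    """Load a JSON array of sign-in records and return them sorted by time."""
    rows = json.loads(text)
    for r in rows:
        r["_ts"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["_ts"])


def succeeded(row):
    """Entra reports a successful sign-in as status.errorCode == 0."""
    return row.get("status", {}).get("errorCode", 0) == 0


def find_my_apps_access(signins, successful_only=True):
    """Sign-ins whose target application is the My Apps portal."""
    return [r for r in signins
            if r.get("appDisplayName") == MY_APPS and (succeeded(r) or not successful_only)]


def apps_reached_after(signins, visit, window=timedelta(hours=2)):
    """Distinct applications (other than My Apps) the same user signed into within
    `window` after a My Apps visit: the candidate list of apps to review for impact."""
    end = visit["_ts"] + window
    apps = []
    for r in signins:
        if (r["userPrincipalName"] == visit["userPrincipalName"]
                and r["appDisplayName"] != MY_APPS
                and succeeded(r)
                and visit["_ts"] < r["_ts"] <= end
                and r["appDisplayName"] not in apps):
            apps.append(r["appDisplayName"])
    return apps


def triage(text, window=timedelta(hours=2)):
    """Per user: successful My Apps visits (time, source IP) and the apps to review."""
    signins = parse_signins(text)
    report = {}
    for visit in find_my_apps_access(signins):
        entry = report.setdefault(visit["userPrincipalName"],
                                  {"my_apps_visits": [], "apps_to_review": []})
        entry["my_apps_visits"].append((visit["createdDateTime"], visit["ipAddress"]))
        for app in apps_reached_after(signins, visit, window):
            if app not in entry["apps_to_review"]:
                entry["apps_to_review"].append(app)
    return report


if __name__ == "__main__":
    for user, info in triage(SAMPLE_SIGNINS).items():
        print(user)
        for ts, ip in info["my_apps_visits"]:
            print(f"  My Apps visit at {ts} from {ip}")
        print(f"  apps to review: {', '.join(info['apps_to_review']) or 'none'}")
```

Run against a real export, the failed My Apps attempt in the sample (error code 50126) is deliberately kept out of the visit list but is still worth a look with `successful_only=False`, since a burst of failed attempts against My Apps from a new IP is itself a signal. The window is a tuning knob: widen it if the actor came back later in the session, and compare the source IP of the My Apps visit with the user's earlier sign-ins, as in the sample where the visit arrives from an address the user had not used before.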

