By Ilan Kalendarov, Security Researcher, and Elad Beber, Security and Vulnerability Researcher, of Cymulate
As modern networks grow more sprawling and access needs become increasingly complex, organizations need solutions that can help them manage authentication across their entire digital environment. Today’s businesses are leveraging both on-premises infrastructure and cloud (or even multi-cloud) solutions, and tools like Microsoft Entra ID (formerly known as Azure Active Directory, or AAD) that can help sync data and manage user access across all these environments are—naturally—in high demand. Entra ID is extremely adept at streamlining authentication, making life significantly easier for IT and security staff—but it also comes with potential vulnerabilities. Like an on-premises Active Directory (AD) solution, Entra ID touches nearly every element of an organization’s digital infrastructure, which means keeping it secure must be a priority.
Cymulate researchers recently discovered a concerning Entra ID vulnerability when syncing multiple on-premises AD domains to an Azure tenant. When this happens, attackers can gain unauthorized access by exploiting pass-through authentication (PTA) agents for different on-premises domains. These attackers can manipulate the credential validation process in a way that allows them to bypass standard security checks, gaining elevated access to otherwise protected environments. This is known as a “double agent” attack: It effectively turns the PTA agent into an ally for the attacker, granting login privileges to any synced AD user, regardless of whether they have the correct password. The potential danger here is significant—especially if an attacker can log in as an administrator or other high-privilege user—and organizations need to know how to defend against these attacks.
Understanding PTA and How Attackers Can Exploit It
Microsoft describes pass-through authentication as a process that allows users to “sign in to both on-premises and cloud-based applications using the same passwords.” The utility here is clear: It lowers the number of passwords employees need to manage, reducing friction (not to mention password reset requests). According to Microsoft, the feature “validates users’ passwords directly against your on-premises Active Directory” via an authentication agent. Once the on-premises AD validates (or rejects) the request, the authentication agent returns the appropriate response to the user, granting or denying access to the requested application. Rather than having separate login systems for cloud and on-premises applications, all the necessary authentication processes happen out of sight.
Unfortunately, the system isn’t always perfect. Researchers recently uncovered something strange: Sometimes, when attempting to log in as a synced user, the system would respond with an “incorrect password” error. But after a few more tries, the system would allow the login to proceed—even though the researchers were inputting in the same password. Clearly, something was wrong—and while, at first, it seemed like the browser agent might be the culprit, that ultimately proved not to be the case. Instead, researchers discovered that PTA agents were randomly retrieving login requests behind the scenes—and if a request was retrieved by an agent from a different synced domain, the login attempt would fail. This makes sense (the AD server would not recognize a user from a different domain, after all), but it creates a poor user experience.
Worse, it creates a potential vulnerability for attackers to exploit. When a synced user tries to log into Microsoft Entra ID, it doesn’t matter what the user’s origin domain is—a PTA agent will retrieve it from the queue. If the incorrect agent retrieves it, the attempt will fail, and it will continue to fail until the correct agent happens to retrieve it from the queue. Knowing this, researchers could inject an unmanaged dynamic-link library (DLL) into the PTA agent process that allowed them to control the return value of the function. In simpler terms, they were able to ensure that the PTA agent would return a favorable response, whether or not the user credentials making the request came from the correct domain. As a result, they could bypass the authentication process, effectively logging in as any user from a synced on-premises AD. This is, to put it lightly, not ideal.
Mitigating the Potential Danger
After confirming the extent of the vulnerability, the researchers conveyed their discovery to Microsoft. The company indicated that it intends to fix the code on its end, though there are no current plans to issue a CVE specific to this threat. In the meantime, Microsoft recommends treating the Entra Connect server where the vulnerability lives as a Tier 0 component. Tier 0 components are an organization’s most critical IT assets, considered high-value targets for attackers, and demand additional security measures to ensure they are adequately protected. Specifically, Microsoft recommends “hardening the Microsoft Entra Connect server as a Control Plane asset by following the guidance provided in Secure Privileged Access.”
Organizations can also implement an additional layer of protection by ensuring that multifactor authentication (MFA) is enabled for all synced users. While MFA is not a one-size-fits-all solution, it is an effective way to mitigate this type of attack by preventing attackers from moving laterally to the cloud. In fact, MFA remains one of the most effective ways to derail a wide range of attacks—but adoption remains surprisingly low. This new Entra ID exploit underscores the fact that basic security practices like implementing MFA continue to have an outsized impact on an organization’s risk posture.
Microsoft will likely implement domain-aware routing as part of the fix here, ensuring that authentication requests are directed to the appropriate PTA agent and eliminating both the user experience problems and the risk of exploitation. Establishing a logical separation between various on-premises domains within the same tenant is another potential solution that Microsoft could choose to pursue. In the meantime, organizations should ensure they are taking the appropriate steps to secure their environments, putting MFA protections in place and hardening their Entra Connect servers according to the guidance provided by Microsoft. With these measures, organizations can avoid becoming an easy target for opportunistic attackers.
About the Authors
Ilan Kalendarov is a Security Researcher at Cymulate.
Elad Beber is a Security and Vulnerability Researcher at Cymulate.
About the Author
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.