Securing Non-Human Identities in Microsoft 365 & Azure AD

To streamline workflows and maximize its functionality, Microsoft 365 & Azure Active Directory (AAD) can be connected to thousands of apps and services, as well as a large number of non-marketplace apps that can be connected via NHIs like webhooks, OAuth tokens, API keys and workflow automation platforms. Each and every NHI that connects Microsoft 365 and third-party apps poses a security threat to your company, from supply chain attacks to data breaches and compliance violations.

The risks of unmonitored non-human identities to Microsoft 365 environments

The recent year has seen an uptick in attacks carried out via third-party NHIs, as cyber criminals exploit this ungoverned access to penetrate companies’ Microsoft 365 environments. Here are just some examples:

• Microsoft Midnight Blizzard (January 2024): Russian state-sponsored threat actors abused OAuth applications as part of their attack against the company’s corporate environment. Microsoft’s Office 365 email server was breached, and internal email correspondences of Microsoft employees’ were exposed.
• Microsoft365 Forged Access Token (July 2023): Inactive signing key was stolen from a possibly breached enterprise Azure system, and used to sign and create valid email access tokens, which were erroneously accepted by the Azure AD cloud system of several of its customers. This allowed the hackers to expand their reach to Office365 used by all organizations sharing the same Azure AD cloud environment. 
• Microsoft SAS Key (September 2023): A SAS token that was published by Microsoft’s AI researchers actually granted full access to the entire Storage account it was created on, leading to a leak of over 38TB of extremely sensitive information. These permissions were exposed to attackers for over 2 years.
• Microsoft OAuth Phishing Attack (December 2022): Malicious OAuth apps were used to steal customers’ emails. The threat actors then used these accounts to register verified OAuth apps in Azure AD for consent phishing attacks targeting corporate users in the UK and Ireland.
• Microsoft OAuth (September 2022): By exploiting OAuth integrations, malicious applications were deployed on compromised cloud tenants. From there, they modified Exchange Online settings to spread spam

Your Microsoft 365 environment could be more exposed than you think

Using the Astrix Security platform, we discovered that organizations’ Microsoft environments are far more exposed to ungoverned NHI access than one might think. 

From our research we discovered Microsoft environments have: 

• Hundreds of connections to third-party applications and cloud services.
• New NHIs created on a weekly basis.
• The majority of NHIs grant access to applications originating from non-marketplace sources which means they are not vetted.
• Some access granted between Microsoft 365 environments and other apps is no longer used. 
• NHIs were configured with complete (and unnecessary) admin permissions. 
• Many of the NHIs had third-party apps and services of low-reputation vendors behind them.

How Astrix helps secure your Microsoft environment

1. Get a full inventory of all non-human identities accessing your Microsoft 365 environment. M365 has a huge variety of connection types that you can’t really see without Astrix. 
2. Detect anomalous behavior for each token accessing your Microsoft 365 environment. Astrix’s anomaly detection is based on a correlation of different IoCs (Indicators of Compromise) and real-time threat intelligence. In addition, Astrix engines watch for anomalous behavior for each NHIs in your M365 environment. 
3. Get alerts only on risks that expose you to supply chain attacks, data breaches, and compliance violations, and easily remediate them through automated workflows.