Introduction
When it comes to securing Azure Active Directory (Azure AD) environments, identity management is crucial. However, a common but often overlooked threat remains: attackers exploiting Access Tokens for unauthorized access to cloud resources. Azure AD tokens, typically used to authenticate users and services, are powerful tools that grant access to sensitive resources in the cloud. But what happens if an attacker steals one of these tokens? This is where the Pass-the-Token attack comes into play, and it can lead to an organization-wide breach in seconds. In a world where identity is the new perimeter, this attack method underscores the critical need for robust token management and access controls.
Why This Happens: Tokens Are the Gateway to Your Cloud Resources
Access Tokens in Azure AD authenticate users, services, and applications to Azure resources without requiring a password. However, if an attacker gains access to a valid token, either through phishing, a vulnerability, or poor token management, they can impersonate the legitimate user or service and access cloud resources without further authentication. Once an attacker has a valid token, they can “pass” it to other services and escalate their privileges within your environment.
This attack is particularly effective because tokens are often treated as the holy grail of authentication. When an attacker successfully steals an Azure AD Access Token, they essentially "inherit" the privileges of the user or service associated with that token, granting them access to various resources and allowing them to execute commands across your Azure environment.
Real Attack Flow Example
- Initial Breach (Phishing or Credential Theft) - The attacker targets a user or administrator through phishing and obtains their Azure AD credentials. When the attacker signs in with the compromised account, Azure AD issues an Access Token.
- Token Retrieval - With the stolen credentials, the attacker can issue a request to Azure AD’s token endpoint. Using the acquired Access Token, the attacker authenticates and gains access to any resource the token's original user could access.
- Access Azure Resources with the Token - The attacker now has the ability to interact with cloud services using the stolen Access Token. For example, by making an API call to Azure Key Vault, the attacker could retrieve secrets, or by calling ARM, they could create, modify, or delete resources.
- Privilege Escalation and Lateral Movement - After using the initial Access Token to gain access, the attacker can escalate privileges by requesting higher-level tokens or exploiting misconfigured roles. Even if the initial token only provides read access, the attacker may find ways to elevate their permissions, either through weak role assignments or by exploiting service misconfigurations.
Stealing Tokens from Azure Functions
In some cases, attackers don’t need to compromise user credentials directly: they can extract tokens from running Azure Functions. Azure Functions often use Managed Identities or service principals to authenticate to other Azure services. These identities are granted access tokens via the internal Azure Instance Metadata Service (IMDS). If an attacker compromises the function app environment, such as through remote code execution, misconfigured permissions, or vulnerable dependencies, they can query the IMDS endpoint and retrieve access tokens issued to that function.
For example, the endpoint http://169.254.169.254/metadata/identity/oauth2/token is available from within the Azure Function's execution environment and can be used to fetch tokens, provided a valid request is made. Attackers commonly abuse this endpoint using SSRF vulnerabilities or by injecting malicious code into the function runtime to retrieve tokens for accessing other services like Azure Key Vault, Storage, or even Microsoft Graph.
Case: SSRF and Token Exposure
Server-Side Request Forgery (SSRF) is one of the most effective ways attackers steal tokens from Azure Functions. If an attacker can trick a function into making an outbound call to the IMDS endpoint, they can capture the access token issued to that function’s identity. This token can then be replayed from outside the environment to authenticate and interact with other services, depending on the permissions assigned.
A poorly configured function with broad role assignments (like Contributor or Owner) can open the door to complete takeover scenarios. Once the attacker obtains the token, it becomes a matter of enumerating services, reading secrets, or modifying configurations across the Azure tenant.
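As a defensive counterpart to the SSRF case above, here is an added example (not code from the original post) of the outbound-URL check a function should apply before fetching any caller-influenced URL: it refuses link-local, loopback and private destinations, including the IMDS address, and checks every address a hostname resolves to. The resolver hook and the hostnames used with it are assumptions so the check can run offline.

```python
"""Outbound-URL guard for caller-influenced requests inside a function app.
Added example, not code from the original post. The resolver hook lets the
check run offline; hostnames used with it are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    """Every address a name resolves to; one safe record is not enough."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_safe_address(addr):
    """False for link-local (IMDS answers on 169.254.169.254), loopback,
    private, multicast, reserved and unspecified addresses."""
    a = ipaddress.ip_address(addr)
    if a.version == 6 and a.ipv4_mapped:  # ::ffff:169.254.169.254 and friends
        a = a.ipv4_mapped
    return not (a.is_link_local or a.is_loopback or a.is_private
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason); ok=False means the request must not be sent."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)  # literal address: no lookup needed
        addrs = [host]
    except ValueError:
        # Names and odd encodings (e.g. the decimal form "2852039166") go
        # through the resolver and every returned address is checked.
        addrs = resolver(host)
        if not addrs:
            return False, f"could not resolve {host!r}"
    for a in addrs:
        if not is_safe_address(a):
            return False, f"{host!r} maps to blocked address {a}"
    # Caveat: resolve-then-connect leaves a DNS rebinding window; pin the
    # checked address when connecting, or enforce the block at the network layer.
    return True, "ok"
```

Pair this with an allow-list of the hosts the function legitimately calls; the address check is the backstop, not the only control.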
Real-World Examples
In 2023, Microsoft reported a case where attackers successfully exploited an Azure AD token through a series of chained vulnerabilities. They initially gained access to a user's account via a phishing attack. The attackers then used the stolen credentials to retrieve the Access Token, which allowed them to authenticate and move laterally within the environment.
Once the attackers obtained the token, they didn’t just stop at accessing the initial target. They escalated their attack by "passing" the token to other Azure services, such as Key Vault, Azure Resource Manager (ARM), and Storage Accounts, giving them the ability to read sensitive data, modify configurations, and even delete critical resources. While this particular attack was mitigated due to the discovery of misconfigured permissions, it serves as a stark reminder that gaining a foothold with a single stolen token can result in full cloud control.
Detection & Mitigation
- Monitor Token Use - It is critical to monitor the use of Access Tokens in your environment. Any abnormal or unexpected use of a token should trigger an alert. For instance, if an Access Token is used in a way it was not originally intended (such as accessing resources outside the user's regular scope), this could indicate that the token was stolen.
- Enforce MFA and Conditional Access - While MFA cannot directly protect tokens once they are issued, enforcing MFA at sign-in and using Conditional Access policies can reduce the risk of initial token theft. By ensuring that tokens are only issued to sign-ins from trusted locations or devices, you limit the attack surface.
- Use Just-In-Time Access for Privileged Accounts - Limit the duration that high-privilege tokens are valid by using Just-In-Time (JIT) access controls. This can prevent tokens from being valid for extended periods and reduce the impact of stolen tokens.
- Implement Token Expiration and Rotation - Ensure that Access Tokens are short-lived and regularly rotated. Implementing token expiration and automated rotation can limit the window of opportunity for attackers to exploit stolen tokens.
- Limit Token Scope with Least Privilege - Use Least Privilege principles when assigning roles to users, services, and applications. Ensure that tokens issued to any entity are scoped to the minimum required permissions. This reduces the damage an attacker can do if they successfully steal a token.
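To make the "Monitor Token Use" point concrete, the following added example (not from the original post) runs two checks over constructed sign-in style records: a session or token that reappears from a network other than the one it was first seen on, and an identity reaching a resource outside its learned baseline. The record fields, identities and addresses are assumptions, not a real Azure AD export schema.

```python
"""Anomalous Access Token use over constructed sign-in style events (added
example, not code from the original post). Field names (user, ip, resource,
session, ts) are assumptions, not a real Azure AD export schema."""
import ipaddress
import json

# Constructed history: what normal looks like for each identity.
BASELINE = [
    {"user": "alice@contoso.example", "resource": "Microsoft Graph"},
    {"user": "alice@contoso.example", "resource": "Azure Storage"},
    {"user": "svc-func@contoso.example", "resource": "Azure Key Vault"},
]

# Constructed events: session s-101 later appears from a new network and
# reaches a resource alice has never used.
EVENTS = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice@contoso.example","ip":"198.51.100.23","resource":"Microsoft Graph","session":"s-101"}
{"ts":"2024-05-01T09:03:00Z","user":"alice@contoso.example","ip":"203.0.113.9","resource":"Microsoft Graph","session":"s-101"}
{"ts":"2024-05-01T09:05:00Z","user":"alice@contoso.example","ip":"203.0.113.9","resource":"Azure Key Vault","session":"s-101"}
{"ts":"2024-05-01T09:10:00Z","user":"svc-func@contoso.example","ip":"20.0.0.12","resource":"Azure Key Vault","session":"s-202"}
"""

def net24(ip):
    # Compare at /24 granularity so a renewed DHCP lease alone is not an alert.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def build_baseline(records):
    """Map each identity to the resources it is normally seen using."""
    base = {}
    for r in records:
        base.setdefault(r["user"], set()).add(r["resource"])
    return base

def detect(event_lines, baseline):
    """Return (session, rule, detail) findings; one replay finding per session."""
    findings, first_net, replayed = [], {}, set()
    for line in event_lines.strip().splitlines():
        e = json.loads(line)
        user, net, sess = e["user"], net24(e["ip"]), e["session"]
        origin = first_net.setdefault(sess, net)
        # Rule 1: token issued to one network, now replayed from another.
        # Noisy alone (roaming users); pair with location/ASN and risk signals.
        if net != origin and sess not in replayed:
            replayed.add(sess)
            findings.append((sess, "token-replay", f"{user}: {origin} -> {net}"))
        # Rule 2: access to a resource outside the identity's learned scope.
        if e["resource"] not in baseline.get(user, set()):
            findings.append((sess, "new-resource", f"{user} reached {e['resource']}"))
    return findings
```

In a real tenant the same two rules are expressed over the sign-in and audit log tables of your SIEM; the baseline window should be long enough to cover an identity's normal monthly activity.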
Conclusion
The Pass-the-Token attack highlights the crucial need to protect and monitor Azure AD Access Tokens. What may seem like a simple authentication mechanism can, in the wrong hands, become a gateway to an entire Azure environment. By implementing proper monitoring, token management, and access control policies, organizations can dramatically reduce the risk posed by stolen tokens and ensure that their cloud environments remain secure. In the ever-evolving landscape of cloud security, it's essential to not only focus on authentication but to also safeguard the powerful tokens that grant access to critical resources.
Cyngular Security's CIRA Platform
To further secure your cloud environment, consider integrating Cyngular Security's CIRA platform. It enhances your security posture by providing advanced investigation and response capabilities, enabling your team to address threats swiftly and effectively. By adopting Cyngular Security's CIRA, you empower your organization with proactive and automated security measures that protect your cloud assets.
Get a Free Breach Assessment
Protect your cybersecurity infrastructure with a complimentary breach assessment from Cyngular:
- Safe and Non-disruptive: Conducted with read-only access to ensure no operational disruption.
- Easy Setup: Integrates seamlessly with your existing SIEM systems.
- Deep Insights: Empowers your cybersecurity strategy with advanced threat hunting and proactive investigation capabilities.
Request your free Proof-of-Value today and lead the way in cybersecurity innovation with Cyngular.