Cloud Security, Vulnerability Management

Potential exploitation of new Microsoft Azure AD feature detailed

Threat actors with elevated privileges could abuse the recently introduced Cross-Tenant Synchronization (CTS) feature in Microsoft Azure Active Directory to move laterally to other tenants and establish network persistence, BleepingComputer reports. In an already compromised tenant, an attacker could examine the CTS configurations to discover other tenants that have allowed "Outbound Sync," then change the configuration of the CTS syncing app to add the compromised user to its sync scope, eventually obtaining additional tenant network access without having to input new user credentials, a Vectra report revealed. Attackers could also distribute new malicious CTS policies that activate "Automatic User Consent" and "Inbound Sync," which would permit tenant access even after rogue accounts are removed. Although Azure AD CTS has not been exploited in the wild, organizations have been urged to strengthen their configurations by eschewing default CTA configurations and by restricting cloud environment access.
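A defender-side check for the policy changes described above, added here as an example and not taken from the Vectra report or from Microsoft: it scans an export of cross-tenant access partner settings for "Inbound Sync" or "Automatic User Consent" enabled toward tenants outside an approved list. The field names are assumed to match Microsoft Graph partner objects with the identity synchronization policy expanded; the tenant IDs, allowlist and sample data are constructed.

```python
# Added example: flag cross-tenant access partners that allow inbound sync or
# automatic user consent. Field names are an assumption; all data is constructed.
APPROVED = {"11111111-1111-1111-1111-111111111111"}  # hypothetical allowlist

SAMPLE_PARTNERS = [  # constructed sample export
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "automaticUserConsentSettings": {"inboundAllowed": True},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}}},
    {"tenantId": "22222222-2222-2222-2222-222222222222",
     "automaticUserConsentSettings": {"inboundAllowed": True},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}}},
    {"tenantId": "33333333-3333-3333-3333-333333333333",
     "automaticUserConsentSettings": {"inboundAllowed": True},
     "identitySynchronization": None},
    {"tenantId": "44444444-4444-4444-4444-444444444444"},
]


def enabled(obj, *path):
    """Follow nested keys; a missing or null setting counts as disabled."""
    for key in path:
        if not isinstance(obj, dict):
            return False
        obj = obj.get(key)
    return obj is True


def audit_partners(partners, approved):
    """Return one finding per partner with inbound sync or auto consent on."""
    findings = []
    for partner in partners:
        tenant = partner.get("tenantId", "<missing>")
        sync = enabled(partner, "identitySynchronization", "userSyncInbound", "isSyncAllowed")
        consent = enabled(partner, "automaticUserConsentSettings", "inboundAllowed")
        if not (sync or consent):
            continue
        if tenant in approved:
            severity = "info"      # expected partner, keep for periodic review
        elif sync and consent:
            severity = "high"      # both settings on for an unapproved tenant
        else:
            severity = "medium"
        findings.append({"tenantId": tenant, "inboundSync": sync,
                         "autoConsent": consent, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_partners(SAMPLE_PARTNERS, APPROVED):
        print(finding)
```

Comparing successive runs against the same allowlist shows when a partner entry appears or changes without an approved change request.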
