An Azure Active Directory (AD) app with an abandoned reply URL address was recently observed, a situation that could let an attacker leverage the abandoned URL to redirect authorization codes to themselves, exchanging the fraudulently obtained authorization codes for access tokens.
In a blog post Aug. 24 the Secureworks Counter Threat Unit (CTU) said a threat actor could potentially then call Microsoft’s Power Platform API via a middle-tier service and obtain elevated privileges to launch attacks.
The CTU researchers reported the issue to Microsoft at the beginning of April. They said Microsoft quickly confirmed privilege escalation was possible and assigned a critical severity rating. Within 24 hours of CTU notification, Microsoft removed the abandoned reply URL from the Azure AD app.
According to Microsoft, a redirect URI or reply URL is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. The authorization server then sends the code or token to the redirect URI, so Microsoft advises security teams to register the correct location as part of the app registration process.
The CTU researchers said they have no evidence that the issues around the specific abandoned reply URLs it identified has been abused as of the publication of its Aug. 24 blog. The researchers said because the identified application is managed by the vendor, organizations cannot mitigate this issue directly.
“The only option would be deleting the service principal, which would nullify any legitimate use of the app,” said the CTU researchers. “We recommend monitoring for abandoned reply URLs.”
Zane Bond, head of product at Keeper Security, said this exploit is novel in that it leverages a specific reply URL, where a server sends the authorized user for their authorization code or access token. Bond said the attack effectively runs as a more stealthy Man-in-the-Middle (MITM) attack that does not rely on user error or having to input MFA codes multiple times.
“It uses a real webpage — in this case, the abandoned reply URLs — for cybercriminals to redirect authorization codes to themselves,” said Bond. “It’s an interesting spin on a common attack vector. Because this cannot be mitigated directly, it serves as a warning for organizations to be hyper-vigilant about having plans to properly sunset old systems when new ones come online.”
Nick Rago, Field CTO at Salt Security, added that many recent API attack campaigns have involved an initial wave of a social engineering attacks. Rago said for an adversary to achieve Power Platform Privilege Escalation in the manner reported here, the adversary must first spear-phish a victim with privileges into clicking a malicious link to kick off the next wave of the campaign.
“This incident serves as an important reminder that organizations must remain vigilant in educating their teams about social engineering attacks,” Rago said. “Because the API is hosted by the vendor in this case, the vendor must also proactively monitor for abandoned redirect URLs.”
