Researchers demonstrated that many Azure services expose an owning tenant ID via authentication-related HTTP responses, enabling attribution of publicly enumerable resource hostnames to specific tenants. They released ATEAM (Azure Tenant Enumeration and Attribution Module) to automate large-scale discovery and mapping of these resources. #Azure #ATEAM
Keypoints
- Many Azure resources are addressed through predictable hostnames under fixed service suffixes (e.g., <StorageName>.blob.core.windows.net), so candidate names can be confirmed as live via DNS resolution and certificate transparency records.
- Certain Azure services that use Entra ID authentication reveal a tenant ID in authentication-related headers (e.g., WWW-Authenticate, Location, Report-To).
- Tenant IDs can be resolved to tenant domains via the Microsoft Graph API, enabling attribution of resources to organizations, including private endpoint resources.
- Impacted services include Storage Accounts, Key Vaults, App Services, SharePoint, Databricks, Azure ML, DevOps, and any resource whose management.azure.com URL (which also carries the subscription ID) is exposed.
- The authors built ATEAM to automate enumeration, tenant extraction, and reporting at scale, storing results in a local SQLite DB and exporting CSV/JSON/HTML.
- Large-scale enumeration produced ~1 million keywords for resource discovery and identified live resources across multiple service types.
- Issues were reported to MSRC with coordinated disclosure; Microsoft acknowledged the findings and indicated further investigation into mitigations.
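The attribution chain described in the key points (predictable hostname, unauthenticated request, tenant GUID in an authentication header, tenant ID to domain via Graph), as an added example that is not ATEAM's code. The storage-account challenge used as sample input is the one quoted on this page; the other sample responses are constructed. The request path used by the live probe, the Microsoft Graph endpoint, and the suffix list are assumptions, not taken from the research; the `tenant_domain` call needs a real bearer token and is not exercised offline.

```python
"""Extract an Entra tenant ID from the authentication challenge an Azure
resource returns to an unauthenticated request, and map hostnames to tenants.
Added example; not ATEAM's code."""
import http.client
import json
import re
import ssl
from typing import Callable, Dict, List, Optional

# Tenant IDs are GUIDs; the tenant-bearing URL is login.microsoftonline.com/<guid>/...
GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
TENANT_IN_URL = re.compile(r"login\.microsoftonline\.com/(" + GUID + ")", re.I)
# Headers the research reports as carrying that URL
TENANT_HEADERS = ("www-authenticate", "location", "report-to")

# Assumption: a small subset of service suffixes, not ATEAM's full list.
# Static-website endpoints use a zone number (z4 is the one named on this page).
SUFFIXES = ["blob.core.windows.net", "vault.azure.net",
            "azurewebsites.net", "z4.web.core.windows.net"]

# Constructed sample responses keyed by hostname; the first is the challenge
# quoted on this page, the rest are made up to cover the other header types.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "0752a779955f4cbda44468.blob.core.windows.net": {
        "www-authenticate": "Bearer authorization_uri=https://login.microsoftonline.com/"
                            "977e0660-d4d3-4752-a79d-3ac9c4dbcf19/oauth2/authorize "
                            "resource_id=https://storage.azure.com"},
    "example.azurewebsites.net": {  # constructed: redirect-based service
        "location": "https://login.microsoftonline.com/11111111-2222-4333-8444-"
                    "555555555555/oauth2/v2.0/authorize?client_id=app"},
    "example.vault.azure.net": {  # constructed: Report-To carrying a tenant URL
        "report-to": '{"group":"default","endpoints":[{"url":"https://login.'
                     'microsoftonline.com/aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee/r"}]}'},
    "unrelated.blob.core.windows.net": {  # constructed: nothing attributable
        "server": "Windows-Azure-Blob/1.0", "x-ms-error-code": "ResourceNotFound"},
}


def candidate_hostnames(keyword: str, suffixes: List[str] = SUFFIXES) -> List[str]:
    """Expand one keyword into the predictable hostnames to resolve/probe."""
    return [f"{keyword}.{suffix}" for suffix in suffixes]


def extract_tenant_id(headers: Dict[str, str]) -> Optional[str]:
    """Return the tenant GUID found in an auth-related header, or None."""
    for name, value in headers.items():
        if name.lower() in TENANT_HEADERS:
            match = TENANT_IN_URL.search(value)
            if match:
                return match.group(1).lower()
    return None


def probe(hostname: str, path: str = "/", timeout: float = 10.0) -> Dict[str, str]:
    """One unauthenticated GET; returns lower-cased response headers.
    Assumption: '/' elicits the challenge; the research uses service-specific
    requests, so adjust `path` per service. Redirects are not followed, since
    the Location header itself is what we want."""
    conn = http.client.HTTPSConnection(hostname, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", path, headers={"User-Agent": "tenant-probe/0.1"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return headers


def attribute(hosts: List[str],
              fetch: Callable[[str], Dict[str, str]] = probe) -> Dict[str, Optional[str]]:
    """Map each hostname to a tenant ID (or None) using the given fetcher."""
    results: Dict[str, Optional[str]] = {}
    for host in hosts:
        try:
            results[host] = extract_tenant_id(fetch(host))
        except (OSError, http.client.HTTPException):
            results[host] = None  # unreachable or non-HTTP host
    return results


def attribute_samples() -> Dict[str, Optional[str]]:
    """Offline run over the constructed sample responses."""
    return attribute(list(SAMPLE_RESPONSES), fetch=lambda h: SAMPLE_RESPONSES.get(h, {}))


def tenant_domain(tenant_id: str, bearer_token: str) -> Optional[str]:
    """Resolve a tenant ID to its default domain via Microsoft Graph.
    Assumption: tenantRelationships/findTenantInformationByTenantId with a
    token holding CrossTenantInformation.ReadBasic.All (not run offline)."""
    conn = http.client.HTTPSConnection("graph.microsoft.com", timeout=10)
    conn.request("GET", "/v1.0/tenantRelationships/findTenantInformationByTenantId"
                        f"(tenantId='{tenant_id}')",
                 headers={"Authorization": f"Bearer {bearer_token}"})
    body = json.loads(conn.getresponse().read() or b"{}")
    conn.close()
    return body.get("defaultDomainName")


if __name__ == "__main__":
    for host, tid in attribute_samples().items():
        print(f"{host:50} {tid}")
```

Swap `fetch=probe` in for the sample lookup to run against live hostnames; the regex deliberately anchors on the `login.microsoftonline.com/<guid>` path segment rather than any GUID in the header, so client IDs and resource IDs in the same value are not mistaken for the tenant.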
MITRE Techniques
- [T1596.001 / T1596.003] Search Open Technical Databases: DNS/Passive DNS and Digital Certificates – Enumerated cloud-hosted resources by resolving predictable Azure hostnames (e.g., "$StorageName.blob.core.windows.net") against DNS and certificate transparency sources: "Many Azure resources utilize subdomains for resource addressing", plus the DNS enumeration methods described.
- [T1590] Gather Victim Network Information – Mapped discovered hostnames to owning tenants by extracting tenant IDs from authentication headers (e.g., WWW-Authenticate) and resolving them to tenant domains via the Graph API: the "WWW-Authenticate header contains ... tenant ID", and the Graph API is used to obtain the tenant domain.
- [T1595] Active Scanning – Sent unauthenticated HTTP requests to trigger authentication redirects/headers that reveal tenant identifiers for attribution; demonstrated with a Storage Account request yielding a WWW-Authenticate header containing the tenant ID ("WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/977e0660-...").
- [T1595.003] Active Scanning: Wordlist Scanning – Performed large-scale DNS brute-force and resolution (including permutations and multi-source subdomain aggregation) to find live Azure resource hostnames at scale: "around 1 million total keywords", with permutation generation and worker scaling in ATEAM.
Indicators of Compromise
- [Domain/Subdomain] Publicly enumerable Azure resource hostnames – examples: 0752a779955f4cbda44468.blob.core.windows.net (used in tenant-ID extraction), $StorageName.z4.web.core.windows.net.
- [Tenant ID] Entra tenant GUIDs exposed in authentication headers – example: 977e0660-d4d3-4752-a79d-3ac9c4dbcf19 (extracted from a WWW-Authenticate header); other tenant GUIDs are retrievable from equivalent responses.
- [API/URL Strings] Azure management/resource identifiers found in source or screenshots – example: https://management.azure.com/subscriptions/155c4768-b71c-4e4b-a990-97407f43edda?api-version=2022-12-01 (subscription ID disclosure).
- [Tool/Repository] Enumeration tooling – ATEAM GitHub repository: https://github.com/NetSPI/ATEAM (used to automate discovery and reporting).