Potential abuse for persistence, elevated access: Essentially, guest users assigned specific billing roles, such as “Billing Account Contributor”, can create new Azure subscriptions within a host tenant. This action does not require explicit permissions in the target tenant, effectively allowing guests to establish a foothold without direct administrative oversight.

Once a subscription is created, the guest user gains “Owner” rights over it. According to BeyondTrust, this elevated privilege enables them to deploy resources, assign roles, and potentially escalate their access, posing a significant threat to the tenant’s security posture.

The ability to create and control subscriptions potentially allows malicious actors to maintain persistence within the environment. They can leverage this position to move laterally, access sensitive data, or disrupt services.

To defend against this attack vector, BeyondTrust recommended a number of actions on top of leveraging the optional Microsoft control to block the transfer of subscriptions. These actions include auditing all guest accounts, hardening guest controls, monitoring all subscriptions, and auditing device access.

This is the second time this week that a Microsoft over-permission issue has been reported by threat hunters, the first being an Oasis discovery about a number of web applications holding more access than required within a user’s OneDrive account due to an overly permissive OAuth implementation in the OneDrive File Picker.
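The “audit all guest accounts” and “monitor all subscriptions” steps above can be combined into one check: enumerate every subscription in the tenant and flag any role assignment whose principal is a guest user. The script below is an added example written for this summary, not code from BeyondTrust or CSO Online; it assumes the Az.Accounts, Az.Resources and Microsoft.Graph.Users modules are installed, that Connect-AzAccount and Connect-MgGraph (with User.Read.All) have already been run, and that the signed-in account can read role assignments on each subscription.

```powershell
# Build a lookup of guest-user object IDs from Entra ID (Microsoft Graph).
$guestIds = @{}
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,UserPrincipalName |
    ForEach-Object { $guestIds[$_.Id] = $_.UserPrincipalName }

$findings = @()
foreach ($sub in Get-AzSubscription) {
    # Role assignments are read per subscription; inherited assignments
    # (e.g. from a management group) are included and carry their own Scope.
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $assignments = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)"

    foreach ($ra in $assignments) {
        if ($ra.ObjectType -eq 'User' -and $guestIds.ContainsKey($ra.ObjectId)) {
            $findings += [pscustomobject]@{
                Subscription = $sub.Name
                SubscriptionId = $sub.Id
                Guest = $guestIds[$ra.ObjectId]
                Role = $ra.RoleDefinitionName
                Scope = $ra.Scope
                # A direct Owner assignment at subscription scope is the
                # pattern described above (guest created the subscription).
                DirectOwner = ($ra.RoleDefinitionName -eq 'Owner' -and
                               $ra.Scope -eq "/subscriptions/$($sub.Id)")
            }
        }
    }
}

# Surface guest-owned subscriptions first; review every row regardless.
$findings | Sort-Object -Property DirectOwner -Descending |
    Format-Table Subscription, Guest, Role, DirectOwner -AutoSize
```

Run it on a schedule and diff the output against the previous run so that a newly created, guest-owned subscription shows up as a change rather than being lost in the full list.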
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3997999/microsoft-entras-billing-roles-pose-privilege-escalation-risks-in-azure.html