An investigation by inversecos, an IR consultant for Secureworks, confirms that APT groups are still using the Golden SAML attack to bypass authentication controls and access Office 365 environments. Most of the victims either have a hybrid authentication model or are completely in the cloud.

Compromising the AD FS (Active Directory Federation Services) server token-signing certificate could result in access to the Azure/Office365 environment. Certificates are valid for one year by default, which allows threat actors to maintain persistence and re-enter Azure/Office365 environments as any user within AD regardless of any password resets or multi-factor authentication.

The attack flow is as follows:

            Step 1. Attacker compromises the on-premise domain

            Step 2. Enumeration

            Step 3. Gather the credentials for AD FS process owner account

            Step 4. Laterally move to AD FS server

            Step 5. Obtain the token-signing certificate from the AD FS server

            Step 6. Obtain the DKM (Distributed Key Manager) in order to decrypt

            Step 7. Decrypt the token-signing certificate

            Step 8. Generate a SAML token