An investigation by inversecos, an IR consultant for Secureworks, confirms that APT groups are still using the Golden SAML attack to bypass authentication controls and access Office 365 environments. Most of the victims either have a hybrid authentication model or are completely in the cloud.
Compromising the AD FS (Active Directory Federation Services) server token-signing certificate could result in access to the Azure/Office365 environment. Certificates are valid for one year by default, which allows threat actors to maintain persistence and re-enter Azure/Office365 environments as any user within AD regardless of any password resets or multi-factor authentication.
The attack flow is as follows:
Step 1. Attacker compromises the on-premises domain
Step 2. Enumeration
Step 3. Gather the credentials for AD FS process owner account
Step 4. Laterally move to AD FS server
Step 5. Obtain the token-signing certificate from the AD FS server
Step 6. Obtain the DKM (Distributed Key Manager) key needed to decrypt it
Step 7. Decrypt the token-signing certificate
Step 8. Generate a SAML token
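The defensive consequence of step 8 is that a forged token is accepted by Azure AD without AD FS ever having issued it, so the AD FS audit log has no record of it. The script below is an added example, not code from the investigation or from Secureworks: it correlates federated Azure AD sign-ins against AD FS token-issuance audit events and reports sign-ins with no matching issuance. It assumes AD FS auditing is enabled and that event ID 1200 (token issued) is collected alongside the Azure AD sign-in log; the record layout, field names, timestamps and users are constructed for the example.

```python
"""
Added example (not part of the original write-up): flag federated Office 365
sign-ins that have no corresponding token-issuance event on the AD FS server.

Assumptions (not stated on the page):
  * AD FS security auditing is enabled and event ID 1200 ("The Federation
    Service issued a valid token") is forwarded to the same store as the
    Azure AD sign-in log.
  * Field names such as "token_issuer_type" are constructed for this example;
    map them to your own log schema.
"""
from datetime import datetime, timedelta

# Constructed sample Azure AD sign-in records.
AZURE_SIGNINS = [
    {"ts": "2021-06-01T09:00:10", "upn": "alice@example.com",
     "ip": "203.0.113.5", "token_issuer_type": "ADFederationServices"},
    {"ts": "2021-06-01T09:30:00", "upn": "bob@example.com",
     "ip": "198.51.100.7", "token_issuer_type": "ADFederationServices"},
    {"ts": "2021-06-01T10:00:00", "upn": "carol@example.com",
     "ip": "192.0.2.9", "token_issuer_type": "AzureAD"},
]

# Constructed sample AD FS audit events (event ID 1200 = token issued).
ADFS_EVENTS = [
    {"ts": "2021-06-01T09:00:05", "event_id": 1200, "upn": "alice@example.com"},
    {"ts": "2021-06-01T08:00:00", "event_id": 1200, "upn": "bob@example.com"},
]


def _parse(ts):
    """Parse the ISO-8601 timestamps used in the constructed samples."""
    return datetime.fromisoformat(ts)


def find_unissued_federated_signins(signins, adfs_events, window_seconds=120):
    """Return federated sign-ins for which AD FS logged no token issuance
    (event 1200) for the same user within window_seconds before the sign-in.

    A cloud-only sign-in (token_issuer_type == "AzureAD") never touches AD FS
    and is skipped; a federated sign-in with no issuance record is exactly the
    gap a forged SAML token leaves behind.
    """
    issued = [(e["upn"], _parse(e["ts"]))
              for e in adfs_events if e["event_id"] == 1200]
    suspicious = []
    for s in signins:
        if s["token_issuer_type"] != "ADFederationServices":
            continue  # not a federated sign-in, AD FS is not involved
        t = _parse(s["ts"])
        earliest = t - timedelta(seconds=window_seconds)
        matched = any(upn == s["upn"] and earliest <= ts <= t
                      for upn, ts in issued)
        if not matched:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_federated_signins(AZURE_SIGNINS, ADFS_EVENTS):
        print(f"federated sign-in without AD FS issuance: "
              f"{hit['upn']} from {hit['ip']} at {hit['ts']}")
```

In the sample data Alice's sign-in is preceded by an AD FS issuance five seconds earlier and is cleared; Bob's sign-in has an issuance event only ninety minutes earlier, outside the window, so it is reported. The window should be tuned to the clock skew between the AD FS farm and the log collector, and the check only works when AD FS auditing is actually enabled and shipped, which is the first thing to verify before relying on it.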