Nation-State Weaponization of ROADtools for Entra ID Identity Abuse

Nation-state actors, including APT29 (Midnight Blizzard), APT33 (Curious Serpens), and UTA0355, are weaponizing the open-source ROADtools framework to compromise Microsoft Entra ID environments. Attackers exploit permissive Intune enrollment settings and poor identity hygiene to register rogue, attacker-controlled devices as legitimate corporate assets via administrative API calls. This process allows the acquisition of Primary Refresh Tokens (PRTs), which enable the bypass of Multi-Factor Authentication (MFA) by satisfying Conditional Access policies that trust managed devices. This technique provides high-persistence cloud access and allows malicious activity to blend with standard administrative operations, facilitating stealthy lateral movement and data exfiltration.
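As an added example that is not part of the original report, the Python below reviews Entra ID Conditional Access policies in the Microsoft Graph `conditionalAccessPolicy` shape and flags those whose grant controls a compliant or domain-joined device can satisfy on its own, which is exactly the trust relationship a rogue enrolled device with a PRT abuses. The policy records are constructed samples; `hardened_copy` shows the corresponding fix (require MFA AND device state).

```python
import copy

# Grant controls that a managed or registered device satisfies without user MFA.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def policy_allows_device_without_mfa(policy: dict) -> bool:
    """True if an enabled policy can be satisfied by device state alone:
    either no 'mfa' control is present, or 'mfa' is OR-ed with a device control."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if "block" in controls or not controls & DEVICE_CONTROLS:
        return False
    if "mfa" not in controls:
        return True  # device state is the only requirement
    return grant.get("operator", "OR").upper() == "OR"  # "mfa OR compliantDevice"

def weak_policies(policies: list) -> list:
    """Return display names of policies that let a trusted device bypass MFA."""
    return [p["displayName"] for p in policies if policy_allows_device_without_mfa(p)]

def hardened_copy(policy: dict) -> dict:
    """Return a copy requiring MFA in addition to (not instead of) device state."""
    fixed = copy.deepcopy(policy)
    grant = fixed.setdefault("grantControls", {})
    controls = set(grant.get("builtInControls") or [])
    controls.add("mfa")
    grant["builtInControls"] = sorted(controls)
    grant["operator"] = "AND"
    return fixed

# Constructed sample policies (not from any real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA or compliant device", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Require MFA and compliant device", "state": "enabled",
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Compliant device only", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Legacy device policy (disabled)", "state": "disabled",
     "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]}},
    {"displayName": "Require MFA only", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name in weak_policies(SAMPLE_POLICIES):
        print(f"[!] device state alone satisfies: {name}")
```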