You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Lina Lau’s blog post on Xintra.org provides an insightful look into how attackers can misuse Microsoft Entra ID’s cross-tenant synchronization feature to move laterally between tenants with P1 and P2 licenses. By exploiting this feature, attackers can create new accounts in a victim’s tenant, enabling them to persist or move laterally even if their initial access is revoked. (The blog post link will be shared in the comment section.)
// Defenders with P1 or P2 licenses should use the Sentinel KQL provided below to monitor for any changes to their Entra Cross-Tenant settings, helping to detect potential abuse of the cross-tenant synchronization. The KQL code can be downloaded from my SlimKQL GitHub Repository, which is featured on my LinkedIn profile (search for “Monitoring Cross-Tenant Abuse by Threat Actors”).
