An APT group has recently targeted the Active Directory server of a victim’s Office365 environment by extracting the secret SAML tokens. These tokens pass information about users, logins, and attributes between the identity provider and the service providers.

What has happened?

Researchers found that the threat group targeted an Office 365 environment that is believed to have a hybrid authentication model set up or to be operating fully on a cloud network.
  • The threat actor hijacked the AD FS server, probably using stolen credentials, and gained access to the server by exploiting the SAML token.
  • The attackers specifically targeted the token-signing certificates and private keys, held on the servers, that are used to sign SAML tokens. This certificate is valid for a year by default.
  • This allows cybercriminals to log into Azure or Office365 as any existing user within AD, regardless of any password resets or MFA requirement.

A hot target for a reason

By abusing the Golden SAML token, the attackers can access Azure/Azure AD, Office365, Azure Applications, and Defender Security Center.
  • Attackers can exfiltrate DB files using proxy logs, NetFlow, EDR, and command-line analysis. They can perform ADFS lateral movement via a PTH attack.
  • They can use credential dumping tools via command-line logging in Sysmon or EDR tools. Moreover, they can perform DKM access using PowerShell and forge SAML requests as well.
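
A token signed with a stolen key is forged outside the AD FS server, so the server never records issuing it. The following added example (not from the original article) compares issuance records with service-provider sign-ins to surface such logins; the record fields, function name and sample data are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records; the field names are assumptions, not a real log schema.
ADFS_ISSUED = [   # tokens the AD FS server logged as issued
    {"time": "2021-03-01T09:00:05", "user": "alice@example.com", "assertion_id": "_a1"},
    {"time": "2021-03-01T09:14:40", "user": "bob@example.com", "assertion_id": "_b7"},
]
SP_SIGNINS = [    # federated sign-ins logged by the cloud service provider
    {"time": "2021-03-01T09:00:07", "user": "Alice@example.com", "assertion_id": "_a1"},
    {"time": "2021-03-01T09:14:43", "user": "bob@example.com", "assertion_id": "_b7"},
    {"time": "2021-03-01T13:30:00", "user": "bob@example.com", "assertion_id": "_b7"},
    {"time": "2021-03-02T02:31:12", "user": "admin@example.com", "assertion_id": "_f9"},
]

def find_unbacked_signins(issued, signins, skew=timedelta(minutes=5)):
    """Return (sign-in, reason) pairs for sign-ins no AD FS issuance accounts for."""
    # Each issuance record may back exactly one sign-in for the same user and assertion.
    available = {}
    for rec in issued:
        key = (rec["user"].lower(), rec["assertion_id"])
        available.setdefault(key, []).append(datetime.fromisoformat(rec["time"]))
    ever_issued = set(available)
    findings = []
    for s in sorted(signins, key=lambda r: r["time"]):
        key = (s["user"].lower(), s["assertion_id"])
        when = datetime.fromisoformat(s["time"])
        times = available.get(key, [])
        # Tolerate clock skew between the two log sources in either direction.
        match = next((t for t in times if abs(when - t) <= skew), None)
        if match is not None:
            times.remove(match)   # consume it so a replay is not matched again
        elif key in ever_issued:
            findings.append((s, "assertion reused or presented outside the window"))
        else:
            findings.append((s, "no issuance record on the identity provider"))
    return findings

if __name__ == "__main__":
    for signin, reason in find_unbacked_signins(ADFS_ISSUED, SP_SIGNINS):
        print(signin["time"], signin["user"], signin["assertion_id"], "->", reason)
```

A sign-in with no issuance record is a lead to investigate, since gaps in log collection produce the same result.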


The recent attack is complicated and was carried out with the aim of obtaining the token-signing certificate to gain entry to a specific target network. Therefore, experts suggest implementing additional layers of protection for SAML certificates and, in case of compromise, re-issuing certificates on the ADFS twice and forcing re-authentication for all users.
Cyware Publisher