ZeroDayWire ALERT: Entra ID Under Siege by New 'Pass-the-PRT' Attack

(ZeroDayWire) – A new and highly sophisticated attack technique, dubbed "Pass-the-PRT," is being actively used by threat actors to achieve full, persistent, and often undetectable takeovers of corporate cloud environments. Security researchers are warning that this method, which targets a core component of Microsoft's Entra ID (formerly Azure AD), allows attackers who have gained initial access to a single corporate device to bypass Multi-Factor Authentication (MFA) and move silently across the entire cloud tenant. CISA is expected to issue a formal advisory as the technique is now being incorporated into the playbooks of major cybercriminal and state-sponsored groups.

The Target: The Primary Refresh Token (PRT)

To understand this attack, you need to understand the Primary Refresh Token (PRT). A PRT is a special type of token that is central to how modern Windows devices authenticate users in a Microsoft Entra ID environment. Think of it as a long-lived "master ticket" that is issued to a trusted device when a user logs in. This PRT is then used in the background to seamlessly request access tokens for various applications (like Outlook, SharePoint, etc.) without requiring the user to re-enter their password or MFA for every single action. It's the key to the convenient Single Sign-On (SSO) experience in the modern workplace.

This master ticket is exactly what attackers are after. The "Pass-the-PRT" attack is a post-compromise technique. It assumes the attacker has already gained initial administrative access to a user's corporate laptop, for example, through a phishing attack or by exploiting another vulnerability.

The Attack Chain: From One Device to a Full Tenant Takeover

Once an attacker has control of a device, they can extract the PRT and its associated cryptographic keys from memory. This is the "theft" part of the attack. The "passing" part is where the true danger lies.

  1. PRT Exfiltration: The attacker uses specialized tools on the compromised device to steal the user's PRT.
  2. Impersonation: The attacker, from their own machine, can now use this stolen PRT to generate valid access tokens for cloud applications *as the compromised user*. Because the PRT is proof of a trusted, already-authenticated session, this often bypasses the need for a new MFA prompt.
  3. Persistence and Privilege Escalation: With the power to act as the user, the attacker can access the user's email, files, and other resources. More dangerously, if the compromised user is an administrator, the attacker can use the stolen PRT to modify the Entra ID tenant itself: adding their own rogue administrator accounts, enrolling their own MFA devices, and creating backdoors that will allow them to maintain access even if the original user's password is changed.

This technique is devastatingly effective because the activity generated by the attacker using the stolen PRT looks like legitimate activity from the compromised user and their trusted device, making it incredibly difficult for security teams to detect.

Mitigation: A Zero Trust Approach to Identity and Devices

Defending against Pass-the-PRT attacks is challenging and requires a mature security posture that treats both identity and devices with suspicion.

  • Assume Device Compromise: The attack begins with a compromised endpoint. Advanced Endpoint Detection and Response (EDR) solutions are critical for detecting the initial intrusion before the PRT can be stolen.
  • Strict Conditional Access Policies: Configure Entra ID Conditional Access policies to be as restrictive as possible. Policies that flag or block logins from unfamiliar locations or require a re-authentication with phishing-resistant MFA for sensitive actions can help mitigate the impact.
  • Monitor for Anomalous Token Activity: Use cloud security tools to monitor for unusual patterns, such as a user's PRT being used from a new or unrecognized device or geographical location, or an unusual number of access tokens being generated in a short period.
  • Reduce Privileged Access: Enforce the principle of least privilege and use Privileged Identity Management (PIM) to ensure that users do not have standing administrator privileges.
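The "Monitor for Anomalous Token Activity" point above is the one a SOC can turn into concrete detection logic. The following is an added example written for this article, not code from ZeroDayWire or from Microsoft: it scans a handful of constructed sign-in records and flags the three patterns the bullet names, a PRT-backed session appearing from a device the user has never used, from a country the user has never signed in from, and a burst of token requests in a short window. The `SignIn` record, its `via_prt` field and the sample users, device IDs and countries are all assumptions made for the example; real Entra ID sign-in logs would have to be mapped onto these fields first.

```python
"""Detect PRT-style anomalies in sign-in records (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    device_id: str
    country: str
    app: str
    via_prt: bool  # assumed field: True when the sign-in was satisfied silently by a PRT-backed SSO session


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str
    ts: datetime


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed baseline: what each user normally looks like (in practice, weeks of sign-in history).
HISTORY = [
    SignIn(_t("2024-05-01T09:00:00"), "alice", "DEV-A", "US", "Outlook", True),
    SignIn(_t("2024-05-01T09:10:00"), "bob", "DEV-B", "US", "Teams", True),
]

# Constructed sign-ins to scan: alice's PRT-backed session suddenly appears from an
# unknown device in a new country and then requests tokens for several apps in minutes.
EVENTS = [
    SignIn(_t("2024-05-02T08:50:00"), "alice", "DEV-A", "US", "SharePoint", True),
    SignIn(_t("2024-05-02T09:05:00"), "alice", "DEV-X", "DE", "Outlook", True),
    SignIn(_t("2024-05-02T09:06:00"), "alice", "DEV-X", "DE", "Teams", True),
    SignIn(_t("2024-05-02T09:07:00"), "alice", "DEV-X", "DE", "SharePoint", True),
    SignIn(_t("2024-05-02T09:07:30"), "alice", "DEV-X", "DE", "Graph", True),
    SignIn(_t("2024-05-02T09:08:00"), "alice", "DEV-X", "DE", "Azure Portal", True),
    SignIn(_t("2024-05-02T09:08:30"), "alice", "DEV-X", "DE", "Exchange", True),
    # bob enrols a new laptop with an interactive, MFA-verified sign-in:
    # learned into his baseline, not flagged by the PRT rules.
    SignIn(_t("2024-05-02T10:00:00"), "bob", "DEV-C", "US", "Outlook", False),
]


def detect_prt_anomalies(history, events,
                         burst_window=timedelta(minutes=5), burst_threshold=5):
    """Return alerts for PRT-backed sign-ins that break a user's device/location
    baseline, or that cluster into a burst of token requests."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    for h in history:
        known_devices[h.user].add(h.device_id)
        known_countries[h.user].add(h.country)

    recent = defaultdict(list)  # per-user timestamps of PRT-backed requests inside the window
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.via_prt:
            # A user with no history has an empty baseline, so every device/country is "new".
            if e.device_id not in known_devices[e.user]:
                alerts.append(Alert("prt_new_device", e.user,
                                    f"PRT session from unknown device {e.device_id}", e.ts))
            if e.country not in known_countries[e.user]:
                alerts.append(Alert("prt_new_country", e.user,
                                    f"PRT session from unseen country {e.country}", e.ts))
            window = [t for t in recent[e.user] if e.ts - t < burst_window] + [e.ts]
            recent[e.user] = window
            # Fire once, when the count first reaches the threshold, rather than on every extra request.
            if len(window) == burst_threshold:
                alerts.append(Alert("prt_token_burst", e.user,
                                    f"{burst_threshold} PRT-backed token requests within {burst_window}", e.ts))
        # Every observed sign-in (PRT-backed or interactive) extends the baseline so a
        # legitimately enrolled device is only reported once.
        known_devices[e.user].add(e.device_id)
        known_countries[e.user].add(e.country)
    return alerts


if __name__ == "__main__":
    for a in detect_prt_anomalies(HISTORY, EVENTS):
        print(f"{a.ts.isoformat()} {a.rule:<16} {a.user:<6} {a.detail}")
```

Run as-is, the script reports three alerts for alice (unknown device, unseen country, token burst) and none for bob. The baseline-learning step is the part worth thinking about in production: a device that first appears through a PRT-backed session should remain suspect until an interactive, MFA-verified sign-in confirms it, which is why the example seeds the baseline from history rather than trusting the first sighting.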

Conclusion: The New Frontier of Cloud Identity Attacks

The "Pass-the-PRT" technique is a powerful example of how attackers are shifting their focus from simply stealing passwords to compromising the underlying authentication mechanisms of the cloud. It proves that in a modern IT environment, the endpoint device and the cloud identity are inextricably linked. This attack highlights the absolute necessity of a Zero Trust architecture, where trust is never assumed and verification is always required, even for requests that appear to come from an already authenticated user.