Detections
Analytics

Unverified Domain

LOW
Note: This indicator is in Early Access.

Description

A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. However, if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this federation mechanism to create a backdoor by adding their own federated domain or editing an existing one to add a secondary configuration with their own settings.

It is good practice to avoid leaving unverified custom domains configured in Entra ID for an extended period.

Until spring 2020 when Microsoft fixed the issue, it was even possible to create a federated domain backdoor using a new unverified domain. This was achievable via the New-AADIntBackdoor cmdlet from the open-source attacker tool AADInternals.

This Indicator of Exposure lists all unverified custom domains in your Entra ID environment, allowing you to verify their legitimacy.

Solution

You should address the unverified custom domains listed in the findings from this Indicator of Exposure, as they could be, or facilitate, a potential backdoor from an attacker.

To view the list of domains in the Azure portal, navigate to the Custom domain names blade and look for domains marked as 'Unverified' in the 'Status' column. Any potentially malicious domain will match the name listed in the findings. PowerShell cmdlets from MS Graph API allow you to list the domains with Get-MgDomain:

Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain -All | ? { $_.IsVerified -eq $True }

Complete the configuration of those unverified domains or remove them.

If it is a legitimate trusted domain, you need to create the required DNS entries with your domain registrar and then complete the verification process.

Otherwise, conduct a forensic investigation to determine if the domain was compromised and to assess the extent of the breach. Since adding a custom domain typically requires elevated privileges, such as the 'Global Administrator' role and potentially other lesser-known Entra roles, a full compromise of Entra ID is likely if these privileges are misused.

After saving evidence for potential forensic analysis, if you deem the domain to be illegitimate, remove it using Remove-MgDomain. Finally, anticipate that the attacker may have established other persistence mechanisms, such as backdoors. Consult with incident response experts to identify and eliminate these additional threats.

Indicator Details

Name: Unverified Domain

Codename: UNVERIFIED-DOMAIN

Severity: Low

MITRE ATT&CK Information: