The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks
1/3
How is this different from previous PTA exploits like #AADInternals PTASpy?
* After the initial compromise of a PTA agent, the exploitation is remote
* Exploitation can't be detected from the Azure portal or logs
* Exploit is persistent
2/3
What can administrators do if they detect a compromised PTA agent?
* Contact Microsoft support to remove the agent
How to protect / prevent?
* Treat all servers with PTA agent as Tier 0
3/3
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Okay, I just read JDs "scientific" paper.
TL;DR "CitizenLab has not shared all evidence publicly, so their research is fake."
According to JD, one needs to be at least a PhD student to be able to "asses" his research. So here we go.
The paper contains a lot of claims without any backing evidence. For instance, in "Author Overview":
Then to the famous APA formatting. It is indeed hard to follow them, because APA formatting was not used properly. Also, you shouldn't mix APA and footnotes.
First, you can query directory synchronisation status of any Azure AD tenant. This cannot be prevented, but keeping your synchronisation healthy keeps at least error messages away from others.
2/4
Second, the full name of the technical contact can be queried from any Azure AD tenant. This information is given when the tenant was created, and therefore is probably Global Admin.
The name is not shown in any admin portal, so you need contact MS support to change that.
3/4