Listen to this Post

Introduction:
A critical reconnaissance capability for targeting U.S. Department of Defense (DoD) and Government Community Cloud (GCC) High Azure Active Directory tenants has been quietly reintroduced into the powerful AADInternals toolset. This revival of pre-authentication domain enumeration transforms the initial access phase for threat actors, allowing them to identify and validate high-value government-associated tenants without triggering a single alert, while simultaneously handing defenders a crucial blueprint for exposure management.
Learning Objectives:
- Understand the function and operational security impact of the AADInternals toolkit.
- Learn the specific commands for enumerating DoD and GCC High Azure tenants.
- Develop defensive strategies to mitigate reconnaissance and harden Azure tenant footprints.
You Should Know:
- AADInternals: The Swiss Army Knife for Azure AD
AADInternals is a PowerShell-based framework that replicates and exposes the backend functionalities of Azure Active Directory, often used for legitimate penetration testing, adversary simulation, and administrative tasks. It interacts with various public and private Azure APIs, allowing users to perform actions ranging from simple reconnaissance to complex attacks like Golden SAML and backdooring service principals. Its power lies in using pre-existing, often poorly documented, Microsoft endpoints.
Step‑by‑step guide:
Installation on a Testing Machine (Windows/Linux with PowerShell):
Install from the PowerShell Gallery Install-Module AADInternals -Force Import the module into your session Import-Module AADInternals Check available functions Get-Command -Module AADInternals
2. The Crown Jewel: Enumerating Government Tenants
The reintroduced feature targets the `login.microsoftonline.us` namespace, which hosts DoD (.mil) and GCC High tenants. Previously, public enumeration of these domains was restricted, forcing attackers to rely on guessed or phished identifiers. This function automates discovery, checking the existence of specific tenant names or domains without authentication.
Step‑by‑step guide:
Basic Tenant Enumeration Command:
Enumerate a suspected DoD tenant (e.g., airforce)
Get-AADIntTenantDomains -Domain airforce -AzureEnvironment USGov
Perform a brute-force style check using a wordlist
foreach ($name in Get-Content .\gov_words.txt) {
Get-AADIntTenantDomains -Domain $name -AzureEnvironment USGov
}
This command queries the Azure US Government authentication endpoint. A valid response confirms the tenant’s existence and often returns the primary domain name, which is critical intelligence for crafting targeted phishing campaigns or password spray attacks.
3. Pre-Auth Reconnaissance: The Silent Footprint
This activity is considered “pre-authentication” because it occurs before any login attempt. It leverages public API endpoints that respond differently based on whether a tenant exists or not. This makes it virtually impossible to detect and attribute to a specific malicious actor, as it generates no anomalous sign-in logs in the target tenant.
Step‑by‑step guide (Understanding the Technique):
- The tool sends an HTTP GET request to:
https://login.microsoftonline.us/<tenant_name>/v2.0/.well-known/openid-configuration. - If the tenant exists, it returns a valid OpenID Connect configuration JSON.
- If the tenant does not exist, it returns an error. This differential response is the core of the enumeration technique.
4. Offensive Application: From Recon to Initial Access
For a red team or threat actor, this is the first step in a kill chain. After identifying a valid tenant (e.g., usaf.dod.mil), the attacker proceeds with targeted attacks.
Step‑by‑step guide (Next Steps for an Attacker):
Password Spraying: Use the validated domain with a list of common passwords against default usernames (e.g., [email protected]).
Using a tool like o365spray (Python) python3 o365spray.py --spray -d usaf.dod.mil -p 'Winter2024!' -u users.txt
Phishing Crafting: Create hyper-realistic phishing lures using the verified tenant branding and login URLs.
User Enumeration: Further abuse other endpoints to validate specific usernames within the discovered tenant.
5. Defensive Hardening: Shrinking the Attack Surface
Blue teams cannot prevent this enumeration, but they can minimize its value and prepare for the follow-up attacks it enables.
Step‑by‑step guide (Defensive Actions):
Implement Conditional Access Policies: Enforce strict geo-blocking and device compliance policies. Block legacy authentication protocols universally.
Enable and Monitor Risky Sign-In Logs: In Azure AD, audit all `Risky sign-ins` and Risky users. Configure alerts for impossible travel, anonymous IP addresses, and password spray detection.
Conduct Proactive Exposure Checks: Use the same tooling defensively.
Defensively check your own company's footprint Get-AADIntTenantDomains -Domain YourCompanyName -AzureEnvironment Global
User Awareness: Train users, especially in high-value targets, to recognize sophisticated phishing attempts that leverage their genuine tenant name.
What Undercode Say:
- The Intelligence Gap is Closed: The barrier to identifying high-value government cloud tenants has been significantly lowered, democratizing a once-specialized reconnaissance capability for a broader range of threat actors.
- Detection Evasion is Built-In: Because this technique uses legitimate, pre-login API calls, the primary detection responsibility shifts from the targeted tenant to network-level analytics and proactive threat hunting based on the intent that follows enumeration.
The reintroduction of this feature is not a software vulnerability but an exposure of inherent system design. It highlights the continuous cat-and-mouse game in cloud security, where administrative and reconnaissance APIs can be repurposed. For defenders, the focus must move beyond trying to hide their tenant footprint—which is often public—and instead rigorously assume that adversaries already know their Azure AD domain. Security postures must be built on the assumption of compromise, with zero-trust principles, robust conditional access, and intense monitoring for the password sprays and phishing attempts that will follow this initial recon.
Prediction:
This event foreshadows an increased focus on the software supply chain and open-source offensive tooling. Microsoft will likely respond by implementing more nuanced rate-limiting or behavioral analysis on the `login.microsoftonline.us` discovery endpoints, potentially adding “honeytoken” responses to confuse automated enumeration. However, the core technique will persist in other forms. We will see a rapid evolution of automated frameworks that chain this government tenant discovery directly into AI-powered phishing kit generation and fully automated password spray campaigns, forcing a widespread adoption of phishing-resistant MFA (like FIDO2 security keys) as the only viable defense for high-assurance environments within the next 18-24 months.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Daniel Scheidt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


