ctipilot.ch


Midnight Blizzard and others operationalise ROADtools for Entra ID abuse

Severity: high · Type: synthesis · Discovered: 2026-05-18 05:00 UTC

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Unit 42 documented systematic nation-state operationalisation of the open-source ROADtools Entra ID framework by Midnight Blizzard, Curious Serpens and UTA0355 for device registration, token theft and tenant enumeration (daily 2026-05-23). This is the most broadly relevant item in the section, since every M365/Entra tenant is in scope. Hunt for unexpected device-registration events, anomalous service-principal token requests, and ROADtools-characteristic enumeration patterns; tighten Conditional Access policies governing device registration and review legacy-authentication exposure.
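The two hunts the brief names (unexpected device registrations, anomalous service-principal token requests) can be prototyped offline over exported Entra ID audit and service-principal sign-in records. The script below is an added example and is not code from ctipilot.ch, Unit 42 or the ROADtools project. The field names (`activityDisplayName`, `category`, `initiatedBy`, `servicePrincipalName`, `resourceDisplayName`, `createdDateTime`) follow the Entra ID log export schema, but every record, account name, IP address and threshold here is constructed for illustration; the approved-registrar allowlist and the per-principal resource baseline are assumptions a tenant would replace with its own data.

```python
"""Offline hunting over constructed Entra ID log samples.

Added example (not from the brief, Unit 42 or ROADtools). Field names follow
the Entra ID audit / service-principal sign-in export schema; all values are
CONSTRUCTED sample data. Allowlists and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit-log activities that register a device or attach an owner to one.
DEVICE_REG_ACTIVITIES = {
    "Add device",
    "Add registered owner to device",
    "Add registered users to device",
}

# Constructed audit-log records: one helpdesk registration (expected) and two
# registration-related events by an executive account that never enrols devices.
AUDIT_LOGS = [
    {"activityDateTime": "2026-05-18T03:12:00Z", "category": "Device",
     "activityDisplayName": "Add device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}}},
    {"activityDateTime": "2026-05-18T03:40:00Z", "category": "Device",
     "activityDisplayName": "Add device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.test"}}},
    {"activityDateTime": "2026-05-18T04:02:00Z", "category": "Device",
     "activityDisplayName": "Add registered owner to device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.test"}}},
    {"activityDateTime": "2026-05-18T04:05:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}},
]

# Constructed service-principal sign-ins: a quiet baseline request, a burst of
# four token requests in one minute from a new IP, and a principal touching a
# resource it has never used before.
SP_SIGNINS = [
    {"createdDateTime": "2026-05-18T01:00:00Z", "servicePrincipalName": "sp-backup-sync",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-05-18T04:30:00Z", "servicePrincipalName": "sp-backup-sync",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-05-18T04:30:20Z", "servicePrincipalName": "sp-backup-sync",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-05-18T04:30:40Z", "servicePrincipalName": "sp-backup-sync",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-05-18T04:31:00Z", "servicePrincipalName": "sp-backup-sync",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-05-18T02:15:00Z", "servicePrincipalName": "sp-hr-connector",
     "resourceDisplayName": "Azure Key Vault", "ipAddress": "203.0.113.22"},
]

# Assumed tenant baselines (a real tenant derives these from history).
APPROVED_REGISTRARS = {"helpdesk@example.test"}
BASELINE_RESOURCES = {
    "sp-backup-sync": {"Microsoft Graph"},
    "sp-hr-connector": {"Microsoft Graph"},
}


def parse_ts(ts: str) -> datetime:
    """Parse the Zulu ISO-8601 timestamps used in Entra log exports."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def unexpected_device_registrations(audit_logs, approved_registrars):
    """Return (time, initiator, activity) for successful device-registration
    events whose initiator is outside the approved-registrar baseline."""
    hits = []
    for rec in audit_logs:
        if rec.get("category") != "Device" or rec.get("result") != "success":
            continue
        if rec.get("activityDisplayName") not in DEVICE_REG_ACTIVITIES:
            continue
        initiator = rec.get("initiatedBy", {})
        who = ((initiator.get("user") or {}).get("userPrincipalName")
               or (initiator.get("app") or {}).get("displayName") or "unknown")
        if who.lower() not in approved_registrars:
            hits.append((rec["activityDateTime"], who, rec["activityDisplayName"]))
    return hits


def anomalous_sp_token_requests(signins, baseline_resources,
                                window=timedelta(minutes=5), burst_threshold=3):
    """Flag a service principal when it exceeds burst_threshold token requests
    inside a sliding window, or requests a resource absent from its baseline.
    Returns (principal, kind, detail) tuples; one burst finding per principal."""
    findings = []
    by_sp = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_sp[rec["servicePrincipalName"]].append(rec)
    for sp, recs in by_sp.items():
        recent = deque()
        burst_reported = False
        for rec in recs:
            ts = parse_ts(rec["createdDateTime"])
            resource = rec["resourceDisplayName"]
            if resource not in baseline_resources.get(sp, set()):
                findings.append((sp, "new-resource", f"{resource} from {rec['ipAddress']}"))
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop requests outside window
                recent.popleft()
            if len(recent) > burst_threshold and not burst_reported:
                findings.append((sp, "burst", f"{len(recent)} token requests within {window}"))
                burst_reported = True
    return findings


if __name__ == "__main__":
    for hit in unexpected_device_registrations(AUDIT_LOGS, APPROVED_REGISTRARS):
        print("DEVICE", *hit)
    for finding in anomalous_sp_token_requests(SP_SIGNINS, BASELINE_RESOURCES):
        print("SP", *finding)
```

Against the sample data the device hunt surfaces only the two `cfo@example.test` events, and the service-principal hunt reports one burst for `sp-backup-sync` and one new-resource finding for `sp-hr-connector`. Both findings are leads for a Conditional Access review rather than verdicts: an allowlist of registrars is a rough baseline, and a real implementation would derive it from the tenant's own registration history.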

Tags: nation-state · espionage · identity · cloud · russia-nexus · iran-nexus · global · europe