Hackers Leveraging Azure App Proxy Pre-authentication to Access Orgs Private Network Resources

Mar 19, 2025 - 13:06

Recent security findings reveal that threat actors are actively exploiting misconfigured Azure application proxies to gain unauthorized access to organizations’ internal resources. 

When Azure app proxy pre-authentication is set to “Passthrough” instead of the default “Microsoft Entra ID” setting, private network resources may become unintentionally exposed to potential attackers.

Attackers Leveraging Azure App Proxy Pre-authentication 

Microsoft’s Azure app proxy service enables organizations to publish on-premises applications to the public internet without opening inbound firewall ports. 

This service typically leverages Microsoft Entra ID (formerly Azure Active Directory) for authentication, creating a secure access pathway for remote users.

However, security researchers at TrustedSec have discovered that when administrators configure the pre-authentication option to “Passthrough” instead of the default “Microsoft Entra ID” setting, they effectively remove the authentication barrier that protects internal resources.

“Passthrough pre-authentication is basically the equivalent of opening a port on your firewall to the private system,” researchers said.

“While the intent may have been to have specific applications accessible, other resources may be unintentionally exposed.”

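In a demonstration environment, researchers configured two application URLs pointing to the same internal website, one using Microsoft Entra ID pre-authentication (the MSENTRAID URL) and one using Passthrough (the PASSTHROUGH URL).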

The difference in behavior was stark. When accessing the MSENTRAID URL, all requests were protected by Microsoft Entra ID authentication, requiring proper credentials before granting access.

In contrast, requests to the PASSTHROUGH URL bypass authentication entirely, directly exposing the internal application and potentially other resources on the same server.

Real-World Attack Scenarios

Security experts have observed attackers performing forced browsing and content discovery against exposed Passthrough proxies.

By systematically probing different URL paths, attackers can identify unprotected internal resources, administrative interfaces, and potentially vulnerable endpoints.

In one documented case, attackers discovered a “/secure/” path that only used basic HTTP authentication. 

Using simple brute force techniques with default credential combinations like “admin:admin” and “test:test,” they successfully gained unauthorized access to sensitive internal systems.

This vulnerability highlights ongoing challenges in securing hybrid cloud environments. While Azure app proxy offers convenience for remote access, improper configuration can lead to significant security gaps.

“Organizations need to understand that Passthrough pre-authentication removes an important security layer,” notes the research team. 

“Microsoft’s own documentation warns that Passthrough doesn’t provide protection against anonymous attacks.” The vulnerability adds to a growing list of security concerns in Azure services.

Earlier this year, Orca Security researchers identified SSRF vulnerabilities in four different Azure services that allowed attackers to scan local ports and access internal endpoints.

Mitigation Recommendations

Security experts recommend the following steps to protect against this vulnerability:

  • Review all Azure app proxy configurations and ensure pre-authentication is set to “Microsoft Entra ID” rather than “Passthrough”
  • Implement additional security layers for any applications that cannot use Entra ID authentication
  • Regularly audit exposed applications for potential security gaps
  • Consider implementing Web Application Firewall protection for critical applications
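
The first recommendation can be automated. The sketch below is an added example, not code from TrustedSec or Microsoft: it audits an export of app registrations and flags every application proxy publication whose pre-authentication is not Entra ID, marking those that share an internal server with an Entra ID-protected app (the two-URL situation from the demonstration). It assumes the export comes from the Microsoft Graph beta `applications` endpoint with the `onPremisesPublishing` property selected; the sample records and host names are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, shaped like GET /beta/applications?$select=displayName,onPremisesPublishing
SAMPLE_EXPORT = json.loads("""{"value": [
 {"displayName": "Intranet (SSO)", "onPremisesPublishing": {
   "externalAuthenticationType": "aadPreAuthentication",
   "externalUrl": "https://intranet-sso.example.invalid/",
   "internalUrl": "http://web01.corp.example.invalid/"}},
 {"displayName": "Intranet (legacy)", "onPremisesPublishing": {
   "externalAuthenticationType": "passthru",
   "externalUrl": "https://intranet-legacy.example.invalid/",
   "internalUrl": "http://WEB01.corp.example.invalid/app/"}},
 {"displayName": "Kiosk", "onPremisesPublishing": {
   "externalAuthenticationType": "passthru",
   "externalUrl": "https://kiosk.example.invalid/",
   "internalUrl": "http://kiosk01.corp.example.invalid/"}},
 {"displayName": "SaaS connector", "onPremisesPublishing": null}
]}""")

def internal_host(p):  # host of the internal URL (urlsplit lower-cases it)
    return urlsplit(p.get("internalUrl") or "").hostname or ""

def audit_app_proxy(export):
    """Return one finding per published app whose pre-authentication is not Entra ID."""
    published = [(a.get("displayName", "?"), a["onPremisesPublishing"])
                 for a in export.get("value", []) if a.get("onPremisesPublishing")]
    # Internal hosts that at least one publication protects with Entra ID.
    protected = {internal_host(p) for _, p in published
                 if (p.get("externalAuthenticationType") or "").lower() == "aadpreauthentication"}
    findings = []
    for name, p in published:
        auth = (p.get("externalAuthenticationType") or "").lower()
        if auth == "aadpreauthentication":
            continue
        host = internal_host(p)
        findings.append({
            "app": name,
            "externalUrl": p.get("externalUrl"),
            "internalHost": host,
            # "passthru" is Passthrough; anything else is unexpected and needs a manual look.
            "issue": "passthrough" if auth == "passthru" else "unknown-setting",
            # True when the same server is also published behind Entra ID elsewhere.
            "undermines_protected_app": host != "" and host in protected,
        })
    return sorted(findings, key=lambda f: (not f["undermines_protected_app"], f["app"]))

if __name__ == "__main__":
    print(json.dumps(audit_app_proxy(SAMPLE_EXPORT), indent=2))
```

Findings with `undermines_protected_app` set are listed first, since the Passthrough URL reaches a server that another publication already places behind Entra ID.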

As cloud-based services continue to expand, organizations must remain vigilant about configuration settings that could inadvertently expose internal resources to the public internet.

The post Hackers Leveraging Azure App Proxy Pre-authentication to Access Orgs Private Network Resources appeared first on Cyber Security News.