ROADtools Operationalized by Nation-State Actors for Azure/Entra ID Attacks
Nation-state threat actors including Midnight Blizzard, Curious Serpens, and UTA0355 have weaponized the open-source ROADtools framework to enumerate Entra ID, manipulate tokens, register rogue devices, and evade detection via legitimate Microsoft APIs.
Attack Brief
Target: Microsoft Azure / Entra ID (formerly Azure Active Directory)
Vector: Spear phishing and password spray attacks leading to ROADtools deployment for identity enumeration, token manipulation, device registration, and persistence
Attribution: Midnight Blizzard (Cloaked Ursa / APT29), Curious Serpens (Peach Sandstorm / APT33), UTA0355
Technical Details
MITRE ATT&CK: T1087, T1110, T1098, T1556, T1550
IoCs: https://github.com/dirkjanm/ROADtools (msgraph branch, last updated April 2025)
Affected: ROADtools framework (Python-based); Microsoft Graph API and Azure AD Graph API (deprecated); Entra ID tenants with inadequate token lifecycle and device registration controls
Impact
Affected Organisations: Unattributed; targeted victims of Midnight Blizzard, Curious Serpens, and UTA0355 campaigns
Sectors: Government, Defense, Critical Infrastructure
Confirmed Damage: Unauthorized enumeration of Entra ID users, groups, roles, devices, service principals, and applications; token theft and replay; rogue device registration; MFA bypass; persistence in cloud environments
Geography: Russia, Iran
Mitigation
Patches: Microsoft Graph API migration (Azure AD Graph API retirement in progress)
Workarounds: Implement strict token lifecycle policies; enforce conditional access and device compliance; restrict device registration permissions; monitor and block suspicious user-agent strings; segment cloud identity infrastructure; enforce MFA with hardware keys resistant to token replay
Detection: Hunt for ROADtools module execution patterns (roadrecon, roadtx, roadlib); monitor Microsoft Graph API calls for bulk enumeration of users, groups, roles, devices, service principals; detect device code flow and on-behalf-of (OBO) flow abuse; alert on token exchange and refresh token reuse; track Entra ID device registration from anomalous sources; analyze user-agent customization in authentication requests
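The detection guidance above can be turned into a first-pass hunting script over exported Entra ID sign-in records. The following Python is an added example written for this brief; it is not code from the brief's source or from the ROADtools project. It assumes sign-in records shaped like the Microsoft Graph signIn resource (userPrincipalName, ipAddress, resourceDisplayName, authenticationProtocol, userAgent, createdDateTime, sessionId); the sample records, the bulk-enumeration threshold, and the user-agent markers are constructed assumptions to be tuned against a real tenant's baseline.

```python
"""Hunting pass over constructed Entra ID sign-in records (added example).

Four rules mirror the brief's detection guidance:
  1. bulk Microsoft Graph sign-ins from one principal in a short window
  2. device code flow authentications
  3. one session (token) observed from more than one source IP
  4. tooling-style user agents on authentication requests
Field names follow the Graph signIn resource; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 5                  # assumption: tune to tenant baseline
WINDOW = timedelta(minutes=10)      # assumption: sliding window size
SUSPECT_UA_MARKERS = ("roadtx", "roadrecon", "python-requests")  # assumption


def _rec(user, ip, minute, resource="Microsoft Graph", proto="authorizationCode",
         ua="Mozilla/5.0 (Windows NT 10.0) Edge/124.0", session="s1"):
    """Build one constructed sign-in record with a synthetic timestamp."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "resourceDisplayName": resource, "authenticationProtocol": proto,
            "userAgent": ua, "sessionId": session,
            "createdDateTime": f"2025-04-01T10:{minute:02d}:00"}


# Constructed sample: alice enumerates Graph six times in five minutes, then her
# session reappears from a second IP; bob authenticates via device code with a
# scripting user agent; carol is ordinary Exchange Online traffic.
CONSTRUCTED_SIGNINS = (
    [_rec("alice@example.com", "203.0.113.10", m) for m in range(6)]
    + [_rec("alice@example.com", "198.51.100.9", 20),
       _rec("bob@example.com", "198.51.100.7", 30, proto="deviceCode",
            ua="python-requests/2.31", session="s2"),
       _rec("carol@example.com", "192.0.2.5", 40,
            resource="Office 365 Exchange Online", session="s3"),
       _rec("carol@example.com", "192.0.2.5", 41,
            resource="Office 365 Exchange Online", session="s3")]
)


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"])


def bulk_graph_enumeration(records, threshold=BULK_THRESHOLD, window=WINDOW):
    """Flag a principal whose Graph sign-ins reach `threshold` inside `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["resourceDisplayName"] == "Microsoft Graph":
            by_user[r["userPrincipalName"]].append(_ts(r))
    findings = []
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                findings.append({"rule": "bulk_graph_enumeration",
                                 "user": user, "count": n})
                break  # one finding per principal is enough for triage
    return findings


def device_code_flow(records):
    """Flag device code authentications (abused for phishing-based token theft)."""
    return [{"rule": "device_code_flow", "user": r["userPrincipalName"],
             "ip": r["ipAddress"]}
            for r in records if r["authenticationProtocol"] == "deviceCode"]


def session_reuse_across_ips(records):
    """Flag a sessionId seen from several IPs: a possible replayed token."""
    ips = defaultdict(set)
    users = {}
    for r in records:
        ips[r["sessionId"]].add(r["ipAddress"])
        users[r["sessionId"]] = r["userPrincipalName"]
    return [{"rule": "session_reuse_across_ips", "session": s,
             "user": users[s], "ips": sorted(v)}
            for s, v in ips.items() if len(v) > 1]


def suspicious_user_agent(records, markers=SUSPECT_UA_MARKERS):
    """Flag user agents that look like scripted tooling rather than a browser."""
    return [{"rule": "suspicious_user_agent", "user": r["userPrincipalName"],
             "userAgent": r["userAgent"]}
            for r in records
            if any(m in r["userAgent"].lower() for m in markers)]


def run_all(records):
    """Run every rule and return the combined list of findings."""
    return (bulk_graph_enumeration(records) + device_code_flow(records)
            + session_reuse_across_ips(records) + suspicious_user_agent(records))


if __name__ == "__main__":
    for f in run_all(CONSTRUCTED_SIGNINS):
        print(f)
```

Each rule returns plain dictionaries so the output can be forwarded to a SIEM or joined against device-registration audit events; the session-reuse rule is the one most worth tightening with geolocation or ASN data before alerting on it in production.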
Context
Previous Campaigns: Midnight Blizzard operationalized ROADtools in late 2021 for discovery and Azure AD enumeration following spear phishing; Curious Serpens deployed ROADtools post-password spray in 2023; UTA0355 conducted targeted phishing in early 2025 with tooling matching roadtx token management capabilities
Similar Attacks: Broader nation-state cloud intrusion campaigns leveraging identity and authentication layer weaknesses in Azure and Entra ID environments