A well-known open-source security framework called ROADtools has been turned against the organizations it was originally built to protect.
Originally a legitimate red-teaming tool, it is now being actively weaponized by attackers to steal authentication tokens, register rogue devices, and bypass multi-factor authentication (MFA) controls in Microsoft Azure environments.
ROADtools is a Python-based toolkit designed to interact with Microsoft Entra ID, formerly known as Azure Active Directory.
It can enumerate users, groups, devices, and applications within a cloud tenant. Attackers have found it useful because it operates through the same legitimate Microsoft APIs that organizations rely on every day, making it extremely difficult to detect.
Analysts at Unit 42, Palo Alto Networks' threat intelligence division, said in a report shared with Cyber Security News (CSN) that the toolkit has evolved from a research utility into a full-blown attack platform.
Nation-state threat actors have been observed using it in real-world cloud intrusions for discovery, persistence, and defense evasion.
The toolkit gained attention as early as late 2021, when Cloaked Ursa, also tracked as Midnight Blizzard or APT29, was caught using it after gaining access through spear phishing.
By 2023, the Iranian group Curious Serpens, also known as Peach Sandstorm or APT33, was using ROADtools following password spray campaigns.
A 2025 phishing campaign attributed to state-affiliated actor UTA0355 used tooling that closely matched ROADtools’ token management capabilities.
The threat is not limited to any one industry. Any organization using Microsoft cloud services could be a target, especially those with misconfigured Conditional Access Policies or apps that carry overly broad permissions.
ROADtools Misused in Cloud Attacks
The toolkit’s most dangerous capability lies in its roadtx module, which handles token acquisition and exchange.
Once an attacker has valid credentials, they can use roadtx to authenticate through several supported login flows, including the device code flow and the on-behalf-of (OBO) flow.
The output is a set of OAuth 2.0 access and refresh tokens that can be used to silently access Microsoft cloud services.
By obtaining a Primary Refresh Token (PRT), an attacker can continuously generate new access tokens in the background without triggering another login prompt.
This effectively allows them to operate inside a compromised tenant for extended periods while bypassing MFA controls entirely. A single compromised PRT can grant persistent, programmatic access across an entire Azure tenant.
Entra ID Groups in the ROADtools web interface (Source – Unit42)
The roadtx module also allows attackers to register rogue devices in Entra ID, which appear as legitimate entries in the device inventory. Depending on the Entra ID configuration, these devices may also be used to bypass Conditional Access Policies.
By default, roadtx registers devices with OS version 10.0.19041.928 and names them using the pattern DESKTOP- followed by eight random digits, a useful detection indicator for defenders.
Hunting for ROADtools and Recommended Defenses
Unit 42 researchers recommend a layered approach to detecting and stopping ROADtools abuse. Enabling Entra ID token protection is one of the most direct defenses, as it binds refresh tokens to a specific device and makes them far harder to steal and reuse.
Organizations should also restrict the device code flow through Conditional Access Policies, since attackers favor it specifically because it works well for automated, script-based attacks.
Regular audits of OAuth application permissions are equally important. Custom or abandoned apps with broad access to Microsoft Graph, SharePoint, or Exchange are prime targets for token theft.
Deploying privileged identity management (PIM) or privileged access management (PAM) solutions can further limit damage if a token is stolen.
For threat hunting, defenders should look for scripted user agents such as strings containing “python-requests” or “urllib” appearing in authentication logs.
Microsoft Graph API logs showing high-volume, repetitive queries against endpoints like /users, /groups, or /devices within a short window are a strong indicator of roadrecon enumeration.
Consolidating Azure audit logs, Graph API activity logs, and sign-in data in a SIEM platform will give security teams the visibility they need to catch this activity before it escalates.
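The three hunting heuristics above (the roadtx default device name and OS version from the earlier section, scripted user-agent strings in sign-in logs, and high-volume repetitive Graph queries against /users, /groups and /devices) can be turned into a small triage script. The following is an added example, not code from the article or from Unit 42, and it runs over constructed sample records rather than real tenant telemetry; the field names (displayName, operatingSystemVersion, userAgent, principal, requestUri, time) and the 20-requests-in-5-minutes threshold are assumptions chosen for illustration, not Entra ID log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the article: roadtx's default rogue-device name pattern and OS
# version, scripted user-agent markers, and the Graph collection endpoints that
# roadrecon enumerates.
ROGUE_DEVICE_NAME = re.compile(r"^DESKTOP-\d{8}$")
ROADTX_DEFAULT_OS_VERSION = "10.0.19041.928"
SCRIPTED_UA_MARKERS = ("roadtools", "python-requests", "urllib")
ENUM_ENDPOINTS = ("/users", "/groups", "/devices")


def flag_rogue_devices(devices):
    """Flag device-inventory records whose name matches the roadtx default pattern.
    The OS version is only a corroborating signal: 10.0.19041.928 is also a real
    Windows 10 build, so on its own it would be noisy."""
    hits = []
    for d in devices:
        if ROGUE_DEVICE_NAME.match(d["displayName"]):
            reasons = ["default-name-pattern"]
            if d.get("operatingSystemVersion") == ROADTX_DEFAULT_OS_VERSION:
                reasons.append("default-os-version")
            hits.append({"displayName": d["displayName"], "reasons": reasons})
    return hits


def flag_scripted_signins(signins):
    """Return sign-ins whose user agent carries a scripted-client marker."""
    return [s for s in signins
            if any(m in s["userAgent"].lower() for m in SCRIPTED_UA_MARKERS)]


def flag_enumeration(events, window=timedelta(minutes=5), threshold=20):
    """Return {principal: peak_count} for principals that hit /users, /groups or
    /devices more than `threshold` times inside any sliding `window`."""
    by_principal = defaultdict(list)
    for e in events:
        path = e["requestUri"].split("?", 1)[0].rstrip("/")
        if any(path.endswith(ep) for ep in ENUM_ENDPOINTS):
            by_principal[e["principal"]].append(e["time"])
    flagged = {}
    for principal, times in by_principal.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[principal] = max(flagged.get(principal, 0), count)
    return flagged


# Constructed sample data (assumed field names, not real telemetry).
T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_DEVICES = [
    {"displayName": "DESKTOP-48213907", "operatingSystemVersion": "10.0.19041.928"},
    {"displayName": "DESKTOP-11112222", "operatingSystemVersion": "10.0.22631.3737"},
    {"displayName": "DESKTOP-4821390", "operatingSystemVersion": "10.0.19041.928"},  # 7 digits
    {"displayName": "LAPTOP-ALICE", "operatingSystemVersion": "10.0.19041.928"},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"userPrincipalName": "bob@example.com", "userAgent": "python-requests/2.31.0"},
    {"userPrincipalName": "carol@example.com", "userAgent": "Python-urllib/3.11"},
]
SAMPLE_GRAPH_EVENTS = (
    # 25 collection queries in two minutes from one principal: enumeration-like
    [{"principal": "svc-automation@example.com",
      "time": T0 + timedelta(seconds=5 * i),
      "requestUri": "https://graph.microsoft.com/v1.0/"
                    + ("users" if i % 2 else "groups") + "?$top=999"}
     for i in range(25)]
    # 3 queries spread over an hour from a normal user: benign
    + [{"principal": "alice@example.com",
        "time": T0 + timedelta(minutes=20 * i),
        "requestUri": "https://graph.microsoft.com/v1.0/devices"}
       for i in range(3)]
)


def run_hunt():
    """Run all three checks over the constructed samples."""
    return {
        "rogue_devices": flag_rogue_devices(SAMPLE_DEVICES),
        "scripted_signins": flag_scripted_signins(SAMPLE_SIGNINS),
        "enumeration": flag_enumeration(SAMPLE_GRAPH_EVENTS),
    }


if __name__ == "__main__":
    for name, result in run_hunt().items():
        print(f"{name}: {result}")
```

In practice the same functions would be fed from the consolidated Azure audit, Graph activity and sign-in exports in the SIEM; the sliding-window count is what separates a burst of collection queries from a directory-sync job that touches the same endpoints a few times an hour, and the name-pattern hit is reported separately from the OS-version corroboration so an analyst can see why a device was flagged.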
Indicators of Compromise (IoCs):

Type | Indicator | Description
User-Agent String | roadtools | HTTP user-agent string associated with ROADtools tool activity in network traffic
User-Agent String | python-requests/<version> | HTTP user-agent string used by roadtx/roadlib when making token requests via Python
OS Version (Default) | 10.0.19041.928 | Default OS version set by roadtx when registering a rogue device in Entra ID
Device Name Pattern | DESKTOP-<RANDOM 8 DIGITS> | Default naming convention used by roadtx for rogue device registration in Entra ID
OAuth Scope | Directory.ReadWrite.All | Broad Microsoft Graph permission targeted by attackers via roadtx for tenant enumeration
OAuth Scope | Device.ReadWrite.All | Microsoft Graph permission associated with device manipulation via ROADtools
OAuth Scope | Application.ReadWrite.All | Microsoft Graph permission abused by attackers for application-level token theft
OAuth Scope | AuditLog.ReadWrite.All | Microsoft Graph permission potentially targeted to access or manipulate audit records
OAuth Scope | Policy.ReadWrite.All | Microsoft Graph permission abused to modify or read organizational access policies
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls appeared first on Cyber Security News.