Cybersecurity researchers have disclosed a new attack technique dubbed Silver SAML, which abuses SAML to gain access to applications such as Salesforce that federate with identity providers such as Entra ID. Unlike Golden SAML, Silver SAML works independently of Active Directory Federation Services (AD FS) and poses a moderate threat to organizations. The technique leverages self-signed certificates from identity providers, enabling attackers to forge SAML responses and gain unauthorized access to applications with stealthy persistence.
The Silver SAML attack technique is a variation of the Golden SAML attack, which was first documented in 2017 and has been utilized in real-world cyber intrusions. In March 2023, an Iranian threat actor known as Peach Sandstorm leveraged Golden SAML to access cloud resources without requiring passwords. However, unlike Golden SAML, Silver SAML does not require access to AD FS, making it a more versatile and potentially dangerous threat.
Following responsible disclosure to Microsoft, the company acknowledged the issue but did not classify it as an immediate priority for servicing. Nevertheless, organizations are advised to monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement and to implement strict change control processes for certificate rotation. Ongoing vigilance and adherence to certificate management protocols are essential to mitigate the risk posed by Silver SAML.
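As an added example (not code from the article or from Semperis), the following Python checker implements the monitoring advice above: it scans exported Entra ID audit events for changes to PreferredTokenSigningKeyThumbprint in the ApplicationManagement category and flags any new thumbprint that is not on a change-control allowlist. The record shape is an assumption modelled on Microsoft Graph directoryAudit entries, and the sample events are constructed.

```python
import json

# Constructed sample audit events, shaped like Microsoft Graph directoryAudit
# records (category, activityDisplayName, targetResources[].modifiedProperties[]).
# The field names are an assumption; adapt them to your own export format.
SAMPLE_AUDIT_LOG = json.dumps([
    {"id": "evt-1", "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "Salesforce", "modifiedProperties": [
         {"displayName": "PreferredTokenSigningKeyThumbprint",
          "oldValue": "\"1111AAAA\"", "newValue": "\"2222BBBB\""}]}]},
    {"id": "evt-2", "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "Salesforce", "modifiedProperties": [
         {"displayName": "DisplayName", "oldValue": "\"SF\"", "newValue": "\"Salesforce\""}]}]},
    {"id": "evt-3", "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"app": {"displayName": "Deployment pipeline"}},
     "targetResources": [{"displayName": "Payroll", "modifiedProperties": [
         {"displayName": "PreferredTokenSigningKeyThumbprint",
          "oldValue": "\"3333CCCC\"", "newValue": "\"4444DDDD\""}]}]},
])

def _unwrap(value):
    # modifiedProperties values arrive JSON-encoded (a quoted string); unwrap them.
    try:
        return json.loads(value) if value is not None else None
    except (TypeError, ValueError):
        return value

def find_signing_key_changes(audit_json, approved_thumbprints=()):
    """Return one finding per PreferredTokenSigningKeyThumbprint change.
    A change whose new thumbprint is not on the change-control allowlist is
    marked unapproved so it can be escalated for investigation."""
    findings = []
    for event in json.loads(audit_json):
        if event.get("category") != "ApplicationManagement":
            continue
        actor = event.get("initiatedBy", {})
        who = ((actor.get("user") or {}).get("userPrincipalName")
               or (actor.get("app") or {}).get("displayName") or "unknown")
        for target in event.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "PreferredTokenSigningKeyThumbprint":
                    continue
                new = _unwrap(prop.get("newValue"))
                findings.append({"event": event["id"], "app": target.get("displayName"),
                                 "actor": who, "old": _unwrap(prop.get("oldValue")),
                                 "new": new, "approved": new in approved_thumbprints})
    return findings
```

Feed `find_signing_key_changes` the JSON you export from the audit log API and alert on every finding with `approved` set to False.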
While there is no evidence of Silver SAML being exploited in the wild, cybersecurity experts emphasize the importance of using only Entra ID self-signed certificates for SAML signing purposes. Semperis has also released a proof-of-concept tool called SilverSAMLForger, enabling organizations to create custom SAML responses for testing and monitoring purposes. As the threat landscape continues to evolve, organizations must remain vigilant and proactive in implementing robust security measures to safeguard against emerging attack techniques like Silver SAML.