Unit 42’s latest research on ROADtools is a useful reminder that cloud identity compromise does not always look like malware. ROADtools is a legitimate open-source framework for Azure and Microsoft Entra ID research, but the same capabilities that help defenders understand a tenant can also help attackers map it, register devices, and work with stolen tokens through normal Microsoft APIs.
For SMBs and government contractors, this matters because many Microsoft 365 compromises now move through identity, OAuth, and device trust instead of traditional endpoint payloads. If an attacker gets valid credentials or a reusable refresh token, the next phase may be quiet enumeration of users, groups, applications, devices, service principals, and permissions — all activity that can blend into expected cloud traffic.
Source: Unit 42 — Paved With Intent: ROADtools and Nation-State Tactics in the Cloud.
What Unit 42 Reported
Unit 42 describes how ROADtools can be misused for Microsoft Entra ID discovery, token acquisition and exchange, and device registration. The framework includes modules that can enumerate tenant objects and interact with authentication flows, including device code flow, refresh token reuse, on-behalf-of flows, and Primary Refresh Token-style abuse paths.
The key defensive problem is that these actions can ride legitimate Microsoft interfaces. A tenant may not see an obvious malicious binary or exploit chain. Instead, defenders may see API calls, token activity, device registration events, and cloud object enumeration that only become suspicious when correlated across sign-in logs, audit logs, device inventory, and Microsoft Graph activity.
Why This Matters
ROADtools-style activity is valuable to attackers because identity systems are the control plane. Once an adversary understands the tenant, they can identify privileged users, risky applications, stale service principals, weak conditional access coverage, and device trust paths that support persistence or lateral movement.
That is especially relevant to small businesses and contractors that rely heavily on Microsoft 365 but may not have full-time cloud security engineering. A single compromised account can become more than mailbox access. It can become a map of the organization’s people, devices, applications, and privilege relationships.
Defensive Takeaways
- Monitor device registration events. Treat unexpected Entra joined or registered devices as a high-signal investigation lead, especially when tied to users who do not normally enroll devices.
- Restrict device code flow where possible. Device code authentication is useful in some scenarios, but it is also a common path for phishing and token-oriented attacks.
- Baseline Graph API and tenant enumeration activity. Alert on unusual bursts of user, group, application, service principal, and device queries from accounts that do not normally perform administrative discovery.
- Audit OAuth apps and delegated permissions. Abandoned apps and over-permissioned service principals are attack accelerants after token compromise.
- Use conditional access and token protection deliberately. MFA alone is not enough if attackers can replay or exchange tokens. Tie access to device health, risk, location, and protected token claims where licensing and operations allow it.
- Centralize cloud logs. Entra sign-in logs, audit logs, Microsoft Graph activity, device inventory, and Microsoft 365 audit data need to land in a SIEM or detection platform where they can be correlated.
Bulwark Black Assessment
The lesson is not “ban ROADtools.” Defenders use tools like this for good reasons. The lesson is that identity-plane tradecraft has matured. Attackers no longer need to drop noisy malware if they can live inside the authentication and API layers that the business already trusts.
Organizations should treat Microsoft Entra ID as critical infrastructure. Know who can register devices, which apps have powerful Graph permissions, where device code flow is allowed, and what normal token behavior looks like. If those questions cannot be answered quickly during an incident, the attacker’s first win is already baked in.
For contractors handling sensitive customer, defense, or regulated data, the practical priority is simple: reduce token replay opportunities, watch the device inventory, and make identity telemetry part of routine threat hunting — not just post-breach forensics.
