Microsoft

Security researchers uncovered a **max-severity vulnerability** in **Microsoft Entra ID (formerly Azure Active Directory)**, tracked as CVE-2025-55241, that allowed an attacker to **impersonate any user, including Global Administrators, in any tenant without triggering Multi-Factor Authentication (MFA) or Conditional Access and without producing a sign-in record in the victim tenant**. The flaw, found by red-teamer **Dirk-jan Mollema**, abused **'Actor tokens'**, an undocumented Microsoft mechanism for internal service-to-service delegation, together with a **legacy API (the Azure AD Graph API) that failed to check which tenant a token was issued for**. From a tenant the attacker controls, the attacker could **request an Actor token** and use it to **act as a privileged user in a completely separate organization**. As a **Global Admin**, the attacker could **create rogue accounts, escalate permissions, or exfiltrate sensitive corporate and customer data**; reads left no trace in the victim tenant, and the changes that were logged appeared to have been made by the impersonated user. The vulnerability posed a **critical risk of large-scale account takeover, unauthorized access to enterprise systems, and data breaches** for every organization relying on **Entra ID/Azure AD for identity management**. No exploitation in the wild has been confirmed, but the flaw's **stealth**, bypassing both logging and the controls organizations rely on, is exactly what **advanced persistent threats (APTs), ransomware operators, or state-sponsored actors** look for in a cloud environment. Microsoft fixed the issue on its side, so customers have nothing to patch, but organizations are urged to **review audit logs for privileged changes that are not backed by a corresponding sign-in, complete their migration off the legacy Azure AD Graph API, and treat any unexplained admin activity as suspect** until it is accounted for.
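The one signal the page leaves defenders is that an impersonated change shows up in the audit log under the victim's name while no sign-in was ever recorded for that user. A hunt for that mismatch is shown below as an added example; it is not code from the article, from Rankiteo, from Microsoft or from the researcher. The log entries are constructed for the example, the field names follow the Microsoft Graph `directoryAudit` and `signIn` resources, and the set of privileged activity names is an illustrative assumption to be tuned per tenant.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not real tenant logs. Field names follow the
# Microsoft Graph directoryAudit and signIn resources; the tenant, UPNs
# and timestamps are made up for this example.
AUDIT_LOG = [
    {"activityDateTime": "2025-09-10T14:02:11Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "ga@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator"}]},
    {"activityDateTime": "2025-09-10T14:05:40Z",
     "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "ga@contoso.example"}},
     "targetResources": [{"displayName": "svc-backup@contoso.example"}]},
    {"activityDateTime": "2025-09-10T09:30:00Z",
     "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "alice@contoso.example"}]},
    {"activityDateTime": "2025-09-10T10:15:00Z",
     "activityDisplayName": "Update application",
     "initiatedBy": {"app": {"displayName": "HR provisioning job"}},
     "targetResources": [{"displayName": "HR Sync"}]},
]

SIGNIN_LOG = [
    {"createdDateTime": "2025-09-10T08:55:12Z",
     "userPrincipalName": "helpdesk@contoso.example", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-09T07:10:00Z",
     "userPrincipalName": "ga@contoso.example", "status": {"errorCode": 0}},
    # A failed sign-in (wrong password) must not count as backing evidence.
    {"createdDateTime": "2025-09-10T13:50:00Z",
     "userPrincipalName": "ga@contoso.example", "status": {"errorCode": 50126}},
]

# Illustrative set of high-impact operations (assumption: tune to your tenant).
PRIVILEGED_ACTIVITIES = {
    "Add user",
    "Add member to role",
    "Reset user password",
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}


def parse_ts(ts: str) -> datetime:
    """Parse a Graph ISO-8601 timestamp; fromisoformat accepts 'Z' only on 3.11+."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def last_successful_signin(upn, signins, before):
    """Most recent successful (errorCode 0) sign-in for upn at or before 'before'."""
    times = [
        parse_ts(s["createdDateTime"]) for s in signins
        if s.get("userPrincipalName", "").lower() == upn.lower()
        and s.get("status", {}).get("errorCode") == 0
        and parse_ts(s["createdDateTime"]) <= before
    ]
    return max(times) if times else None


def find_unbacked_admin_actions(audit, signins, window_hours=24):
    """Privileged changes attributed to a user who has no successful sign-in
    within window_hours before the change. An Actor-token impersonation has
    exactly this shape: the audit entry names the victim user, but no token
    was ever issued to that user through the normal sign-in path."""
    window = timedelta(hours=window_hours)
    findings = []
    for ev in audit:
        user = ev.get("initiatedBy", {}).get("user")
        if not user:
            # App/service-principal changes never have a user sign-in; review
            # them against the app's expected behaviour instead.
            continue
        if ev.get("activityDisplayName") not in PRIVILEGED_ACTIVITIES:
            continue
        when = parse_ts(ev["activityDateTime"])
        upn = user.get("userPrincipalName") or user.get("id", "<unknown>")
        last = last_successful_signin(upn, signins, when)
        if last is None or when - last > window:
            findings.append({
                "upn": upn,
                "activity": ev["activityDisplayName"],
                "target": (ev.get("targetResources") or [{}])[0].get("displayName"),
                "time": when.isoformat(),
                "last_successful_signin": last.isoformat() if last else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_unbacked_admin_actions(AUDIT_LOG, SIGNIN_LOG):
        print(f)
```

Run against the constructed data, the two Global Administrator changes are flagged because the only successful sign-in for that account is more than a day old and the later attempt failed, while the helpdesk password reset is backed by a sign-in 35 minutes earlier. Treat hits as leads rather than verdicts: the window has to be at least as long as the session and refresh-token lifetimes you tolerate, and a missing sign-in can also be log ingestion lag. At tenant scale the same join is a KQL query over the `AuditLogs` and `SigninLogs` tables in Sentinel or Log Analytics rather than a Python loop.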

Source: https://www.csoonline.com/article/4060101/entra-id-vulnerability-exposes-gaps-in-cloud-identity-trust-models-experts-warn.html

TPRM report: https://www.rankiteo.com/company/microsoft

"id": "mic3092330100325",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': ['Exploitation of Legacy API',
                   'Token Manipulation (Actor Tokens)',
                   'Tenant Validation Bypass'],
 'data_breach': {'data_exfiltration': ['Potential (if exploited)'],
                 'personally_identifiable_information': ['Potential (if Global '
                                                         'Admin privileges '
                                                         'abused)']},
 'description': 'Security researchers discovered a max-severity vulnerability '
                'in Microsoft Entra ID (formerly Azure Active Directory) that '
                'could allow attackers to impersonate any user in any tenant, '
                'including Global Administrators, without triggering MFA, '
                'Conditional Access, or leaving any normal login or audit '
                "trail. The flaw exploited 'Actor tokens,' a hidden Microsoft "
                'mechanism for internal delegation, by manipulating a legacy '
                'API that failed to validate the originating tenant. Attackers '
                'in a benign environment could request an Actor token and use '
                'it to pose as a privileged user in a separate organization, '
                'enabling actions such as creating new accounts, granting '
                'permissions, or exfiltrating sensitive data.',
 'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
                                        'Microsoft Entra ID security'],
            'identity_theft_risk': ['High (impersonation of any user, '
                                    'including Global Admins)'],
            'operational_impact': ['Potential unauthorized account creation',
                                   'Permission escalation',
                                   'Sensitive data exfiltration'],
            'systems_affected': ['Microsoft Entra ID (Azure AD)']},
 'initial_access_broker': {'entry_point': ['Legacy API in Microsoft Entra ID'],
                           'high_value_targets': ['Global Administrators',
                                                  'Privileged Users']},
 'investigation_status': 'Disclosed by third-party researchers (Mitiga, '
                         'Dirk-jan Mollema)',
 'post_incident_analysis': {'root_causes': ['Legacy API lacking tenant '
                                            'validation for Actor tokens',
                                            'Hidden delegation mechanism '
                                            '(Actor tokens) exposed to '
                                            'exploitation']},
 'references': [{'source': 'Mitiga Research Blog'},
                {'source': 'Dirk-jan Mollema (Red-Teamer, Initial Reporter)'}],
 'response': {'third_party_assistance': ['Mitiga (research analysis)']},
 'title': 'Max-Severity Vulnerability in Microsoft Entra ID (Azure AD) Allows '
          'Tenant-Wide User Impersonation',
 'type': ['Authentication Bypass', 'Privilege Escalation', 'Impersonation'],
 'vulnerability_exploited': 'Legacy API in Microsoft Entra ID (Azure AD) '
                            'failing to validate tenant source of Actor tokens'}