Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
Home/CyberSecurity News/Critical Azure AD Flaw Bypassed Conditional Access, Exposing Cloud Resources
CyberSecurity News

Critical Azure AD Flaw Bypassed Conditional Access, Exposing Cloud Resources

Key Takeaways A critical flaw in Microsoft Entra ID (formerly Azure AD) Conditional Access allowed attackers to bypass robust security policies. Researchers successfully compromised a production...

Emy Elsamnoudy
Emy Elsamnoudy
May 6, 2026 4 Min Read
39 0

Key Takeaways

  • A critical flaw in Microsoft Entra ID (formerly Azure AD) Conditional Access allowed attackers to bypass robust security policies.
  • Researchers successfully compromised a production environment with over 16,000 users using stolen credentials and a novel device spoofing technique.
  • The attack chain exploited vulnerabilities in the Device Registration Service (DRS) and Intune enrollment logic, creating a “phantom device” that appeared compliant.
  • The vulnerability highlights significant gaps in default device registration and compliance validation, mirroring tactics used by advanced threat actors.
  • Organizations must implement stringent device trust models, including TPM 2.0 attestation and external health validation, to mitigate this risk.

Microsoft Entra ID, previously known as Azure AD, serves as the foundational security layer for cloud identity, with Conditional Access (CA) policies acting as the primary gatekeeper. These policies are designed to rigorously evaluate user location, device health, and risk scores before granting access to sensitive cloud resources.

Table Of Content

  • Key Takeaways
  • Azure AD Conditional Access Bypassed
  • Escalation and Mitigation
  • What You Should Do

However, a recent authorized red team exercise conducted by cybersecurity firm Howler Cell uncovered a critical attack path that completely circumvents these essential protections. This sophisticated exploit allowed researchers to gain unauthorized access to a production tenant, bypassing all Conditional Access restrictions.

The engagement commenced with a single set of valid user credentials, often readily available for purchase on underground cybercrime markets. Leveraging these credentials, the researchers successfully infiltrated a production environment managing over 16,000 user accounts. Notably, this attack required no interaction with corporate endpoints and deployed no malware, underscoring significant weaknesses in default device registration and compliance validation mechanisms.

Howler Cell’s methodology closely resembled tactics employed by Storm-2372, a threat actor group suspected of being aligned with the Russian state. Both the researchers and the threat actors exploited unprotected Device Registration Service (DRS) endpoints to establish an initial foothold, demonstrating that even credentials blocked by CA policies are not a definitive deterrent for determined attackers.

Azure AD Conditional Access Bypassed

Howler Cell’s detailed research outlines an attack that began when valid credentials, explicitly blocked by a CA policy, generated an AADSTS53003 error. To circumvent this, the team targeted the DRS endpoint using the device code authentication flow, an avenue left exposed by insufficiently enforced security policies. This permitted successful authentication, enabling progression to the subsequent stages of the attack.

With a single command, Howler Cell registered a “phantom device” by presenting a signed Azure AD certificate and private key. The DRS API, critically, does not validate whether the caller is a physical Windows machine, allowing a Linux laptop to effectively impersonate a legitimate endpoint. This maneuver aligns with the MITRE ATT&CK technique for Account Manipulation (T1098.005).

Once the phantom device was registered, researchers minted a Primary Refresh Token (PRT) containing fabricated device claims. When this PRT was exchanged for an access token, Azure AD interpreted the session as device-authenticated. This effectively bypassed CA policies requiring a compliant or joined device, thereby granting access to the broader tenant environment for directory enumeration.

To overcome policies specifically mandating an Intune-compliant device, the researchers exploited a known deficiency in Intune enrollment restrictions. By falsely asserting a hybrid domain-join status, the phantom device bypassed pre-registration requirements. Intune, in this scenario, trusted the client’s self-declared domain membership without verifying it against the on-premises Active Directory.

Upon enrollment, the device achieved “compliant” status despite lacking essential security features such as BitLocker, Secure Boot, or antivirus software. Intune’s evaluation logic treated missing health attestation responses as “not applicable” rather than non-compliant. This permissive default posture allowed the researchers to download internal enterprise applications. The extraction of a single application package subsequently revealed critical internal server naming conventions and network architecture details.

Escalation and Mitigation

Beyond device spoofing, researchers at Cyderes identified a fundamental structural risk within hybrid identity environments. Their investigation uncovered 255 highly privileged directory roles, including multiple Global Administrators, that were directly synchronized from on-premises Active Directory. Compromising these on-premises accounts offers attackers a direct route to complete cloud tenant takeover, eliminating the need for any cloud-specific exploits.

To effectively defend against these complex attack chains, organizations must significantly strengthen their device trust models. Howler Cell recommends the following critical mitigations:

What You Should Do

  • Implement report-only CA policies that specifically block device code flows and mandate multi-factor authentication (MFA) for device registration.
  • Strictly enforce TPM 2.0 attestation as a prerequisite for all Primary Refresh Token (PRT) issuance.
  • Require external validation of device health through the Microsoft Health Attestation Service, rather than relying on self-reported data from devices.
  • Scope user-level Graph API access to prevent unauthorized bulk directory enumeration.
  • Restrict privileged directory roles exclusively to cloud-only accounts, managed and protected through Microsoft’s Privileged Identity Management (PIM) solution.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical Palo Alto PAN-OS Vulnerability CVE-2024-3400 Exploited for Root Access

Next Post

Vimeo Data Breach Exposes 119,000 User Email Addresses

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us