Security researchers are warning about a max-severity vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could potentially allow attackers to impersonate any user in any tenant, including Global Administrators, without triggering MFA or Conditional Access, and without leaving a normal sign-in or audit trail.
The flaw, first reported by red-teamer Dirk-jan Mollema, exploited "Actor tokens," an undocumented Microsoft mechanism normally used for internal delegation, by abusing a legacy API that did not validate the originating tenant.
According to Mitiga's further breakdown of the exploit, an attacker in a benign environment could request an Actor token, then use it to pose as a privileged user in a completely separate organization.
"The vulnerability arose because the legacy API did not validate the tenant source of the Actor token," Mitiga researchers said in a blog post. "Once impersonating a Global Admin, they could create new accounts, grant themselves permissions, or exfiltrate sensitive data."
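To illustrate the missing check Mitiga describes, here is an added Python model (not Microsoft's code, nor code from either researcher) of a delegated-token authorization step, with the unchecked legacy behaviour beside a version that ties the token to the tenant that minted it; the tenant names, claim fields and token structure are constructed assumptions.

```python
from dataclasses import dataclass


# Simplified model of a multi-tenant delegated-token check. It illustrates the
# bug class in the article (a token minted in one tenant accepted for actions
# in another); it is not Microsoft's implementation, and every field, tenant
# id and user name below is a constructed assumption.
@dataclass(frozen=True)
class DelegatedToken:
    issuing_tenant: str            # tenant that actually minted the token
    subject_tenant: str            # tenant the caller claims to act in
    subject_user: str              # user the caller claims to act as
    issued_by_trusted_service: bool  # signature/issuer check already passed


def authorize_legacy(token: DelegatedToken, target_tenant: str) -> bool:
    """Legacy behaviour: trusts the tenant named inside the token and never
    compares it with the tenant that minted the token."""
    return token.issued_by_trusted_service and token.subject_tenant == target_tenant


def authorize_fixed(token: DelegatedToken, target_tenant: str) -> bool:
    """Hardened behaviour: the token must have been minted in the tenant it
    claims to act in, and that tenant must be the one being accessed."""
    if not token.issued_by_trusted_service:
        return False
    return token.issuing_tenant == token.subject_tenant == target_tenant


# Constructed samples: one token minted in tenant A but naming an admin of
# tenant B (the cross-tenant case), one minted and used within tenant B.
CROSS_TENANT = DelegatedToken("tenant-A", "tenant-B", "admin@tenant-B", True)
SAME_TENANT = DelegatedToken("tenant-B", "tenant-B", "admin@tenant-B", True)


if __name__ == "__main__":
    for name, tok in (("cross-tenant", CROSS_TENANT), ("same-tenant", SAME_TENANT)):
        print(name, "legacy:", authorize_legacy(tok, "tenant-B"),
              "fixed:", authorize_fixed(tok, "tenant-B"))
```

The cross-tenant token passes the legacy check and is rejected by the fixed one; the same-tenant token passes both.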