Entra ID vulnerability exposes gaps in cloud identity trust models, experts warn

Security researchers are warning about a max-severity vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could potentially allow attackers to impersonate any user in any tenant, including Global Administrators, without triggering MFA, Conditional Access, or leaving any normal login or audit trail.

The flaw, first reported by red-teamer Dirk-jan Mollema, exploited "Actor tokens," a hidden Microsoft mechanism normally used for internal delegation, by manipulating a legacy API that didn't validate the originating tenant.

According to Mitiga's further breakdown of the exploit, an attacker in a benign environment could request an Actor token, then use it to pose as a privileged user in a completely separate organization.

"The vulnerability arose because the legacy API didn't validate the tenant source of the Actor token," Mitiga researchers said in a blog post. "Once impersonating a Global Admin, they could create new accounts, grant themselves permissions, or exfiltrate sensitive data."
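The root cause described above is a missing tenant-binding check: the receiving API trusted the token's claims without confirming that the tenant the token was issued for is the tenant the API is serving. The following Python is an added illustration of what that check looks like, not code from Microsoft, Mitiga, or the article. It assumes JWT-style tokens carrying `iss` and `tid` claims (as Entra ID access tokens do); the tenant ids, issuer URL, and token contents are constructed placeholders, and signature verification against the issuer's published keys is assumed to happen before this step.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed placeholder tenant ids (not real tenants).
SERVING_TENANT = "11111111-1111-1111-1111-111111111111"  # the tenant this API belongs to
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"  # a different, attacker-controlled tenant


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(tenant: str, exp: int) -> str:
    """Build a constructed sample token for testing. The signature is a placeholder;
    a real validator must verify it against the issuer's keys before reading claims."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": f"https://sts.windows.net/{tenant}/",  # issuer URL embeds the issuing tenant
        "tid": tenant,                                 # tenant id claim
        "exp": exp,
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_tenant_binding(token: str, serving_tenant: str,
                            now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The check the vulnerable API lacked: the token's
    tenant claims must match the tenant the API is serving, and the token must be
    unexpired. Anything else is rejected before any impersonation is honoured."""
    claims = decode_claims(token)
    now = time.time() if now is None else now

    tid = claims.get("tid")
    if tid is None:
        return False, "missing tid claim"
    if tid != serving_tenant:
        return False, f"tenant mismatch: token issued for {tid}, API serves {serving_tenant}"

    iss = claims.get("iss", "")
    if iss != f"https://sts.windows.net/{serving_tenant}/":
        return False, f"issuer {iss!r} is not bound to the serving tenant"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"

    return True, "ok"


# Constructed inputs: one token from the serving tenant, one from a foreign tenant.
FUTURE_EXP = 2_000_000_000
SAME_TENANT_TOKEN = make_sample_token(SERVING_TENANT, FUTURE_EXP)
FOREIGN_TENANT_TOKEN = make_sample_token(FOREIGN_TENANT, FUTURE_EXP)

if __name__ == "__main__":
    for label, tok in (("same tenant", SAME_TENANT_TOKEN), ("foreign tenant", FOREIGN_TENANT_TOKEN)):
        print(label, validate_tenant_binding(tok, SERVING_TENANT))
```

The foreign-tenant token is rejected on the `tid` comparison alone; the issuer check is a second, independent binding so that a token whose `tid` claim was acceptable but whose issuer points elsewhere is still refused. In a real service the same rejections should also be logged, since a cross-tenant token presented to a tenant-scoped API is exactly the signal a defender wants to see.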
