New Active Directory Attack Method Bypasses Authentication to Steal Data
Security researchers have uncovered a novel attack technique that exploits weaknesses in hybrid Active Directory (AD) and Entra ID environments to bypass authentication and exfiltrate sensitive data.
The method, showcased at Black Hat USA 2025 by cybersecurity expert Dirk-jan Mollema, targets organizations that synchronize on-premises AD with Azure Entra ID, leveraging compromised synchronization credentials to gain unfettered access.
At the heart of the attack is the Microsoft Entra Connect service, used by enterprises to replicate user accounts and credentials from on-premises AD into Entra ID.
By obtaining control of the Entra Connect synchronization server through lateral movement or credential dumping tools, attackers can extract both the synchronization service’s certificate and its private key.
With these keys, adversaries can generate valid authentication tokens, effectively forging identity assertions accepted by Entra ID without triggering multifactor authentication or conditional access policies.
Once attackers possess forged tokens, they can impersonate any hybrid user—whether synchronized from AD or created as a “cloud-only” account—within the tenant.
This grants them full read and write privileges across directory objects, including privileged roles.
In Mollema’s demonstration, the attacker converted a low-privilege cloud user into a synchronized hybrid account via “soft matching,” thereby inheriting elevated administrative rights and evading detection mechanisms.
The technique extends beyond directory access. By abusing Exchange hybrid configurations, attackers can request Service-to-Service (S2S) tokens that carry “trustedForDelegation” claims, enabling them to impersonate any mailbox within Exchange Online and potentially exfiltrate emails, documents, and collaboration artifacts.
Because S2S tokens are unsigned and valid for 24 hours, no logs are generated during issuance or use, leaving security teams blind to the compromise.
Compounding the threat, Mollema demonstrated how adversaries can manipulate Graph API policies, such as Conditional Access and External Authentication Methods, to insert backdoor credentials or disable enforcement controls.

Seamless Single Sign-On (SSO) keys, which enable Kerberos-based authentication to Entra ID, can be injected or rotated with attacker-controlled keys, providing persistent remote access that survives key rollovers.
Microsoft has addressed several Entra Connect-based attack paths in recent patches, revoking unnecessary Graph API permissions from the sync account and hardening soft matching safeguards for global administrators.
However, many enterprise environments remain vulnerable until hybrid Exchange and Entra services are fully segregated—a mitigation Microsoft plans to mandate by October 2025.
Organizations are urged to audit their synchronization servers for unauthorized certificate exports, enforce hardware-backed key storage, and monitor unusual Graph API calls.
Enabling Exchange hybrid application splitting, regularly rotating SSO keys, and restricting Directory.ReadWrite.All permissions on service principals can further reduce risk.
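One concrete way to act on the last recommendation is to inventory every service principal that holds the Microsoft Graph application permission Directory.ReadWrite.All, so each grant can be reviewed and removed where it is not needed. The script below is an added example, not code from the article, from Microsoft, or from Mollema's research. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to the Application.Read.All scope; it covers application permissions (app role assignments) only, not delegated permissions.

```powershell
# Added example (not from the article): list service principals that hold the
# Microsoft Graph application permission Directory.ReadWrite.All for review.
# Assumes the Microsoft.Graph PowerShell SDK and consent to Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# The Microsoft Graph resource service principal has the well-known appId below.
# Its AppRoles collection defines every application permission, so the role id
# is resolved by name instead of being hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq 'Directory.ReadWrite.All' }

# Each app-role assignment on the Graph resource SP whose AppRoleId matches is a
# service principal granted Directory.ReadWrite.All tenant-wide.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $role.Id }

# Oldest grants first, so long-standing assignments nobody remembers stand out.
$assignments | ForEach-Object {
    [pscustomobject]@{
        PrincipalDisplayName = $_.PrincipalDisplayName
        PrincipalId          = $_.PrincipalId
        GrantedOn            = $_.CreatedDateTime
    }
} | Sort-Object GrantedOn | Format-Table -AutoSize
```

Any principal in the output that is not a known, documented integration is a candidate for removal with Remove-MgServicePrincipalAppRoleAssignment, and the same query can be scheduled and diffed over time to catch a permission that reappears after it was revoked.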
As hybrid identity deployments become ubiquitous, security teams must adopt a zero-trust posture and assume that synchronization services could be compromised at any time.