Critical flaws have been uncovered in the network communication between Microsoft Defender for Endpoint (DFE) and its cloud services, allowing post-breach attackers to bypass authentication, spoof data, disclose sensitive information, and even upload malicious files to investigation packages.
These vulnerabilities, detailed in a recent analysis by InfoGuard Labs, highlight ongoing risks in endpoint detection and response (EDR) systems, potentially undermining incident response efforts.
Reported to Microsoft’s Security Response Center (MSRC) in July 2025, the issues were deemed low severity, with no fixes confirmed as of October 2025.
The research builds on prior explorations of EDR attack surfaces, focusing on the agent’s interaction with cloud backends. By intercepting traffic using tools like Burp Suite and bypassing certificate pinning through memory patches in WinDbg, the analysis revealed how DFE’s MsSense.exe process handles commands and data uploads.
Certificate pinning, a common security measure, was circumvented by altering the CRYPT32!CertVerifyCertificateChainPolicy function to always return a valid result, enabling plaintext inspection of HTTPS traffic.
Similar patches were applied to SenseIR.exe for complete interception, including Azure Blob uploads.

Authentication Bypasses and Command Interception
According to InfoGuard Labs, the core issue lies in the agent’s requests to endpoints like https://[location-specific-host]/edr/commands/cnc, where it polls for commands such as isolation, forensics collection, or scans.
Despite including Authorization tokens and Msadeviceticket headers, the backend ignores them entirely. An attacker with the machine ID and tenant ID, both easily obtainable by low-privileged users via registry reads, can impersonate the agent and intercept responses.
For instance, a tool like Burp’s Intruder can continuously query the endpoint, snatching available commands before the legitimate agent receives them.

This allows spoofing responses, such as faking an “Already isolated” status for an isolation command, leaving the device unisolated while the Microsoft Defender Portal reports it as secured.
The serialization format, often in Microsoft Bond, complicates manual crafting, but capturing and modifying legitimate responses suffices for proof-of-concept exploits.
A parallel vulnerability affects /senseir/v1/actions/ endpoints for Live Response and Automated Investigations. Here, CloudLR tokens, obtainable without authentication using just the machine ID, are similarly ignored.
Attackers can decode action payloads with custom scripts leveraging large language models for Bond deserialization and upload fabricated data to provided Azure Blob URIs via SAS tokens, which remain valid for months.
Information Disclosure and Malicious File Risks
Unauthenticated access extends to incident response (IR) exclusions via the registration endpoint, requiring only the organization ID from the registry.
More alarmingly, polling /edr/commands/cnc without credentials yields an 8MB configuration dump, including RegistryMonitoringConfiguration, DriverReadWriteAccessProcessList, and ASR rules. While not tenant-specific, this data reveals detection logic valuable for evasion.

Post-breach, attackers can enumerate investigation packages on the filesystem, readable by any user, containing autoruns, installed programs, and network connections.
For ongoing investigations, spoofed uploads to these packages enable embedding malicious files with innocuous names, tricking analysts into execution during review.
These flaws underscore the challenges in securing EDR communications, where simple oversights persist despite multiple token types. The analyst urges remediation, arguing that post-breach disruption and analyst-targeted attacks merit a higher priority than MSRC’s assessment.