New Active Directory Lateral Movement Techniques That Bypass Authentication and Exfiltrate Data
Researchers have unveiled sophisticated attack vectors that exploit hybrid Active Directory and Microsoft Entra ID environments, demonstrating how attackers can achieve complete tenant compromise through previously unknown lateral movement techniques.
These methods, presented at Black Hat USA 2025, expose critical vulnerabilities in Microsoft’s authentication infrastructure that allow unauthorized access to Exchange Online, SharePoint, and Entra ID without traditional authentication barriers.
Key Takeaways
1. Backdoor keys injected into the OnPremAuthenticationFlowPolicy can be used to forge Kerberos tickets that bypass MFA without being detected.
2. Exchange hybrid certificates can be used to obtain S2S actor tokens with Global Admin-level access, and no audit logs are generated.
3. Microsoft blocked some of the abuse in August 2025; Exchange and SharePoint impersonation remains possible.
Seamless SSO Key Manipulation
According to Dirk-Jan Mollema’s BlackHat presentation, attackers with on-premises Active Directory control can manipulate Seamless Single Sign-On (SSO) configurations to forge Kerberos service tickets for any user in the tenant.
By adding backdoor keys to the OnPremAuthenticationFlowPolicy, threat actors can create persistent access mechanisms that bypass multi-factor authentication requirements.
The technique involves injecting custom symmetric keys with identifiers like 13371337-ab99-4d21-9c03-ed4789511d01 into the policy’s KeysInformation array, enabling RC4-encrypted Kerberos ticket generation for any domain user.
Particularly concerning is that these backdoor keys can also be provisioned for .onmicrosoft.com domains, which have no on-premises Kerberos realm and so should never carry such keys; the provisioning nevertheless succeeds.
The attack leverages the trustedfordelegation claim in JWT tokens, allowing impersonation of any hybrid user account. Microsoft’s audit logs provide no visibility into these modifications, making detection extremely challenging for security teams.
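Because the audit log gives no visibility into these policy changes, a defender is left with periodic snapshots of the policy compared against a reviewed baseline. The following Python script is an added example, not code from the presentation or from Microsoft: it assumes a JSON export of the policy in which the KeysInformation array holds objects with KeyIdentifier, KeyType and Domain fields (an assumed shape, not Microsoft's documented schema), and flags any key that is absent from the baseline or scoped to a .onmicrosoft.com domain. All sample values are constructed, apart from the key identifier quoted in the article.

```python
import json

# Constructed sample export of the tenant's OnPremAuthenticationFlowPolicy.
# The field names (KeysInformation, KeyIdentifier, KeyType, Domain) are an
# ASSUMED shape used for illustration, not Microsoft's documented schema.
POLICY_EXPORT = json.dumps({
    "policyName": "OnPremAuthenticationFlowPolicy",
    "KeysInformation": [
        # constructed key that the identity team knows about
        {"KeyIdentifier": "a1b2c3d4-0000-4000-8000-000000000001",
         "KeyType": "RC4", "Domain": "corp.example.com"},
        # the backdoor key identifier quoted in the article
        {"KeyIdentifier": "13371337-ab99-4d21-9c03-ed4789511d01",
         "KeyType": "RC4", "Domain": "corp.example.com"},
        # constructed key scoped to a cloud-only domain, which should never happen
        {"KeyIdentifier": "b2c3d4e5-0000-4000-8000-000000000002",
         "KeyType": "RC4", "Domain": "contoso.onmicrosoft.com"},
    ],
})

# Baseline of key identifiers that were reviewed when Seamless SSO was set up.
BASELINE_KEY_IDS = {"a1b2c3d4-0000-4000-8000-000000000001"}


def load_keys(policy_json):
    """Return the KeysInformation array from a policy export (empty if absent)."""
    policy = json.loads(policy_json)
    return policy.get("KeysInformation", [])


def find_unexpected_keys(policy_json, baseline_ids):
    """Return one finding per key that is not in the baseline or that is
    scoped to a .onmicrosoft.com domain. Each finding lists every reason."""
    findings = []
    for key in load_keys(policy_json):
        kid = key.get("KeyIdentifier", "")
        domain = key.get("Domain", "").lower()
        reasons = []
        if kid not in baseline_ids:
            reasons.append("not in baseline")
        if domain.endswith(".onmicrosoft.com"):
            reasons.append("scoped to .onmicrosoft.com")
        if reasons:
            findings.append({"KeyIdentifier": kid, "KeyType": key.get("KeyType"),
                             "Domain": domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_keys(POLICY_EXPORT, BASELINE_KEY_IDS):
        print(f"[ALERT] key {f['KeyIdentifier']} ({f['KeyType']}, {f['Domain']}): "
              f"{', '.join(f['reasons'])}")
```

Run the comparison on a schedule from a host that is not domain-joined, and store the baseline where on-premises administrators cannot rewrite it; an attacker who controls Active Directory can add a key, but cannot silently update a baseline held outside that trust boundary.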
Exchange Hybrid Certificates
The most devastating attack vector exploits Exchange hybrid deployments through certificate-based authentication abuse.
Attackers can extract Exchange hybrid certificates from on-premises servers using tools like ADSyncCertDump.exe and leverage them to request Service-to-Service (S2S) actor tokens from Microsoft’s Access Control Service (ACS).
These unsigned bearer tokens, containing the service principal identifier 00000002-0000-0ff1-ce00-000000000000, provide unrestricted access to Exchange Online and SharePoint without user context validation.
The S2S tokens exploit the trustedfordelegation property, enabling attackers to impersonate any user within the tenant for 24-hour periods.
Critically, these tokens generate no audit logs during issuance or usage, operate without Conditional Access policy enforcement, and remain non-revocable once issued.
The attack chain involves requesting actor tokens for graph.windows.net endpoints, effectively granting Global Administrator privileges across the entire Microsoft 365 environment.
Mitigations
Microsoft has acknowledged these vulnerabilities and implemented partial mitigations, including blocking S2S token abuse for first-party service principal credentials as of August 2025.
However, Exchange and SharePoint impersonation capabilities remain functional, posing ongoing risks to hybrid deployments.
The company plans to enforce mandatory separation of Exchange on-premises and Exchange Online service principals by October 2025.
Organizations should immediately audit their Exchange hybrid configurations using detection queries like AuditLogs | where InitiatedBy.user.displayName == "Office 365 Exchange Online" to identify suspicious activities.
Additional protective measures include enabling hard matching in Entra ID Connect to prevent cloud-only account takeovers and implementing the principle of least privilege for Directory Synchronization Accounts.
Security teams must also monitor for unauthorized modifications to authentication policies and consider transitioning to dedicated Exchange hybrid applications to limit attack surface exposure.