Source: www.techrepublic.com – Author: J.R. Johnivan
At Black Hat USA 2025, Dirk-jan Mollema showed how low-privilege cloud accounts can be turned into hybrid admins, bypassing API controls undetected.

At last week’s Black Hat event in Las Vegas, Dirk-jan Mollema, hacker, security researcher, and founder of Outsider Security, outlined a set of techniques for bypassing authentication in hybrid Active Directory (AD) and Entra ID environments. If successfully executed, these methods can allow an attacker to impersonate any synced hybrid user, including privileged accounts.
In the intro for his presentation, Mollema wrote: “Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much ‘the cloud’ trusts data from on-premises. The reason for this is that many threat actors, including APTs (advanced persistent threats), have been making use of known lateral movement techniques to compromise the cloud from AD.”
Understanding the weaknesses in Active Directory and Entra ID
In one demonstration, Mollema showed how a low-privilege cloud account could be converted into a hybrid user, thereby granting him administrative rights without raising any alarms in the process. He also demonstrated how it’s possible to modify internal API policies and bypass access enforcement controls under certain conditions.
But the vulnerabilities don’t stop there. By abusing hybrid configurations with Microsoft Exchange, an attacker can impersonate virtually any Exchange mailbox, gaining access to all of the emails, documents, and attachments within.
Microsoft has been aware of these flaws for some time. The company has issued patches for some of the more serious issues, such as strengthening protections for Global Administrators and removing certain API permissions from synchronized accounts. However, the problem won’t be fully resolved until Microsoft completes the separation of its hybrid Exchange and Entra ID services, scheduled for October 2025.
Protecting your Active Directory and Entra ID environments
In the meantime, organizations running hybrid Exchange and Entra ID can reduce their risk by implementing these security measures:
- Auditing all synchronization servers (the Entra Connect servers that link on-premises AD to the cloud).
- Storing signing keys in hardware rather than on disk.
- Monitoring for unusual API calls, in particular changes to sync-related user attributes made by anything other than the sync service.
- Deploying the dedicated Exchange hybrid application so Exchange no longer shares a service principal with Entra ID.
- Rotating single sign-on (SSO) keys on a regular basis.
- Restricting users and service accounts to only the permissions they need.
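As an added example of the "monitor unusual API calls" and "audit synchronization" advice above (this is illustrative code written for this article, not code from Mollema's talk or from Microsoft), the following script scans constructed Entra ID audit-log records and flags any "Update user" event in which a cloud-only account acquires the attributes of a synced, hybrid user (OnPremisesSyncEnabled or OnPremisesImmutableId) while the change was not made by the expected sync service account. The record layout loosely follows the Microsoft Graph directoryAudit shape, but the property names, the initiator allowlist (EXPECTED_SYNC_INITIATORS) and all sample values are assumptions for illustration.

```python
"""Flag cloud-only Entra ID users that become hybrid (synced) users via an
unexpected initiator. Constructed example; record layout and property names
are assumptions modelled loosely on Graph directoryAudit entries."""
import json
from dataclasses import dataclass

# Assumed: identities that are allowed to write sync attributes. In a real
# tenant this would be the Entra Connect / Cloud Sync service account(s).
EXPECTED_SYNC_INITIATORS = {"sync_svc@contoso.onmicrosoft.com"}

# Assumed modifiedProperties names that mark a user as hybrid/synced.
HYBRID_PROPERTIES = {"OnPremisesSyncEnabled", "OnPremisesImmutableId"}


@dataclass
class Finding:
    target: str
    initiator: str
    prop: str
    old: str
    new: str


def _as_list(value):
    """Audit logs serialise old/new values as JSON strings, e.g. '["True"]'."""
    if value in (None, "", "[]", "null"):
        return []
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return [str(value)]
    return parsed if isinstance(parsed, list) else [parsed]


def becomes_hybrid(prop, old, new):
    """True when this property change turns a cloud-only user into a synced one."""
    old_v, new_v = _as_list(old), _as_list(new)
    if prop == "OnPremisesSyncEnabled":
        was_true = any(str(x).lower() == "true" for x in old_v)
        now_true = any(str(x).lower() == "true" for x in new_v)
        return not was_true and now_true
    if prop == "OnPremisesImmutableId":
        return not old_v and bool(new_v)   # an immutableId appeared from nothing
    return False


def _initiator(event):
    by = event.get("initiatedBy", {})
    upn = by.get("user", {}).get("userPrincipalName")
    return upn or by.get("app", {}).get("displayName", "unknown")


def find_suspicious_hybrid_conversions(events):
    """Return one Finding per hybrid-conversion change not made by the sync service."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Update user":
            continue
        who = _initiator(ev)
        if who.lower() in EXPECTED_SYNC_INITIATORS:
            continue
        for target in ev.get("targetResources", []):
            for mp in target.get("modifiedProperties", []):
                name = mp.get("displayName")
                if name in HYBRID_PROPERTIES and becomes_hybrid(
                    name, mp.get("oldValue"), mp.get("newValue")
                ):
                    findings.append(Finding(target.get("userPrincipalName"), who,
                                            name, mp.get("oldValue"), mp.get("newValue")))
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    {   # legitimate: the sync service sets an immutableId -> no finding
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "sync_svc@contoso.onmicrosoft.com"}},
        "targetResources": [{"userPrincipalName": "alice@contoso.com", "modifiedProperties": [
            {"displayName": "OnPremisesImmutableId", "oldValue": None, "newValue": '["AAAA=="]'}]}],
    },
    {   # suspicious: a helpdesk user stamps an immutableId on a cloud-only account
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
        "targetResources": [{"userPrincipalName": "svc-cloudonly@contoso.com", "modifiedProperties": [
            {"displayName": "OnPremisesImmutableId", "oldValue": "[]", "newValue": '["Q0xPVUQ="]'}]}],
    },
    {   # benign: display-name change -> no finding
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
        "targetResources": [{"userPrincipalName": "bob@contoso.com", "modifiedProperties": [
            {"displayName": "DisplayName", "oldValue": '["Bob"]', "newValue": '["Robert"]'}]}],
    },
    {   # suspicious: an app flips OnPremisesSyncEnabled from false to true
        "activityDisplayName": "Update user",
        "initiatedBy": {"app": {"displayName": "Unknown Automation App"}},
        "targetResources": [{"userPrincipalName": "carol@contoso.com", "modifiedProperties": [
            {"displayName": "OnPremisesSyncEnabled", "oldValue": '["False"]', "newValue": '["True"]'}]}],
    },
]

if __name__ == "__main__":
    for f in find_suspicious_hybrid_conversions(SAMPLE_EVENTS):
        print(f"ALERT {f.target}: {f.prop} {f.old!r} -> {f.new!r} by {f.initiator}")
```

The allowlist is the weak point of this check: an attacker who controls the sync server itself will initiate the change as the sync account, so this detection complements, rather than replaces, auditing the synchronization servers and restricting who can log on to them.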
Staying vigilant in the hybrid era
Hybrid environments are only as strong as their weakest link. Until Microsoft finalizes its service separation, the best defense against these AD and Entra ID weaknesses involves consistent auditing of synchronization server logs, proactive monitoring of API activity, and least-privilege access policies across the board.
Security in the hybrid era isn’t just about waiting for the next patch; it’s also about staying one step ahead of hackers and remaining vigilant at all times.
J.R. Johnivan
J.R. Johnivan is a 17-year veteran whose writing is focused on innovation and technology, including IT, computer networking, security, cloud computing, staffing, human resources, real estate, sports, entertainment, and more.
Original Post URL: https://www.techrepublic.com/article/news-black-hat-2025-authentication-bypass-active-directory-entra-id/
Category & Tags: Cloud Security, Microsoft, Networking, News, Security