Recent research has unveiled sophisticated attack vectors that exploit hybrid Active Directory and Microsoft Entra ID environments, enabling attackers to achieve complete tenant compromise through previously unknown lateral movement techniques. These methods, presented at Black Hat USA 2025, expose critical vulnerabilities in Microsoft’s authentication infrastructure, allowing unauthorized access to Exchange Online, SharePoint, and Entra ID without traditional authentication barriers.
Seamless SSO Key Manipulation
According to Dirk-Jan Mollema’s Black Hat presentation, attackers with control over on-premises Active Directory can manipulate Seamless Single Sign-On (SSO) configurations to forge Kerberos service tickets for any user in the tenant. By adding backdoor keys to the OnPremAuthenticationFlowPolicy, threat actors can create persistent access mechanisms that bypass multi-factor authentication requirements.
The technique involves injecting custom symmetric keys with identifiers like 13371337-ab99-4d21-9c03-ed4789511d01 into the policy’s KeysInformation array, enabling RC4-encrypted Kerberos ticket generation for any domain user. Particularly concerning is that these backdoor keys can also be provisioned for .onmicrosoft.com domains, which works even though such cloud-only domains have no on-premises Kerberos realm and the configuration should not logically apply to them.
The attack leverages the trustedfordelegation claim in JWT tokens, allowing impersonation of any hybrid user account. Microsoft’s audit logs provide no visibility into these modifications, making detection extremely challenging for security teams.
Exchange Hybrid Certificates
Another devastating attack vector exploits Exchange hybrid deployments through certificate-based authentication abuse. Attackers can extract Exchange hybrid certificates from on-premises servers using tools like ADSyncCertDump.exe and leverage them to request Service-to-Service (S2S) actor tokens from Microsoft’s Access Control Service (ACS). These unsigned bearer tokens, containing the service principal identifier 00000002-0000-0ff1-ce00-000000000000, provide unrestricted access to Exchange Online and SharePoint without user context validation.
The S2S tokens exploit the trustedfordelegation property, enabling attackers to impersonate any user within the tenant for 24-hour periods. Critically, these tokens generate no audit logs during issuance or usage, operate without Conditional Access policy enforcement, and remain non-revocable once issued. The attack chain involves requesting actor tokens for graph.windows.net endpoints, effectively granting Global Administrator privileges across the entire Microsoft 365 environment.
Mitigations
Microsoft has acknowledged these vulnerabilities and implemented partial mitigations, including blocking S2S token abuse for first-party service principal credentials as of August 2025. However, Exchange and SharePoint impersonation capabilities remain functional, posing ongoing risks to hybrid deployments. The company plans to enforce mandatory separation of Exchange on-premises and Exchange Online service principals by October 2025.
Organizations should immediately audit their Exchange hybrid configurations using detection queries like AuditLogs | where InitiatedBy.user.displayName == "Office 365" to identify potential abuse. Implementing strict monitoring and access controls is crucial to mitigate these risks.
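As an added example (not from the presentation or the article), the two defensive checks suggested above in plain Python over constructed sample data: the Entra audit-log filter from the query, and a baseline comparison of the OnPremAuthenticationFlowPolicy KeysInformation array to spot key identifiers nobody provisioned. The JSON shape of the policy fragment and the field name KeyIdentifier are assumptions; the audit-log records follow the InitiatedBy.user.displayName path used in the query.

```python
"""Detection helpers for the hybrid-identity abuses described above.

All input here is constructed sample data; the policy fragment's shape is
an assumption, not Microsoft's documented schema.
"""
import json

# Constructed sample: three Entra audit-log records. Only the second one
# matches the article's query (initiator display name "Office 365").
SAMPLE_AUDIT_LOGS = [
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"displayName": "alice@contoso.example"}}},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "Office 365"}}},
    {"activityDisplayName": "Update policy",
     "initiatedBy": {"app": {"displayName": "Sync service"}}},
]


def flag_office365_initiator(records):
    """Python equivalent of:
    AuditLogs | where InitiatedBy.user.displayName == "Office 365"
    Returns the activity names of matching records."""
    hits = []
    for rec in records:
        # initiatedBy may carry an "app" instead of a "user"; treat as no user.
        user = rec.get("initiatedBy", {}).get("user") or {}
        if user.get("displayName") == "Office 365":
            hits.append(rec["activityDisplayName"])
    return hits


# Constructed sample policy fragment (shape assumed). The second entry is the
# backdoor key identifier quoted in the article.
SAMPLE_POLICY = json.loads("""{
  "KeysInformation": [
    {"KeyIdentifier": "a1b2c3d4-0000-4000-8000-000000000001"},
    {"KeyIdentifier": "13371337-ab99-4d21-9c03-ed4789511d01"}
  ]
}""")


def unexpected_sso_keys(policy, baseline):
    """Return key identifiers present in KeysInformation but absent from the
    known-good baseline the organisation recorded at provisioning time."""
    present = {k.get("KeyIdentifier") for k in policy.get("KeysInformation", [])}
    return sorted(present - set(baseline))


if __name__ == "__main__":
    print(flag_office365_initiator(SAMPLE_AUDIT_LOGS))
    print(unexpected_sso_keys(SAMPLE_POLICY, ["a1b2c3d4-0000-4000-8000-000000000001"]))
```

Because the policy modifications themselves leave no audit trail, the baseline comparison has to be run against a snapshot of the policy you export yourself, not against AuditLogs.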