RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: entra-id (3 articles)Clear
threat
2026-05-04

Microsoft says fake HR compliance emails fooled 35,000 people across 26 countries - phishing kit captured login tokens even with MFA enabled

Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email had a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs and a final adversary-in-the-middle (AiTM) Microsoft sign-in page. AiTM proxies the real Microsoft login and captures session tokens after MFA - so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.

microsoftaitmphishing35k-users26-countriescode-of-conducttycoon-2facaptcha-gatemfa-bypassentra-idfido2passkey-resistant
Check
Search Exchange Online logs for emails between April 14-16 with subjects containing 'conduct policy' or 'awareness case log.' Hunt sign-in logs for OAuth grants from acceptable-use-policy-calendly.de or compliance-protectionoutlook.de.
Affected
Microsoft 365 / Entra ID tenants with users on traditional MFA (push, SMS, TOTP). AiTM bypasses any non-phishing-resistant MFA factor - only FIDO2 hardware keys and Windows Hello are immune. US users in healthcare, life sciences, financial services, and professional services are at acute risk based on Microsoft's targeting data.
Fix
Migrate users to phishing-resistant MFA (FIDO2 hardware keys, Windows Hello, passkeys) for all accounts. Enable Conditional Access policies that require token binding for high-privilege accounts. Turn on Zero-hour auto purge in Defender for Office 365 to retroactively quarantine campaign emails. Revoke session tokens for any user who visited a fake sign-in page.
threat
2026-05-02

New 'ConsentFix v3' attack lets criminals take over Microsoft 365 accounts even when MFA and passkeys are turned on

Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.

consentfixoauthazuremicrosoft-365entra-idpush-securitymfa-bypasspasskey-bypassfirst-party-appscloudflare-pagespipedream
Check
Brief any Microsoft 365 admin or developer that any 'verification step' that asks them to paste a URL containing 'localhost' into a webpage is hostile, no matter how legitimate the page looks.
Affected
Any Microsoft 365 / Entra ID tenant. The attack bypasses MFA, passkeys, and most Conditional Access policies by abusing pre-consented Microsoft first-party apps. Acute risk for organizations whose admins, developers, or DevOps engineers regularly use Azure CLI - those users won't suspect a fake Azure CLI authorization page. Cloudflare Pages and Pipedream both look legitimate in network telemetry.
Fix
Apply token binding to trusted devices and require Conditional Access for first-party Microsoft apps where possible. Hunt Azure sign-in logs for Azure CLI authentications from unfamiliar IPs, especially against accounts that don't normally use it. Train developers to verify out-of-band any 'verification step' that asks them to paste URLs into a webpage. Use app authentication restrictions to limit which first-party apps can issue refresh tokens.
vulnerability
2026-04-28

Microsoft patches Entra ID role flaw that let a low-privileged service account impersonate any service principal in your tenant

Microsoft quietly patched a privilege escalation flaw in Entra ID (formerly Azure AD) that let an attacker with a low-privileged service account take over any service principal in the same tenant - including high-value ones with admin consent grants. The bug was in how Entra ID validated role assignments during certain API calls: the validator checked whether the caller had any role on a service principal but didn't check whether that role authorized the specific action. Microsoft fixed the flaw on the back end, so customers don't need a patch - but the takeover scenario means anyone who exploited it before the fix could have created persistent backdoors via OAuth grants.

entra-idazure-adprivilege-escalationservice-principaloauthadmin-consentserver-side-fix
Check
Audit your Entra ID tenant this week for unfamiliar service principals, unexpected admin consent grants, and OAuth tokens issued to apps you don't recognize.
Affected
Microsoft Entra ID tenants with multiple service principals where any low-privileged account had role assignments on those service principals. The fix is server-side, so you don't need to apply a patch - but you do need to assume any attacker with foothold access before the fix could have abused this to escalate.
Fix
Run a Microsoft Graph audit on your tenant: list all service principals, OAuth grants, and app role assignments created since January 2026. Investigate any unfamiliar app, any grant from a service account, and any service principal whose roles changed unexpectedly. Revoke and re-issue admin consent for high-privilege apps. Enable audit logging for application registrations.