-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Researcher Shows Edge Browser Stores Saved Passwords in Plaintext
Cybersecurity expert Tom Rønning finds Microsoft Edge loads all saved passwords into computer memory as cleartext, making them easy for hackers to steal.
-
Cybersecurity News
-
The 1.6 Billion User Pivot: Satya Nadella’s Plan to Fix Windows 11 and Save the 8GB PC
The post The 1.6 Billion User Pivot: Satya Nadella’s Plan to Fix Windows 11 and Save the 8GB PC appeared first on Daily CyberSecurity.
-
Cyber Security News

-
Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse
Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.
However, an authorized red team engagement by Howler Cell recently revealed a critical attack path that entirely bypasses these vital protections.
Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.
This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.
The engagement by Howler Cell closely mirrored real-world tactics used by Storm-2372, a suspected Russian state-aligned threat actor.
Both the researchers and threat actors exploited unprotected Device Registration Service (DRS) endpoints to establish initial footholds, proving that blocked credentials are not a dead end for sophisticated attackers.
Azure AD Conditional Access Bypassed
According to Howler Cell’s comprehensive research, the operation began with valid credentials explicitly blocked by a CA policy, resulting in an AADSTS53003 error.
To bypass this, researchers targeted the DRS endpoint using the device code authentication flow, an avenue left open by unenforced security policies.
This allowed them to authenticate successfully and proceed to the next phase of the attack.
Using a single command, the Howler Cell team registered a phantom device with a signed Azure AD certificate and private key.
The DRS API does not validate if the caller is a physical Windows machine, allowing a Linux laptop to masquerade as a legitimate endpoint.
This step leveraged the MITRE ATT&CK technique for Account Manipulation (T1098.005).
With the phantom device registered, researchers minted a Primary Refresh Token (PRT) containing false device claims.
When this PRT was exchanged for an access token, Azure AD determined that the session was device-authenticated.
This completely bypassed CA policies that required a compliant or joined device, granting access to the broader tenant environment for directory enumeration.
To bypass policies strictly requiring an Intune-compliant device, the researchers exploited a known gap in Intune enrollment restrictions.
By claiming hybrid domain-join status, the phantom device bypassed pre-registration requirements.

Intune trusted the client’s self-declared domain membership without verifying it against on-premises Active Directory.
Once enrolled, the device achieved compliance despite lacking BitLocker, Secure Boot, or antivirus software.
Intune’s evaluation logic treated missing health attestation responses as “not applicable” rather than non-compliant.
This permissive default posture allowed the researchers to download internal enterprise applications, and extracting a single package revealed critical internal server naming conventions and network architecture.
Escalation and Mitigation
Independent of device spoofing, Howler Cell researchers from Cyderes identified a structural risk in hybrid identity environments.
They discovered 255 highly privileged directory roles, including multiple Global Administrators, synced directly from on-premises Active Directory.
Compromising these on-premises accounts provides attackers with a direct path to complete cloud tenant takeover without needing any cloud-specific exploits.
To defend against these complex attack chains, organizations must harden their device trust models.
Crucial mitigations include:
- Enforcing report-only CA policies that block device code flows and require MFA for device registration.
- Mandating TPM 2.0 attestation as a strict prerequisite for all PRT issuance.
- Requiring external validation of device health through the Microsoft Health Attestation Service rather than relying on self-reported data.
- Scoping user-level Graph API access to prevent unauthorized bulk directory enumeration.
- Restricting privileged directory roles exclusively to cloud-only accounts managed through Privileged Identity Management.

-
GBHackers on Security | #1 Globally Trusted Cyber Security News Platform

-
Microsoft Teams on Android Now Lets Users Join External Meetings Through SIP
Microsoft is set to bridge the gap in enterprise unified communications with a highly anticipated update to its conference room hardware. Starting in June 2026, Microsoft Teams Rooms on Android will officially support joining third-party external meetings through Session Initiation Protocol (SIP). This strategic development aims to deliver seamless cross-platform interoperability for organizations relying on […]

-
GBHackers on Security | #1 Globally Trusted Cyber Security News Platform

-
CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs
CloudZ is a new modular remote access trojan that abuses Microsoft’s built‑in Phone Link feature to steal SMS one‑time passwords (OTPs) and other mobile notifications directly from Windows PCs, without infecting the phone itself. Microsoft Phone Link (formerly “Your Phone”) is integrated into Windows 10 and 11 to mirror smartphone SMS messages, application notifications, call […]

-
Security | TechRepublic
-
Microsoft Defender Bug Triggers False Malware Alerts for DigiCert Certificates
Microsoft fixed a Defender false positive that flagged legitimate DigiCert certificates as malware, disrupting Windows trust stores for some IT teams.
-
BleepingComputer
-
Microsoft confirms April Windows updates cause backup failures
Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications using the psmounterex.sys driver. [...]
-
BleepingComputer
-
Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. [...]
-
Security | TechRepublic
-
Microsoft Flagged 8.3B Phishing Emails in Q1 as QR Codes, CAPTCHAs Rise
Microsoft flagged 8.3 billion phishing emails as attackers turned to QR codes, fake CAPTCHAs, PhaaS kits, and file-based payloads.
-
BleepingComputer
-
Microsoft tests modern Windows Run, says it's faster than legacy dialog
Microsoft has confirmed that Windows 11 is getting a new modern Run dialog with dark mode support and faster performance in a new preview build. [...]
-
BleepingComputer
-
Microsoft fixes Remote Desktop warnings displaying incorrectly
Microsoft has fixed a known issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files. [...]
-
BleepingComputer
-
Microsoft now lets admins choose pre-installed Store apps to uninstall
Microsoft has updated a Windows 11 in-box app removal policy introduced in October to include a dynamic list that lets IT admins choose which preinstalled Store apps to uninstall. [...]
-
BleepingComputer
-
Windows 11 KB5083631 update released with 34 changes and fixes
Microsoft has released the KB5083631 optional cumulative update for Windows 11, which includes 34 changes, such as a new Xbox mode for Windows PCs, enhanced security and performance for batch files, and performance improvements for launching startup apps. [...]
-
BleepingComputer
-
April KB5083769 Windows 11 update causes backup software failures
The April 2026 KB5083769 security update breaks third-party backup applications from multiple vendors on systems running Windows 11 24H2 and 25H2. [...]
-
Security | TechRepublic
-
Microsoft Confirms Windows Flaw Is Being Exploited After Incomplete Patch
Microsoft confirmed a Windows zero-click flaw tied to an incomplete patch is being exploited, putting credentials at risk for unpatched users.
-
Graham Cluley
-
Alleged Silk Typhoon hacker extradited to the United States to face charges
A man accused of working as a hacker for China's Ministry of State Security has been extradited to the USA from Italy, and faces - if found guilty - the prospect of decades behind bars. Read more in my article on the Hot for Security blog.
-
GBHackers on Security | #1 Globally Trusted Cyber Security News Platform

-
CISA Warns of Windows Shell Zero-Day Exploited in Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly discovered zero-day vulnerability affecting Microsoft Windows. On April 28, 2026, the agency officially added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog. This critical flaw involves a failure of a protection mechanism within the Microsoft Windows Shell, and active exploitation […]

-
BleepingComputer
-
CISA orders feds to patch Windows flaw exploited as zero-day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks. [...]
-
BleepingComputer
-
Microsoft to deprecate legacy TLS in Exchange Online starting July
Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. [...]
-
Cyber Security News

-
Microsoft Launches Copilot Agent Mode for Outlook, Inbox and Calendar Functions
Microsoft has officially launched its new “agentic” capabilities for Copilot in Outlook, transforming the AI from a basic drafting assistant into an autonomous digital agent.
Announced on April 27, 2026, this major update enables Copilot to manage both your inbox and calendar proactively.
By automating complex, ongoing tasks, Microsoft aims to reduce digital fatigue and drastically streamline daily enterprise workflows.
For cybersecurity and IT professionals managing high volumes of alerts and communications, this autonomous triage could become a critical productivity tool.
Autonomous Inbox Management
Previously, Copilot in Outlook primarily assisted with single tasks, such as writing an email or summarizing a thread.
Now, the new agent mode works continuously in the background to keep operations moving.
Copilot actively prioritizes incoming messages, surfaces emails that require urgent responses, and automatically drafts follow-ups for unreturned messages.

Users can also instruct the AI to create complex inbox rules, such as automatically tagging leadership emails as “High Priority” if the user is on the direct “To:” line.
For employees returning from leave, Copilot can summarize missed emails, highlight urgent items, draft brief update emails, and suggest messages to archive safely.
Importantly, the AI shows its workflow steps transparently. This allows users to review, adjust, or stop actions at any time, maintaining essential oversight over confidential data.
Intelligent Calendar Automation
Copilot’s new capabilities extend deeply into calendar management. Scheduling a meeting is simple, but resolving conflicts and reprioritizing tasks takes significant administrative effort.
Copilot now continuously monitors schedules to keep your day on track. It can automatically resolve booking conflicts, reschedule overlapping 1:1 meetings, rebook conference rooms, and proactively block out focus time.

Users can prompt the AI to draft detailed meeting agendas based on specific goals, open blockers, and owner assignments.
It can also protect off-hours by automatically following large meetings outside the typical workday instead of accepting them.
Strategic Time Management Features
Beyond basic scheduling, Copilot helps users align their time with their actual corporate priorities.
Copilot can execute several advanced prompts:
- Tracks unreplied emails and drafts polite reminders after 24 hours.
- Pulls relevant project data from the past week to draft high-importance update emails.
- Analyzes upcoming calendars to recommend which meetings to decline, delegate, or convert to async updates.
- Gathers context and identifies potential risks to help users prepare for upcoming client meetings.
As AI takes on more autonomous roles, maintaining user control over sensitive corporate communications remains critical.
Microsoft has designed these agentic features to keep the human in the loop for final approvals.
The new Copilot agent capabilities are currently available for early access through Microsoft’s Frontier program for all Outlook platforms, including Windows and web environments.
