Microsoft researchers warn of a new ClickFix campaign targeting macOS with fake guides on Medium and Craft to deploy AMOS and SHub Stealer via Terminal commands.
Cybersecurity expert Tom Rønning finds Microsoft Edge loads all saved passwords into computer memory as cleartext, making them easy for hackers to steal.
Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.
However, an authorized red team engagement by Howler Cell recently revealed a critical attack path that entirely bypasses these vital protections.
Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.
This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.
The engagement by Howler Cell closely mirrored real-world tactics used by Storm-2372, a suspected Russian state-aligned threat actor.
Both the researchers and threat actors exploited unprotected Device Registration Service (DRS) endpoints to establish initial footholds, proving that blocked credentials are not a dead end for sophisticated attackers.
Azure AD Conditional Access Bypassed
According to Howler Cell’s comprehensive research, the operation began with valid credentials explicitly blocked by a CA policy, resulting in an AADSTS53003 error.
To bypass this, researchers targeted the DRS endpoint using the device code authentication flow, an avenue left open by unenforced security policies.
This allowed them to authenticate successfully and proceed to the next phase of the attack.
Using a single command, the Howler Cell team registered a phantom device with a signed Azure AD certificate and private key.
The DRS API does not validate if the caller is a physical Windows machine, allowing a Linux laptop to masquerade as a legitimate endpoint.
With the phantom device registered, researchers minted a Primary Refresh Token (PRT) containing false device claims.
When this PRT was exchanged for an access token, Azure AD determined that the session was device-authenticated.
This completely bypassed CA policies that required a compliant or joined device, granting access to the broader tenant environment for directory enumeration.
To bypass policies strictly requiring an Intune-compliant device, the researchers exploited a known gap in Intune enrollment restrictions.
By claiming hybrid domain-join status, the phantom device bypassed pre-registration requirements.
Kill Chain (Source: Cyderes)
Intune trusted the client’s self-declared domain membership without verifying it against on-premises Active Directory.
Once enrolled, the device achieved compliance despite lacking BitLocker, Secure Boot, or antivirus software.
Intune’s evaluation logic treated missing health attestation responses as “not applicable” rather than non-compliant.
This permissive default posture allowed the researchers to download internal enterprise applications; extracting a single package revealed critical internal server naming conventions and network architecture.
They discovered 255 highly privileged directory roles, including multiple Global Administrators, synced directly from on-premises Active Directory.
Compromising these on-premises accounts provides attackers with a direct path to complete cloud tenant takeover without needing any cloud-specific exploits.
To defend against these complex attack chains, organizations must harden their device trust models.
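One defensive check that follows from the chain described above, as an added example that is not part of the Howler Cell or Cyderes material: correlate Entra ID sign-in events so that a user who hit a Conditional Access block (AADSTS53003) and then succeeded against the Device Registration Service over the device code flow shortly afterwards is surfaced for review. Field names follow the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, authenticationProtocol, status.errorCode); the app display name "Device Registration Service", the 30-minute window and the sample events are assumptions constructed for this example.

```python
"""Flag CA-block -> DRS device-code-success sequences in Entra sign-in events.

Added example, not from the original write-up. Field names follow the
Microsoft Graph signIn resource; the events below are constructed."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
DRS_APP = "Device Registration Service"  # assumed appDisplayName for DRS

# Constructed sample: jdoe is blocked by CA (53003), then registers a device
# via device code flow 7 minutes later; asmith is a benign oAuth2 registration.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-04-20T09:00:00Z", "userPrincipalName": "jdoe@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 53003}},
    {"createdDateTime": "2026-04-20T09:07:00Z", "userPrincipalName": "jdoe@contoso.example",
     "appDisplayName": DRS_APP, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-20T11:00:00Z", "userPrincipalName": "asmith@contoso.example",
     "appDisplayName": DRS_APP, "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
])


def _ts(event):
    """Parse the ISO-8601 createdDateTime (Graph emits a trailing 'Z')."""
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def find_drs_after_ca_block(signins_json, window=WINDOW):
    """Return (upn, blocked_at, drs_at) for each user whose successful
    device-code sign-in to DRS follows a 53003 CA block within `window`.
    Events may arrive out of order, so they are sorted by timestamp first."""
    events = sorted(json.loads(signins_json), key=_ts)
    last_block = {}  # upn -> time of the most recent AADSTS53003
    hits = []
    for ev in events:
        upn = ev["userPrincipalName"]
        code = ev.get("status", {}).get("errorCode", 0)
        if code == 53003:
            last_block[upn] = _ts(ev)
            continue
        if (code == 0 and ev.get("appDisplayName") == DRS_APP
                and ev.get("authenticationProtocol") == "deviceCode"
                and upn in last_block and _ts(ev) - last_block[upn] <= window):
            hits.append((upn, last_block[upn], _ts(ev)))
    return hits


if __name__ == "__main__":
    for upn, blocked, drs in find_drs_after_ca_block(SAMPLE_SIGNINS):
        print(f"{upn}: CA block {blocked:%H:%M}Z -> DRS device-code success {drs:%H:%M}Z")
```

A hit is a review trigger, not proof of compromise; the same pattern can occur when a legitimate user switches to a device code sign-in on a new machine, so pair it with the tenant's device registration and Intune enrollment records.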
Microsoft is set to bridge the gap in enterprise unified communications with a highly anticipated update to its conference room hardware. Starting in June 2026, Microsoft Teams Rooms on Android will officially support joining third-party external meetings through Session Initiation Protocol (SIP). This strategic development aims to deliver seamless cross-platform interoperability for organizations relying on […]
CloudZ is a new modular remote access trojan that abuses Microsoft’s built‑in Phone Link feature to steal SMS one‑time passwords (OTPs) and other mobile notifications directly from Windows PCs, without infecting the phone itself. Microsoft Phone Link (formerly “Your Phone”) is integrated into Windows 10 and 11 to mirror smartphone SMS messages, application notifications, call […]
Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications using the psmounterex.sys driver. [...]
Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. [...]
Microsoft has fixed a known issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files. [...]
Microsoft has updated a Windows 11 in-box app removal policy introduced in October to include a dynamic list that lets IT admins choose which preinstalled Store apps to uninstall. [...]
Microsoft has released the KB5083631 optional cumulative update for Windows 11, which includes 34 changes, such as a new Xbox mode for Windows PCs, enhanced security and performance for batch files, and performance improvements for launching startup apps. [...]
The April 2026 KB5083769 security update breaks third-party backup applications from multiple vendors on systems running Windows 11 24H2 and 25H2. [...]
A man accused of working as a hacker for China's Ministry of State Security has been extradited to the USA from Italy, and faces, if found guilty, the prospect of decades behind bars.
Read more in my article on the Hot for Security blog.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly discovered zero-day vulnerability affecting Microsoft Windows. On April 28, 2026, the agency officially added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog. This critical flaw involves a failure of a protection mechanism within the Microsoft Windows Shell, and active exploitation […]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks. [...]