September 19, 2025
Severity
High
Analysis Summary
A critical vulnerability in Microsoft Entra ID (CVE-2025-55241) was discovered in July 2025 that could have allowed attackers to gain complete administrative control over any tenant in Microsoft’s global cloud infrastructure. The flaw, found by security researcher Dirk-jan Mollema, stemmed from a dangerous combination of a legacy authentication mechanism and a validation oversight in the Azure AD Graph API. By chaining the two, an attacker could impersonate Global Administrators in other tenants and effectively take control of the Microsoft 365 services and Azure resources tied to the victim organization.
The attack centered on the misuse of “Actor tokens”, undocumented internal-use tokens that Microsoft employs for service-to-service communication. Unlike standard user tokens, they are not subject to Conditional Access or other common security policies. The Azure AD Graph API did not verify that an Actor token was bound to the tenant being accessed, so an attacker could mint a token in their own tenant and present it against an entirely different organization. This bypass allowed an adversary to elevate privileges and read highly sensitive tenant data.
Exploitation would have allowed attackers to impersonate Global Admins and perform critical operations such as modifying tenant configuration, creating or hijacking accounts, and granting any level of permission. Beyond administrative takeover, adversaries could exfiltrate sensitive data, including user details, group memberships, tenant policies, service principals, device data and even BitLocker recovery keys, without generating any logs in the target tenant, because read access through the legacy API left no trace. Object modifications did trigger audit entries, but these appeared under misleading service display names, making malicious activity difficult to detect without prior awareness of the technique.
To launch an attack, only two pieces of information were required: the target tenant’s public tenant ID and an internal user identifier (netId). Both could be brute-forced or discovered through cross-tenant guest (B2B) trust relationships, raising the risk of widespread compromise across interconnected organizations. Microsoft received the report on July 14, 2025 and patched the issue within three days, followed by further mitigations in August to block applications from requesting Actor tokens for the Azure AD Graph API. The company reported no evidence of exploitation in the wild, and Mollema has published a KQL detection rule to help organizations hunt for potential traces of compromise in their environments.
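The tenant-binding oversight described above, modelled as an added example (not Microsoft’s code and not the researcher’s tooling): a toy validator that, like the vulnerable Azure AD Graph path, checks only the signature on the inner Actor token and then trusts the caller-supplied tenant and netId, beside a hardened validator that binds the request to the tenant the Actor token was issued for and resolves the netId only there. The signing key, tenant IDs, netIds and directory contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key standing in for the token issuer (assumption, not a real key).
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"

# Constructed directory: which netIds exist in which tenant (assumption).
DIRECTORY = {
    "tenant-victim-0001": {"netid-victim-ga": "globaladmin@victim.example"},
    "tenant-attacker-0002": {"netid-attacker-1": "mallory@attacker.example"},
}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(tenant_id: str, app_id: str) -> str:
    """Issue a signed service-to-service token for one tenant (toy model of an Actor token)."""
    payload = json.dumps({"typ": "actor", "tid": tenant_id, "appid": app_id}, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(sig)}"


def verify_actor_token(token: str) -> dict:
    """Check the signature on the inner token; the signature itself was never the weak point."""
    payload_b64, sig_b64 = token.split(".")
    payload = unb64(payload_b64)
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig_b64)):
        raise ValueError("actor token signature invalid")
    return json.loads(payload)


def build_impersonation_token(actor_token: str, tenant_id: str, net_id: str) -> dict:
    """The outer envelope is unsigned: the caller chooses the tenant and user it claims to act as."""
    return {"actortoken": actor_token, "tid": tenant_id, "netid": net_id}


def vulnerable_validate(imp: dict) -> dict:
    """Flaw modelled: a valid actor token from ANY tenant is enough, and tid/netid are trusted as supplied."""
    actor = verify_actor_token(imp["actortoken"])
    upn = DIRECTORY[imp["tid"]][imp["netid"]]
    return {"tenant": imp["tid"], "user": upn, "via_app": actor["appid"]}


def hardened_validate(imp: dict) -> dict:
    """Bind the request to the tenant the actor token was issued for, then resolve the user there only."""
    actor = verify_actor_token(imp["actortoken"])
    if imp["tid"] != actor["tid"]:
        raise PermissionError("impersonation tenant does not match actor token tenant")
    users = DIRECTORY.get(actor["tid"], {})
    if imp["netid"] not in users:
        raise PermissionError("netId not found in actor token tenant")
    return {"tenant": actor["tid"], "user": users[imp["netid"]], "via_app": actor["appid"]}


def cross_tenant_attempt(validator) -> str:
    """Attacker mints a token in their own tenant and aims it at the victim's Global Admin."""
    actor = issue_actor_token("tenant-attacker-0002", "app-attacker-controlled")
    imp = build_impersonation_token(actor, "tenant-victim-0001", "netid-victim-ga")
    try:
        return "ACCEPTED as " + validator(imp)["user"]
    except PermissionError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_attempt(vulnerable_validate))
    print("hardened:  ", cross_tenant_attempt(hardened_validate))
```

The hardened path makes two decisions the vulnerable one skips: the tenant comes from the signed inner token, never from the unsigned envelope, and the netId is looked up only inside that tenant, so a guessed or B2B-leaked identifier from another organization resolves to nothing.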
Impact
- Sensitive Data Exfiltration
- Privilege Escalation
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2025-55241
Affected Vendors
- Microsoft
Affected Products
- Microsoft Entra ID
Remediation
- The fix for CVE-2025-55241 is service-side and was deployed globally by Microsoft in July 2025; there is no customer patch to install, so focus effort on the hunting and hardening steps below.
- Review tenant audit logs for suspicious modifications, especially Global Administrator role changes whose initiator is a Microsoft service display name rather than a known administrator.
- Run the researcher’s KQL detection rule in Microsoft Sentinel or Log Analytics to hunt for traces of malicious Actor token activity in your environment.
- Remove or restrict legacy authentication mechanisms still in use, and migrate any remaining Azure AD Graph API integrations to Microsoft Graph, since the legacy API is where the validation oversight lived.
- Review cross-tenant B2B guest relationships and remove unused or untrusted guest accounts; guest trust is one of the ways an attacker can learn the netId values needed for cross-tenant pivoting.
- Monitor for abnormal privilege escalation events, especially new admin role assignments and application consent grants.
- Apply Conditional Access and MFA policies to all accounts where possible; Actor tokens bypassed these controls, but they remain the baseline defence against the account takeovers this access enables.
- Regularly review service principal and application permissions to detect unauthorized or excessive access rights.
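For the audit-log review in the steps above, an added example (not the researcher’s KQL rule and not a Microsoft artefact) that runs a simple triage over audit records in the shape of Microsoft Graph directoryAudit entries: it flags privileged directory changes whose initiator is a first-party service display name on a watch list. The sample records, the watch list and the set of privileged activity names are constructed assumptions; a production rule should use the published KQL and the service names it calls out.

```python
import json

# Constructed audit records in the shape of Microsoft Graph directoryAudit entries (assumption: field
# names follow the Graph AuditLogs schema; all values are made up for this example).
SAMPLE_AUDIT_LOG = r"""
{"activityDateTime":"2025-07-10T08:12:03Z","activityDisplayName":"Add member to role","category":"RoleManagement","correlationId":"c-0001","initiatedBy":{"user":{"userPrincipalName":"it-admin@victim.example"},"app":null},"targetResources":[{"type":"User","userPrincipalName":"newadmin@victim.example","modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Helpdesk Administrator\""}]}]}
{"activityDateTime":"2025-07-10T09:41:55Z","activityDisplayName":"Add member to role","category":"RoleManagement","correlationId":"c-0002","initiatedBy":{"user":{"userPrincipalName":"globaladmin@victim.example"},"app":{"displayName":"Office 365 Exchange Online","servicePrincipalId":"sp-0002"}},"targetResources":[{"type":"User","userPrincipalName":"svc-backup@victim.example","modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Global Administrator\""}]}]}
{"activityDateTime":"2025-07-10T10:02:17Z","activityDisplayName":"Update user","category":"UserManagement","correlationId":"c-0003","initiatedBy":{"user":null,"app":{"displayName":"Microsoft Intune","servicePrincipalId":"sp-0003"}},"targetResources":[{"type":"User","userPrincipalName":"alice@victim.example","modifiedProperties":[{"displayName":"DeviceKey","newValue":"\"rotated\""}]}]}
{"activityDateTime":"2025-07-10T10:30:44Z","activityDisplayName":"Add service principal credentials","category":"ApplicationManagement","correlationId":"c-0004","initiatedBy":{"user":{"userPrincipalName":"globaladmin@victim.example"},"app":{"displayName":"Office 365 SharePoint Online","servicePrincipalId":"sp-0004"}},"targetResources":[{"type":"ServicePrincipal","displayName":"backup-automation","modifiedProperties":[{"displayName":"KeyDescription","newValue":"\"[new secret added]\""}]}]}
"""

# Hypothetical watch list of first-party service display names an analyst would not expect to see
# initiating privileged directory changes (constructed for the example, not the researcher's list).
SUSPECT_SERVICE_NAMES = {"Office 365 Exchange Online", "Office 365 SharePoint Online"}

# Activities treated as privileged for this triage (constructed subset).
PRIVILEGED_ACTIVITIES = {
    "Add member to role",
    "Add eligible member to role",
    "Add service principal credentials",
    "Add owner to application",
}


def parse_audit_log(text: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def role_granted(record: dict):
    """Return the role name from a Role.DisplayName change, or None if the record is not a role grant."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                # Graph encodes newValue as a JSON string literal, hence the surrounding quotes.
                return (prop.get("newValue") or "").strip('"')
    return None


def find_suspicious(records: list) -> list:
    """Flag privileged changes whose initiating app is a watch-listed first-party service name."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in PRIVILEGED_ACTIVITIES:
            continue
        initiated = rec.get("initiatedBy") or {}
        app_name = (initiated.get("app") or {}).get("displayName")
        if app_name not in SUSPECT_SERVICE_NAMES:
            continue
        user = (initiated.get("user") or {}).get("userPrincipalName")
        targets = [t.get("userPrincipalName") or t.get("displayName") for t in rec.get("targetResources") or []]
        hits.append({
            "correlationId": rec.get("correlationId"),
            "when": rec.get("activityDateTime"),
            "activity": rec.get("activityDisplayName"),
            "service_name": app_name,
            "impersonated_user": user,
            "role": role_granted(rec),
            "targets": targets,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(json.dumps(hit))
```

Of the four constructed records, only the two whose initiator carries a watch-listed service name on a privileged activity are returned; the human administrator's role grant and the non-privileged Intune update are not. When running this against a real export, tune the watch list and the activity set to what the published KQL rule names, and treat a hit as a lead for investigation rather than a confirmed compromise.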