

Windows UAC Bypassed via Character Map
August 8, 2025
Severity
High
Analysis Summary
Researchers unveiled critical attack vectors targeting hybrid Active Directory and Microsoft Entra ID environments that can lead to full tenant compromise. These newly disclosed lateral movement techniques exploit weaknesses in Microsoft’s authentication infrastructure, enabling attackers to gain unauthorized access to Exchange Online, SharePoint, and Entra ID without traditional authentication barriers. The attacks leverage both on-premises and cloud trust relationships, allowing threat actors with on-prem AD control to escalate privileges in Microsoft 365 environments stealthily and persistently.
One of the primary techniques involves manipulating Seamless Single Sign-On (SSO) configurations by injecting backdoor symmetric keys into the OnPremAuthenticationFlowPolicy. With these keys, attackers can forge Kerberos service tickets for any user in the tenant, bypassing multi-factor authentication undetected. The exploitation is further enhanced by the use of the trusted-for-delegation claim in JWT tokens, enabling impersonation of hybrid user accounts. This method can even be executed on .onmicrosoft.com domains and remains invisible in Microsoft’s audit logs, leaving defenders with minimal detection capabilities.
Another major vector targets Exchange hybrid deployments through the abuse of hybrid certificates. By extracting these certificates from on-premises servers with tools like ADSyncCertDump.exe, attackers can obtain unsigned Service-to-Service (S2S) bearer tokens from Microsoft’s Access Control Service. These tokens, associated with the service principal ID 00000002-0000-0ff1-ce00-000000000000, grant unrestricted access to Exchange Online and SharePoint for up to 24 hours without triggering audit logs, conditional access enforcement, or revocation mechanisms. The exploitation of the trustedfordelegation property allows attackers to impersonate any user and escalate to Global Administrator privileges across the Microsoft 365 environment.
While Microsoft has implemented partial mitigations, such as blocking S2S token abuse for first-party service principal credentials as of August 2025, critical weaknesses remain, particularly in Exchange and SharePoint impersonation. A full fix, involving the separation of the Exchange on-premises and Exchange Online service principals, is not expected until October 2025. Until then, organizations should conduct immediate audits of Exchange hybrid configurations, monitor for unauthorized authentication policy changes, enable hard matching in Entra ID Connect, enforce least privilege for Directory Synchronization Accounts, and consider transitioning to dedicated Exchange hybrid applications to reduce the attack surface.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Privilege Escalation
- Security Bypass
Remediation
- Audit Exchange hybrid configurations using queries such as AuditLogs | where InitiatedBy.user.displayName == "Office 365 Exchange Online" to detect suspicious activities.
- Monitor for unauthorized modifications to OnPremAuthenticationFlowPolicy and other authentication policies.
- Enable hard matching in Entra ID Connect to prevent cloud-only account takeovers.
- Implement the principle of least privilege for Directory Synchronization Accounts.
- Transition to dedicated Exchange hybrid applications to reduce exposure.
- Restrict access to and monitor for extraction of Exchange hybrid certificates.
- Regularly review service principal permissions and remove unused or over-privileged entries.
- Prepare for Microsoft’s mandatory separation of Exchange on-premises and Exchange Online service principals coming in October 2025.
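The two audit checks above (activity initiated by the Exchange Online identity, and changes to OnPremAuthenticationFlowPolicy) carried out offline in Python, as an added example that is not part of this advisory. It assumes a newline-delimited JSON export whose fields (initiatedBy.user.displayName, initiatedBy.user.id, targetResources, activityDisplayName) mirror the AuditLogs columns the query refers to; that record layout and the sample entries are constructed, while the display name and service principal ID come from the advisory text.

```python
import json

# Values taken from the advisory text.
EXCHANGE_ONLINE_DISPLAY_NAME = "Office 365 Exchange Online"
EXCHANGE_ONLINE_SP_ID = "00000002-0000-0ff1-ce00-000000000000"
WATCHED_POLICY = "OnPremAuthenticationFlowPolicy"

# Constructed sample records (not real tenant data); the field layout is an
# assumption modelled loosely on the Entra ID AuditLogs table, not a verified schema.
SAMPLE_AUDIT_LOG = """
{"activityDisplayName": "Update user", "initiatedBy": {"user": {"displayName": "Office 365 Exchange Online", "id": "00000002-0000-0ff1-ce00-000000000000"}}, "targetResources": [{"type": "User", "displayName": "alice"}]}
{"activityDisplayName": "Update policy", "initiatedBy": {"user": {"displayName": "Jane Admin", "id": "11111111-2222-3333-4444-555555555555"}}, "targetResources": [{"type": "Policy", "displayName": "OnPremAuthenticationFlowPolicy"}]}
{"activityDisplayName": "Add member to group", "initiatedBy": {"user": {"displayName": "Jane Admin", "id": "11111111-2222-3333-4444-555555555555"}}, "targetResources": [{"type": "Group", "displayName": "Finance"}]}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def initiator(record):
    """Return (displayName, id) of the initiating user; tolerate missing or null keys."""
    user = record.get("initiatedBy", {}).get("user") or {}
    return user.get("displayName", ""), user.get("id", "")


def is_exchange_online_initiated(record):
    """Equivalent of the advisory's KQL filter. The service principal ID is checked
    as well as the display name so that a renamed display name does not evade it."""
    name, ident = initiator(record)
    return name == EXCHANGE_ONLINE_DISPLAY_NAME or ident == EXCHANGE_ONLINE_SP_ID


def touches_auth_flow_policy(record):
    """True if any target resource is the Seamless SSO authentication flow policy."""
    return any(t.get("displayName") == WATCHED_POLICY
               for t in record.get("targetResources", []))


def triage(records):
    """Return (reason, activity) pairs for records a defender should review."""
    findings = []
    for rec in records:
        if is_exchange_online_initiated(rec):
            findings.append(("exchange-online-initiated", rec.get("activityDisplayName")))
        if touches_auth_flow_policy(rec):
            findings.append(("auth-flow-policy-change", rec.get("activityDisplayName")))
    return findings


if __name__ == "__main__":
    for reason, activity in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{reason}: {activity}")
```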