Security researcher Nyxgeek has disclosed two additional Azure Entra ID sign-in log bypasses, dubbed GraphGoblin and Graph******. These vulnerabilities allowed attackers to authenticate and receive fully functional tokens without any record appearing in the Entra ID sign-in logs. By exploiting simple flaws like repeating scope parameters or submitting excessively long User-Agent strings to overflow SQL columns, the researcher successfully bypassed critical logging mechanisms that administrators worldwide rely on to detect unauthorized access.
Although Microsoft has since patched these specific issues, the discovery highlights significant gaps in the security testing of the Entra ID authentication endpoint. The researcher notes that while Microsoft downgraded the severity to "Moderate," the integrity of sign-in logs is paramount for organizational security: a token that is issued without a sign-in record is invisible to every detection that keys off those logs. To defend against similar future failures, organizations with E5 licenses can use KQL queries that cross-reference Graph Activity logs with sign-in logs to identify sessions that lack a corresponding authentication record.
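A detection query of the kind the article refers to, written here as an added example (it is not the researcher's or Microsoft's own query): it lists Graph API calls from the last day whose token identifier has no matching interactive or non-interactive sign-in record. The Log Analytics table names and the correlation columns SignInActivityId (Graph side) and UniqueTokenIdentifier (sign-in side) are assumed from the standard Entra ID diagnostic schema; extend the union with AADServicePrincipalSignInLogs if that table is collected in the workspace.

```kql
// Added example, not from the original article.
// Assumes a Log Analytics workspace receiving MicrosoftGraphActivityLogs,
// SigninLogs and AADNonInteractiveUserSignInLogs via Entra ID diagnostic settings.
let graph_window = 1d;
// Sign-ins are collected over a wider window than Graph calls: a token is often
// used long after it was issued, and a gap caused only by the window edge is not
// a logging bypass.
let signin_window = graph_window + 1d;
let known_signins = union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(signin_window)
        | project UniqueTokenIdentifier),
    (AADNonInteractiveUserSignInLogs
        | where TimeGenerated > ago(signin_window)
        | project UniqueTokenIdentifier)
    | where isnotempty(UniqueTokenIdentifier)
    | distinct UniqueTokenIdentifier;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(graph_window)
// Requests without a sign-in activity id cannot be correlated; review them separately.
| where isnotempty(SignInActivityId)
// leftanti keeps only Graph requests whose token never appeared in a sign-in record.
| join kind=leftanti known_signins
    on $left.SignInActivityId == $right.UniqueTokenIdentifier
| summarize
    Requests = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    RequestUris = make_set(RequestUri, 10),
    SourceIPs = make_set(IPAddress, 10),
    SampleUserAgent = take_any(UserAgent),
    UserAgentLength = max(strlen(UserAgent))
    by SignInActivityId, UserId, ServicePrincipalId, AppId
| order by Requests desc
```

Unusually long UserAgent values and repeated scopes in Scopes are worth surfacing in the results, since those were the triggers reported for these bypasses; a small residual of unmatched rows is normal when the two tables ingest with different delays, so tune the windows before alerting on every hit.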