Advanced Active Directory to Entra ID Lateral Movement Techniques
Black Hat USA 2025 · Day 1 · Briefings
Dirk-Jan Mollema of Outsider Security demonstrated that Exchange Hybrid deployments create a hidden, high-privilege attack path from on-premises Active Directory to full Microsoft 365 tenant compromise. By extracting exportable certificates from an on-premises Exchange server, an attacker can impersonate any user in Exchange Online and SharePoint without bypassing MFA or generating audit logs. A second technique, using the deprecated Access Control Service (ACS) token mechanism, previously granted full Entra global admin access until a hotfix shipped the day of the talk.
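As an added defender-side check (this is not code from the talk or from Outsider Security), the following PowerShell reports which certificates in the Exchange server's machine store have a private key flagged exportable, the property the certificate-extraction chain above relies on. It assumes an elevated session on the Exchange server and .NET Framework 4.6 or later; the function name is my own.

```powershell
# Added audit helper, not part of the talk: reports certificates in the local
# machine personal store whose private key is exportable. Assumes an elevated
# session on the Exchange server and .NET Framework 4.6+ (GetRSAPrivateKey).
function Get-PrivateKeyExportability {
    [CmdletBinding()]
    param(
        # Store to inspect; Exchange keeps its server certificates in LocalMachine\My
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = 'Unknown'
        $exportable = $null   # $null = could not be determined (key ACL, non-RSA key)
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG keys: exportability is a policy flag on the key object
                $provider   = 'CNG'
                $policy     = $rsa.Key.ExportPolicy
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP keys: exportability is recorded in the key container info
                $provider   = 'CSP'
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Access denied or unsupported key type; leave $exportable as $null
        }
        [pscustomobject]@{
            FriendlyName = $cert.FriendlyName
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Provider     = $provider
            Exportable   = $exportable
        }
    }
}

# Anything not explicitly non-exportable deserves review; unknowns ($null) are kept.
Get-PrivateKeyExportability | Where-Object { $_.Exportable -ne $false } | Format-Table -AutoSize
```

Run it on each hybrid Exchange server and treat any exportable or undetermined entry as a finding to investigate and, where possible, re-issue with a non-exportable key.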
AI review
Dirk-Jan Mollema doesn't do surface-level work, and this is no exception. The Exchange Hybrid exportable-cert attack chain is the kind of 'right-click, export, I'm Exchange Online now' finding that makes you want to audit every hybrid deployment on the planet. Microsoft shipped a hotfix the day of the talk. That tells you everything.