Imagine discovering a vulnerability that could allow you to compromise any Entra ID tenant worldwide without leaving any evidence of an attack. A few months ago, security researcher Dirk-jan Mollema discovered exactly such a vulnerability; had a bad actor found it first, major damage could have been done.

Mollema found that Microsoft issued undocumented impersonation tokens known as Actor Tokens, and that, because of a validation flaw in the Azure AD Graph API, an attacker could use them to impersonate any user, including Global Admins, in any tenant for 24 hours.

What makes this vulnerability even more insidious is that requesting an Actor Token wasn't logged, and the tokens weren't subject to typical security policies, which makes detection difficult. If exploited, an attacker would be able to access Entra ID data including:

  • User information
  • Group and role information
  • The tenant's conditional access policies
  • Any application permission assignment
  • Device information
  • BitLocker keys synced to Entra ID

If a Global Admin was impersonated, the attacker would be able to modify objects, including ones within Microsoft 365. While the actions would be logged, the logs would reflect modifications made by a legitimate Global Admin and not an attacker.
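As an added illustration (not code from the original post, Mollema or Microsoft), here is a defender-side triage heuristic that follows from the point above: since the token request itself left no trace, one place a hunter can look is privileged audit actions whose initiator has no successful sign-in in the preceding 24 hours. The log field names and the sample records are constructed, and the rule is an assumed starting heuristic, not an authoritative detection.

```python
from datetime import datetime, timedelta

# Constructed sample log records (not real tenant data). The field names are
# assumptions loosely modelled on Entra audit-log and sign-in-log exports.
AUDIT_EVENTS = [
    {"time": "2025-07-14T10:05:00Z", "initiator": "admin@contoso.example", "activity": "Add member to role"},
    {"time": "2025-07-15T11:40:00Z", "initiator": "admin@contoso.example", "activity": "Update application"},
    {"time": "2025-07-14T12:00:00Z", "initiator": "ops@contoso.example", "activity": "Update user"},
]
SIGNIN_EVENTS = [
    # ops@contoso.example deliberately has no sign-in record at all.
    {"time": "2025-07-14T09:50:00Z", "user": "admin@contoso.example", "status": "Success"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unbacked_actions(audit, signins, window=timedelta(hours=24)):
    """Return audit events whose initiator has no successful sign-in within
    `window` before the action. The 24h default mirrors the token lifetime
    described in the post. A hit is a triage lead, not proof of abuse:
    long-lived sessions and silent token refreshes also produce no new sign-in."""
    by_user = {}
    for s in signins:
        if s["status"] == "Success":
            by_user.setdefault(s["user"], []).append(_ts(s["time"]))
    flagged = []
    for ev in audit:
        when = _ts(ev["time"])
        backed = any(when - window <= t <= when for t in by_user.get(ev["initiator"], []))
        if not backed:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unbacked_actions(AUDIT_EVENTS, SIGNIN_EVENTS):
        print(f"REVIEW: {ev['time']} {ev['initiator']} -> {ev['activity']}")
```

On the constructed data, the role change 15 minutes after an admin sign-in passes, while the next day's application change and the ops account's edit are flagged for review.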

Mollema immediately reported his findings to the Microsoft Security Response Center on July 14th, 2025, and MSRC confirmed the issue had been solved. On August 6th, MSRC released further mitigations that prevent Actor Tokens from being issued for the Azure AD Graph with service principal (SP) credentials. Finally, on September 4th, Microsoft issued CVE-2025-55241 and stated that the vulnerability requires no customer action to resolve. There has been no evidence that this vulnerability was exploited in the wild.

While both Mollema and Microsoft deserve praise, Mollema for the responsible disclosure and Microsoft for taking action so fast, this incident highlights a few bigger lessons worth keeping in mind:

Key Takeaways

  • 🔍 Importance of cybersecurity researchers: Finding vulnerabilities before attackers do is critical to preventing large-scale damage.
  • ☁️ Even the biggest cloud providers are vulnerable: No system is immune, even platforms as widely used as Microsoft Entra.
  • 🤝 Responsible disclosure saves the day: This is a case study in why trust between researchers and vendors is essential to cybersecurity.
  • 🛡️ Logs and detection aren't always enough: Just because activity is logged doesn't mean it reflects the true source; attackers can still blend in with legitimate admin actions.
  • 🚀 Rapid vendor response matters: Microsoft's quick mitigation and patching show the importance of acting fast once a critical vulnerability is reported.

🤝 Let's Connect!

Whether you're deep in cyber or just getting started, I'd love to learn from you and with you. Follow this blog if you're curious about GRC, Red/Blue teaming, or the real journey behind building cyber skills.

👉 Follow me here on Medium to keep up with new posts.
👉 Connect with me on LinkedIn (especially if you're in cybersecurity or just breaking in).

Thanks for reading — and welcome to Brittney's Bytes! 💻🔐✨

Learning cybersecurity, one byte at a time.

Brittney