Overview
- Mollema uncovered a two-part issue involving undocumented Actor tokens and a legacy Azure AD Graph validation bug that allowed authentication as any user in other tenants, including Global Admins.
- Microsoft says it received the report on July 14, pushed a global fix on July 17, confirmed remediation by July 23, and later issued a CVE on September 4.
- The CVE rates the issue Critical, with a CVSS base score of 10 and Low attack complexity, reflecting the potential for full tenant compromise.
- If exploited, the chain could have granted access to services that rely on Entra ID, including Azure resources as well as SharePoint Online and Exchange Online.
- Actor token requests did not generate logs in victim tenants, which complicated detection; Microsoft reports no evidence of abuse, and Mollema published KQL queries to aid investigations.