Red Team Exercise Results In Bypass Of Azure AD Conditional Access Via Phantom Device Registration
A critical attack chain has been found that completely bypasses Microsoft Entra ID Conditional Access without deploying malware or touching an endpoint. Using just a single set of credentials, the researchers compromised a production tenant with over 16,000 users.
Howler Cell conducted authorized red team operations against a production enterprise Microsoft Entra ID tenant (~16,000 users, ~82,000 devices, 78 Conditional Access policies). Starting from a single set of valid user credentials blocked by Conditional Access, the engagement produced a full bypass chain:
- Phantom device registration
- Primary Refresh Token minting
- Intune compliance without a real device
- Enterprise application exfiltration
- On-premises-to-cloud privilege escalation path mapped to Global Administrator
No corporate endpoint was touched. No malware was deployed. The vulnerability is not in any single component. It is in the trust chain between them.
More details here: https://www.cyderes.com/howler-cell/azure-ad-conditional-access-device-identity-abuse
Ensar Seker, CISO at threat intel company SOCRadar, commented:
“The Howler Cell research highlights a dangerous reality many organizations still underestimate: identity has become the new perimeter, and attackers know how to abuse the trust built into cloud identity ecosystems. What makes this attack path especially concerning is that Conditional Access was technically functioning as designed, yet the attacker was still able to introduce a “trusted” phantom device into the environment and obtain a valid Primary Refresh Token. Once the identity system believes a device is compliant, many downstream protections effectively collapse.
This also demonstrates why organizations cannot rely solely on default Entra ID configurations or compliance states as proof of trust. Attackers increasingly target enrollment workflows, token issuance, and device registration processes because these areas often receive less scrutiny than endpoint malware defenses. Organizations should aggressively restrict device registration permissions, require hardware-backed authentication such as phishing-resistant MFA, continuously audit newly joined devices, monitor abnormal PRT issuance activity, and implement strong conditional policies around privileged access and unmanaged enrollment scenarios.”
Consider this your wake-up call. Zero trust isn’t a buzzword; it should be your reality. This red team exercise illustrates why.
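The quoted advice boils down to two monitoring tasks a defender can actually automate: audit newly joined devices, and look for a compliant-device sign-in that follows a fresh registration by a user Conditional Access had just blocked. The script below is an added illustration of that correlation; it is not part of the original post or of the Howler Cell report. It runs over constructed Entra ID audit-log and sign-in-log records embedded in the file. The field names (activityDisplayName, initiatedBy, targetResources, deviceDetail, conditionalAccessStatus) approximate the Microsoft Graph directoryAudit and signIn shapes but are a simplified assumption, as are the 24-hour device-age and 2-hour "blocked before registration" thresholds.

```python
"""Correlate device registrations with compliant-device sign-ins.

Added example, not the original post's or Howler Cell's code. Record shapes
are a simplified approximation of Entra ID audit and sign-in logs; the sample
data below is constructed, not real tenant data.
"""
from datetime import datetime, timedelta

# Constructed audit-log entries: one device joined minutes before a sign-in,
# one joined months earlier.
AUDIT_LOG = [
    {"activityDisplayName": "Add device", "activityDateTime": "2026-05-01T09:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "Device", "id": "dev-phantom-01",
                          "displayName": "DESKTOP-PHANTOM"}]},
    {"activityDisplayName": "Add device", "activityDateTime": "2025-11-12T14:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "Device", "id": "dev-laptop-42",
                          "displayName": "LAPTOP-BOB"}]},
]

# Constructed sign-in entries: alice is blocked by Conditional Access, then
# signs in successfully from a device registered 15 minutes earlier.
SIGNIN_LOG = [
    {"createdDateTime": "2026-05-01T08:40:00Z", "userPrincipalName": "alice@contoso.example",
     "conditionalAccessStatus": "failure", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "", "isCompliant": False, "trustType": ""}},
    {"createdDateTime": "2026-05-01T09:20:00Z", "userPrincipalName": "alice@contoso.example",
     "conditionalAccessStatus": "success", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "dev-phantom-01", "isCompliant": True,
                      "trustType": "Azure AD joined"}},
    {"createdDateTime": "2026-05-01T09:30:00Z", "userPrincipalName": "bob@contoso.example",
     "conditionalAccessStatus": "success", "ipAddress": "198.51.100.7",
     "deviceDetail": {"deviceId": "dev-laptop-42", "isCompliant": True,
                      "trustType": "Azure AD joined"}},
]


def parse_ts(value: str) -> datetime:
    """Parse a Graph-style UTC timestamp; the 'Z' suffix needs rewriting for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def index_device_registrations(audit_events):
    """Map device id -> who registered it and when, from 'Add device' audit events."""
    regs = {}
    for ev in audit_events:
        if ev.get("activityDisplayName") != "Add device":
            continue
        who = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        when = parse_ts(ev["activityDateTime"])
        for target in ev.get("targetResources", []):
            if target.get("type") == "Device":
                regs[target["id"]] = {"registered_at": when, "registered_by": who,
                                      "displayName": target.get("displayName")}
    return regs


def find_suspicious_signins(audit_events, signin_events,
                            max_device_age=timedelta(hours=24),
                            ca_failure_window=timedelta(hours=2)):
    """Return compliant-device sign-ins whose device is brand new, was registered by
    someone else, or was registered shortly after Conditional Access blocked the user."""
    regs = index_device_registrations(audit_events)
    signins = sorted(signin_events, key=lambda s: parse_ts(s["createdDateTime"]))
    findings = []
    for s in signins:
        device = s.get("deviceDetail") or {}
        if not device.get("isCompliant"):
            continue  # only sign-ins that actually earned the "compliant" state matter here
        reg = regs.get(device.get("deviceId"))
        if reg is None:
            continue  # registration outside the window we are looking at
        signed_in_at = parse_ts(s["createdDateTime"])
        reasons = []
        age = signed_in_at - reg["registered_at"]
        if age < max_device_age:
            reasons.append(f"compliant device registered only {age} before sign-in")
        if reg["registered_by"] and reg["registered_by"] != s["userPrincipalName"]:
            reasons.append(f"device registered by {reg['registered_by']}, used by {s['userPrincipalName']}")
        # A Conditional Access failure for the same user shortly before the registration
        # is the sequence the red team followed: blocked credentials, then a new "trusted" device.
        for prior in signins:
            gap = reg["registered_at"] - parse_ts(prior["createdDateTime"])
            if (prior["userPrincipalName"] == s["userPrincipalName"]
                    and prior.get("conditionalAccessStatus") == "failure"
                    and timedelta(0) <= gap <= ca_failure_window):
                reasons.append(f"Conditional Access blocked this user {gap} before the device was registered")
                break
        if reasons:
            findings.append({"user": s["userPrincipalName"], "deviceId": device["deviceId"],
                             "deviceName": reg["displayName"], "signInTime": s["createdDateTime"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_signins(AUDIT_LOG, SIGNIN_LOG):
        print(f["user"], f["deviceId"], f["deviceName"])
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed data the script flags only alice's sign-in: the device is fifteen minutes old and the same user was blocked by Conditional Access twenty-five minutes before it was registered. Bob's months-old laptop produces no finding, which is the point of correlating age and the preceding failure rather than alerting on every "Add device" event in a tenant with tens of thousands of devices.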
This entry was posted on May 7, 2026 at 8:51 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.