§ Category
Category

IA

AC

A Phished OTP Can Buy the Attacker a Passkey in Your Tenant, and the Registration Audit Trail Is Your Most Direct Signal

O-UNC-066 appears built to walk a victim through a fake passkey enrollment while the operator registers an attacker-controlled passkey in the real Entra tenant. It survives the password reset, and the most direct durable evidence is the authentication-method registration audit trail — written from a session your controls let through because the registration action was protected only by relayable MFA.

·
AC

The BadSuccessor Patch Killed the One-Sided Link. Mutual Pairing Still Leaks the Target’s Kerberos Keys

Microsoft’s August 2025 fix for BadSuccessor (CVE-2025-53779) works — but an attacker who controls a dMSA and can write a target’s migration-link attributes can forge the mutual pairing the KDC now demands and pull that account’s Kerberos key material out of the dMSA key package. The detection has to move from watching one attribute to watching the pairing on the target object.

·
AC

Strong Certificate Mapping Only Helps If the CA Owns the SID. ESC16 Takes It Away

Microsoft’s strong certificate mapping enforcement finally landed, and where it’s genuinely in force it does close the naive implicit-mapping hole that made ADCS escalation trivial — a certificate with only a weak name is denied. ESC16 strips the CA-issued SID so the mapping decision falls to whatever’s left: on a compatibility-mode DC that’s weak SAN mapping, and even on a fully-enforced DC it’s an attacker-supplied SID-in-SAN URI the KDC treats as strong. The audit events you’d hunt it with are off by default.

·