- Incident Summary
An internal investigation has confirmed a critical security breach in our Microsoft Entra ID (Azure AD) environment. A high-privilege user account, *XXXXX.com.sg, was compromised via a password spray attack leveraging legacy authentication protocols. The attacker then used the compromised account's privileges to install a permanent Global Administrator backdoor by assigning the role to the Octiga Cloud Security service principal on September 26, 2025.
The attacker intentionally bypassed our Privileged Identity Management (PIM) policies to ensure persistent, unmonitored access. Post-exploitation activities, including attempted password resets and mailbox access, have been observed.
- Chronological Timeline of Attack Execution
| Date (UTC) | Action/Finding | Evidence |
| --- | --- | --- |
| 09/02/2025 - 09/25/2025 | Account Compromise: The ******@XXXXX.com.sg account was targeted by a sustained password spray attack, logging over 7,000 failed attempts (Error 50053), with sign-ins targeting legacy protocols (SMTP). | Sign-in Logs |
| 09/26/2025 | Escalation & Backdoor: The compromised account ******@XXXXX.com.sg performed the "Add member to role" activity. This action assigned a Permanent Global Administrator role to the Octiga Cloud Security service principal. | Entra Audit Log |
| 09/26/2025 | PIM Bypass Confirmed: PIM Audit Logs show no role activation activity on this date, confirming the attacker directly assigned the role outside of PIM's governance. | PIM Audit Log |
| 09/30/2025 - 10/02/2025 | Post-Exploitation Actions: The persistence was used to perform malicious actions, including "Reset User Password" attempts and "Mailbox access attempt" via Exchange ActiveSync. | Entra Audit Log |
- Key Findings and Supporting Evidence
- Compromise Confirmed: The ******@XXXX.com.sg account was the source of the malicious activity.
- Backdoor Details: The backdoor is a Permanent Global Administrator role assignment given to the Octiga Cloud Security service principal.
- Root Privilege: The compromised user held the powerful Owner role on the MCPP Subscription, which provided the necessary initial privilege for tenant-wide role assignment.
- Malicious Goal: The attacker’s intent was to achieve persistent, unmonitored access, evidenced by the Permanent role assignment and the subsequent post-exploitation actions.
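Added example, not part of the original report and not Microsoft tooling: a Python triage script that runs the two checks the timeline above rests on over constructed sample records. The records are shaped like Microsoft Graph `auditLogs/signIns` and `auditLogs/directoryAudits` objects; the field names, the legacy client-app strings, the use of `type == "ServicePrincipal"` on the role target, and the heuristic that PIM-governed role changes appear with `initiatedBy.app.displayName == "MS-PIM"` are all assumptions about that schema rather than facts from the report. The first check groups failed sign-ins per account and flags accounts with many legacy-protocol failures (the spray pattern in the first row); the second finds "Add member to role" events that grant a privileged role directly to a service principal without going through PIM (the backdoor in the second and third rows).

```python
"""Triage checks for the spray and the direct role grant described above.

Added example. Input records are constructed samples modelled on the Graph
signIns / directoryAudits schemas; field names and the MS-PIM initiator rule
are assumptions, not facts taken from the report.
"""
import json
from collections import defaultdict

# Client strings that indicate legacy (basic) authentication (assumed values).
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
                  "Other clients"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def spray_candidates(signins, min_legacy_failures=50):
    """Group failed sign-ins per account; return {upn: summary} for accounts
    whose legacy-protocol failures reach the threshold."""
    stats = defaultdict(lambda: {"failures": 0, "legacy_failures": 0,
                                 "error_codes": set(), "source_ips": set()})
    for ev in signins:
        code = ev.get("status", {}).get("errorCode", 0)
        if code == 0:  # errorCode 0 is a successful sign-in
            continue
        s = stats[ev["userPrincipalName"]]
        s["failures"] += 1
        s["error_codes"].add(code)
        s["source_ips"].add(ev.get("ipAddress", "?"))
        if ev.get("clientAppUsed") in LEGACY_CLIENTS:
            s["legacy_failures"] += 1
    return {upn: s for upn, s in stats.items()
            if s["legacy_failures"] >= min_legacy_failures}


def role_name(target):
    """Read Role.DisplayName from a targetResource; Graph stores newValue as a
    JSON-encoded string such as '"Global Administrator"' (assumed)."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName":
            raw = prop.get("newValue") or ""
            try:
                return json.loads(raw)
            except ValueError:
                return raw.strip('"')
    return None


def direct_privileged_grants(audits):
    """Return 'Add member to role' events that give a privileged role to a
    service principal and were initiated by a user, not by the PIM service."""
    findings = []
    for ev in audits:
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        actor_app = ev.get("initiatedBy", {}).get("app", {}).get("displayName")
        if actor_app == "MS-PIM":  # assumption: PIM-driven changes come from MS-PIM
            continue
        actor = ev.get("initiatedBy", {}).get("user", {}).get(
            "userPrincipalName", actor_app)
        for target in ev.get("targetResources", []):
            role = role_name(target)
            if target.get("type") == "ServicePrincipal" and role in PRIVILEGED_ROLES:
                findings.append({"when": ev["activityDateTime"], "actor": actor,
                                 "role": role,
                                 "service_principal": target.get("displayName")})
    return findings


def constructed_signins():
    """Constructed sign-ins: 60 SMTP failures against one account from two IPs,
    plus one unrelated browser failure and one success."""
    events = []
    for i in range(60):
        events.append({"createdDateTime": f"2025-09-{2 + i % 24:02d}T03:{i % 60:02d}:00Z",
                       "userPrincipalName": "victim@example.com",
                       "clientAppUsed": "Authenticated SMTP",
                       "ipAddress": "203.0.113.10" if i % 2 else "198.51.100.7",
                       "status": {"errorCode": 50053}})
    events.append({"createdDateTime": "2025-09-10T09:00:00Z",
                   "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
                   "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}})
    events.append({"createdDateTime": "2025-09-10T09:01:00Z",
                   "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
                   "ipAddress": "192.0.2.5", "status": {"errorCode": 0}})
    return events


def constructed_audits():
    """Constructed audits: one PIM-driven grant to a user (benign under this
    rule) and one direct grant of Global Administrator to a service principal."""
    gl = [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]
    pim = {"activityDateTime": "2025-09-20T08:00:00Z",
           "activityDisplayName": "Add member to role",
           "initiatedBy": {"app": {"displayName": "MS-PIM"}},
           "targetResources": [{"type": "User", "displayName": "Admin User",
                                "modifiedProperties": gl}]}
    direct = {"activityDateTime": "2025-09-26T14:12:00Z",
              "activityDisplayName": "Add member to role",
              "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
              "targetResources": [{"type": "ServicePrincipal",
                                   "displayName": "Octiga Cloud Security",
                                   "modifiedProperties": gl}]}
    return [pim, direct]


if __name__ == "__main__":
    for upn, s in spray_candidates(constructed_signins()).items():
        print(f"spray: {upn}: {s['legacy_failures']} legacy failures from "
              f"{sorted(s['source_ips'])}, codes {sorted(s['error_codes'])}")
    for f in direct_privileged_grants(constructed_audits()):
        print("direct privileged grant outside PIM:", f)
```

Against real exports, replace the two `constructed_*` functions with the parsed JSON from the Graph endpoints named above; the thresholds and the role set are deliberately conservative and should be tuned to the tenant.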
- Requested Action from Microsoft Support
We have taken immediate containment steps (disabling the user and removing the role, blocking legacy auth), but we request assistance with the following:
- Forensic Log Retention: Ensure all underlying log data for the affected dates (especially 09/25/2025 to 10/03/2025) is preserved for deeper analysis.
- Attacker Footprint Analysis: Assist in determining if the Global Administrator backdoor was successfully used to create any other hidden users, modify Conditional Access policies, or access sensitive resources beyond the noted activity.
- MCPP Partner Review: Investigate if the partner service principal (PartnerCenter_MPNAdmin) or related privileges were compromised or used in any other unexpected ways.