Security News > 2023 > June > Microsoft fixes Azure AD auth flaw enabling account takeover
Microsoft has addressed an Azure Active Directory authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the target's account.
This misconfiguration could be abused in account and privilege escalation attacks against Azure AD OAuth applications configured to use the email claim from access tokens for authorization.
An attacker only had to change the email on their Azure AD admin account to the victim's email address and use the "Log in with Microsoft" feature for authorization on the vulnerable app or website.
This tactic can also be used when the victim doesn't even have a Microsoft account, and it was a feasible attack method because Azure AD did not require email changes to be validated.
"If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Descope said.
Descope also shared a video detailing how exploiting this AAD auth misconfiguration can lead to complete account takeover and information on this can be prevented.