Скачать или смотреть SyncJacked - Hijacking Identities Through Entra Connect Synchronization

SyncJacked - Hijacking Identities Through Entra Connect Synchronization
Tomar Nahum

Abstract:
this talk, we unveil attack techniques and vulnerabilities, SyncJacking and SoftMatching Abuse, that exploit inherent weaknesses in Microsoft Entra Connect’s synchronization mechanisms to hijack or impersonate cloud identities in hybrid environments. These techniques abuse architectural trust assumptions between Active Directory and Microsoft Entra ID (formerly Azure AD), enabling attackers with limited access to gain unauthorized control over cloud accounts.
SyncJacking, a vulnerability in the Hard Matching process, allows an attacker to forcibly associate an Entra ID cloud identity with an on-premises account under their control. This stealthy takeover method was confirmed as a valid vulnerability by Microsoft’s MSRC, which is actively working on a fix.
SoftMatching Abuse targets the second half of the Entra Connect synchronization model. By exploiting overlooked weaknesses in the Soft Matching process, attackers can maliciously link accounts, and persist in tenants with minimal footprint.
This session will feature live demonstrations and practical tooling to showcase how both vulnerabilities can be leveraged end-to-end, from reconnaissance to exploitation and privilege escalation. Attendees will gain both red team insights and defensive strategies for securing hybrid identity synchronization.

Tomer Nahum:
Tomer Nahum is a Security Researcher at Semperis, where he works to find new attacks, and how to defend against them, in on-prem identity stacks such as Active Directory, as well as cloud identity systems. Tomer was awarded Most Valuable Researcher (MVR) in 2023 by Microsoft Security Response Center (MSRC).


Recorded at fwd:cloudsec Europe 2025
https://fwdcloudsec.org/