
Windows Server 2025 flaw lets attackers persist in Active Directory
Vulnerability details
The flaw, which Semperis researchers have named 'Golden dMSA', affects delegated Managed Service Accounts (dMSAs), an account type introduced in Windows Server 2025.
According to Semperis, the vulnerability could allow attackers to achieve persistent, undetected access to these accounts, potentially exposing resources across Active Directory for indefinite periods and enabling cross-domain lateral movement.
Researcher Adi Malyanker from Semperis has developed a tool named GoldenDMSA, which incorporates the logic of the attack and enables security professionals to simulate and understand the risks posed by the vulnerability. The tool aims to help defenders evaluate how the technique might be exploited in their own environments.
Technical findings
The Golden dMSA attack centres on a cryptographic design weakness in the managed service account machinery that Windows Server 2025 introduces. A dMSA's password is derived from the forest's KDS root key together with the account's ManagedPasswordId structure, and the time-based key identifiers inside that structure are predictable: within a given root-key epoch they can take only 1,024 possible combinations. An attacker who has already obtained the KDS root key (which itself requires Domain Admin-level or equivalent privileges on a domain controller) can therefore compute the current password of any dMSA by trying at most 1,024 candidates, rather than attacking the password itself.
"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments," said Malyanker. "I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat."
This means that a threat actor holding the root key can compute passwords for managed service accounts in every domain that shares it, move laterally across domains, and maintain access over time. Because the passwords are computed offline rather than requested from a domain controller, the usual password-retrieval audit events are never generated; and because KDS root keys are not rotated automatically, the access persists until the key is replaced.
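To make the arithmetic behind the 1,024 figure concrete, here is an added Python example; it is not code from Semperis or from the GoldenDMSA tool. It assumes the KDS key-identifier layout documented in MS-GKDI and used by public gMSA tooling: L2 keys rotate every 10 hours, L1 every 32 L2 periods, L0 every 32 L1 periods, with the L1 and L2 identifiers in the range 0..31. The real MS-GKDI key derivation is replaced by an HMAC stand-in (toy_derive), and ROOT_KEY and the password generation time are constructed values; the point is the size of the search space, not the KDF.

```python
"""
Why a Golden dMSA search is bounded by 1,024 candidates.

Added example, not Semperis or GoldenDMSA code. Assumptions:
  - key-identifier layout from MS-GKDI: L2 rotates every 10 hours,
    L1 every 32 L2 periods, L0 every 32 L1 periods; L1, L2 in 0..31
  - toy_derive() is an HMAC stand-in for the real KDS key derivation
  - ROOT_KEY and the generation time below are constructed lab values
"""
import hashlib
import hmac
from datetime import datetime, timezone

KEY_CYCLE_100NS = 10 * 60 * 60 * 10_000_000   # 10 hours in FILETIME ticks
EPOCH_DIFF_100NS = 116_444_736_000_000_000    # 1601-01-01 -> 1970-01-01
ROOT_KEY = b"\x11" * 64                        # constructed, not a real KDS root key


def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return int(dt.timestamp() * 10_000_000) + EPOCH_DIFF_100NS


def key_ids(filetime):
    """Map a FILETIME to the (L0, L1, L2) key identifiers in force at that time."""
    l0 = filetime // (KEY_CYCLE_100NS * 32 * 32)
    l1 = (filetime // (KEY_CYCLE_100NS * 32)) % 32
    l2 = (filetime // KEY_CYCLE_100NS) % 32
    return l0, l1, l2


def l0_span_days():
    """How long one L0 identifier stays valid: 32 * 32 * 10 h, about 427 days."""
    return 32 * 32 * 10 / 24


def candidate_ids(l0):
    """Every (L0, L1, L2) triple possible for a known L0: exactly 32 * 32 = 1024."""
    return [(l0, l1, l2) for l1 in range(32) for l2 in range(32)]


def toy_derive(root_key, ids):
    """Stand-in for the KDS derivation: password material = f(root key, L0, L1, L2)."""
    l0, l1, l2 = ids
    msg = l0.to_bytes(8, "little") + l1.to_bytes(4, "little") + l2.to_bytes(4, "little")
    return hmac.new(root_key, msg, hashlib.sha256).digest()


def recover_ids(root_key, l0, target):
    """Brute-force the (L1, L2) pair for a known L0 until the derived value matches.

    Returns (ids, attempts); ids is None if nothing matched within 1024 tries.
    """
    attempts = 0
    for ids in candidate_ids(l0):
        attempts += 1
        if hmac.compare_digest(toy_derive(root_key, ids), target):
            return ids, attempts
    return None, attempts


def demo():
    """Simulate: a dMSA password was generated at a constructed time; the
    attacker knows only the root key and the current L0 epoch."""
    generated = datetime(2025, 7, 16, 9, 30, tzinfo=timezone.utc)  # constructed
    true_ids = key_ids(to_filetime(generated))
    target = toy_derive(ROOT_KEY, true_ids)          # what the attacker wants to match
    found, attempts = recover_ids(ROOT_KEY, true_ids[0], target)
    return true_ids, found, attempts


if __name__ == "__main__":
    true_ids, found, attempts = demo()
    print(f"true ids {true_ids}, recovered {found} after {attempts} of "
          f"{len(candidate_ids(true_ids[0]))} candidates; "
          f"L0 spans {l0_span_days():.1f} days")
```

Running demo() shows that once L0 is known (it changes only every ~427 days, so it follows from the current date) the (L1, L2) pair falls out in at most 1,024 derivations, and each derivation is a single keyed hash. Swapping toy_derive for the real KDF changes the cost per try, not the number of tries, which is why the root key rather than the password space is the thing to protect.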
Industry context
The new research on Golden dMSA follows previous identity-related discoveries by Semperis. The company's researchers have also highlighted a vulnerability called nOAuth in Microsoft's Entra ID, which can enable full account takeover in vulnerable SaaS applications with little attacker interaction.
Within the last year, Semperis also added detection capabilities to its Directory Services Protector platform for BadSuccessor, a severe privilege escalation technique that abuses the dMSA migration feature newly introduced in Windows Server 2025.
The team previously identified Silver SAML, which is a variant of the SolarWinds-era Golden SAML technique. Silver SAML is notable for its ability to bypass standard security defences in applications integrated with Entra ID.
Recommendations and implications
Semperis is advising organisations using Windows Server 2025 to proactively assess their managed service accounts and the rest of their identity infrastructure. Since the attack starts from the KDS root key, that assessment should include who can read the root key objects in the forest's Configuration partition and whether the key has ever been replaced.
By understanding the mechanism of the newly disclosed attack and running simulation tools such as GoldenDMSA in a controlled environment, security and IT teams can evaluate their exposure and weigh mitigation options.
The discovery of Golden dMSA highlights ongoing challenges in identity and account management security, particularly as new features are introduced into widely used enterprise systems like Active Directory. The predictability of password generation mechanisms, as exposed by Malyanker's research, underscores the importance of cryptographic design choices in authentication frameworks.
Semperis continues its focus on identity security research and has called on others in the cybersecurity community to stay vigilant as new issues emerge with changes in enterprise software architecture and security models.