Golden dMSA flaw in Windows Server 2025 exposes Active Directory

Techday NZ, 2 days ago
Security researchers have identified a critical flaw in delegated Managed Service Accounts (dMSA) within Windows Server 2025 that could allow attackers to maintain persistent and widespread access across Active Directory environments.
Flaw found in dMSA
The vulnerability, uncovered by Semperis security researcher Adi Malyanker, has been termed the Golden dMSA attack. It takes advantage of a design issue in dMSAs, a security feature first introduced in Windows Server 2025, which can be misused by bad actors to gain ongoing access and elevate privileges across domains after compromising a forest-level account.
Malyanker developed a tool named GoldenDMSA to demonstrate and analyse the technique, enabling security practitioners to examine in detail how the attack could be executed in operational networks.
The research shows that the attack leverages a predictable element within the ManagedPasswordId structure of dMSAs. This identifier includes time-based components that, according to Semperis, present only 1,024 possible combinations. This low number of possibilities makes brute-force attacks on service account passwords computationally straightforward, potentially enabling a threat actor not only to persist in an Active Directory environment but also to move laterally across domains.

"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments. I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat," said Malyanker.
Risk assessment and implications
Semperis has rated the risk associated with the Golden dMSA technique as moderate. However, the researchers warn that in cases where an attacker achieves initial forest-level compromise, the method could make it possible to completely take over dMSA or Group Managed Service Account (gMSA) environments. Successful exploitation would allow attackers to maintain control without detection for extended periods, posing a severe threat to corporate and governmental IT infrastructure.
The potential for widespread, persistent access stems from the architectural flaw in how dMSA passwords are generated and managed. By exploiting the weak cryptographic and structural protections, attackers could automate the generation of valid account credentials for managed service accounts, undermining protections intended to secure critical identity services.
Recent related work
The Golden dMSA research builds on previous work by Semperis in the field of identity threat detection. The group has reported on other vulnerabilities, such as nOAuth, which affects Microsoft's Entra ID and may permit full account takeover in software-as-a-service applications.
Semperis has also implemented detection features in its Directory Services Protector platform to defend against BadSuccessor, another high-impact privilege escalation technique that targets recently introduced functionality in Windows Server 2025. This comes in addition to the Silver SAML vulnerability discovered by the team, a new variant of the Golden SAML attacks seen in the SolarWinds incident, which can bypass conventional security measures in Entra ID-integrated applications.
Recommendations and industry impact
The research underscores the need for organisations using Windows Server 2025 and managed service accounts to carry out active risk assessments and update their security controls. Attackers exploiting weaknesses in dMSA structures could not only remain undetected but also have unrestricted access to valuable resources across a company's entire digital estate.
Industry observers and IT departments are expected to analyse the implications of the flaw, explore mitigation options, and consider how tools such as GoldenDMSA can be used by defenders to better understand and counteract these attack vectors. The ability to simulate attacks is viewed as a vital capability for defenders and researchers, supporting a more robust defensive posture against evolving identity-based threats.
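As a starting point for the risk assessment the article recommends, the following PowerShell script inventories the managed service accounts in a domain and lists which principals are permitted to retrieve each account's managed password, alongside the KDS root keys that managed-password derivation depends on. This is an added example written for this page; it is not code from the article, from Semperis or from the GoldenDMSA tool. It assumes the ActiveDirectory RSAT module and the KDS cmdlets are available on a domain-joined host with read access to the directory, and it relies on the standard object classes msDS-GroupManagedServiceAccount (gMSA) and msDS-DelegatedManagedServiceAccount (dMSA) and the attributes msDS-ManagedPasswordId and msDS-GroupMSAMembership; the output is for review, not a verdict on exploitability.

```powershell
# Added example (not from the article, Semperis or GoldenDMSA): inventory gMSA and dMSA
# objects, the principals allowed to read their managed passwords, and the KDS root keys.
# Assumes the ActiveDirectory RSAT module and KDS cmdlets on a domain-joined host.
Import-Module ActiveDirectory

# Both account types carry msDS-ManagedPasswordId (the structure the research describes)
# and msDS-GroupMSAMembership, a security descriptor whose DACL names the password retrievers.
$filter = '(|(objectClass=msDS-GroupManagedServiceAccount)(objectClass=msDS-DelegatedManagedServiceAccount))'
$props  = 'objectClass', 'msDS-ManagedPasswordId', 'msDS-GroupMSAMembership', 'whenCreated'

$accounts = Get-ADObject -LDAPFilter $filter -Properties $props

$report = foreach ($acct in $accounts) {
    $retrievers = @()
    $raw = $acct.'msDS-GroupMSAMembership'
    if ($raw) {
        # The module may return the descriptor either as raw bytes or as an
        # ActiveDirectorySecurity object; handle both before reading the DACL.
        if ($raw -is [byte[]]) {
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        } else {
            $sd = $raw
        }
        $retrievers = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
            ForEach-Object { $_.IdentityReference.Value }
    }
    [pscustomobject]@{
        Name          = $acct.Name
        Type          = $acct.ObjectClass
        Created       = $acct.whenCreated
        HasPasswordId = [bool]$acct.'msDS-ManagedPasswordId'
        Retrievers    = ($retrievers -join '; ')
    }
}

Write-Host "Managed service accounts and who may retrieve their passwords:"
$report | Sort-Object Type, Name | Format-Table -AutoSize

# The technique presupposes forest-level access to KDS root key material, so list the
# root keys and when they took effect; rights on the Master Root Keys container in the
# Configuration partition deserve the same review as Domain Admins membership.
Write-Host "KDS root keys:"
Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
```

Entries whose Retrievers column lists broad groups (for example Domain Computers or Authenticated Users), or whose KDS root keys are far older than the accounts that depend on them, are the rows to escalate for review; the script changes nothing in the directory.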