// Module 02 // The Attack Playbook

How they
actually
move.

Module 01 covered what identities are and how authentication works. This module covers how attackers exploit it. Real techniques, real tools, real kill chains used in production environments right now. No theoretical edge cases.

Duration
~55 minutes
Level
Intermediate
Assessment
Timed scenario
// Prerequisites
Understanding of tokens, MFA, and NHIs
Familiarity with Entra ID basic concepts

Initial
Access

Before an attacker can move laterally or escalate privileges, they need a foothold. These are the techniques being used right now to get one, in order of current prevalence and impact against Entra ID environments.

82%
Of 2025 detections were malware-free. Attackers log in, not break in. (CrowdStrike 2026)
29min
Average eCrime breakout time in 2025. Down from 285 minutes in 2024. (CrowdStrike 2026)
1.8B
Credentials stolen by infostealers in H1 2025 alone. 800% increase. (Flashpoint 2025)
The Shift
Identity is the Initial Access Vector
Traditional initial access relied on exploiting vulnerabilities, phishing with malicious attachments, or social engineering users into running malware. The modern approach is simpler and more effective: obtain valid credentials or tokens and authenticate as a legitimate user. No CVE required. No malware to detect. No endpoint to compromise. Just a valid identity presented to a cloud API.
Vector 01 / High Volume
Password Spray
Low-and-slow authentication attempts across many accounts using a handful of common passwords, designed to stay under lockout thresholds: many accounts, one or two guesses each. Most effective against tenants that still allow legacy authentication protocols (SMTP, IMAP, POP3), which carry only a username and password and therefore cannot be challenged for MFA or evaluated by Conditional Access. A tenant with legacy auth enabled is wide open to spray. Blocking legacy auth is the single highest-value control available for spray prevention; MFA on the remaining protocols turns a correct guess into a failed sign-in rather than a compromise.
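The spray signature described above is easiest to see in the sign-in log once you stop counting failures per account and start counting accounts per source. The following is an added example, not code from the module: a detector that groups bad-password events by source IP, looks for many distinct accounts with few guesses each inside a one-hour window, counts how much of it came over legacy protocols, and reports any account where a later success from the same IP shows the guess landed. The events, addresses and tenant name are constructed; the field names mirror the Entra sign-in log export, with status.errorCode flattened to errorCode.

```python
"""Password-spray detection over Entra ID sign-in events (added example).

Sample events are constructed, not real tenant data. Field names mirror the
Entra sign-in log export (createdDateTime, userPrincipalName, ipAddress,
status.errorCode flattened to errorCode, clientAppUsed).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

SUCCESS = 0
BAD_PASSWORD = 50126  # "invalid username or password"
# Basic-auth protocols: no way to present an MFA challenge on these.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

BASE = datetime(2026, 4, 14, 2, 0, tzinfo=timezone.utc)


def _ev(minutes, upn, ip, code, client="IMAP4"):
    """Build one constructed sign-in record `minutes` after BASE."""
    return {"createdDateTime": BASE + timedelta(minutes=minutes), "userPrincipalName": upn,
            "ipAddress": ip, "errorCode": code, "clientAppUsed": client}


SPRAY_IP = "203.0.113.10"  # TEST-NET-3 address standing in for the attacker
USERS = [f"user{i}@contoso.example" for i in range(1, 9)]
SAMPLE_SIGNINS = (
    # pass 1: one guess per account over 35 minutes, via IMAP so MFA is never asked
    [_ev(5 * i, u, SPRAY_IP, BAD_PASSWORD) for i, u in enumerate(USERS)]
    # pass 2: a second guess against a subset, still under any sane lockout threshold
    + [_ev(40 + 2 * i, u, SPRAY_IP, BAD_PASSWORD) for i, u in enumerate(USERS[:4])]
    # user7 accepted the sprayed password
    + [_ev(52, USERS[6], SPRAY_IP, SUCCESS)]
    # benign noise: one user mistyping her password four times, then succeeding
    + [_ev(10 + i, "alice@contoso.example", "198.51.100.7", BAD_PASSWORD, "Browser")
       for i in range(4)]
    + [_ev(15, "alice@contoso.example", "198.51.100.7", SUCCESS, "Browser")]
)


def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """One finding per source IP whose bad-password events inside some `window`
    touch >= min_users distinct accounts with <= max_per_user guesses each.
    Many accounts with few guesses each is the spray profile; one account
    failing repeatedly (typo, stale saved password) is deliberately excluded."""
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        best, lo = None, 0
        for hi in range(len(evs)):  # sliding window over this IP's events
            while evs[hi]["createdDateTime"] - evs[lo]["createdDateTime"] > window:
                lo += 1
            win = evs[lo:hi + 1]
            failures = [e for e in win if e["errorCode"] == BAD_PASSWORD]
            per_user = Counter(e["userPrincipalName"] for e in failures)
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            if best is None or len(per_user) >= best["targeted_accounts"]:
                sprayed = set(per_user)
                best = {
                    "ip": ip,
                    "window_start": win[0]["createdDateTime"],
                    "targeted_accounts": len(per_user),
                    "guesses": len(failures),
                    "legacy_auth": sum(e["clientAppUsed"] in LEGACY_CLIENTS for e in failures),
                    # a success from the spraying IP against a sprayed account: the guess landed
                    "compromised": sorted(e["userPrincipalName"] for e in win
                                          if e["errorCode"] == SUCCESS
                                          and e["userPrincipalName"] in sprayed),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_SIGNINS):
        print(f"{f['ip']}: {f['targeted_accounts']} accounts, {f['guesses']} guesses, "
              f"{f['legacy_auth']} over legacy auth, compromised={f['compromised']}")
```

The thresholds are the tuning surface: `max_per_user` should sit below the tenant's smart lockout threshold, because a sprayer who knows that threshold stays under it by design, and `min_users` separates a spray from one distributed user. Alice's four failures from one address never reach `min_users`, so she is not reported; the success from the spraying address against a sprayed account is the line that turns the alert into an incident.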
Vector 02 / Dominant 2025-2026
Adversary-in-the-Middle Phishing
Reverse proxy kits sit between the victim and the real login page. Victim completes MFA legitimately. Attacker captures the post-auth session token. Bypasses MFA entirely. PhaaS has industrialized this. Tycoon 2FA alone generated 30 million phishing emails per month in late 2025 before its March 2026 disruption. The technique persists across successor kits.
Vector 03 / State Actor Technique
Device Code Phishing
Attacker generates a device code, social engineers victim into authenticating at microsoft.com/devicelogin, receives valid access and refresh tokens. Used by Storm-2372 (Russia-nexus) since August 2024 against governments and NGOs. In April 2026 Microsoft documented AI-driven campaigns using automation platforms to generate thousands of unique polling nodes per campaign. EvilTokens PhaaS kit brought this to criminal-scale adoption in February 2026.
Vector 04 / Silent and Persistent
Infostealer Credential Harvest
Malware installed on an endpoint silently harvests browser-stored passwords, session cookies, and OAuth refresh tokens. The logs are sold on dark web markets within hours of infection. Common families: LummaC2, Stealc, RedLine, Raccoon, Vidar, Banshee (macOS). 14% of infostealer infections now include enterprise credentials. The ByBit $1.4B cryptocurrency theft in February 2025 shows where a single compromised workstation leads: the attackers took over a developer machine at ByBit's third-party wallet provider and, from the cloud session material on it, altered the transaction-signing flow; nothing in ByBit's own infrastructure had to be exploited.
Vector 05 / OAuth Abuse
Consent Phishing
Malicious OAuth application requests delegated permissions from a user. User authenticates legitimately with MFA and clicks Accept. Attacker receives a delegated token with access to mail, files, and calendars. Access persists after password resets. Token survives credential rotation. In one Microsoft-documented campaign, even if the user clicks Cancel, they are redirected to an AiTM domain for a second phishing attempt.
Vector 06 / Supply Chain
Third Party and CI/CD Compromise
Compromising a vendor, contractor, or CI/CD pipeline that has access to the target tenant. Client secrets in GitHub Actions logs, hardcoded credentials in deployment scripts, service principals with Contributor on production subscriptions. 30% of breaches in 2025 involved a third party, doubling from the previous year. The supply chain is often less defended than the primary tenant.
The FOCI pivot: Many Microsoft first-party apps belong to the Family of Client IDs (FOCI). A refresh token obtained for one FOCI member can be exchanged for access tokens to other FOCI members without re-authentication. An attacker who phishes a token via the Microsoft Office client ID can silently pivot to Outlook, Teams, OneDrive, SharePoint, and Azure Management APIs from that single phished session. This is why Storm-2372 specifically targeted the Microsoft Authentication Broker client ID in its device code campaigns.
// Real World // PowerSchool January 2025
62 million students and teachers compromised via single credential
A single set of compromised credentials with no MFA gave an attacker access to PowerSchool's customer support portal. From there they exfiltrated personal data of approximately 62 million students and teachers across 18,000 schools, including Social Security numbers and medical information. No advanced technique. No zero-day. Just a valid username and password and an absent MFA requirement on a customer support system that was treated as low-priority.

AiTM
Deep Dive

Adversary-in-the-Middle phishing is the defining identity attack of 2025 and 2026. Understanding exactly how it works at a technical level is the only way to understand why conventional defenses fail against it.

Mechanism
How the Proxy Works
A standard phishing page collects credentials but cannot capture the post-MFA session. AiTM kits solve this by operating as a real-time reverse proxy. Every request and response between the victim's browser and the real Microsoft login endpoint passes through the attacker's server. The victim sees the real login page, enters real credentials, completes real MFA. The attacker's server captures the resulting session cookie the moment it is issued. MFA was not bypassed. It was completed legitimately on behalf of the attacker.
AiTM Attack Kill Chain Step by Step
01
Lure Delivery
Phishing email, QR code, SVG attachment, or LinkedIn message. Victim clicks link to attacker proxy domain.
02
Proxy Relay
Attacker server forwards all traffic to real Microsoft login in real time. Victim sees the legitimate page.
03
MFA Completion
Victim enters credentials, completes MFA push or TOTP. Authentication succeeds against the real endpoint.
04
Cookie Capture
Proxy intercepts the session cookie issued after successful authentication. Attacker extracts it from their server logs.
05
Session Replay
Attacker injects the cookie into their own browser. They are now authenticated as the victim. No password or MFA needed.
Current Kit Landscape / April 2026
The PhaaS Ecosystem After Tycoon 2FA
Tycoon 2FA (Storm-1747) was the dominant PhaaS platform through 2025, accounting for 62% of phishing attempts blocked by Microsoft. In March 2026 Europol and Microsoft seized 330 domains in a coordinated takedown. CrowdStrike confirmed activity returned to pre-disruption levels within days. Its tools, techniques, and affiliates migrated to competing platforms. The market filled immediately.
Kit / Status and Notable Characteristics / Threat Level
Tycoon 2FA. Disrupted March 2026, back to normal volumes within days. Heavily obfuscated JavaScript, CAPTCHA gating, realistic M365 templates. 30M emails/month at peak. Developed by Storm-1747. Threat level: Active / Recovering.
Evilginx Pro 4.2. Open-source red team framework turned criminal tool. Used by Storm-0485 and Star Blizzard (Russia). v4.2 added JA4 fingerprinting to filter security researchers, wildcard TLS certs, and a complete proxy rewrite. Requires more technical skill than PhaaS kits. Threat level: High / State Actors.
Mamba 2FA. Surged post-Tycoon disruption. Telegram-based delivery, rapidly updated infrastructure, strong evasion features. Threat level: High / Growing.
EvilProxy. About 8% of observed PhaaS attacks. Managed reverse proxy service, minimal technical skill required. Sekoia tracked approximately 280 distinct active servers at any given time. Threat level: Active.
Sneaky 2FA. Browser-in-the-browser pop-ups, convincing because the malicious window looks like a native OS dialog. Telegram-sold. Threat level: Active.
Whisper 2FA. Newcomer filling the Tycoon market gap post-disruption. Rapidly maturing its infrastructure by adopting Tycoon techniques. Threat level: Emerging.
Delivery Method Evolution
How Lures Have Changed
Delivery methods shift to stay ahead of email security scanning. The trajectory through 2024 and 2025 moved from QR code image attachments (bypass URL scanners because the payload is an image) to HTML attachments executing JavaScript locally, to SVG files that render phishing content directly in the browser without any URL to scan. Each shift is a direct response to defender tooling catching up to the previous method.
Why Standard Defenses Fail
MFA-Only Conditional Access Does Not Help
Conditional Access is evaluated when a token is issued. A session that satisfied an MFA requirement carries that claim forward, so replaying the stolen session cookie from any machine satisfies a "require MFA" policy again without a fresh challenge. An IP change alone does not end the session; re-evaluation happens only when CAE is active, the client supports it, and a critical event (account disable, password reset, high user risk) has occurred. The exception is device-based policy: "require compliant device" or "require Entra hybrid joined device" is satisfied by a device claim that comes from the device's PRT, which a replayed browser cookie does not carry, so such a policy blocks replay from the attacker's own machine.
Why Standard Defenses Fail
Identity Protection Risk Policies
Sign-in risk is scored at the authentication event, and the victim's authentication was genuine: correct password, correct MFA, a plausible location. Token requests made with the replayed cookie share the victim's session ID, so they look like a continuation of that legitimate sign-in rather than a fresh risky one. Identity Protection does carry detections for this pattern (anomalous token, token issuer anomaly, unfamiliar sign-in properties), but they are probabilistic, frequently left in report-only mode, and fire after the attacker already holds a working session. Hunting for one session ID appearing from two different networks is more reliable than waiting for the risk score.
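The footprint the two cards above describe is concrete: the cookie replay shows up as the victim's session ID making token requests from a second network minutes after the real sign-in. The following is an added example, not code from the module and not a Microsoft detection: it groups sign-in events by session ID and flags any session whose later events come from a different country or ASN than the event that created it, while ignoring plain IP changes inside one network so mobile roaming does not page anyone. The events, addresses, ASN labels and user names are constructed; the field names mirror the sign-in fields a SIEM exports.

```python
"""Session-cookie replay detection: one session ID seen from two networks.

Added example, not from the original module. Sample events are constructed;
field names mirror the sign-in fields a SIEM exports (SessionId, AccountUpn,
IPAddress, Country, ASN, Timestamp).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 4, 14, 7, 14, tzinfo=timezone.utc)


def _ev(minutes, upn, session, ip, country, asn):
    """Build one constructed sign-in event `minutes` after T0."""
    return {"Timestamp": T0 + timedelta(minutes=minutes), "AccountUpn": upn,
            "SessionId": session, "IPAddress": ip, "Country": country, "ASN": asn}


SAMPLE_EVENTS = [
    # victim signs in through the proxy: real password, real push with number matching
    _ev(0, "petra.lindqvist@nordiccorp.se", "s-1f3a", "81.228.10.20", "SE", "Telia"),
    # the captured cookie is replayed three minutes later from a Tor exit node
    _ev(3, "petra.lindqvist@nordiccorp.se", "s-1f3a", "185.220.101.47", "DE", "Tor exit"),
    # benign: a colleague moves from the office LAN to a mobile network of the same carrier
    _ev(46, "bo.nilsson@nordiccorp.se", "s-77c2", "81.228.10.21", "SE", "Telia"),
    _ev(80, "bo.nilsson@nordiccorp.se", "s-77c2", "90.224.15.4", "SE", "Telia"),
    # benign: a single interactive sign-in with no follow-up
    _ev(120, "eva.berg@nordiccorp.se", "s-9b10", "81.228.10.22", "SE", "Telia"),
]


def detect_session_replay(events, max_gap=timedelta(hours=24)):
    """Flag sessions whose later events come from a different country or ASN
    than the event that established the session. IP changes inside one ASN
    (roaming, DHCP) are ignored; a hop to another country or to a hosting or
    Tor network within `max_gap` of the original sign-in is the replay footprint."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["SessionId"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["Timestamp"])
        origin = evs[0]  # the event that created the session: the victim's real sign-in
        for e in evs[1:]:
            if e["Timestamp"] - origin["Timestamp"] > max_gap:
                break
            if e["Country"] == origin["Country"] and e["ASN"] == origin["ASN"]:
                continue
            findings.append({
                "user": e["AccountUpn"], "session": sid,
                "origin_ip": origin["IPAddress"], "origin_asn": origin["ASN"],
                "replay_ip": e["IPAddress"], "replay_asn": e["ASN"],
                "minutes_after_origin": int((e["Timestamp"] - origin["Timestamp"]).total_seconds() // 60),
            })
            break  # one finding per session is enough to open a case
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f"{f['user']} session {f['session']}: {f['origin_ip']} ({f['origin_asn']}) "
              f"-> {f['replay_ip']} ({f['replay_asn']}) after {f['minutes_after_origin']} min")
```

The response to a hit is the one the Token Theft section spells out: revoke the user's sessions explicitly, then review everything the session did after the replay timestamp. Resetting the password alone leaves the already-issued tokens running to expiry.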
What Actually Works
Phishing-Resistant MFA
FIDO2 security keys and passkeys are cryptographically bound to the legitimate origin. The browser, not the page, writes the origin the user is actually on into the signed client data, and it refuses to use a credential whose relying-party ID does not match that origin. An AiTM proxy on its own domain therefore never receives a usable assertion, and an assertion that somehow carried the proxy's origin fails verification at Microsoft. The attack fails at the MFA step. Windows Hello for Business and certificate-based authentication are phishing-resistant for the same reason. Push (including number matching), TOTP, SMS, and voice call all remain vulnerable, because the factor is something the victim types or approves while looking at the attacker's page.
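The origin binding in the card above is two separate checks, one in the browser and one at the relying party, and it helps to see both fail for the proxy in code. The following is an added example, not the module's code and not Microsoft's WebAuthn implementation: it models the browser's rule that the relying-party ID must match the page's host, then the relying party's verification of clientDataJSON, and shows that rewriting the origin in transit breaks the signature because the signature covers SHA-256(clientDataJSON). The credential's ECDSA signature is replaced by an HMAC over the same bytes so the block runs without a crypto library; the proxy domain and key are constructed, and the relying-party ID `login.microsoft.com` is the one Entra passkeys register against.

```python
"""Why a FIDO2/passkey assertion cannot be relayed through an AiTM proxy.

Added example, not the module's own code and not Microsoft's implementation.
The signature is an HMAC stand-in for the credential's private-key signature
over authenticatorData || SHA-256(clientDataJSON). Domains and key are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.microsoft.com"                            # relying party the credential was registered to
RP_ORIGIN = "https://login.microsoft.com"
PROXY_ORIGIN = "https://login.micros0ft-verify.example"  # constructed AiTM domain
DEMO_KEY = b"constructed-credential-private-key"         # stands in for the passkey's private key


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def browser_allows(origin, rp_id):
    """WebAuthn rule the browser enforces before touching the authenticator:
    rp_id must equal the page's host or be a registrable parent of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_get(origin, rp_id, challenge, key):
    """Browser + authenticator side. The browser, not page JavaScript, fills in
    `origin`, so a victim on the proxy page produces client data naming PROXY_ORIGIN."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32) | flags (UP set) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def rp_verify(client_data, auth_data, signature, challenge, key):
    """Relying party side: the assertion checks that matter for relay."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad signature"
    return "ok"


def legitimate_login(key=DEMO_KEY):
    """User on the real origin: browser allows the credential, RP accepts the assertion."""
    challenge = b64url(secrets.token_bytes(32))
    cd, ad, sig = authenticator_get(RP_ORIGIN, RP_ID, challenge, key)
    return rp_verify(cd, ad, sig, challenge, key)


def aitm_relay(key=DEMO_KEY):
    """The proxy forwards the real challenge to the victim and relays whatever comes back."""
    challenge = b64url(secrets.token_bytes(32))
    out = {"browser_allows": browser_allows(PROXY_ORIGIN, RP_ID)}  # first wall: the browser says no
    # Suppose the browser check were skipped: the assertion still names the proxy origin.
    cd, ad, sig = authenticator_get(PROXY_ORIGIN, RP_ID, challenge, key)
    out["relayed"] = rp_verify(cd, ad, sig, challenge, key)
    # The proxy rewrites origin in transit; the signature covers hash(clientDataJSON), so it breaks.
    forged = json.loads(cd)
    forged["origin"] = RP_ORIGIN
    out["rewritten"] = rp_verify(json.dumps(forged, separators=(",", ":")).encode(), ad, sig, challenge, key)
    return out


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("through proxy:", aitm_relay())
```

Contrast this with a push or TOTP factor: nothing the victim approves or types is bound to the origin, so the proxy can forward it unchanged and the real endpoint accepts it.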
What Actually Works
Token Binding and CAE
Continuous Access Evaluation allows resource servers to reject tokens in near real-time when critical events occur (account disable, password reset, high-risk user). Combined with short access token lifetimes and strict CAE configuration, this reduces the window an attacker has with a stolen cookie. Not a complete mitigation, but meaningful friction.
// Real World // Ascension Health 2024
Healthcare network disrupted, patient care impacted
Ascension, one of the largest US healthcare systems, suffered a ransomware intrusion in May 2024 that disrupted patient care across multiple facilities as staff lost access to electronic records and reverted to manual processes. Public reporting traces the initial compromise to an employee downloading malware, followed by Kerberoasting that Microsoft's default RC4 Kerberos configuration made practical; that chain prompted Senator Wyden's 2025 inquiry into Microsoft's insecure defaults. The lesson is the one this section keeps returning to: once an attacker holds a valid credential or ticket, everything that follows is authenticated activity, and the authentication path itself raises no objection.

Token Theft
and Replay

Once inside, token theft is how attackers move. Tokens are the currency of cloud identity and they exist in multiple places on a compromised endpoint. Each location requires a different extraction technique.

The Fundamental Principle
A Token Is as Good as the Identity
A valid token represents a completed authentication event. It carries all the claims about who authenticated, when, how, and from what device. Presenting that token to a Microsoft API is indistinguishable from the legitimate user making the request. No password needed. No MFA challenge. No Conditional Access re-evaluation in most configurations. The token is the identity for the duration of its validity.
Source 01 / LSASS Memory
Windows Credential Store
LSASS (Local Security Authority Subsystem Service) holds authentication material in memory, including Kerberos tickets and NTLM hashes. Extraction requires local admin or SYSTEM on the target; Mimikatz sekurlsa::logonpasswords is the standard method. Credential Guard (available since Windows 10 1511) moves that material into a protected virtual machine, which makes this significantly harder, though not impossible on every configuration.
Source 02 / Browser Storage
Browser Credential Databases
Chrome, Edge, Firefox store saved passwords, session cookies, and OAuth refresh tokens in local SQLite databases and JSON files. On a compromised host, this is often the faster path to cloud account takeover than LSASS, especially when Credential Guard is enabled. A developer's browser session may simultaneously hold active tokens for GitHub, AWS, Okta, Slack, and internal tooling. Google's App-Bound Encryption in Chrome 127 raised the bar but tools like DumpBrowserSecrets bypass it via IElevator COM interface.
Source 03 / Primary Refresh Token
Pass-the-PRT
The PRT is issued to Entra-joined and hybrid-joined devices and held by LSASS through its cloud authentication plugin, with its session key protected by the TPM where one is present. It provides SSO to Azure and M365 resources and carries the MFA claim once the user has completed a strong sign-in on that device. Valid for 14 days, renewed every 4 hours while in use. Microsoft has hardened in-memory PRT handling, so the older Mimikatz cloudapkd extraction is no longer reliable; the current practical method is ROADtoken from the ROADtools suite, which asks the device's browser SSO component (BrowserCore) for a PRT cookie bound to a server-issued nonce, exactly as Edge or Chrome would when signing the user into a Microsoft site. An attacker holding that cookie signs in to any cloud resource the user can reach without re-authenticating and without an MFA prompt, because the PRT already carries the MFA claim.
Source 04 / Infostealer Output
Dark Web Credential Markets
Infostealer logs sold on dark web markets contain browser-extracted credentials and session cookies. Operators do not need to compromise the target endpoint directly. They purchase logs that include credentials for the target domain. The Snowflake breach demonstrated this at scale: UNC5537 used infostealer-harvested credentials for initial access to 160 organizations, none of which had MFA enabled on the targeted Snowflake accounts. Time from infection to credential sale is measured in hours.
The FOCI Family
One Token, Many Services
Microsoft first-party apps including Office, Teams, Outlook, SharePoint, OneDrive, and Azure Management belong to the Family of Client IDs (FOCI). A refresh token obtained for any one FOCI member can be silently exchanged for access tokens to other members without re-authentication. Storm-2372 specifically targeted the Microsoft Authentication Broker client ID in its device code campaigns because a token for this client allows registration of attacker-controlled devices in Entra ID, which then receive their own PRT for long-term persistence.
iam@fuscht // token extraction workflow
# Step 1 (on the compromised Windows device): confirm it is Entra joined and holds a PRT
C:\Users\victim> dsregcmd /status | findstr /C:"AzureAdJoined" /C:"AzureAdPrt"
             AzureAdJoined : YES
                AzureAdPrt : YES
# Step 2a (attacker host): request a nonce from login.microsoftonline.com
iam@fuscht:~$ roadrecon auth --prt-init
Requested nonce from Entra ID: [nonce]
# Step 2b (compromised device): have BrowserCore sign the nonce with the PRT
#          (Mimikatz cloudapkd no longer works for this)
C:\Users\victim> ROADToken.exe [nonce]
x-ms-RefreshTokenCredential=[prt-cookie]
# Step 3: redeem the PRT cookie for tokens. Alternatively set it as the
#         x-ms-RefreshTokenCredential cookie (HttpOnly) on login.microsoftonline.com
#         in a browser and reload: you are now the device user, no MFA prompt.
iam@fuscht:~$ roadrecon auth --prt-cookie "[prt-cookie]"
Tokens were written to .roadtools_auth
# Step 4: the refresh token belongs to the FOCI family; redeem the same PRT cookie
#         for another family client (Microsoft Teams client ID shown) against Graph
iam@fuscht:~$ roadrecon auth --prt-cookie "[prt-cookie]" -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 -r https://graph.microsoft.com
Tokens were written to .roadtools_auth
iam@fuscht:~$
Detection window: An access token is valid for 60-90 minutes. A refresh token for up to 90 days of inactivity, renewed on each use. A PRT for 14 days, renewed every 4 hours while in use. Once a token is extracted, the attacker keeps access for its remaining lifetime regardless of what happens to the password: a password reset invalidates the user's refresh tokens, but an access token already issued stays valid until it expires, and a client secret or certificate on an app is untouched. Explicit revocation is required. Revoke-MgUserSignInSession (the revokeSignInSessions Graph call) invalidates the user's refresh tokens, including the PRT, at their next renewal; access tokens already in hand still run to expiry unless the resource honours CAE and the revocation event reaches it.

Enumeration
and Discovery

After gaining initial access, an attacker does not move immediately. They map. Understanding the target environment before escalating is what separates sophisticated actors from noisy ones. AzureHound is the primary tool for this in Entra ID environments.

Why Enumeration Matters
The Attacker Knows Your Environment Better Than You Do
BloodHound was built for on-premises Active Directory. AzureHound (v2.11.0, March 2026) does the same for Entra ID and Azure. It queries Microsoft Graph and Azure REST APIs as the compromised identity, collecting users, service principals, role assignments, group memberships, app role assignments, storage accounts, and key vaults. The output renders as a graph showing privilege escalation paths that are invisible in flat portal exports. What takes a defender weeks to audit manually takes AzureHound minutes.
Tool // AzureHound v2.11.0
What It Collects
Runs as the compromised identity. Collects all users, groups, service principals, role assignments, app role assignments, Azure subscriptions, resource groups, storage accounts, and key vaults the identity can read. Outputs JSON ingested by BloodHound Community Edition 8.0. A default member user can read most of the directory portion; the Azure resource portion is limited to what the identity's RBAC assignments expose. No elevated permissions are required for the enumeration phase.
Tool // AzureHound v2.11.0
Who Uses It in the Wild
Storm-0501 (ransomware operator), Void Blizzard (Russia, confirmed May 2025), Curious Serpens aka Peach Sandstorm (Iran). BloodHound CE 8.0 with OpenGraph now extends attack path mapping beyond Entra ID to GitHub, Snowflake, SQL Server, and SaaS platforms. A compromised GitHub maintainer account can now be traced back to corporate Entra ID in the same graph.
What They Find
Dangerous Permission Combinations
Service principals with AppRoleAssignment.ReadWrite.All and Application.ReadWrite.All constitute a tenant takeover primitive. Principals with RoleManagement.ReadWrite.Directory can assign Global Administrator to any object. Application Administrator can add credentials to any app registration, including those holding high API permissions. AzureHound surfaces all of these as attack paths in the graph.
What They Find
Privilege Escalation Paths
A user who is a member of a group that has Owner on a key vault that contains a service principal credential that has Contributor on a production subscription. These multi-hop paths are invisible in the portal but obvious in a BloodHound graph. The attacker does not need direct permissions. They follow the path. Defenders who do not run AzureHound against their own tenant do not know what paths exist.
iam@fuscht // azurehound enumeration
# Authenticate with the compromised user's refresh token; AzureHound collects everything that identity can read
iam@fuscht:~$ ./azurehound list -r "[refresh-token]" --tenant "target.onmicrosoft.com" -o tenant.json
Collecting: users, groups, service principals, roles...
Collecting: subscriptions, resource groups, key vaults...
Collecting: app role assignments, group memberships...
Complete. Output written to tenant.json
# Import tenant.json into BloodHound CE 8.0 and ask for the shortest paths from the user to Global Administrator
# (AZUser names are upper-case UPNs; AZRole names start with the role name)
MATCH p=shortestPath((n:AZUser)-[*1..5]->(r:AZRole))
WHERE n.name = "COMPROMISED@TARGET.COM" AND r.name STARTS WITH "GLOBAL ADMINISTRATOR"
RETURN p
# BloodHound returns 3 privilege escalation paths to Global Administrator
# Path 1: compromised user > group > service principal with AppRoleAssignment.ReadWrite.All
# Path 2: compromised user > key vault > credential for SP with RoleManagement.ReadWrite.Directory
# Path 3: compromised user > Azure subscription Owner inherited from a management-group role assignment
iam@fuscht:~$
Detection angle: AzureHound does not exploit a vulnerability. It authenticates as a user and calls the same APIs legitimate tooling calls. Detecting it requires Graph API audit logging to be enabled and flowing into your SIEM. Look for unusual volumes of Graph API calls from a single identity in a short time window, particularly enumeration-pattern queries against users, groups, and role assignments in sequence. Most tenants do not have this logging enabled by default.
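The "volume in a short window, enumeration pattern in sequence" signal above is straightforward to turn into logic once the Graph activity logs are flowing. The following is an added example, not code from the module: a detector over Graph activity log records that, per principal, looks for a five-minute window with many requests spanning several distinct directory collections. Breadth is what separates an AzureHound run from a sync service that hammers one collection all day. The records, names and user agents are constructed; the field names mirror the MicrosoftGraphActivityLogs table, and the user agent is shown only because it is in the table, since a collector can set it to anything.

```python
"""Enumeration-burst detection over Microsoft Graph activity log records.

Added example, not from the original module. Sample records are constructed;
field names mirror the MicrosoftGraphActivityLogs table (TimeGenerated, UserId,
RequestUri, UserAgent, ResponseStatusCode).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Directory collections a tenant-mapping run walks, in any order.
ENUM_PATHS = ("/users", "/groups", "/servicePrincipals", "/applications",
              "/directoryRoles", "/roleManagement/directory/roleAssignments")
T0 = datetime(2026, 4, 14, 7, 31, tzinfo=timezone.utc)


def _ev(seconds, user, path, agent="azurehound"):
    """Build one constructed Graph activity record `seconds` after T0."""
    return {"TimeGenerated": T0 + timedelta(seconds=seconds), "UserId": user,
            "RequestUri": f"https://graph.microsoft.com/v1.0{path}?$top=999",
            "UserAgent": agent, "ResponseStatusCode": 200}


SAMPLE_RECORDS = (
    # compromised user: 64 requests in just over three minutes, cycling every collection
    [_ev(3 * i, "petra.lindqvist@nordiccorp.se", ENUM_PATHS[i % len(ENUM_PATHS)])
     for i in range(64)]
    # benign: HR sync reading /users every four minutes all morning (volume without breadth)
    + [_ev(240 * i, "svc-hr-sync", "/users", "hr-sync/1.0") for i in range(30)]
    # benign: a user's client touching /me and the profile photo
    + [_ev(100, "bo.nilsson@nordiccorp.se", "/me", "Teams/1.0"),
       _ev(101, "bo.nilsson@nordiccorp.se", "/me/photo/$value", "Teams/1.0")]
)


def enum_collection(uri):
    """Map a request URI to the directory collection it enumerates, or None."""
    path = urlparse(uri).path
    for version in ("/v1.0", "/beta"):
        if path.startswith(version):
            path = path[len(version):]
            break
    for collection in ENUM_PATHS:
        if path == collection or path.startswith(collection + "/"):
            return collection
    return None


def detect_enumeration(records, window=timedelta(minutes=5), min_requests=50, min_breadth=3):
    """One finding per principal with >= min_requests Graph calls inside some
    `window` that together touch >= min_breadth distinct directory collections."""
    by_principal = defaultdict(list)
    for r in records:
        by_principal[r["UserId"]].append(r)
    findings = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda r: r["TimeGenerated"])
        best, lo = None, 0
        for hi in range(len(evs)):  # sliding window over this principal's requests
            while evs[hi]["TimeGenerated"] - evs[lo]["TimeGenerated"] > window:
                lo += 1
            win = evs[lo:hi + 1]
            collections = {c for c in (enum_collection(r["RequestUri"]) for r in win) if c}
            if len(win) < min_requests or len(collections) < min_breadth:
                continue
            if best is None or len(win) >= best["requests"]:
                best = {"principal": principal, "requests": len(win),
                        "breadth": len(collections), "collections": sorted(collections),
                        "seconds": int((win[-1]["TimeGenerated"] - win[0]["TimeGenerated"]).total_seconds()),
                        "user_agents": sorted({r["UserAgent"] for r in win})}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_RECORDS):
        print(f"{f['principal']}: {f['requests']} requests over {f['seconds']}s "
              f"across {f['breadth']} collections {f['collections']}")
```

The HR sync never trips the detector because its window holds two requests to one collection, and the Teams client never reaches the request floor. Tune `min_requests` against your own baseline of the noisiest legitimate principal; the breadth threshold is what keeps that tuning from silencing a real collector.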

Persistence
Techniques

Initial access is temporary. Persistence is what turns a foothold into a long-term presence. The best persistence mechanisms are the ones that survive the remediation steps defenders take after detecting the initial compromise.

The Persistence Goal
Survive the Password Reset
Most incident responders reset passwords as a first response. A persistence mechanism that depends on password knowledge fails at this point. The techniques below survive password resets, MFA re-enrollment, and in some cases even account deletion. Defenders who treat password reset as the end of remediation are leaving access open.
Persistence 01
OAuth Consent Grant
A delegated permission granted by a user to a malicious OAuth app is recorded as a consent grant on the app's service principal and persists until it is explicitly removed. Password resets do not touch it; with the grant in place, the app keeps redeeming its refresh token and receiving new access tokens as that user. If an administrator consented on behalf of the tenant, disabling or deleting the victim user does not stop the app acting as other users. Detection requires auditing consent grants and app permissions, not just credential activity. Revocation means deleting the consent grant (or the service principal itself) and revoking the user's refresh tokens; removing the app from the user's own apps view does not do it.
Persistence 02
Certificate Backdoor on Service Principal
An attacker with sufficient permissions adds a certificate credential to an existing high-privilege service principal. The attacker controls the private key. No client secret to expire or rotate. Certificate may have multi-year validity. Survives credential rotation entirely. Survives password resets. Survives MFA re-enrollment. Used in Solorigate and documented in multiple 2025 IR engagements. The only forensic indicator is an audit log entry for the certificate addition, which most teams do not monitor.
Persistence 03
Federated Identity Credential
Workload identity federation allows external OIDC tokens to be exchanged for Entra tokens. An attacker adds a federated identity credential to an app registration or user-assigned managed identity, naming an issuer and subject they control. No secret to steal. No rotation to trigger. No secret scanning tool will find it. It survives client secret rotation, certificate audits, and password resets, and the attacker authenticates as the principal from GitHub Actions or any other OIDC provider they run. Both adding and removing the credential leave audit log entries and nothing else in the tenant changes, so an attacker can remove it after use and re-add it later; the audit log is the only record that the principal was ever reachable from outside.
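Both the certificate backdoor and the federated credential leave the same kind of evidence: a credential on a principal that nobody approved. The following is an added example, not code from the module, covering Persistence 02 and 03 together. It takes the credential inventory an operator would pull from Microsoft Graph (keyCredentials and federatedIdentityCredentials per principal) plus the ITSM change records, and flags certificates added outside any change window or with multi-year validity and federation trusts to issuers or subjects outside an allow-list, rating each finding by the principal's application permissions. The inventory, change records and allow-list are constructed, and the principal names and app ID reuse the ones this module's own Spot the Risk exercise uses; in production, take the credential addition time from the audit log event rather than from startDateTime.

```python
"""Service principal credential audit: certificate backdoors and federation trusts.

Added example, not from the original module. Inventory, change records and the
federation allow-list are constructed; replace the allow-list with the tenant's own.
"""
from datetime import datetime, timedelta, timezone


def _t(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# issuer -> subject prefix the tenant allows for workload identity federation (assumed)
ALLOWED_FEDERATION = {"https://token.actions.githubusercontent.com": "repo:nordiccorp/"}
MAX_CERT_VALIDITY = timedelta(days=400)
HIGH_PRIVILEGE = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                  "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"}

PRINCIPALS = [
    {"displayName": "AutomationService-Prod", "appId": "f7c2a8b1-4d3e-4f12-9a0b-88234c6f7821",
     "appRoles": ["Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"],
     "keyCredentials": [
         # the legitimate yearly certificate, rolled under a change record
         {"keyId": "k-2025", "displayName": "CN=automation-prod",
          "startDateTime": _t(2025, 6, 1), "endDateTime": _t(2026, 6, 1)},
         # added 11 days before the incident date, three-year validity, no change record
         {"keyId": "k-7731", "displayName": "CN=automation-prod",
          "startDateTime": _t(2026, 4, 3), "endDateTime": _t(2029, 4, 3)},
     ],
     "federatedIdentityCredentials": [
         {"name": "gh-deploy", "issuer": "https://token.actions.githubusercontent.com",
          "subject": "repo:nordiccorp/platform:environment:prod"},
     ]},
    {"displayName": "bd-app-7731", "appId": "0c1d2e3f-1111-2222-3333-444455556666",
     "appRoles": [], "keyCredentials": [],
     "federatedIdentityCredentials": [
         {"name": "ci", "issuer": "https://oidc.attacker-controlled.example", "subject": "anything"},
     ]},
]
# ITSM change records: which app was approved to receive a new credential, and when
CHANGES = [{"appId": "f7c2a8b1-4d3e-4f12-9a0b-88234c6f7821",
            "start": _t(2025, 6, 1), "end": _t(2025, 6, 2)}]


def covered_by_change(app_id, when, changes, slack=timedelta(hours=4)):
    """True if some change record for this app spans `when`, with a little slack."""
    return any(c["appId"] == app_id and c["start"] - slack <= when <= c["end"] + slack
               for c in changes)


def _finding(principal, severity, kind, detail):
    return {"principal": principal["displayName"], "severity": severity, "kind": kind, "detail": detail}


def audit_principals(principals, changes):
    """Flag unapproved or long-lived certificates and unapproved federation trusts."""
    findings = []
    for p in principals:
        severity = "high" if set(p["appRoles"]) & HIGH_PRIVILEGE else "medium"
        for kc in p["keyCredentials"]:
            if not covered_by_change(p["appId"], kc["startDateTime"], changes):
                findings.append(_finding(p, severity, "cert-without-change-record", kc["keyId"]))
            validity = kc["endDateTime"] - kc["startDateTime"]
            if validity > MAX_CERT_VALIDITY:
                findings.append(_finding(p, severity, "cert-long-validity",
                                         f"{kc['keyId']} valid {validity.days} days"))
        for fic in p["federatedIdentityCredentials"]:
            prefix = ALLOWED_FEDERATION.get(fic["issuer"])
            if prefix is None:
                findings.append(_finding(p, severity, "federation-unknown-issuer", fic["issuer"]))
            elif not fic["subject"].startswith(prefix):
                findings.append(_finding(p, severity, "federation-unapproved-subject", fic["subject"]))
    return findings


if __name__ == "__main__":
    for f in audit_principals(PRINCIPALS, CHANGES):
        print(f"[{f['severity']}] {f['principal']}: {f['kind']} ({f['detail']})")
```

Run this on a schedule and diff against the previous run: a new finding on a principal that holds Directory.ReadWrite.All or a role-management permission is the audit log entry the Solorigate sidebar says nobody watches, surfaced before the 180 days go by.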
Persistence 04
Device Registration for PRT
Storm-2372 extended their device code phishing campaigns by using the Microsoft Authentication Broker client ID specifically because a successful authentication allows registration of an attacker-controlled device in Entra ID. That device then receives its own Primary Refresh Token. The attacker now has a legitimate enrolled device providing long-term SSO access to all Azure and M365 resources. The device appears in the Entra devices inventory as just another enrolled endpoint.
Persistence 05
Backdoor Admin Account
An attacker with sufficient permissions creates a new user with a Global Administrator role or adds an existing account to a role-assignable group with privileged access. Less sophisticated than the technical persistence methods but still common. If the created account uses an external identity or a domain the target does not monitor, it may persist undetected for extended periods. Guest accounts and cross-tenant configurations are frequently used to reduce detection likelihood.
Persistence 06
Long-Lived Refresh Token
An OAuth consent grant with the offline_access scope produces a refresh token valid for up to 90 days of inactivity, renewed on every use. All activity appears as the legitimate user in sign-in logs. No role assignments, no certificates, no service principals. The access looks like normal user behavior. Revocation requires calling Revoke-MgUserSignInSession, removing the consent grant, and auditing all activity during the window. Do not rely on a password reset to end it: access tokens already issued run to expiry, and the consent grant stays in place to mint new tokens the next time the app authenticates the user.
// Real World // Solorigate / SolarWinds 2020, still relevant in 2026
Certificate backdoors as the defining persistence technique of the decade
The SolarWinds supply chain attack established certificate credential addition to service principals as a primary APT persistence technique. The attacker added certificates to highly privileged app registrations, granting themselves ongoing access that survived all credential rotation and remediation attempts that did not specifically audit certificate credentials. This technique is documented in multiple 2025 IR engagements. The average time before detection in certificate backdoor cases exceeds 180 days. The forensic artifact, the audit log entry for the certificate addition, is rarely monitored.

Flashcards

Click the card to reveal the answer. Review Again flips it back without advancing. Got It moves to the next.


Match the
Technique

Drag each attack technique to the correct detection or mitigation. Some mappings are counterintuitive. Think carefully before placing.

Drag items from the pool below to the correct slot.

// Technique Pool
FIDO2 / Passkeys
ROADtoken
AzureHound
Revoke-MgUserSignInSession
Graph API Audit Logs
Certificate Credential Audit
Continuous Access Evaluation
Workload Identity Federation
// Slots
Fully mitigates AiTM phishing
Extracts PRT from Entra-joined device
Maps privilege escalation paths in Entra
Required to detect AzureHound activity
Revokes active sessions after compromise
Detects certificate backdoor on service principal
Near real-time token revocation on critical events
Eliminates client secrets from CI/CD pipelines

Spot the
Risk

You are reviewing a tenant during a routine audit. Something in this sign-in log pattern indicates an active or recent compromise. Identify it.

Entra ID // Sign-in Logs // Service Principal Activity // Last 72 Hours AUDIT VIEW
Principal Name AutomationService-Prod
Application ID f7c2a8b1-4d3e-4f12-9a0b-88234c6f7821
Sign-in Method Client Credentials (Application Permission)
Token Claims (scp) Empty
Token Claims (roles) Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All
Activity Volume 847 Graph API calls in 4 minutes at 03:22 UTC
IP Address Residential ISP, Bucharest Romania
Previous Activity Last sign-in 3 weeks ago from Azure datacenter UK South
KeyCredentials Certificate added 11 days ago. No change request in ITSM.
Three indicators here suggest active compromise. Which combination represents the highest-confidence finding and what does it confirm?
The certificate added without an ITSM record is the persistence mechanism. Directory.ReadWrite.All as an application permission (confirmed by the empty scp claim and the populated roles claim) means the attacker acts with the app's own privileges rather than on behalf of any user, and can modify users, groups, and other directory objects across the tenant, with Mail.ReadWrite and Files.ReadWrite.All adding every mailbox and file on top. The Romanian residential IP at 03:22 UTC with 847 API calls in 4 minutes, against a baseline of datacenter-only sign-ins three weeks apart, is the active exploitation. The attacker has held a credential for this principal for 11 days. Immediate actions: disable the service principal, remove the certificate credential, audit every directory change and Graph call made by this principal in the 11-day window, check all other principals for credential additions in the same period, and review which app role assignments the principal holds and whether any were added recently.

Module
Quiz

20 questions. Escalating difficulty. These are the questions an attacker has already answered about environments like yours. Pass at 15/20.


Scenario
Assessment

You are responding to an active incident. An attacker moved from initial access to Global Administrator in 48 minutes. The timeline and evidence are below. 10 questions. 12 minutes. No explanations until the end. Pass at 80%.

Questions
10
Time Limit
12 minutes
Pass Threshold
8 / 10
Read the incident timeline below carefully before starting. Questions reference specific events in the timeline.
Incident Timeline // Target Tenant: NordicCorp AB // 2026-04-14 CLASSIFIED // IR USE ONLY
07:14 UTC User petra.lindqvist@nordiccorp.se clicks a lure email. URL redirects through Cloudflare Worker to attacker proxy. Petra authenticates with password and Microsoft Authenticator push (number matching enabled).
07:14 UTC Session cookie captured by attacker proxy. Petra's sign-in logs show successful authentication. No anomaly flagged.
07:17 UTC Attacker replays session cookie from IP 185.220.101.47 (Tor exit node). Accesses Petra's Outlook, Teams, and SharePoint via M365 web interface.
07:31 UTC Attacker runs AzureHound using Petra's refresh token. Collects 2,847 objects in 4 minutes. Identifies service principal AutomationSP with AppRoleAssignment.ReadWrite.All.
07:44 UTC Attacker retrieves AutomationSP client secret from Azure Key Vault (Petra has Key Vault Reader). Authenticates as AutomationSP.
07:51 UTC Attacker uses AppRoleAssignment.ReadWrite.All to grant RoleManagement.ReadWrite.Directory to a newly registered backdoor application (bd-app-7731).
08:02 UTC bd-app-7731 assigns Global Administrator role to attacker@external-domain.com. Tenant fully compromised. 48 minutes elapsed since initial access.
08:06 UTC Attacker adds certificate credential to 3 additional high-privilege service principals. Establishes persistence that will survive remediation.
08:47 UTC Petra reports she cannot access her account. IT resets her password. Session not explicitly revoked. Attacker session remains active.
09:07 UTC IR team engaged. Attacker still has active access via bd-app-7731 and 3 certificate backdoors. Password reset did not affect any of these access paths.