Microsoft Secure Boot certificates from 2011 begin expiring in June 2026. Here’s how to check whether your Windows PC has the 2023 update.

The post Millions of Windows PCs Face a Secure Boot Update Deadline in 2026 appeared first on TechRepublic.

The post The 1.6 Billion User Pivot: Satya Nadella’s Plan to Fix Windows 11 and Save the 8GB PC appeared first on Daily CyberSecurity.

Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.

However, an authorized red team engagement by Howler Cell recently revealed a critical attack path that entirely bypasses these vital protections.

Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.

This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.

The engagement by Howler Cell closely mirrored real-world tactics used by Storm-2372, a suspected Russian state-aligned threat actor.

Both the researchers and threat actors exploited unprotected Device Registration Service (DRS) endpoints to establish initial footholds, proving that blocked credentials are not a dead end for sophisticated attackers.

Azure AD Conditional Access Bypassed

According to Howler Cell’s comprehensive research, the operation began with valid credentials explicitly blocked by a CA policy, resulting in an AADSTS53003 error.

To bypass this, researchers targeted the DRS endpoint using the device code authentication flow, an avenue left open by unenforced security policies.

This allowed them to authenticate successfully and proceed to the next phase of the attack.

Using a single command, the Howler Cell team registered a phantom device with a signed Azure AD certificate and private key.

The DRS API does not validate if the caller is a physical Windows machine, allowing a Linux laptop to masquerade as a legitimate endpoint.

This step leveraged the MITRE ATT&CK technique for Account Manipulation (T1098.005).

With the phantom device registered, researchers minted a Primary Refresh Token (PRT) containing false device claims.

When this PRT was exchanged for an access token, Azure AD determined that the session was device-authenticated.

This completely bypassed CA policies that required a compliant or joined device, granting access to the broader tenant environment for directory enumeration.

To bypass policies strictly requiring an Intune-compliant device, the researchers exploited a known gap in Intune enrollment restrictions.

By claiming hybrid domain-join status, the phantom device bypassed pre-registration requirements.

Intune trusted the client’s self-declared domain membership without verifying it against on-premises Active Directory.

Once enrolled, the device achieved compliance despite lacking BitLocker, Secure Boot, or antivirus software.

Intune’s evaluation logic treated missing health attestation responses as “not applicable” rather than non-compliant.

This permissive default posture allowed the researchers to download internal enterprise applications, and extracting a single package revealed critical internal server naming conventions and network architecture.

Escalation and Mitigation

Independent of device spoofing, researcher Howler Cell from Cyderes identified a structural risk in hybrid identity environments.

They discovered 255 highly privileged directory roles, including multiple Global Administrators, synced directly from on-premises Active Directory. 

Compromising these on-premises accounts provides attackers with a direct path to complete cloud tenant takeover without needing any cloud-specific exploits.

To defend against these complex attack chains, organizations must harden their device trust models.

Crucial mitigations include:

• Enforcing report-only CA policies that block device code flows and require MFA for device registration.
• Mandating TPM 2.0 attestation as a strict prerequisite for all PRT issuance.
• Requiring external validation of device health through the Microsoft Health Attestation Service rather than relying on self-reported data.
• Scoping user-level Graph API access to prevent unauthorized bulk directory enumeration.
• Restricting privileged directory roles exclusively to cloud-only accounts managed through Privileged Identity Management.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse appeared first on Cyber Security News.

Microsoft is set to bridge the gap in enterprise unified communications with a highly anticipated update to its conference room hardware. Starting in June 2026, Microsoft Teams Rooms on Android will officially support joining third-party external meetings through Session Initiation Protocol (SIP). This strategic development aims to deliver seamless cross-platform interoperability for organizations relying on […]

The post Microsoft Teams on Android Now Lets Users Join External Meetings Through SIP appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

CloudZ is a new modular remote access trojan that abuses Microsoft’s built‑in Phone Link feature to steal SMS one‑time passwords (OTPs) and other mobile notifications directly from Windows PCs, without infecting the phone itself. Microsoft Phone Link (formerly “Your Phone”) is integrated into Windows 10 and 11 to mirror smartphone SMS messages, application notifications, call […]

The post CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Microsoft fixed a Defender false positive that flagged legitimate DigiCert certificates as malware, disrupting Windows trust stores for some IT teams.

The post Microsoft Defender Bug Triggers False Malware Alerts for DigiCert Certificates appeared first on TechRepublic.

Microsoft flagged 8.3 billion phishing emails as attackers turned to QR codes, fake CAPTCHAs, PhaaS kits, and file-based payloads.

The post Microsoft Flagged 8.3B Phishing Emails in Q1 as QR Codes, CAPTCHAs Rise appeared first on TechRepublic.

Microsoft confirmed a Windows zero-click flaw tied to an incomplete patch is being exploited, putting credentials at risk for unpatched users.

The post Microsoft Confirms Windows Flaw Is Being Exploited After Incomplete Patch appeared first on TechRepublic.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly discovered zero-day vulnerability affecting Microsoft Windows. On April 28, 2026, the agency officially added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog. This critical flaw involves a failure of a protection mechanism within the Microsoft Windows Shell, and active exploitation […]

The post CISA Warns of Windows Shell Zero-Day Exploited in Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.