NHI Forum


Microsoft Token Forgery Attack Explained: How It Happened and What It Means for You


(@slashid)
Trusted Member
Joined: 9 months ago
Posts: 26
Topic starter  

Read full article here: https://www.slashid.com/blog/actor-token-forgery-overview/?utm_source=nhimg

 

Actor Token Forgery (ATF) represents one of the most stealthy and high-impact identity attacks against Microsoft Entra ID (formerly Azure AD). By forging legitimate-looking OAuth 2.0 tokens signed with trusted keys, attackers can impersonate users and service principals, bypass MFA, Conditional Access, and even logging visibility.

This attack exploits Microsoft’s service-to-service (S2S) trust model—the same mechanism that allows Exchange and SharePoint to communicate seamlessly. But when that trust is abused, it becomes an invisible backdoor for full tenant compromise.

 

What Makes Actor Token Forgery Unique

Unlike traditional phishing or password-based attacks, ATF doesn’t rely on user interaction. Instead, it manipulates trusted certificates and application keys to create forged tokens that Microsoft’s own Security Token Service (STS) accepts as valid.

Once an attacker injects or steals a valid certificate from a trusted app registration or hybrid Exchange service, they can mint tokens that appear fully legitimate. These tokens grant delegated or application-level access to Microsoft Graph, Exchange Online, SharePoint, and OneDrive — with no login events, no MFA prompts, and no alerts.

“Actor Token Forgery is effectively the Golden SAML of Microsoft Entra ID — but with deeper automation potential and almost zero visibility,” notes the report.

 

How the Attack Works

Actor Token Forgery follows a predictable, repeatable sequence — often executed with tools like ROADtools or ROADtx:

  1. Initial Access: Attackers gain a foothold via a compromised admin account, exposed CI/CD token, or misconfigured app registration.
  2. Discovery: Using Microsoft Graph queries (/servicePrincipals, /applications), they enumerate apps and their keyCredentials.
  3. Certificate Theft or Injection: A stolen or newly inserted certificate lets the attacker forge OAuth tokens trusted by Entra’s STS.
  4. Token Forgery: The forged token impersonates either a Microsoft service (actor token) or a tenant user (impersonation token).
  5. Lateral Movement: The forged identity accesses high-value APIs like Microsoft Graph, Exchange, or SharePoint—without triggering logs or alerts.

Each step leverages legitimate Microsoft APIs, meaning defenders see normal traffic patterns even as attackers move laterally and escalate privileges.

 

Why It’s So Dangerous

  • No Visibility: Actor tokens don’t generate issuance or usage logs.
  • No Revocation: Tokens can’t be revoked and remain valid up to 24 hours.
  • No Conditional Access: S2S authentication bypasses policy enforcement.
  • No MFA: There’s no interactive challenge; tokens are accepted by design.
  • Trusted Issuer: The forged tokens appear to come from Microsoft’s STS and pass validation checks.

In hybrid Exchange deployments, unsigned bearer tokens ("alg": "none") can still be accepted by Exchange Online, making detection nearly impossible.

 

Detection & Defense Strategies

While Actor Token Forgery is highly stealthy, forensic correlation and proactive monitoring can expose it.
Defenders should focus on the following actions:

  1. Audit and Rotate Certificates
  • Query Entra for all service principals with keyCredentials or preferredTokenSigningKeyThumbprint.
  • Rotate certificates older than 90 days and enforce shorter validity windows.
  • Example command (adds a new self-signed certificate credential valid for 90 days):
  • az ad app credential reset --id <appid> --append --create-cert --end-date "$(date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ)"
  2. Monitor Certificate Insertions
  • Alert on "Add keyCredentials" events in AuditLogs.
  • Flag any new certificates on high-privilege apps (Graph, Exchange, EWS) without corresponding appRoleAssignment changes.
  3. Detect Unsigned Tokens
  • Identify JWTs using "alg": "none".
  • Cross-verify token thumbprints (x5t/kid) against registered keyCredentials to detect unregistered or offline-forged tokens.
  4. Correlate Exchange/SharePoint Access
  • Look for mailbox or file access that lacks Entra sign-in logs.
  • S2S flows leave no Entra footprint — anomaly detection must rely on resource-level logs.
  5. Minimize Trusted Delegation
  • Reduce or remove trustedForDelegation settings.
  • Restrict client-credential flow apps by disabling implicit grant (oauth2AllowImplicitFlow=false).

 

Real-World Impact

Actor Token Forgery grants attackers the ability to:

  • Impersonate any user (including admins) within a tenant
  • Access sensitive data across Microsoft 365 services
  • Create new privileged accounts or app registrations
  • Exfiltrate mailboxes and OneDrive contents
  • Maintain long-term persistence even after password resets or MFA enforcement

In short, ATF turns Microsoft’s trust fabric against itself — enabling invisible, credential-less compromise through legitimate identity infrastructure.

 

Detection & Mitigation with SlashID

SlashID provides behavioral detection and continuous monitoring for attacks like Actor Token Forgery by identifying:

  • Dangerous OAuth 2.0 scopes in service accounts
  • Anomalous keyCredentials or appRoleAssignment changes
  • Unusual app-to-app Graph activity
  • Privilege escalation through certificate or token anomalies

These detections give defenders the visibility Entra ID’s native telemetry currently lacks.

 

Key Takeaways

  • Actor Token Forgery is the most advanced form of identity-based privilege escalation in Microsoft Entra ID.
  • It exploits trusted app certificates and hybrid Exchange delegation to impersonate users invisibly.
  • Traditional controls like MFA and Conditional Access do not apply to forged tokens.
  • Defense requires treating app certificates and service principals as sensitive assets, with short-lived credentials, active rotation, and continuous telemetry correlation.
  • Tools like SlashID fill the visibility gap by monitoring certificate changes, API behavior, and anomalous token issuance.

 

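The "Audit and Rotate Certificates" and "Monitor Certificate Insertions" items, as an added example that is not the article's or SlashID's code. It walks a Graph-shaped list of service principals, flags X.509 keyCredentials older than 90 days, validity windows longer than a year, certificates added in the last week (to be matched against a change record), and a `preferredTokenSigningKeyThumbprint` that does not correspond to any registered keyCredential, then emits the `az` commands for a replacement. The service principals, thumbprints, keyIds and the fixed "now" are constructed; the 90/365/7-day thresholds are assumptions you can tune.

```python
import base64
from datetime import datetime, timedelta, timezone


def _b64_thumbprint(hex_thumbprint):
    """Graph returns customKeyIdentifier as standard base64 of the SHA-1 thumbprint bytes."""
    return base64.b64encode(bytes.fromhex(hex_thumbprint)).decode()


# Constructed sample (not a real tenant), shaped like the items of
# GET /servicePrincipals?$select=appId,displayName,keyCredentials,preferredTokenSigningKeyThumbprint
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible

SERVICE_PRINCIPALS = [
    {
        "appId": "aaaaaaaa-0000-0000-0000-000000000001",  # placeholder appIds
        "displayName": "hypothetical-hr-connector",
        "preferredTokenSigningKeyThumbprint": None,
        "keyCredentials": [
            {"keyId": "k1", "displayName": "CN=hr-2025", "type": "AsymmetricX509Cert",
             "usage": "Verify",
             "customKeyIdentifier": _b64_thumbprint("1f2e3d4c5b6a79880706a5b4c3d2e1f0aa11bb22"),
             "startDateTime": "2025-09-15T00:00:00Z", "endDateTime": "2025-12-14T00:00:00Z"},
        ],
    },
    {
        "appId": "aaaaaaaa-0000-0000-0000-000000000002",
        "displayName": "hypothetical-mail-sync",
        # points at a thumbprint that is not among the registered keyCredentials
        "preferredTokenSigningKeyThumbprint": "0123456789ABCDEF0123456789ABCDEF01234567",
        "keyCredentials": [
            {"keyId": "k2", "displayName": "CN=mail-sync-2023", "type": "AsymmetricX509Cert",
             "usage": "Verify",
             "customKeyIdentifier": _b64_thumbprint("aabbccddeeff00112233445566778899aabbccdd"),
             "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": "2026-01-10T00:00:00Z"},
            {"keyId": "k3", "displayName": None, "type": "AsymmetricX509Cert",
             "usage": "Verify",
             "customKeyIdentifier": _b64_thumbprint("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
             "startDateTime": "2025-09-28T12:00:00Z", "endDateTime": "2027-09-28T12:00:00Z"},
        ],
    },
]


def _parse_ts(value):
    # Python < 3.11 fromisoformat does not accept a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_service_principal(sp, now=NOW, max_age_days=90, max_validity_days=365, recent_days=7):
    """Findings for one service principal: stale certs, long validity windows,
    freshly added certs to review, and a preferred signing key that is not registered."""
    findings = []
    registered = set()
    for kc in sp.get("keyCredentials", []):
        if kc.get("type") != "AsymmetricX509Cert":
            continue
        registered.add(base64.b64decode(kc["customKeyIdentifier"]).hex().upper())
        start, end = _parse_ts(kc["startDateTime"]), _parse_ts(kc["endDateTime"])
        age, validity = now - start, end - start
        if age > timedelta(days=max_age_days):
            findings.append({"kind": "rotate", "keyId": kc["keyId"],
                             "detail": f"{age.days} days old"})
        if validity > timedelta(days=max_validity_days):
            findings.append({"kind": "shorten-validity", "keyId": kc["keyId"],
                             "detail": f"valid for {validity.days} days"})
        if timedelta(0) <= age < timedelta(days=recent_days):
            findings.append({"kind": "review-new-cert", "keyId": kc["keyId"],
                             "detail": f"added {age.days} days ago; confirm a matching change record"})
    preferred = sp.get("preferredTokenSigningKeyThumbprint")
    if preferred and preferred.upper() not in registered:
        findings.append({"kind": "unknown-signing-key", "keyId": None,
                         "detail": f"preferred signing thumbprint {preferred} is not a registered keyCredential"})
    return findings


def rotation_commands(sp, findings, now=NOW, days=90):
    """az commands to add a replacement self-signed cert valid for `days` and drop each stale one."""
    stale = [f["keyId"] for f in findings if f["kind"] == "rotate"]
    if not stale:
        return []
    end = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    cmds = [f"az ad app credential reset --id {sp['appId']} --append --create-cert --end-date {end}"]
    cmds += [f"az ad app credential delete --id {sp['appId']} --key-id {key_id} --cert"
             for key_id in stale]
    return cmds


if __name__ == "__main__":
    for sp in SERVICE_PRINCIPALS:
        found = audit_service_principal(sp)
        print(sp["displayName"], found)
        for cmd in rotation_commands(sp, found):
            print("  ", cmd)
```

The delete commands are deliberately emitted after the reset so the consumer of the credential can be switched over in between; run the audit from a scheduled job and treat every "unknown-signing-key" or "review-new-cert" finding on a Graph-, Exchange- or EWS-privileged app as an incident-response lead rather than housekeeping.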


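The "Correlate Exchange/SharePoint Access" item, as an added example that is not the article's or SlashID's code. It takes mailbox audit records (shaped like Unified Audit Log `MailItemsAccessed` entries) and Entra sign-in records, and flags each mailbox access for which there is no successful sign-in by the same user and app, nor a service-principal sign-in for that app, within a preceding 24-hour window. Both record sets are constructed; the field names mirror the real logs but the values are placeholders, and the 24-hour window (roughly an access token's maximum lifetime) is an assumption.

```python
import bisect
from datetime import datetime, timedelta, timezone


def _ts(value):
    """UAL CreationTime is naive UTC; Entra createdDateTime carries a Z suffix."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


# Constructed resource-level records (Exchange mailbox audit, as exposed through the UAL)
MAILBOX_AUDIT = [
    {"CreationTime": "2025-10-01T09:05:00", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.com", "ClientAppId": "app-outlook", "ClientIPAddress": "203.0.113.10"},
    {"CreationTime": "2025-10-01T09:07:00", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.com", "ClientAppId": "app-mail-sync", "ClientIPAddress": "198.51.100.7"},
    {"CreationTime": "2025-10-01T09:20:00", "Operation": "MailItemsAccessed",
     "UserId": "app-backup", "ClientAppId": "app-backup", "ClientIPAddress": "192.0.2.5"},
]

# Constructed Entra sign-in records (user sign-ins and one service-principal sign-in)
SIGN_INS = [
    {"createdDateTime": "2025-10-01T08:50:00Z", "userPrincipalName": "cfo@example.com",
     "appId": "app-outlook", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-25T08:50:00Z", "userPrincipalName": "cfo@example.com",
     "appId": "app-mail-sync", "status": {"errorCode": 0}},     # six days old: outside the window
    {"createdDateTime": "2025-10-01T09:00:00Z", "userPrincipalName": "",
     "appId": "app-backup", "status": {"errorCode": 0}},        # service principal sign-in, no user
    {"createdDateTime": "2025-10-01T09:06:00Z", "userPrincipalName": "cfo@example.com",
     "appId": "app-mail-sync", "status": {"errorCode": 50126}}, # failed sign-in: does not count
]


def build_index(sign_ins):
    """(upn, appId) -> sorted successful sign-in times; service-principal sign-ins use upn ''."""
    index = {}
    for entry in sign_ins:
        if entry.get("status", {}).get("errorCode", 0) != 0:
            continue
        key = (entry.get("userPrincipalName", "").lower(), entry["appId"])
        index.setdefault(key, []).append(_ts(entry["createdDateTime"]))
    for times in index.values():
        times.sort()
    return index


def _seen_within(times, when, window):
    """True if the latest sign-in at or before `when` falls inside `window`."""
    i = bisect.bisect_right(times, when)
    return i > 0 and when - times[i - 1] <= window


def uncorrelated_access(audit_records, sign_ins, window=timedelta(hours=24)):
    """Mailbox accesses with no explaining user or service-principal sign-in in the window."""
    index = build_index(sign_ins)
    flagged = []
    for rec in audit_records:
        when = _ts(rec["CreationTime"])
        user, app = rec["UserId"].lower(), rec["ClientAppId"]
        explained = (_seen_within(index.get((user, app), []), when, window)
                     or _seen_within(index.get(("", app), []), when, window))
        if not explained:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in uncorrelated_access(MAILBOX_AUDIT, SIGN_INS):
        print("no sign-in behind", rec["Operation"], rec["UserId"], rec["ClientAppId"],
              "from", rec["ClientIPAddress"], "at", rec["CreationTime"])
```

A hit is a lead, not proof: Entra sign-in logs can lag the resource logs by some time, so re-run over the last window before escalating, and weight hits by the app involved (an access through an app that holds application-level Graph or Exchange permissions, from an IP the tenant has never seen, is the pattern the post is warning about).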
   