New Active Directory Attack Bypasses Authentication and Steals Data

Security researcher Dirk-Jan Mollema from Outsider Security unveiled advanced lateral movement techniques that enable threat actors to compromise Microsoft’s cloud infrastructure through on-premises Active Directory vulnerabilities during his presentation at Black Hat USA 2025.

The 40-minute briefing, delivered on August 6th, highlighted critical security gaps in hybrid AD environments that could allow attackers to bypass multi-factor authentication and exfiltrate sensitive data without detection.

Exploiting Hybrid Trust Relationships

Mollema’s research focuses on the evolving security boundary between traditional Active Directory (AD) and Microsoft’s cloud-based Entra ID (formerly Azure Active Directory) systems.

The presentation detailed how Advanced Persistent Threat (APT) groups have been leveraging undocumented authentication flows to escalate privileges across hybrid environments.

These techniques exploit the inherent trust relationships that exist between on-premises Active Directory domains and their cloud counterparts, allowing attackers to pivot from compromised local systems to cloud-based resources.

The researcher emphasized that while Microsoft has implemented hardening measures over recent years to reduce cloud trust in on-premises data, significant attack vectors remain viable.

The demonstrated lateral movement techniques bypass traditional security controls, including MFA implementations, enabling stealthy data exfiltration that leaves minimal forensic evidence.

Mollema noted that these attack methods are “not vulnerabilities, but part of the design,” highlighting fundamental architectural challenges in hybrid identity management systems.

Stealth Operations and Detection Evasion

A particularly concerning aspect of these attack techniques is their ability to operate beneath the detection threshold of most security monitoring systems.

Mollema revealed that the majority of these lateral movement methods generate few useful audit logs when executed, making incident response and threat hunting significantly more challenging.

The presentation included live demonstrations of tenant compromise scenarios originating from on-premises AD infrastructure, showcasing how attackers can maintain persistent access across both environments.

The timing of this research is critical as organizations increasingly adopt hybrid cloud architectures while facing sophisticated nation-state actors.

Mollema’s findings suggest that traditional security boundaries may be more porous than previously understood, requiring organizations to reassess their hybrid identity security postures.

The presentation materials, including detailed slides, have been made available to help security professionals understand and defend against these emerging threat vectors.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
