SMTP Matching Abuse in Azure AD


In his TROOPERS19 talk (“I’m in your cloud … reading everyone’s email”), Dirk-jan Mollema described an issue he discovered: SMTP matching (also called soft matching) could be used to synchronize on-premises Active Directory (AD) users to Azure AD in a way that hijacks existing, unsynchronized cloud accounts. Mollema stated that Microsoft had blocked this for accounts holding active assignments to administrative roles within Azure AD.
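The statement above concerns two populations of Azure AD accounts: cloud-only users that were never synchronized from on-prem AD (the potential targets of a soft match) and the subset of those that hold an active administrative role (the ones the cited block is supposed to protect). The following script is an added example, not code from the original post or from the researchers' tooling, that inventories both so an administrator can see what is exposed in their own tenant. It assumes the AzureAD PowerShell module and an account permitted to read users and directory roles; the cmdlet and property names are those of that module.

```powershell
# Added example (not from the original post). Lists cloud-only Azure AD users and
# marks which of them currently hold an active directory role.
# Assumes the AzureAD module. Get-AzureADDirectoryRole only returns roles that have
# been activated in the tenant, and neither it nor Get-AzureADDirectoryRoleMember
# reports eligible (PIM) assignments, so only *active* assignments are covered.

Connect-AzureAD | Out-Null

# Lookup: user ObjectId -> names of the active roles that user holds.
$roleHolders = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if ($member.ObjectType -ne 'User') { continue }   # skip groups and service principals
        if (-not $roleHolders.ContainsKey($member.ObjectId)) {
            $roleHolders[$member.ObjectId] = @()
        }
        $roleHolders[$member.ObjectId] += $role.DisplayName
    }
}

# Cloud-only users: never synchronized, so DirSyncEnabled is not $true and no
# ImmutableId (source anchor) has been set on them.
$cloudOnly = Get-AzureADUser -All $true | Where-Object {
    -not $_.DirSyncEnabled -and [string]::IsNullOrEmpty($_.ImmutableId)
}

$report = foreach ($u in $cloudOnly) {
    # Upper-case "SMTP:" in proxyAddresses denotes the primary address, which is
    # the value a soft match compares against.
    $primary = ($u.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PrimarySmtp       = $primary
        ActiveRoles       = ($roleHolders[$u.ObjectId] -join '; ')   # empty if none
    }
}

# Role holders first, then the remaining cloud-only accounts, which are plain
# soft-match candidates and deserve review in their own right.
$report |
    Sort-Object -Property @{ Expression = { $_.ActiveRoles -ne '' }; Descending = $true }, UserPrincipalName |
    Format-Table -AutoSize
```

Run it from a PowerShell session where `Connect-AzureAD` can complete interactively. Because PIM-eligible assignments are invisible to these cmdlets, an account that is only eligible for a role shows an empty ActiveRoles column; whether such accounts fall under the block the talk mentions is exactly the kind of question the research discussed on this page is after, and the script does not answer it.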

We dug into this statement. Bad news: Our research show…
