
Hybrid Identity at Risk: Microsoft Exchange Vulnerability Disclosed at Black Hat 2025

A newly disclosed flaw in hybrid Microsoft Exchange deployments lets an attacker who already controls an on‑prem Exchange server pivot into the organization's cloud identity system and move laterally into Microsoft 365, leaving little trace in the usual sign‑in telemetry.

Vulnerability Overview

At Black Hat USA 2025, security researcher Dirk‑jan Mollema (Outsider Security) revealed a high‑severity vulnerability affecting hybrid Microsoft Exchange deployments, where on‑prem Exchange is connected to Microsoft 365 through Entra ID. In the traditional hybrid configuration, on‑prem Exchange and Exchange Online share the same Entra ID service principal, so an attacker who first gains administrative access to an on‑prem Exchange server can use that shared trust to act against the cloud tenant. The flaw enables such an attacker to:

  • Manipulate hybrid identities
  • Change user passwords
  • Convert cloud‑only accounts into hybrid accounts
  • Modify service principal permissions
  • Obtain access tokens that remain valid for 24 hours and cannot be revoked

While no active exploitation has yet been observed, Microsoft and CISA have confirmed the issue, and CISA is preparing an emergency directive for federal systems.

Attack Vectors

  1. Hybrid Identity Manipulation
    An attacker with administrative rights on on‑prem Exchange uses the shared service principal to act on cloud identities: resetting passwords, converting cloud‑only accounts to hybrid accounts, and so escalating from the on‑prem boundary into Entra ID.
  2. Service Principal Tampering
    Modifying service principal permissions to gain persistent or elevated roles across cloud and on‑prem environments.
  3. Persistent, Non‑Revocable Tokens
    Tokens requested through the shared service principal are valid for 24 hours and cannot be revoked, so isolating the compromised on‑prem server does not end the attacker's cloud access within that window, and their use leaves little trace in standard sign‑in logs.
  4. Hybrid Environment as a Launchpad
    Attackers can pivot from email infrastructure to broader enterprise systems through hybrid linkages.

Recommended Mitigations

  1. Apply Microsoft's April 2025 Hybrid Configuration Guidance
    Install the April 2025 Exchange Server Hotfix Update (or later) and follow Microsoft's guidance to replace the shared service principal with a dedicated Exchange hybrid application, then clean up the credentials that remain registered on the shared service principal. Installing the update alone does not remove the shared trust.
  2. Temporarily Block Exchange Web Services (EWS)
    Microsoft has announced phased, temporary blocks of EWS traffic that uses the shared service principal. Restrict EWS access now where you can, and test hybrid features such as free/busy and mailbox moves before blocking it broadly.
  3. Audit Hybrid Identity Hygiene
    Review and clean up hybrid accounts, service principal permissions, and configuration drift.
  4. Enhance Monitoring for Token Activity
    Deploy alerts for anomalous or excessive token usage.
  5. Limit Exposure
    Restrict EWS and management interfaces to secure, segmented networks.
  6. Harden Hybrid Architecture
    Reduce hybrid dependencies and improve segmentation between cloud and on‑prem.
  7. Prepare for Incident Response
    Ensure your team is ready to investigate misuse and respond quickly.
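The following PowerShell script is an added example for mitigations 1, 2 and 3 above; it is not code from the article, from Kalles Group or from Microsoft. It audits, without changing anything, the three things an operator wants to know first: which certificates (keyCredentials) are still registered on the shared first‑party Exchange Online service principal in Entra ID, whether each on‑prem Exchange server is at or above a minimum build, and how EWS access is currently restricted on‑prem. The Exchange Online appId used is the well‑known first‑party application ID; the `$MinimumBuild` values are placeholders that you must replace from Microsoft's published Exchange build‑number table, and the function names are the script's own. It assumes the Microsoft.Graph PowerShell SDK (for the Entra ID part) and an Exchange Management Shell session (for the on‑prem part).

```powershell
#Requires -Modules Microsoft.Graph.Applications

# Added audit script (not from the article or from Microsoft). Read-only:
# it reports state and changes nothing. Assumptions are marked as such.
param(
    # PLACEHOLDER values: replace with the build numbers Microsoft publishes for
    # the April 2025 (or later) Hotfix Update of your Exchange version.
    [hashtable]$MinimumBuild = @{
        '15.1' = [version]'15.1.0.0'   # Exchange 2016 - replace
        '15.2' = [version]'15.2.0.0'   # Exchange 2019 - replace
    }
)

# Well-known appId of the first-party "Office 365 Exchange Online" application,
# the service principal that classic hybrid setup shares with on-prem Exchange.
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-SharedExchangeSpKeyCredentials {
    # Lists certificates registered on the shared Exchange Online service
    # principal. Hybrid configuration registers the on-prem Exchange auth
    # certificate here; entries that remain after moving to the dedicated
    # hybrid app mean the shared trust path is still usable from on-prem.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'" `
                                 -Property Id, DisplayName, KeyCredentials
    if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }
    $sp.KeyCredentials |
        Select-Object KeyId, DisplayName, Type, Usage, StartDateTime, EndDateTime
    # Removal of stale entries should follow Microsoft's clean-up guidance, not
    # an ad hoc delete: on-prem hybrid features depend on the correct one.
}

function Test-ExchangeServerBuild {
    # Run from the Exchange Management Shell. AdminDisplayVersion exposes
    # Major/Minor/Build/Revision; the key "15.1" or "15.2" selects the minimum.
    foreach ($srv in Get-ExchangeServer) {
        $v       = $srv.AdminDisplayVersion
        $key     = "$($v.Major).$($v.Minor)"
        $current = [version]"$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        $min     = $MinimumBuild[$key]
        [pscustomobject]@{
            Server       = $srv.Name
            Build        = $current
            MinimumBuild = $min
            Compliant    = ($null -ne $min) -and ($current -ge $min)
        }
    }
}

function Get-OnPremEwsRestrictions {
    # Shows whether EWS is enabled org-wide and whether an application
    # allow/block list is enforced (Set-OrganizationConfig -EwsApplicationAccessPolicy
    # EnforceAllowList is one way to narrow EWS to known clients).
    Get-OrganizationConfig |
        Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
}

Write-Host 'KeyCredentials still registered on the shared Exchange Online service principal:'
Get-SharedExchangeSpKeyCredentials | Format-Table -AutoSize

Write-Host 'On-prem Exchange server builds compared with the required minimum:'
Test-ExchangeServerBuild | Format-Table -AutoSize

Write-Host 'Current on-prem EWS restrictions:'
Get-OnPremEwsRestrictions | Format-List
```

Treat a non-empty keyCredentials list, a server reported as not compliant, or `EwsApplicationAccessPolicy` left unset as findings to act on; the script deliberately stops at reporting, because both the service principal clean-up and any EWS block should be made through Microsoft's documented procedure and tested against hybrid features first.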

Closing Insight

The vulnerability revealed at Black Hat underscores how hybrid environments can introduce complex identity risks. With administrative access to a single on‑prem Exchange server, attackers can escalate privileges across the on‑prem and cloud boundary and bypass traditional detection. Now is the time to update, reconfigure, monitor, and harden your hybrid Exchange setup.

Need help auditing or hardening your hybrid Exchange environment?
Kalles Group partners with enterprise teams to secure hybrid identity infrastructure and reduce risk. Get in touch to start a conversation.

Glen Willis is Director of Cyber and Technology at Kalles Group.
Glen advises organizations, from fast-growing startups to global enterprises, on cybersecurity strategy, secure architecture, and hybrid identity design. He is particularly experienced in helping teams navigate complex incidents and strengthen their long-term security posture.
Your future is secured when your business can use, maintain, and improve its technology

Request a free consultation