Monthly summary of interesting articles, reports and tools for tech experts, covering both offensive and defensive topics.

🔴 Red Team

📝 One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens

Dirk-jan Mollema discovered a critical vulnerability (CVE-2025-55241) in Microsoft Entra ID that allowed an attacker to obtain Global Admin privileges in any tenant by combining undocumented « Actor tokens » with a validation flaw in the legacy Azure AD Graph API. Actor tokens requested from an attacker-controlled tenant could be used to impersonate any user, Global Admins included, bypassing security policies such as Conditional Access. The root cause was that Azure AD Graph did not validate which tenant the actor token had been issued for, so changing the tenant ID and the target user's netId in the impersonation token gave cross-tenant access. Attackers could brute-force or harvest netId values to impersonate Global Admins and read tenant data without generating any sign-in or audit logs in the victim tenant.

The vulnerability was especially dangerous because no access to or credentials in the victim tenant were required, only an attacker-controlled tenant, and read access left no trace: only modifying operations produced audit entries, and those entries, with their unusual actor, were the sole detection opportunity. Microsoft patched the issue quickly; the case highlights the risk of legacy APIs and undocumented authentication mechanisms in cloud identity systems.
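To make the root cause concrete, here is an added and deliberately simplified Python model, written for this summary; it is not Microsoft's token format and not code from the post. An identity provider issues a signed actor token scoped to one tenant, the caller wraps it in an unsigned impersonation envelope naming a tenant and a user, and the resource server either trusts the envelope's tenant (the vulnerable pattern) or requires it to match the tenant in the signed actor token (the fix). The key IDP_KEY and the identifiers tenant-attacker, tenant-victim, app-1234 and netid-0042 are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key standing in for the identity provider's key (assumption)
IDP_KEY = b"constructed-idp-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(tenant_id: str, app_id: str) -> str:
    """Identity provider issues an actor token signed with its key and scoped to one tenant."""
    payload = json.dumps({"tid": tenant_id, "appid": app_id}, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def wrap_impersonation(actor_token: str, tenant_id: str, user_id: str) -> str:
    """Caller-built, unsigned envelope: the actor token plus the tenant and user to act as."""
    envelope = {"actor": actor_token, "tid": tenant_id, "nameid": user_id}
    return _b64(json.dumps(envelope, sort_keys=True).encode())


def _verify_actor(actor_token: str) -> dict:
    """Check the issuer signature on the actor token and return its claims."""
    payload_b64, sig_b64 = actor_token.split(".")
    payload = _unb64(payload_b64)
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise PermissionError("actor token signature invalid")
    return json.loads(payload)


def authorize_vulnerable(envelope: str) -> dict:
    """Vulnerable pattern: a genuine actor token is enough; the tenant is taken from the unsigned envelope."""
    env = json.loads(_unb64(envelope))
    actor = _verify_actor(env["actor"])
    return {"tenant": env["tid"], "user": env["nameid"], "app": actor["appid"]}


def authorize_hardened(envelope: str) -> dict:
    """Fixed pattern: the impersonated tenant must be the tenant the actor token was issued for."""
    env = json.loads(_unb64(envelope))
    actor = _verify_actor(env["actor"])
    if env["tid"] != actor["tid"]:
        raise PermissionError("envelope tenant does not match actor token tenant")
    return {"tenant": env["tid"], "user": env["nameid"], "app": actor["appid"]}


def demo() -> dict:
    """Cross-tenant attempt: actor token for the attacker's own tenant, envelope naming a victim-tenant user."""
    actor = issue_actor_token("tenant-attacker", "app-1234")
    envelope = wrap_impersonation(actor, "tenant-victim", "netid-0042")
    outcome = {"vulnerable": authorize_vulnerable(envelope)["tenant"]}
    try:
        authorize_hardened(envelope)
        outcome["hardened"] = "accepted"
    except PermissionError:
        outcome["hardened"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'tenant-victim', 'hardened': 'rejected'}
```

The signature check passes in both servers because the actor token really was issued by the identity provider; the only difference is whether the server binds the caller-supplied tenant to the tenant inside the signed part. That binding is the check the legacy API was missing.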

📌 Source: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens


📝 Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

NVISO’s analysis shows that the Contagious Interview campaign, attributed to DPRK actors, uses legitimate JSON storage services to deliver malware disguised as demo projects for fake job interviews. Victims are approached on LinkedIn by fake recruiters and tricked into running a trojanized Node.js project that fetches obfuscated JavaScript from those services. The payload starts with BeaverTail (an infostealer) and escalates to InvisibleFerret, a modular RAT used for data exfiltration.

The use of trusted platforms and multi-stage obfuscation complicates detection; the targets are software developers and Web3 professionals, and the motive is financial gain. The attackers use Tsunami Installer for persistence and hardcoded .onion addresses for C2 communication, a further instance of legitimate cloud services being abused to evade security controls.

📌 Source: https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery


📝 I’m in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR

New research describes an EDR evasion technique that manipulates Microsoft’s Event Tracing for Windows (ETW) rather than avoiding it. Attackers can inject fabricated events under legitimate provider GUIDs, so the EDR records phantom activity, and can overflow ETW buffers so that real events are dropped or the consumer stops receiving events until reboot.

The result is poisoned telemetry: fake events that bury analysts in false positives and dropped events that hide real activity. Evasion shifts from avoiding events to weaponizing them, forcing defenders to rethink how alerts are validated when the telemetry itself can be deceptive.

📌 Source: Thinkst Scapes 2025 Q3 https://thinkst.com/ts

🔵 Blue Team

🛠️ Entra ID Log Analyzer: Turning Raw Logs into Stories

Entra ID Log Analyzer is a browser-based tool that gives instant insights from exported Entra ID sign-in logs. It parses, enriches and visualizes the authentication data: sign-in outcomes, user-to-IP correlations, high-risk targets and per-user risk scores. Its behavioral analytics surface anomalies such as impossible travel and brute-force attempts, and all processing happens locally in the browser, so no log data leaves the machine.

For defenders this means faster triage and immediate context for suspicious activity without writing KQL or SIEM queries. The analyzer also exports structured data for deeper investigation, which makes it a useful tool for identity threat detection and response (ITDR) and cloud security teams.
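The two anomaly checks named above, as an added Python example that is not the tool's own code: a brute-force detector (repeated failures from one source IP inside a sliding window) and an impossible-travel detector (consecutive successful sign-ins by the same user that would require an implausible speed), plus a crude per-user risk score built from both. The sign-in records are constructed, the field names and geo-IP coordinates are assumptions, and the 900 km/h ceiling is an assumed threshold. Entra ID error code 50126 means an invalid username or password; status 0 is a successful sign-in.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _rec(ts, user, ip, status, lat, lon):
    return {"ts": ts, "user": user, "ip": ip, "status": status, "lat": lat, "lon": lon}


# Constructed sample records (not real log data) with the fields a sign-in log
# analyser would use: timestamp, user, source IP, result code, geo-IP coordinates.
SIGNINS = [
    _rec("2025-11-10T08:00:00Z", "alice@example.com", "203.0.113.10", 0, 52.37, 4.90),    # Amsterdam
    _rec("2025-11-10T08:20:00Z", "alice@example.com", "198.51.100.7", 0, 40.71, -74.01),  # New York, 20 min later
    _rec("2025-11-10T07:30:00Z", "carol@example.com", "203.0.113.44", 0, 51.51, -0.13),   # London
    _rec("2025-11-10T10:30:00Z", "carol@example.com", "203.0.113.45", 0, 48.86, 2.35),    # Paris, 3 h later: plausible
] + [
    _rec(f"2025-11-10T09:0{i}:00Z", "bob@example.com", "192.0.2.5", 50126, 48.86, 2.35)
    for i in range(6)                                                                     # six failures in five minutes
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(records, max_kmh=900.0):
    """Consecutive successful sign-ins by one user whose distance cannot be covered at max_kmh."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"] == 0:
            by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: _ts(r["ts"]))
        for a, b in zip(recs, recs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (_ts(b["ts"]) - _ts(a["ts"])).total_seconds() / 3600
            if km > max_kmh * hours:  # also flags km > 0 with hours == 0, without dividing
                findings.append({"user": user, "from_ip": a["ip"], "to_ip": b["ip"],
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


def brute_force(records, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed sign-ins inside a sliding time window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] != 0:
            by_ip[r["ip"]].append(_ts(r["ts"]))
    findings = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"ip": ip, "failures": len(times),
                                 "first": times[start].isoformat(), "last": times[end].isoformat()})
                break
    return findings


def risk_scores(records):
    """Per-user score: impossible travel weighs more than being the target of a brute-force source."""
    scores = defaultdict(int)
    for f in impossible_travel(records):
        scores[f["user"]] += 50
    noisy_ips = {f["ip"] for f in brute_force(records)}
    for r in records:
        if r["status"] != 0 and r["ip"] in noisy_ips:
            scores[r["user"]] += 5
    return dict(scores)


if __name__ == "__main__":
    print(impossible_travel(SIGNINS))
    print(brute_force(SIGNINS))
    print(risk_scores(SIGNINS))
```

The impossible-travel check compares distance against speed times elapsed time rather than dividing, so two sign-ins with identical timestamps from different places are flagged instead of raising a division error. Real sign-in exports carry geo-IP location rather than coordinates, so a lookup table would sit in front of haversine_km.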

📌 Source: https://cyberdom.blog/entra-id-log-analyzer-turning-raw-logs-into-stories


📝 Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets

Wiz Research’s analysis of the Shai-Hulud 2.0 supply-chain attack describes a high-impact campaign in which the threat actors compromised over 700 npm packages, injecting malicious preinstall scripts that exfiltrate developer and CI/CD secrets to attacker-controlled GitHub repositories, including cross-victim exfiltration. The malware also plants a persistence backdoor, a malicious GitHub Actions workflow (discussion.yaml) that lets the attacker run arbitrary commands in the victim’s repositories. It uses multi-cloud SDKs to harvest credentials from a range of sources.

For blue teams the campaign shows how supply-chain attacks bypass defenses by abusing trusted packages and CI/CD pipelines and by using legitimate platforms for exfiltration. Wiz provides detection and remediation guidance, including IOCs and steps to rotate exposed credentials, so defenders can audit their environments, harden pipelines and monitor for suspicious activity. The scale (25,000+ malicious repos) and the automation (1,000+ new repos every 30 minutes) underline the need for real-time monitoring and least-privilege enforcement.
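One audit a blue team can run immediately, as an added Python example that is not Wiz's tooling: list every dependency under node_modules that declares an npm install-time lifecycle script (the mechanism the malicious preinstall scripts rely on), and flag GitHub Actions workflows named discussion.yaml or triggered by Discussions events. The project tree is constructed in a temporary directory, the package names and commands in it are invented for the fixture, and the workflow trigger check is a text heuristic rather than a full YAML parse.

```python
import json
import re
import tempfile
from pathlib import Path

# Scripts npm runs automatically during `npm install` / `npm ci`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(root: Path):
    """Every package.json under root (node_modules included) with an install-time lifecycle script."""
    hits = []
    for pkg in root.rglob("package.json"):
        try:
            scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts") or {}
        except (json.JSONDecodeError, OSError, AttributeError):
            continue
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append({"package": str(pkg.parent.relative_to(root)),
                             "hook": hook, "command": scripts[hook]})
    return hits


# Captures the value of a top-level `on:` key plus the indented lines beneath it (heuristic)
_ON_BLOCK = re.compile(r"^on:(?P<inline>[^\n]*)\n(?P<block>(?:[ \t]+[^\n]*\n?)*)", re.M)


def find_discussion_workflows(root: Path):
    """Workflows named discussion.yaml or triggered by GitHub Discussions events."""
    hits = []
    for wf in root.rglob(".github/workflows/*.y*ml"):
        text = wf.read_text(encoding="utf-8")
        m = _ON_BLOCK.search(text)
        triggered = bool(m and re.search(r"\bdiscussion\b", m.group("inline") + m.group("block")))
        if wf.name == "discussion.yaml" or triggered:
            hits.append({"workflow": str(wf.relative_to(root)), "discussion_trigger": triggered})
    return hits


def build_fixture() -> Path:
    """Constructed project tree (not a real package set): one clean dependency, one with a
    preinstall hook, one ordinary CI workflow and one Discussions-triggered workflow."""
    root = Path(tempfile.mkdtemp())

    def write(rel, content):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")

    write("package.json", json.dumps({"name": "app", "scripts": {"test": "jest"}}))
    write("node_modules/clean-dep/package.json", json.dumps({"name": "clean-dep", "version": "1.0.0"}))
    write("node_modules/hooked-dep/package.json",
          json.dumps({"name": "hooked-dep", "scripts": {"preinstall": "node install-hook.js"}}))
    write(".github/workflows/ci.yml", "on:\n  push:\n    branches: [main]\njobs: {}\n")
    write(".github/workflows/discussion.yaml",
          "on:\n  discussion:\n    types: [created]\n"
          "jobs:\n  run:\n    runs-on: ubuntu-latest\n"
          "    steps:\n      - run: echo ${{ github.event.discussion.body }}\n")
    return root


if __name__ == "__main__":
    project = build_fixture()
    for hit in find_install_hooks(project):
        print("install hook:", hit)
    for hit in find_discussion_workflows(project):
        print("workflow:", hit)
```

Point the two functions at a real checkout instead of build_fixture() to audit it. Install hooks can also be disabled at the source with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`), which stops any lifecycle script from running at the cost of packages that legitimately need one.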

📌 Source: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack


📝 Hitchhiker’s Guide to Attack Surface Management

Devansh Batham’s « Hitchhiker’s Guide to Attack Surface Management » is a practical resource for blue teams that walks through overlooked attack vectors, from subdomains to IoT devices and social media reconnaissance. It explains how attackers enumerate and exploit assets and highlights real-world risks such as exposed admin panels and hardcoded secrets, serving as a blueprint for proactive defense: prioritize visibility and automate asset discovery before adversaries find the gaps.

The guide’s focus on « unknown unknowns »—assets and misconfigurations that traditional tools miss—makes it ideal for CISOs, SOC analysts, and developers aiming to harden their environment against threats.

📌 Source: https://devansh.bearblog.dev/attack-surface-management

Never trust, always check