The Deep Purple Sec – September 2025

📝 One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens

Dirk-jan Mollema’s article discusses a serious security flaw in Microsoft Entra ID (previously Azure AD) related to undocumented « Actor tokens » used for service communication. The issue arose from the old Azure AD Graph API not checking tenant origins, which allowed an attacker with an Actor token from their own tenant to impersonate any user (including Global Admins) in any other tenant by taking advantage of mismatched tenant IDs and incremental netId values. This bypassed all security measures (like Conditional Access), left no logs in the affected tenants, and allowed full control over the tenant through API changes. Microsoft fixed the problem (CVE-2025-55241) by blocking Actor tokens for the Graph API. Detection depends on KQL queries that identify unusual audit logs (like admin actions initiated by Exchange).

📌 Source: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/

📝 ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT’s Deep Research Agent

Radware researchers found ShadowLeak, a zero-click, server-side attack that uses OpenAI’s ChatGPT Deep Research agent to steal sensitive data (like Gmail inbox contents) through specially crafted emails. The attack uses indirect prompt injection hidden in HTML (like white text on a white background) to avoid detection, along with clever social engineering to bypass the agent’s safety measures. Unlike previous client-side prompt injection issues (like AgentFlayer, EchoLeak), ShadowLeak works entirely within OpenAI’s cloud, making it undetectable by enterprise security. The attack has a 100% success rate by encoding stolen data in Base64 and sending it out using the agent’s browser.open() tool.

Although OpenAI fixed the problem in August 2025, this vulnerability shows the risks in AI agent integrations, as similar methods could target other services (like Outlook, SharePoint, GitHub) to access company data. To prevent this, it’s important to clean input data and watch for unusual agent behavior.

📌 Source: https://www.radware.com/blog/threat-intelligence/shadowleak & https://thehackernews.com/2025/09/shadowleak-zero-click-flaw-leaks-gmail.html

📝 The Phantom Extension: Backdooring chrome through uncharted pathways

Synacktiv researchers found a hidden way to backdoor Chromium-based browsers by loading random extensions without permission, using undocumented methods in Windows domain settings. By changing browser preference files (Preferences or Secure Preferences) and their MAC signatures – using a fixed seed from resources.pak– attackers can add extensions without user consent. This method avoids GPO restrictions through registry changes or fake extension IDs, allowing full control of the browser. This research shows serious risks in enterprise browser security and the need to check the integrity of preference files.

📌 Source: https://www.synacktiv.com/en/publications/the-phantom-extension-backdooring-chrome-through-uncharted-pathways

📝 Canary tokens: Learn all about the unsung heroes of security at Grafana Labs

Grafana Labs recently used canary tokens, which are digital decoys that alert on unauthorized access, to quickly detect and manage a GitHub Action security breach. These simple, valuable alerts (like AWS API keys and fake files) sent an immediate warning when an attacker used a token, allowing the team to contain the issue within minutes.

Although the incident was limited to non-production systems, it showed the importance of strategic token placement (secrets at the organization and repository levels) and integration with alert systems (like Slack through Grafana Cloud IRM). Grafana’s method combined Thinkst’s canary token platform with automated processes, focusing on speed, detailed alerts, and scalable responses to turn detection into action.

The blog encourages wider use, highlighting best practices such as using different token types, automating placement, and having clear incident procedures to improve effectiveness.

📌 Source: https://grafana.com/blog/2025/08/25/canary-tokens-learn-all-about-the-unsung-heroes-of-security-at-grafana-labs

📝 Detecting Password Spraying with Security Event Auditing

Sean Metcalf’s article explains how to spot password spraying attacks in Active Directory (AD) environments using security event auditing. Password spraying is a method where attackers guess passwords slowly across many accounts to avoid getting locked out. The article notes that while Event ID 4625 (logon failures) is often recorded during SMB-based attacks, attackers can avoid detection by using LDAP, which needs Kerberos logging (Event ID 4771, failure code 0x18) to be turned on. Also, Event ID 4648 (explicit credential use) on workstations can show signs of spraying if audit logging is active.

To effectively detect these attacks, it’s important to link high numbers of these events in short periods and check AD user details like lastbadpasswordattempt and badpwdcount for unusual patterns. The article offers practical tips for setting up alerts and using PowerShell scripts to automate detection and response.

📌 Source: https://adsecurity.org/?p=4517

📝 AWS Detection Engineering – Mastering Log Sources for Threat Detection & Architecting Security Logging at Scale

The articles stress the need for a scalable logging and detection system in AWS. They focus on smartly collecting, processing, and linking logs from different regions and accounts. The first article describes a multi-region, multi-account method, which includes cross-region S3 log copying, auto-scaling Kinesis streams, and Lambda functions with reserved capacity to avoid running out of resources—all aimed at managing 10 times the current log amounts and ensuring logs are ready for investigation.

The second article goes further into understanding log sources for detecting threats, stating that just having raw logs is not enough without adding context (like user behavior, threat information, and business details). It points out how AWS services (CloudTrail, VPC Flow Logs, GuardDuty) work together and how correlation tools can reveal complex attack patterns, stressing that good detection depends on integrating data from multiple sources and automating response processes to reduce response time.

Overall, these articles promote a proactive strategy: design for growth, include detection in DevOps processes, and automate responses to turn logs into effective defenses against cyber threats.

📌 Source: https://aws.plainenglish.io/aws-detection-engineering-mastering-log-sources-for-threat-detection-51372da9a17e & https://aws.plainenglish.io/aws-detection-engineering-architecting-security-logging-at-scale-in-aws-d962ec91453a