New AD Lateral Movement Tactics Expose Hybrid Environments

New Active Directory Lateral Movement Tactics Expose Hybrid Environments

The cybersecurity landscape continues to evolve, and not always in your favor. At Black Hat USA 2025, security researchers revealed dangerous new ways attackers are infiltrating hybrid Microsoft environments, undermining trusted defenses like MFA and audit logs in ways that challenge “Detect and Respond” paradigms.

From Detection to Deception

According to a detailed write-up in Cyber Security News, two major attack vectors have emerged:

1. Forged Kerberos Tickets via SSO Key Manipulation
   By injecting backdoor symmetric keys into the OnPremAuthenticationFlowPolicy, attackers can craft Kerberos service tickets for any user—completely bypassing MFA and evading audit detection, even in .onmicrosoft.com environments.

2. Exploit of Exchange Hybrid Certificates for Silent Global Admin Access
   Threat actors have been extracting hybrid Exchange certificates and using them to request Service-to-Service (S2S) tokens from Microsoft's ACS. These tokens carry Global Admin privileges for 24 hours, don’t trigger audit logs, bypass Conditional Access, and cannot be revoked.

Although Microsoft patched some of these flaws in August 2025, risks persist—especially across Exchange and SharePoint environments. Microsoft plans to enforce separation between on-prem and online service principals by October 2025.

Why “Detect and Respond” Falls Short

Even with strong detection tools, attackers exploiting forged tickets or silent tokens can slip by without tripping alarms. Here’s why traditional detection strategies are failing:

• Stealthy abuse of authentication flows leaves no visible markers in audit logs.

• Token-based lateral movement avoids MFA and Conditional Access mechanisms.

• Privilege escalation and impersonation occur without generating alerts.

These are not brute-force password guesses or signature-based attacks that a SOC can easily flag. These are trusted, silent maneuvers hiding in plain sight.

Isolation and Containment: The Game Changer

With the growing sophistication of such attacks, relying solely on detection leaves large gaps. The only reliable defense: isolate and contain threats at the endpoint level before they can traverse the network.

This is where AppGuard comes in.

Why AppGuard Makes the Difference

For over 10 years, AppGuard has been trusted to prevent endpoint compromises by isolating critical system components and enforcing containment—regardless of attacker technique. Now available for commercial use, AppGuard’s approach:

• Blocks unauthorized use of forged tickets or token credentials at the process level.

• Prevents fileless or certificate-based attacks from executing or escalating.

• Maintains strict isolation of privileged processes, even if credentials are compromised.

• Operates silently and proactively—no reliance on detection triggers.

In effect, AppGuard flips the security model: rather than chasing threats post-breach, it neutralizes them at the source.

Conclusion: It’s Time to Move from “Detect and Respond” to “Isolation and Contain”

The new AD lateral movement tactics—bypassing MFA and audit logs through clever policy and certificate abuse—underscore the limitations of detection-first strategies. Isolation-based protection is no longer optional—it’s mission-critical.

If your organization relies on hybrid Active Directory or Microsoft 365 infrastructure, especially with Exchange Online and SharePoint in the mix, AppGuard offers a robust safeguard against these evasive attacks.

Call to Action:

Business owners, talk with us at CHIPS about how AppGuard can stop incidents like these before they begin. It's time to transition from “Detect and Respond” to “Isolation and Containment.” Let’s secure your endpoints today.

Like this article? Please share it with others!