Introduction
This ThreatsDay Bulletin drops multiple critical vulnerabilities affecting cloud identity and AI security infrastructure. We're seeing active exploitation of Azure privilege escalation vectors, Microsoft 365 MFA bypass techniques (dubbed "Kali365"), and emerging threats targeting AI assistant security plugins. These aren't theoretical attacks—threat actors are actively chaining these techniques to turn minor footholds into complete account compromise. If you're running Azure AD/Entra ID, Microsoft 365, or deploying AI security tooling, you need to act now.
Technical Analysis
Azure Privilege Escalation (Azure Priv-Esc)
Affected Products: Microsoft Azure, Entra ID (formerly Azure AD), Azure Active Directory Domain Services
Vulnerability Summary: A privilege escalation technique allows attackers with low-level application permissions to escalate to Global Administrator privileges through misconfigured service principals and token manipulation.
Attack Chain:
- Attacker compromises a low-privileged service principal or application registration
- Exploits token issuance vulnerabilities in OAuth 2.0 flows
- Elevates privileges by adding malicious credentials to existing service principals
- Persists via hidden app registrations and consent grants
Exploitation Status: Confirmed active exploitation in cloud environments. Not yet added to CISA KEV but should be treated as critical.
Kali365 MFA Bypass
Affected Products: Microsoft 365, Azure Active Directory, Active Directory Federation Services (ADFS)
Vulnerability Summary: A multi-factor authentication bypass technique targeting Microsoft 365 authentication flows, allowing attackers to bypass MFA through manipulation of session tokens and authentication protocols.
Attack Chain:
- Attacker obtains valid username/password via credential harvesting or phishing
- Intercepts or replays authentication session tokens
- Exploits weaknesses in the authentication protocol to skip MFA verification
- Establishes persistent access through token refresh abuse
Exploitation Status: Active exploitation observed in targeted phishing campaigns and credential stuffing attacks.
Claude Security Plugin Vulnerability
Affected Products: Claude AI Security Plugins (various third-party implementations)
Vulnerability Summary: Security plugins for Claude AI assistant contain vulnerabilities that allow for prompt injection, data exfiltration, and potential execution of unauthorized commands through the AI interface.
Attack Chain:
- Attacker identifies vulnerable plugin implementation
- Crafts malicious prompts exploiting plugin permissions
- Bypasses security controls through prompt manipulation
- Exfiltrates sensitive data or executes unauthorized actions
Exploitation Status: Proof-of-concept code available; exploitation in the wild confirmed for plugin-specific attacks.
Detection & Response
SIGMA Rules
YAML
---
title: Azure AD Privilege Escalation via Service Principal Modification
id: 8c4f3b2a-1d9e-4f5c-9b8a-7d6e5f4c3b2a
status: experimental
description: Detects suspicious modifications to service principals that may indicate privilege escalation attempts in Azure AD.
references:
- https://attack.mitre.org/techniques/T1136/
- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults
author: Security Arsenal
date: 2026/05/13
tags:
- attack.privilege_escalation
- attack.t1136
- attack.persistence
- attack.t1098
logsource:
product: azure
definition: 'Requirement: Azure AD Sign-in and Audit logs must be forwarded to SIEM'
detection:
selection:
Category: 'ApplicationManagement'
OperationName|contains:
- 'Add service principal credentials'
- 'Update service principal'
- 'Add app role assignment to service principal'
filter:
InitiatedBy|contains:
- 'Microsoft'
- 'AzurePortal'
- 'KnownAdmin'
condition: selection and not filter
falsepositives:
- Legitimate application updates by authorized administrators
- Automated service principal rotations by Microsoft services
level: high
---
title: Microsoft 365 MFA Bypass Detection via Anomalous Token Usage
id: 9d5e4c3b-2e0f-5g6d-0c9b-8e7f6d5e4c3b
status: experimental
description: Detects potential MFA bypass attempts through anomalous token refresh patterns and authentication anomalies.
references:
- https://attack.mitre.org/techniques/T1078/
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
author: Security Arsenal
date: 2026/05/13
tags:
- attack.initial_access
- attack.t1078
- attack.credential_access
- attack.t1552
logsource:
product: azure
definition: 'Requirement: Azure AD Sign-in logs must be forwarded to SIEM'
detection:
selection:
Category: 'SignInLogs'
AuthenticationRequirement|contains:
'singleFactorAuthentication'
ConditionalAccessStatus|contains:
'success'
timeframe: 1h
condition: selection | count() > 5
falsepositives:
- Legitimate users with MFA exceptions
- Service accounts with explicit MFA exemptions
- Break-glass accounts during incident response
level: high
---
title: Claude AI Plugin Prompt Injection and Data Exfiltration
id: 0e1f2d3c-4b5a-6c7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects potential prompt injection attacks targeting Claude AI security plugins through anomalous API patterns.
references:
- https://attack.mitre.org/techniques/T1059/
- https://docs.anthropic.com/claude/reference
author: Security Arsenal
date: 2026/05/13
tags:
- attack.execution
- attack.t1059
- attack.exfiltration
- attack.t1041
logsource:
category: webserver
definition: 'Requirement: Web server logs or API gateway logs must capture Claude plugin interactions'
detection:
selection:
cs-uri-query|contains:
- 'Claude-Plugin'
- 'anthropic-plugin'
injection:
cs-uri-query|contains:
- 'ignore previous instructions'
- 'system: override'
- 'developer: bypass'
- '<script>'
exfiltration:
cs-method: 'POST'
cs-uri-query|re: '.*(base64|hex|encode).*data.*'
condition: selection and (injection or exfiltration)
falsepositives:
- Legitimate developers testing plugin functionality
- Security researchers authorized to test AI systems
level: high
KQL (Microsoft Sentinel / Defender)
KQL — Microsoft Sentinel / Defender
-- Azure AD Privilege Escalation Detection
let timeframe = 1h;
AzureActivity
| where Category == "ApplicationManagement"
| where OperationName in ("Add service principal credentials", "Update service principal", "Add app role assignment to service principal")
| where TimeGenerated > ago(timeframe)
| where not(InitiatedBy has "Microsoft" or InitiatedBy has "AzurePortal")
| project TimeGenerated, OperationName, Caller, CallerIpAddress, TargetResource, Properties
| summarize count() by OperationName, Caller, CallerIpAddress
| where count_ > 3
| extend Severity = "High"
| order by count_ desc;
-- Microsoft 365 MFA Bypass Detection
let timeframe = 1h;
SigninLogs
| where TimeGenerated > ago(timeframe)
| where AuthenticationRequirement == "singleFactorAuthentication"
| where ConditionalAccessStatus == "success"
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, AppDisplayName, ClientAppUsed, DeviceDetail, Location
| summarize count() by UserPrincipalName, AppDisplayName, Location
| where count_ > 5
| extend Severity = "High"
| order by count_ desc;
-- Claude AI Plugin Anomaly Detection
let timeframe = 1h;
AWSCloudTrail
| where TimeGenerated > ago(timeframe)
| where EventSource == "anthropic Claude" or EventSource contains "claude"
| where eventName contains "Plugin"
| parse eventSource with *"Claude-Plugin"* plugin_name
| where requestParameters contains "ignore" or requestParameters contains "override" or requestParameters contains "bypass"
| project TimeGenerated, SourceIPAddress, UserIdentity, eventName, requestParameters, responseElements
| extend Severity = "High"
| order by TimeGenerated desc;
Velociraptor VQL
VQL — Velociraptor
-- Hunt for Azure CLI authentication anomalies
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'az.exe'
AND (CommandLine =~ '.*ad sp credential.*'
OR CommandLine =~ '.*ad app permission.*'
OR CommandLine =~ '.*role assignment create.*')
AND CreateTime > now() - 1h
-- Hunt for suspicious M365 authentication token files
SELECT FullPath, Size, Mtime, Atime, Btime
FROM glob(globs='C:/Users/*/AppData/Local/Microsoft/*/TokenCache/*.bin')
WHERE Mtime > now() - 1h
-- Hunt for Claude AI plugin configuration files
SELECT FullPath, Size, Mtime, Atime, Btime, Mode
FROM glob(globs='C:/Users/*/.claude/**/*', globs='/home/*/.claude/**/*')
WHERE Mtime > now() - 1h
AND (FullPath =~ '.*plugin.*' OR FullPath =~ '.*config.*')
Remediation Script (PowerShell)
PowerShell
# Azure AD Privilege Escalation Remediation
# Check for suspicious service principals
Write-Host "Checking for suspicious service principals..." -ForegroundColor Yellow
$suspiciousPrincipals = Get-AzureADServicePrincipal -All $true |
Where-Object { $_.AppId -notlike "Microsoft*" -and $_.DisplayName -notlike "Microsoft*" }
foreach ($principal in $suspiciousPrincipals) {
$credentials = Get-AzureADServicePrincipalPasswordCredential -ObjectId $principal.ObjectId
$appRoles = Get-AzureADServicePrincipalAppRoleAssignment -ObjectId $principal.ObjectId
if ($credentials.Count -gt 5 -or $appRoles.Count -gt 3) {
Write-Host "Suspicious service principal found: $($principal.DisplayName) (ID: $($principal.ObjectId))" -ForegroundColor Red
Write-Host " Credentials: $($credentials.Count)" -ForegroundColor Red
Write-Host " App Role Assignments: $($appRoles.Count)" -ForegroundColor Red
}
}
# Enable Conditional Access for MFA enforcement
Write-Host "Ensuring Conditional Access policies for MFA enforcement..." -ForegroundColor Yellow
$mfaPolicies = Get-AzureADMSConditionalAccessPolicy | Where-Object { $_.DisplayName -like "*MFA*" }
if ($mfaPolicies.Count -eq 0) {
Write-Host "No MFA Conditional Access policies found. Creating baseline policy..." -ForegroundColor Red
# Create baseline MFA policy
New-AzureADMSConditionalAccessPolicy -DisplayName "SecurityArsenal Baseline MFA Policy" `
-State "Enabled" `
-Conditions @{
Applications = @{ IncludeApplications = @("All") }
Users = @{ IncludeUsers = @("All") }
} `
-GrantControls @{
BuiltInControls = @("mfa")
Operator = "OR"
}
Write-Host "Baseline MFA policy created." -ForegroundColor Green
} else {
Write-Host "Found $($mfaPolicies.Count) MFA policies." -ForegroundColor Green
}
# Review and remediate legacy authentication
Write-Host "Checking for legacy authentication usage..." -ForegroundColor Yellow
$legacyAuthEvents = Get-AzureADAuditSignInLogs -Filter "authenticationRequirement eq 'singleFactorAuthentication'" `
-Top 100 `
| Where-Object { $_.ClientAppUsed -in @("Exchange ActiveSync", "Other", "IMAP4", "POP3") }
if ($legacyAuthEvents.Count -gt 0) {
Write-Host "Found $($legacyAuthEvents.Count) legacy authentication attempts. Consider blocking." -ForegroundColor Red
Write-Host "Users with legacy auth:" -ForegroundColor Red
$legacyAuthEvents | Select-Object -Unique UserPrincipalName | Format-Table -AutoSize
}
# Review Claude plugin permissions
Write-Host "Reviewing AI plugin configurations..." -ForegroundColor Yellow
# Check for plugin configuration files in common locations
$pluginPaths = @(
"$env:USERPROFILE\.claude",
"$env:APPDATA\Claude",
"$env:LOCALAPPDATA\Claude"
)
foreach ($path in $pluginPaths) {
if (Test-Path $path) {
Write-Host "Found Claude configuration at: $path" -ForegroundColor Cyan
# Check for plugin directories
$pluginDirs = Get-ChildItem -Path $path -Directory -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Name -like "*plugin*" -or $_.Name -like "*extension*" }
foreach ($dir in $pluginDirs) {
Write-Host " Plugin directory: $($dir.FullName)" -ForegroundColor Cyan
# Check for sensitive configuration files
$configFiles = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue |
Where-Object { $_.Extension -in @(".", ".yaml", ".yml", ".config") }
foreach ($file in $configFiles) {
Write-Host " Config file: $($file.FullName)" -ForegroundColor Cyan
# Review file content for API keys or sensitive data
$content = Get-Content $file.FullName -Raw -ErrorAction SilentlyContinue
if ($content -match "api[_-]?key" -or $content -match "secret" -or $content -match "token") {
Write-Host " WARNING: Potential sensitive data found in $($file.Name)" -ForegroundColor Red
}
}
}
}
}
Write-Host "Remediation script completed." -ForegroundColor Green
Remediation Script (Bash)
Bash / Shell
#!/bin/bash
# Azure CLI Privilege Escalation Remediation
set -e
echo "[+] Checking for Azure CLI installation..."
if ! command -v az &> /dev/null; then
echo "[!] Azure CLI not found. Please install it first."
exit 1
fi
echo "[+] Authenticating to Azure..."
az login --output none
echo "[+] Checking for suspicious service principals..."
suspicious_count=0
while IFS= read -r sp; do
sp_id=$(echo "$sp" | jq -r '.id')
sp_name=$(echo "$sp" | jq -r '.displayName')
# Check for non-Microsoft service principals with excessive credentials
credential_count=$(az ad sp credential list --id "$sp_id" --query "length([])" -o tsv)
# Check for app role assignments
role_count=$(az ad app role assignment list --filter "resourceId eq '$sp_id'" --query "length([])" -o tsv 2>/dev/null || echo "0")
if [[ "$credential_count" -gt 5 ]] || [[ "$role_count" -gt 3 ]]; then
echo "[!] Suspicious service principal: $sp_name (ID: $sp_id)"
echo " Credentials: $credential_count, Role Assignments: $role_count"
((suspicious_count++))
fi
done < <(az ad sp list --filter "appId ne '00000002-0000-0000-c000-000000000000'" --output | jq -c '.[]')
if [[ $suspicious_count -eq 0 ]]; then
echo "[+] No suspicious service principals found."
fi
echo "[+] Checking for users without MFA enabled..."
users_without_mfa=$(az ad user list --query "[?assignedPlans[?service=='aadpremium']].userPrincipalName" -o tsv | wc -l)
echo "[+] Total users with premium licenses: $users_without_mfa"
echo "[+] Checking Conditional Access policies..."
ca_policies=$(az ad conditional-access policy list --query "[?state=='enabled'].displayName" -o tsv | wc -l)
echo "[+] Enabled Conditional Access policies: $ca_policies"
if [[ $ca_policies -eq 0 ]]; then
echo "[!] No Conditional Access policies found. This is critical!"
echo "[!] Consider creating a baseline MFA policy."
fi
echo "[+] Checking for legacy authentication settings..."
legacy_auth=$(az ad policy show --id "b633a6a4-9753-445b-9390-278cc6e90904" --query "displayName" -o tsv 2>/dev/null || echo "Not configured")
echo "[+] Legacy authentication block policy: $legacy_auth"
echo "[+] Checking for recent sign-in anomalies..."
anomalous_signins=$(az monitor activity-log list --max-events 100 --query "[?operationName.value=='Microsoft.Authorization/policyAssignments/write'].length" -o tsv 2>/dev/null || echo "0")
echo "[+] Recent policy assignment changes: $anomalous_signins"
echo "[+] Remediation script completed."
Remediation
Azure Privilege Escalation
Immediate Actions:
-
Review Service Principals: Audit all service principals in your Azure AD tenant using the PowerShell script above. Remove any unauthorized or suspicious service principals.
-
Conditional Access Enforcement: Implement Conditional Access policies to require MFA for all privileged operations. Configure policies specifically for:
- Role elevation attempts
- Service principal credential management
- App role assignments
-
Least Privilege: Apply least privilege principles to all service principals and application registrations.
Configuration Changes:
- Enable "Security defaults" in Azure AD if not already enabled
- Block legacy authentication protocols (IMAP, POP, SMTP, Exchange ActiveSync)
- Require multi-factor authentication for all privileged roles
- Enable "Require admin approval" for app registrations
Official Vendor Advisory:
Workaround (if patch unavailable):
- Disallow creation of new service principals for non-admin users
- Require manual approval for all application permissions
- Monitor Azure AD audit logs for suspicious service principal activity
Kali365 MFA Bypass
Immediate Actions:
-
Review MFA Exclusions: Audit all MFA exclusion policies and remove unnecessary exemptions.
-
Implement Per-User MFA: Ensure MFA is enforced for all privileged accounts, even if Conditional Access is in place.
-
Session Token Monitoring: Implement monitoring for abnormal token refresh patterns.
Configuration Changes:
- Enable "Security defaults" in Azure AD
- Configure Conditional Access policies to block legacy authentication
- Implement "Report-only" mode for new Conditional Access policies before enforcement
- Enable "Risky sign-ins" and "Risky users" Identity Protection features
Official Vendor Advisory:
Workaround (if patch unavailable):
- Implement additional authentication factors (hardware keys, FIDO2)
- Enable continuous access evaluation for sensitive applications
- Require re-authentication for privileged operations
- Implement location-based Conditional Access policies
Claude Security Plugin
Immediate Actions:
-
Audit Plugin Permissions: Review all Claude AI security plugins and their permissions.
-
Plugin Validation: Verify the authenticity and security of all installed plugins.
-
Input Validation: Implement strict input validation for AI plugin interfaces.
Configuration Changes:
- Restrict plugin permissions to minimum necessary
- Implement rate limiting for API calls to Claude
- Enable logging for all plugin interactions
- Implement sandboxing for plugin execution
Official Vendor Advisory:
Workaround (if patch unavailable):
- Disable all third-party plugins until validated
- Implement allowlist for approved plugins
- Implement input sanitization for AI prompts
- Enable audit logging for all plugin interactions
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionazuremfa-bypassclaude-plugin
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.