DigiNews

Tech Watch by Johan Denoyer


Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found

Quality: 9/10 Relevance: 9/10

Summary

TrustedSec's Nyxgeek reports two additional Azure Entra ID sign-in log bypasses (GraphGoblin and a fourth variant) that can yield tokens without producing sign-in log entries. The piece reviews the earlier bypasses, GraphNinja and GraphGhost, details how the bypasses work via OAuth2 token flows, and presents detection approaches using KQL and session/token identifiers. It also discusses CVSS scoring and Microsoft MSRC handling, and notes that Microsoft patched these issues quickly after demo videos and reporting.
