Researchers at Mandiant have detailed a stealthy way for attackers to forge Microsoft logins by recovering an active identity signing key that a common misconfiguration leaves exposed on disk. The technique targets Active Directory Federation Services (ADFS), the on premises component many organizations use to sign users into cloud apps, and it revives a long standing attack known as Golden SAML, in which an attacker who steals the ADFS token signing key can mint a valid login token for any user.
With that key, an attacker can authenticate as anyone to any federated application, including Microsoft 365 and Entra ID, and sail straight past multifactor authentication and conditional access, because to the identity provider the forged token looks completely legitimate. Golden SAML was first described by CyberArk in 2017 and further documented by Mandiant in 2021; the new twist, disclosed by Mandiant's Shebin Mathew, is where the live key can hide.
The ghost certificate
In environments where automatic certificate rollover is turned off and administrators rotate the ADFS signing certificate by hand, the service can quietly drift out of sync. The ADFS configuration database keeps pointing at an old, expired certificate (the ghost), while the certificate actually used to sign tokens lives elsewhere on the system. Tools that follow the usual extraction path read that database and walk away with the wrong, useless key. The real signing key sits in the machine scoped cryptographic store, protected by Windows Machine DPAPI, and recovering it requires SYSTEM level access rather than a normal user logon session.
Mandiant notes the technique is worth attention because the underlying configuration is common in enterprises, and because it avoids touching heavily monitored components such as the LSASS process, it may generate less alarm depending on an organization's telemetry.
What defenders should do
This is a hardening problem, not a bug with a single patch. Re enable automatic certificate rollover, or make sure the ADFS configuration database is updated whenever a certificate is rotated by hand. Treat Windows Event ID 385, which flags certificate validity drift in ADFS, as a signal worth investigating rather than noise. Tightly control SYSTEM level access to ADFS servers, and watch federated sign ins for tokens that were not issued through a normal authentication. The stakes are the same identity bypass that has powered earlier intrusions, from session hijacking that defeats MFA to the quiet theft of cloud access tokens.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.