The vulnerability involves a cross-tenant authentication flaw affecting Entra ID integrations – attackers could execute full account takeover with just access to an Entra tenant and the victim's email.
The report explains that the attack is a low-complexity, low-effort one that bypasses even multi-factor authentication (MFA), conditional access policies and zero-trust security architecture – all things that are generally characteristics of companies with strong cybersecurity postures.
Additionally, attackers can get away without leaving much trace, and the Entra ID vulnerability cannot be defended against without vendor-side fixes.
More Info