fwd:cloudsec Europe 2025

Breaking Syncs - Hijacking Identities Through Entra Connect Synchronization
2025-09-15, Main Room

In this talk, we unveil attack techniques and vulnerabilities —SyncJacking and SoftMatching Abuse—that exploit inherent weaknesses in Microsoft Entra Connect’s synchronization mechanisms to hijack or impersonate cloud identities in hybrid environments. These techniques abuse architectural trust assumptions between Active Directory and Microsoft Entra ID (formerly Azure AD), enabling attackers with limited access to gain unauthorized control over cloud accounts.

SyncJacking, a vulnerability in the Hard Matching process, allows an attacker to forcibly associate a cloud-only identity with an on-premises account under their control—without modifying source anchors or triggering alerts. This stealthy takeover method was confirmed as a valid security issue by Microsoft’s MSRC, which is actively working on a fix.

SoftMatching Abuse targets the second half of the Entra Connect synchronization model. By exploiting overlooked weaknesses in the Soft Matching process, attackers can maliciously link accounts, revive orphaned identities, and persist across tenants with minimal footprint.

This session will feature live demonstrations and practical tooling to showcase how both vulnerabilities can be leveraged end-to-end—from reconnaissance to exploitation and privilege escalation. Attendees will gain both red team insights and defensive strategies for securing hybrid identity synchronization.

Tomer Nahum is a Security Researcher at Semperis, where he works on discovering new attacks, and defenses against them, in on-prem identity stacks such as Active Directory as well as in cloud identity systems. Tomer was awarded Most Valuable Researcher (MVR) in 2023 by the Microsoft Security Response Center (MSRC).