vuln disclosure
Authentication Bypass in Microsoft Defender for Endpoint Cloud Communication Allows Command HijackingMicrosoft Defender for Endpoint Cloud Communication Authentication Bypass
Researchers discovered that Microsoft Defender for Endpoint's cloud backend does not validate authentication tokens on several endpoints, allowing an attacker with a machine ID and tenant ID to hijack incident response commands. This enables interception of commands like host isolation, spoofing of responses, and planting malicious files in investigation packages. Microsoft classified the issue as low severity and has not committed to a fix.