50,000+ Azure AD Users Exposed via Unsecured API: BeVigil Uncovers Critical Flaw

An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe.

May 30, 2025 | Green Alert | Last update posted on May 30, 2025
Author: Niharika Ray

CloudSEK’s BeVigil platform recently identified a critical security lapse on a publicly accessible subdomain of an aviation giant. The vulnerability stemmed from an exposed JavaScript file that referenced an unauthenticated API endpoint. That endpoint handed out Microsoft Graph access tokens with elevated privileges, ultimately exposing sensitive data belonging to more than 50,000 Azure AD users.

What Went Wrong

BeVigil’s API Scanner found that a JavaScript bundle served from one of the organization’s subdomains contained a hardcoded backend endpoint that could be called without any authentication. That endpoint returned a Microsoft Graph API access token carrying excessive permissions, specifically User.Read.All and AccessReview.Read.All. Both are tenant-wide permissions that require administrator consent in Azure AD (Entra ID): the first reads the full profile of every user in the directory, the second the organization’s access review (identity governance) data. A token carrying them should never be obtainable by an unauthenticated caller, let alone be handed to a browser.

Using this token, an attacker could query Microsoft Graph endpoints to retrieve detailed employee information, including names, job titles, contact details, reporting structures, and even access review configurations. Such exposure not only undermines user privacy but also opens the door to privilege escalation, identity theft, and targeted phishing campaigns, especially since executive-level data was also exposed.
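Reading the claims of a leaked token is the first thing a responder does, and it answers the questions that matter here: is the token app-only (acting as the application, with tenant-wide reach) or delegated, which permissions does it carry, and how long does it stay usable. The Python below is an added example, not code from the original post or from BeVigil. The token it inspects is a constructed sample with an empty signature whose app and tenant IDs are placeholders, and the high-impact permissions beyond the two named above are this example’s own list.

```python
import base64
import json
import time
from typing import Optional

# Microsoft Graph's accepted audience values: the resource URI or its well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Permissions that give tenant-wide read (or write) of the directory. The first two
# are the ones named in the post; the rest are this example's own additions.
HIGH_IMPACT_PERMISSIONS = {
    "User.Read.All", "AccessReview.Read.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    This is inspection, not validation: Graph validates its own tokens, and a
    responder looking at a leaked one only needs to read what it grants.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def assess_graph_token(token: str, now: Optional[float] = None) -> dict:
    """Summarise what a leaked Graph token can do and how long it stays usable."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))          # application permissions
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    app_only = bool(roles) and not scopes         # no signed-in user behind it
    high_impact = bool((roles | scopes) & HIGH_IMPACT_PERMISSIONS)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if app_only:
        findings.append("app-only token: acts as the application across the whole tenant")
    for perm in sorted((roles | scopes) & HIGH_IMPACT_PERMISSIONS):
        findings.append(f"high-impact permission {perm}")
    return {
        "app_id": claims.get("appid"),
        "tenant_id": claims.get("tid"),
        "app_only": app_only,
        "permissions": sorted(roles | scopes),
        # Bearer access tokens cannot be revoked; this is how long the leak stays live.
        "seconds_until_expiry": int(claims.get("exp", 0) - now),
        "findings": findings,
        "risk": "critical" if app_only and high_impact else "high" if high_impact else "low",
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a structurally valid JWT with an empty signature.

    Constructed for offline use only: a real Graph token is RS256-signed by
    Azure AD, and nothing here is a way to forge one.
    """
    return f"{_b64url_encode({'typ': 'JWT', 'alg': 'none'})}.{_b64url_encode(claims)}."


# Constructed stand-in for the token in the post's screenshot: app-only, carrying
# the two permissions named above. IDs and timestamps are placeholders.
SAMPLE_LEAKED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-2222-3333-4444-555555555555",
    "idtyp": "app",
    "roles": ["User.Read.All", "AccessReview.Read.All"],
    "iat": 1748588400,
    "exp": 1748592000,
})

if __name__ == "__main__":
    print(json.dumps(assess_graph_token(SAMPLE_LEAKED_TOKEN, now=1748588400), indent=2))
```

The distinction the script draws between a `roles` claim (application permission, no user context) and an `scp` claim (delegated, bounded by what the signed-in user may see) is what separates "one employee’s profile leaked" from "the whole directory is readable", and the expiry figure is what tells you how long the token keeps working after the endpoint is taken down.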

Scale and Severity

The impact is far-reaching. Data associated with over 50,000 users was accessible, and the endpoint continued to return records for newly added users. Among the exposed information were personal identifiers, user principal names, access role assignments, and other governance details. The exposure of this magnitude significantly increases the organization’s attack surface and introduces compliance risks under frameworks such as GDPR and CCPA.

Security and Compliance Implications

  • Unauthorized Data Access: Attackers could exploit the API to retrieve confidential employee records directly from Azure AD.
    Snapshot of the Vulnerable API Endpoint
  • Token Misuse: The leaked token could grant unrestricted visibility into internal directory structures and governance decisions.
    Snapshot of the Generated Authorization Token
  • Executive Exposure: The data of senior leadership was accessible, making them high-value targets for impersonation or social engineering.
    Snapshot of Executive Data Exposure
  • Regulatory Violations: The exposure of personally identifiable information without proper safeguards raises serious compliance concerns. Data breaches erode user trust and can lead to long-term reputational harm and operational disruption.

Recommended Remediations

BeVigil recommended that the following actions be implemented as a priority:

  1. Disable Public API Access: Restrict the vulnerable endpoint and enforce strict authentication controls.
  2. Revoke Compromised Tokens: Invalidate exposed tokens and rotate affected credentials. Graph access tokens are bearer tokens that stay valid until they expire (typically about an hour) and cannot be revoked individually, so the practical step is to rotate the client secret or certificate of the app registration behind the endpoint so that no further tokens can be minted, and to revoke refresh tokens if a delegated flow was involved.
  3. Enforce Least Privilege: Review and limit token scopes to only what is necessary.
  4. Monitor API Usage: Implement logging and alerting to detect abnormal Microsoft Graph activity.
  5. Secure Front-End Code: Avoid embedding sensitive endpoints or token logic in client-side scripts.
  6. Review Permissions and Roles: Audit all Azure AD roles and access reviews to eliminate overprovisioned permissions.
  7. Implement Rate Limiting: Protect API endpoints with rate controls and anomaly detection.
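For item 4, one way to turn "abnormal Microsoft Graph activity" into concrete detection logic, as an added example that is not part of BeVigil’s recommendations: the records below are constructed, their field names follow the MicrosoftGraphActivityLogs table that Azure Monitor exposes for Graph traffic (Roles, Scopes, UserId, IPAddress, RequestUri, TimeGenerated), and the backend egress IP, the thresholds and the app ID are assumptions. Two rules are applied: the app’s app-only token being used from an address other than the backend that legitimately holds its client secret, and paging through the /users collection at enumeration speed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumption: the only place this app's client secret lives is the organisation's
# own backend, so app-only Graph calls from any other source address are suspect.
EXPECTED_EGRESS_IPS = {"198.51.100.10"}
SENSITIVE_PREFIXES = ("/v1.0/users", "/beta/users", "/v1.0/identityGovernance/accessReviews")
COLLECTION_PATHS = {"/v1.0/users", "/beta/users"}   # listing everyone, not one user
ENUM_THRESHOLD = 5                                   # pages from one (app, IP) pair ...
ENUM_WINDOW = timedelta(minutes=5)                   # ... inside this window = enumeration

GRAPH = "https://graph.microsoft.com"
APP_ID = "11111111-2222-3333-4444-555555555555"      # placeholder app registration


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _record(ts: str, ip: str, uri: str, user_id: str = "") -> dict:
    """Constructed log record in the shape of MicrosoftGraphActivityLogs."""
    return {"TimeGenerated": ts, "AppId": APP_ID, "IPAddress": ip, "UserId": user_id,
            "Roles": "User.Read.All AccessReview.Read.All", "Scopes": "",
            "RequestMethod": "GET", "RequestUri": uri, "ResponseStatusCode": 200}


# Two legitimate single-user lookups from the backend, then an outside address
# walking the whole directory with $skiptoken paging inside one minute.
SAMPLE_LOGS = [
    _record("2025-05-30T07:00:01Z", "198.51.100.10", f"{GRAPH}/v1.0/users/alice@example.com"),
    _record("2025-05-30T07:00:40Z", "198.51.100.10", f"{GRAPH}/v1.0/users/bob@example.com/manager"),
] + [
    _record(f"2025-05-30T07:01:{s:02d}Z", "203.0.113.7",
            f"{GRAPH}/v1.0/users?$top=999&$skiptoken=page{i}")
    for i, s in enumerate((0, 10, 20, 30, 40, 50))
]


def is_app_only(rec: dict) -> bool:
    """A Roles claim with no user behind the request means client-credentials use."""
    return bool(rec.get("Roles")) and not rec.get("UserId")


def path_of(rec: dict) -> str:
    return urlparse(rec["RequestUri"]).path.rstrip("/")


def detect(records: list) -> list:
    """Return alerts for app-only directory reads from unexpected IPs and for enumeration."""
    alerts = []
    flagged_sources = set()
    listing_times = defaultdict(list)
    for rec in records:
        if not is_app_only(rec) or not path_of(rec).startswith(SENSITIVE_PREFIXES):
            continue
        key = (rec["AppId"], rec["IPAddress"])
        if rec["IPAddress"] not in EXPECTED_EGRESS_IPS and key not in flagged_sources:
            flagged_sources.add(key)
            alerts.append({"rule": "app_token_from_unexpected_ip", "app_id": key[0],
                           "ip": key[1], "first_uri": rec["RequestUri"]})
        if path_of(rec) in COLLECTION_PATHS:
            listing_times[key].append(_ts(rec["TimeGenerated"]))
    # Sliding window over collection listings per (app, IP): the peak count inside
    # ENUM_WINDOW is what distinguishes paging the directory from a stray lookup.
    for (app_id, ip), times in listing_times.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > ENUM_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= ENUM_THRESHOLD:
            alerts.append({"rule": "directory_enumeration", "app_id": app_id,
                           "ip": ip, "requests_in_window": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The first rule is the cheap one and would have fired on the very first request made with a token pulled from the browser; the second catches the pattern that produced "over 50,000 users" in the first place, since reading a whole directory through Graph means paging the /users collection many times in quick succession. The same two conditions translate directly into a scheduled KQL query over the MicrosoftGraphActivityLogs table.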

Final Thoughts

This incident underscores the importance of securing front-end components and ensuring that sensitive backend services are never directly exposed. Organizations must proactively monitor their digital infrastructure and enforce strict access controls to protect user data and maintain regulatory compliance. Vigilance at every layer of the tech stack is not just best practice, it is essential for safeguarding trust in today’s interconnected world.
