azure-ad-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed plaintext passwords and tokens into command lines and Authorization headers (e.g., --password 'Spring2024!', -p 'password', curl -H "Authorization: Bearer $TOKEN", client_secret/{new-secret}), which requires the agent to handle and output secret values verbatim, creating high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is an explicit attacker playbook: it provides step‑by‑step instructions for credential theft (password spraying, phishing), token/PRT extraction and replay, Service Principal/app secret/certificate backdoors (addPassword/addKey), admin‑consent phishing, role assignment escalation, Azure AD Connect/DCSync abuse, managed‑identity token misuse and other lateral‑movement/persistence techniques intended to enable unauthorized access and data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs runtime calls to external tenant/public endpoints (e.g., https://graph.microsoft.com and https://login.microsoftonline.com) to fetch user/app/servicePrincipal data and audit logs that the agent is expected to read and use to decide follow-up actions (enumeration, addPassword, role assignments), so untrusted third‑party content can materially influence behavior.