<p>🚨 OuttaTune — The Microsoft Intune Conditional Access bypass I reported is now officially closed by MSRC (again).</p><p>It began as “By Design”… then was reclassified as a Moderate severity vulnerability… led to a product group meeting… and ultimately forced Microsoft to revise their official Conditional Access guidance.</p><p>Yet now it’s closed - with no fix timeline, no CVE, and no researcher credit. 🤷‍♂️<br>Let’s unpack it. 👇</p><p>⸻</p><p>🔍 The Issue<br>Intune lets you apply Conditional Access policies using device filters - say, “block access to Office 365 from DevBox VMs.”</p><p>But that device model? It’s just a registry key.<br>A local admin can change one line, sync the device, and suddenly it’s not a DevBox anymore. It’s “Compliant.” It’s trusted. It’s in.</p><p>⸻</p><p>🧪 Microsoft’s Initial Response</p><p>“This is by design.”<br>“Assignment filters should be used sparingly.”<br>“Intune cannot accurately lock down a device if an admin on the machine is actively working against management.”</p><p>Wait - imagine Microsoft saying that about Defender for Endpoint:</p><p>“Sorry, if someone has admin, Defender just gives up.”</p><p>Of course they wouldn’t say that. Because security controls must assume hostile actors. 
Why should Intune be any different?</p><p>⸻</p><p>🛠️ The Outcome<br> • I pushed back, published my findings, and spoke directly with Microsoft’s product teams.<br> • They reclassified the issue as a Moderate security vulnerability.<br> • They changed official documentation to warn against using properties like device.model in isolation.<br>“Microsoft recommends using at least one system defined or admin configurable device property…”</p><p>That change exists because of this research.</p><p>⸻</p><p>📉 But the Case Is Now Closed</p><p>MSRC insists that:</p><p>“This requires admin and knowledge of policy filters, so it remains Moderate.”</p><p>But attackers don’t need to know your exact filters - they can just trial different registry values and sync until they’re in. No alerts. No resistance. No risk of detection unless you’ve layered in custom EDR rules.</p><p>And admin access is table stakes. We can’t keep pretending that post-exploitation scenarios don’t matter.</p><p>⸻</p><p>💬 Final Thoughts</p><p>Conditional Access isn’t just about who you are - it’s supposed to account for where and what you’re accessing from.</p><p>But when enforcement relies on unverified local data, the door isn’t locked. It’s not even shut.<br>We’ve just convinced ourselves that it is.</p><p>🔐 Trust nothing. 
Validate everything.<br>Even the registry keys your policies depend on.</p><p>⸻</p><p>Blog link: <a href="https://cirriustech.co.uk/blog/outtatune-vulnerability" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cirriustech.co.uk/blog/outtatu</span><span class="invisible">ne-vulnerability</span></a></p><p><a href="https://infosec.exchange/tags/Intune" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Intune</span></a> <a href="https://infosec.exchange/tags/Microsoft365" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft365</span></a> <a href="https://infosec.exchange/tags/ConditionalAccess" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConditionalAccess</span></a> <a href="https://infosec.exchange/tags/SecurityResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityResearch</span></a> <a href="https://infosec.exchange/tags/ZeroTrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ZeroTrust</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/OuttaTune" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OuttaTune</span></a> <a href="https://infosec.exchange/tags/M365" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>M365</span></a> <a href="https://infosec.exchange/tags/Defender" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Defender</span></a> <a href="https://infosec.exchange/tags/EndpointSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EndpointSecurity</span></a> <a href="https://infosec.exchange/tags/MSRC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MSRC</span></a> <a 
href="https://infosec.exchange/tags/SecurityCommunity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityCommunity</span></a></p>
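<p>A defender-side check in the spirit of the post's closing point, added here as an example and not the author's code: it compares two exports of Intune device inventory and flags devices whose self-reported model or manufacturer changed between syncs, the very attributes a device filter trusts. Field names follow Microsoft Graph's deviceManagement/managedDevices records; the device records themselves are constructed sample data.</p>

```python
"""Drift check over two Intune device-inventory snapshots (added example).

Assumes exports shaped like Microsoft Graph managedDevices records
(id, deviceName, manufacturer, model, complianceState). All records
below are constructed sample data, not real devices.
"""
from dataclasses import dataclass

# Constructed sample: yesterday's inventory export.
BEFORE = [
    {"id": "dev-1", "deviceName": "DEVBOX-01", "manufacturer": "Microsoft Corporation",
     "model": "DevBox", "complianceState": "compliant"},
    {"id": "dev-2", "deviceName": "LAPTOP-07", "manufacturer": "Dell Inc.",
     "model": "Latitude 5540", "complianceState": "compliant"},
]

# Constructed sample: today's export. dev-1 now claims a different model
# while still reporting as compliant; dev-3 is newly enrolled.
AFTER = [
    {"id": "dev-1", "deviceName": "DEVBOX-01", "manufacturer": "Microsoft Corporation",
     "model": "Surface Laptop 5", "complianceState": "compliant"},
    {"id": "dev-2", "deviceName": "LAPTOP-07", "manufacturer": "Dell Inc.",
     "model": "Latitude 5540", "complianceState": "compliant"},
    {"id": "dev-3", "deviceName": "LAPTOP-12", "manufacturer": "Dell Inc.",
     "model": "Latitude 5540", "complianceState": "compliant"},
]

# Self-reported attributes that assignment filters commonly key on.
WATCHED = ("model", "manufacturer")


@dataclass(frozen=True)
class Finding:
    device_id: str
    device_name: str
    field: str
    before: str
    after: str


def find_attribute_drift(before, after, fields=WATCHED):
    """Return one Finding per watched attribute that changed for a known device."""
    baseline = {d["id"]: d for d in before}
    findings = []
    for dev in after:
        old = baseline.get(dev["id"])
        if old is None:
            continue  # newly enrolled: no baseline to compare against yet
        for field in fields:
            if old.get(field) != dev.get(field):
                findings.append(Finding(dev["id"], dev["deviceName"], field,
                                        old.get(field), dev.get(field)))
    return findings


def devices_outside_allowlist(snapshot, allowed_models):
    """Device names whose reported model is not in the fleet's known hardware list."""
    return sorted(d["deviceName"] for d in snapshot if d["model"] not in allowed_models)
```

A model that changes between syncs on a device whose hardware has not been replaced is worth an alert, since hardware models do not change on their own.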