#NSBCS.102 - Conditional Access Policies - Are they working as expected?
Conditional Access is one of the most important security controls for businesses in environments such as Microsoft 365 and Azure AD (Entra ID). Having these policies configured is not the same as having them working as intended, and Threat Actors take advantage of them being misconfigured.
Conditional Access Policies allow businesses to enforce rules such as requiring Multi-Factor Authentication (MFA), blocking sign-ins from specific locations, or allowing access only from compliant devices. They are implemented to ensure the right people are accessing the account, from trusted devices and under safe conditions, before they proceed into the company's environment.
Sounds simple, but we consistently see misconfigured Conditional Access Policies resulting in Threat Actors successfully gaining access to companies' environments.
Recommendation:
Here’s how to ensure your Conditional Access policies are truly protecting your organisation:
1. Audit existing policies for common misconfigurations
Look out for:
Named locations not correctly defined or assigned
Policies that don’t require MFA for all users (or worse, exclude high-privilege accounts)
“All cloud apps” or specific resources not properly targeted
Policies that are configured… but still sitting in Report-only or Disabled mode
2. Align policies with your current business reality
Organisations evolve – new offices open, remote work expands, third-party apps are adopted. A policy that was airtight two years ago may now have dangerous gaps. Regularly review whether your controls still reflect how, where, and when your people actually work.
3. Ruthlessly prune exceptions and exclusions
Temporary break-glass accounts and “just this once” exclusions have a habit of becoming permanent. Every exception is a potential bypass for attackers. Ask yourself:
Does this exclusion still serve a valid business need?
Is it time-bound and documented?
Who has visibility of it?
4. Test your policies regularly – don’t just trust the configuration
Use the What If tool, Sign-in logs, and Report-only mode for new policies, but also carry out real-world testing:
Try signing in from an untrusted location or unmanaged device
Test with both standard and privileged accounts
Validate that MFA, device compliance, and session controls trigger as expected
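As an added example (not part of this newsletter, and not a Microsoft tool), the following Python script runs the audit checklist from steps 1, 3 and 4 over an exported set of Conditional Access policies. It assumes the policies have been exported in the JSON shape returned by the Microsoft Graph conditionalAccessPolicy resource (for instance via Get-MgIdentityConditionalAccessPolicy), and that the set of defined named-location IDs is available from a separate namedLocations export; the policies and IDs below are constructed placeholders.

```python
from typing import Any

# Constructed sample export in the shape of Microsoft Graph conditionalAccessPolicy objects
# (placeholder IDs; a real export carries the tenant's own GUIDs).
SAMPLE_EXPORT: list[dict[str, Any]] = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-placeholder-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block untrusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["contractors-placeholder-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["hq-office-placeholder-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["role-template-placeholder-id"]},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
# Named locations the tenant actually defines (constructed; "hq-office-placeholder-id" is deliberately missing).
KNOWN_LOCATIONS = {"old-office-placeholder-id"}

def _parts(p: dict[str, Any]) -> tuple:
    # (state, users, applications, locations, grant controls) with Graph's optional fields defaulted
    cond = p.get("conditions", {})
    return (p.get("state"), cond.get("users", {}), cond.get("applications", {}), cond.get("locations") or {},
            set((p.get("grantControls") or {}).get("builtInControls") or []))

def audit_policy(p: dict[str, Any], known_locations: set[str] = KNOWN_LOCATIONS) -> list[str]:
    # Review findings for one policy, following the checklist in the section above.
    state, users, apps, locs, controls = _parts(p)
    findings: list[str] = []
    if state != "enabled":  # report-only or disabled: nothing is enforced
        findings.append(f"not enforced (state={state})")
    if "mfa" in controls and users.get("includeUsers") != ["All"]:
        findings.append("MFA not required for all users")
    if "mfa" in controls and apps.get("includeApplications") != ["All"]:
        findings.append("MFA policy does not target all cloud apps")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):  # every exclusion needs an owner and an expiry
        findings += [f"exclusion to review: {ex}" for ex in users.get(key, [])]
    for loc in locs.get("includeLocations", []) + locs.get("excludeLocations", []):
        if loc not in ("All", "AllTrusted") and loc not in known_locations:
            findings.append(f"references undefined named location: {loc}")
    return findings

def audit(policies: list[dict[str, Any]]) -> dict[str, list[str]]:
    return {p["displayName"]: audit_policy(p) for p in policies}

def tenant_wide_mfa_enforced(policies: list[dict[str, Any]]) -> bool:
    # True only if at least one enabled policy requires MFA for all users on all cloud apps.
    return any(s == "enabled" and "mfa" in c and u.get("includeUsers") == ["All"]
               and a.get("includeApplications") == ["All"] for s, u, a, _, c in map(_parts, policies))
```

Exclusions are listed for review rather than flagged as failures, since a documented break-glass account is legitimate; what matters is that each one is still justified and time-bound.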
Well-implemented and actively maintained Conditional Access policies are one of the highest-return security investments you can make in Microsoft 365/Entra ID. Take 30 minutes this week to review yours. Your future incident response team will thank you.
What we read this week
Sha1-Hulud NPM Supply Chain Attack Compromises Hundreds of Packages - Cybersecurity firms including Aikido, JFrog, and Socket have exposed a sophisticated supply chain campaign dubbed Sha1-Hulud, which has trojanised over 200 npm packages uploaded between 21 and 23 November 2025. The malware, disguised as legitimate dependencies, employs remote dynamic dependencies to fetch malicious code from attacker-controlled servers, evading static analysis by appearing dependency-free. Once installed, it exfiltrates npm tokens, GitHub credentials, and developer secrets to a command-and-control infrastructure. The attack targets developers globally, with telemetry showing infections across corporate and cloud environments. This resurgence of the Sha1-Hulud worm highlights vulnerabilities in open-source ecosystems, urging developers to audit dependencies rigorously, enable two-factor authentication on registries, and use tools like npm audit for behavioural scanning.
Qilin Ransomware Targets Industrial Tools Provider HYTORC - The Qilin ransomware group has claimed a breach against HYTORC, a US-based manufacturer of industrial bolting tools, announcing the attack on 25 November 2025 via its leak site. Attackers allegedly exfiltrated sensitive data including customer contracts, employee records, and proprietary designs before encrypting systems, demanding payment to prevent publication. HYTORC confirmed the incident but stated operations remain unaffected, with no evidence of client data compromise. Qilin, active since mid-2022, has intensified operations in late 2025, focusing on manufacturing and engineering sectors with tactics like credential stuffing and unpatched vulnerabilities. Firms are advised to segment networks, enforce least-privilege access, and maintain immutable backups to counter such double-extortion schemes.
Hackers Hijack US Radio Equipment for Bogus Emergency Broadcasts - The US Federal Communications Commission (FCC) has warned of a rising threat where cybercriminals are compromising radio transmission infrastructure to air fake emergency alerts and profane messages, with incidents reported across multiple states in late November 2025. Attackers exploit weak authentication on legacy broadcast systems, injecting audio streams via remote access tools to sow panic or disrupt communications. This tactic, linked to hacktivist and prankster groups, echoes historical EAS hijackings but leverages modern IoT vulnerabilities. Broadcasters should upgrade firmware, implement multi-factor authentication, and monitor for anomalous signals, while regulators push for mandatory encryption standards to safeguard public alert mechanisms.
CISA Alerts on Commercial Spyware Targeting Signal and WhatsApp Users - The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on 25 November 2025 detailing active campaigns using commercial spyware and remote access trojans to compromise high-profile individuals on encrypted apps like Signal and WhatsApp. Vendors such as NSO Group and Paragon are implicated, with infections delivered via zero-click exploits or phishing lures leading to surveillance of journalists, activists, and officials. The alert emphasises zero-day flaws in mobile OSes, urging users to enable lock screen protections, avoid suspicious links, and organisations to deploy endpoint detection for anomalous app behaviour. This underscores the proliferation of state-sponsored digital espionage tools.
Years of Exposed Secrets in JSONFormatter and CodeBeautify Tools - WatchTowr Labs research published on 25 November 2025 reveals that popular online code formatting sites JSONFormatter.org and CodeBeautify.org have inadvertently leaked over 80,000 files since 2020, exposing thousands of API keys, passwords, and private credentials from sectors including government and critical infrastructure. Users unwittingly pasted sensitive data into these unsecured tools, which lacked proper input sanitisation, allowing public scraping. The dataset includes telecom configs and auth tokens, potentially enabling lateral movement in breaches. Developers are recommended to use offline alternatives, implement secret scanning in CI/CD pipelines, and rotate compromised credentials immediately to mitigate ongoing risks.
References
https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
https://www.dexpose.io/qilin-ransomware-attack-on-hytorc/
https://www.reuters.com/world/us/fcc-says-hackers-hijack-us-radio-gear-send-fake-alerts-obscenities-2025-11-26/
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html

