
Azure Sign-In Log Bypasses Enable Invisible Password Spraying

Hacker News

Cybersecurity researcher Nyxgeek reveals the third and fourth Azure Entra ID sign-in log bypasses discovered in 2025, which allow attackers to validate passwords invisibly. These flaws, named GraphGoblin and GraphGhost v2, build on prior vulnerabilities fixed in 2023-2024 and expose gaps in Microsoft's authentication logging. GraphGoblin exploits scope parameter overflows to bypass logging entirely, while GraphGhost v2 manipulates client ID validation to hide credential checks. Both methods return functional tokens without triggering audit trails, undermining administrators' ability to detect breaches.

Microsoft addressed earlier bypasses like GraphNinja (2023) and GraphGhost (2024) by adding password success indicators to logs. However, GraphGoblin’s scale—using scripts to repeat valid scopes 10,000+ times—overwhelms logging systems, while GraphGhost v2 fails post-password validation steps, masking successful guesses as failed logins. A demo curl command shows how attackers can automate these attacks undetected.

The bypasses highlight persistent risks in OAuth2 implementations and underscore the need for robust KQL-based detection. Microsoft’s delayed fixes suggest ongoing challenges in securing identity systems. Nyxgeek’s findings, shared via a detailed technical walkthrough, emphasize proactive monitoring and the importance of scrutinizing authentication endpoint behaviors.

Key entities: Microsoft, Azure Entra ID, GraphGoblin, GraphGhost v2, KQL detection.