Backup applications are designed to protect your data, but when over-permissioned, they become high-value targets for threat actors. I’ve been co-presenting an Entra ID App Governance webinar series about the potential dangers of Entra ID (formerly Azure AD) app registrations whose granted permissions give them sweeping ability to act on your data. In this article, I’m going to break down a real-world exploit involving a well-known backup application. Ironically, many of the real-world applications I used in my webinar demos to highlight potentially over-permissioned apps were backup applications themselves. By understanding how these vulnerabilities and breaches play out, we can all be better prepared to close security and governance gaps.
On February 20, 2025, Microsoft notified Commvault about unauthorized activity within its Azure environment by a suspected nation-state threat actor. Attackers exploited a zero-day vulnerability (CVE-2025-3928) in the web server underpinning Commvault’s Metallic SaaS platform, used for Microsoft 365 backups.
The vulnerability allowed an authenticated attacker to create and execute web shells on the web server, which in turn gave them access to stored client secrets. That opened the door to unauthorized access into customers’ Microsoft 365 environments. At risk were the OAuth credentials themselves and, through them, the data in downstream Exchange, SharePoint, Teams, and Dynamics 365.
I’ll start by calling out the terms and the parties for the rest of this article:
Commvault is a long-standing player in enterprise backup and recovery, known for its data protection software and services, including Commvault Metallic, its managed SaaS offering. Metallic is backup-as-a-service, hosted in Microsoft Azure, designed for workloads like M365, Azure Virtual Machines, Salesforce, and more.
CVE-2025-3928 is the identifier assigned to a zero-day vulnerability, meaning it was being exploited before a patch existed. It affected the web server used by Metallic, and it was exploited in the wild by a nation-state actor.
CISA is the U.S. Cybersecurity and Infrastructure Security Agency. On 22 May 2025, CISA published an updated advisory warning that threat actors had been actively exploiting this flaw in Commvault’s SaaS platform.
Threat actors exploited the zero-day (CVE-2025-3928) to gain unauthorized access to Commvault’s internal infrastructure, including components tied to Metallic. Once in, they gained access to customer M365 service principal credentials.
Commvault uses separate client secrets as the credentials for managing access to Exchange Online, OneDrive for Business, SharePoint Online, and Dynamics 365. Those secrets are what your own tenant trusts, but they were stored in, and used from, Commvault’s SaaS infrastructure rather than yours. That is the cross-tenant exposure: once Commvault’s environment was compromised, the secrets for every downstream customer tenant were within the attacker’s reach, and with them each customer’s M365 data.
OAuth credentials are how Metallic accesses a customer’s M365 tenant for backup. They are not tokens themselves but application credentials (client secrets or certificates) that the service principal exchanges for access tokens, giving programmatic, app-only access to Exchange Online, SharePoint, OneDrive, Teams, etc. In many cases, these were:
Once attackers obtain these, they gain durable, high-privilege access to tenants and data, acting as the application itself rather than as any user, so no MFA or interactive sign-in stands in the way. With the service principal’s credentials, they could use the Microsoft Graph API to enumerate tenants, users, and any connected apps, depending, of course, on how generous the granted permissions were and how the tenant was configured.
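The mechanics behind the two paragraphs above, as an added example that is not Commvault’s or Microsoft’s code: a leaked client secret is exchanged at the tenant’s token endpoint (the OAuth 2.0 client credentials grant) for an app-only access token, the same secret can be presented to the token endpoint of any tenant that trusts the application, and the permissions the token carries are visible in its `roles` claim. The tenant IDs, app ID, secret and the unsigned sample token are all constructed placeholders; the request is built but not sent.

```python
"""Added example: what a stolen client secret buys an attacker.

A client secret is not a token. It is exchanged at the tenant's token endpoint
for an app-only access token via the client credentials grant, with no user,
no MFA and no interactive sign-in involved. Every identifier and the sample
token below are constructed placeholders (not real tenants or apps).
"""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Build (do not send) the client-credentials token request for one tenant."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant_id),
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": GRAPH_DEFAULT_SCOPE,  # ".default" = every app permission already consented
        }),
    }


def fan_out(tenant_ids, client_id: str, client_secret: str) -> list:
    """One leaked secret, one token request per tenant that trusts the app."""
    return [token_request(t, client_id, client_secret)["url"] for t in tenant_ids]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def app_token_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Fine for inspecting a token you already hold; never use this to trust one.
    """
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def summarize(claims: dict) -> dict:
    """App-only tokens carry application permissions in `roles`, have no `scp`
    (delegated scopes) claim, and carry idtyp=app when that optional claim is
    configured. v1.0-format tokens name the app in `appid`, v2.0 in `azp`."""
    return {
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid") or claims.get("azp"),
        "app_only": "scp" not in claims and claims.get("idtyp", "app") == "app",
        "roles": sorted(claims.get("roles", [])),
    }


def _make_sample_token(payload: dict) -> str:
    """Constructed, unsigned demo token (real Entra tokens are RS256-signed)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: what an app-only Graph token for a backup app might carry.
SAMPLE_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "11111111-1111-1111-1111-111111111111",
    "appid": "22222222-2222-2222-2222-222222222222",
    "idtyp": "app",
    "roles": ["Mail.ReadWrite", "Sites.FullControl.All", "Directory.Read.All"],
})

if __name__ == "__main__":
    req = token_request("11111111-1111-1111-1111-111111111111",
                        "22222222-2222-2222-2222-222222222222", "<leaked-secret>")
    print(json.dumps(req, indent=2))
    print(fan_out(["tenant-a", "tenant-b"], "22222222-2222-2222-2222-222222222222", "<leaked-secret>"))
    print(summarize(app_token_claims(SAMPLE_TOKEN)))
```

Note the shape of the request: the only input that is ever checked is the secret, which is why rotating it is the first containment step, and why a token request from an unexpected source IP for this service principal is worth alerting on.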
For affected customers, it isn’t just a risk to Exchange or SharePoint. It’s a potential bridgehead into other registered third-party platforms like Salesforce, ServiceNow, Box, etc. Because attackers act as the application, their activity blends into the backup job’s own traffic and is hard to tell apart from it.
Most monitoring and alerting focuses on user activity, such as logins, MFA, and impossible travel. Application-to-application activity, service principal tokens doing what they’re “supposed” to do, tends to fly under the radar.
For most customers, the real issue is limited visibility into what their applications and service principals are actually doing. Because the attacker holds legitimate application credentials, the activity looks like the application’s own behavior, the same blending-in that makes masquerading and living-off-the-land techniques hard to spot.
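One way to get that visibility back, as an added example that is not part of the original article or of any vendor’s guidance: a detection pass over Entra ID service principal sign-in events. Two things an app-only sign-in can still get wrong are the source IP (a backup vendor publishes the egress ranges its service signs in from) and the credential it used (a key ID never seen for that service principal means someone added a new secret). The field names are assumed to follow the Sentinel AADServicePrincipalSignInLogs table; adjust them for your export. All events, IP ranges, key IDs and names are constructed.

```python
"""Added example: detections over Entra ID service principal sign-in events.

Field names assume the Microsoft Sentinel AADServicePrincipalSignInLogs schema
(an assumption; rename to match your export). Every event, IP range, key id
and service principal name below is constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Assumed: egress ranges the vendor publishes for its service (per app).
EXPECTED_SOURCE_RANGES = {
    "Contoso Backup for M365": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Assumed: credential key ids seen for each app during a clean baseline window.
BASELINE_KEY_IDS = {
    "Contoso Backup for M365": {"key-1", "key-2"},
}

# Constructed sample events. ResultType "0" is success; "7000215" is the
# AADSTS code for an invalid client secret (what an attacker holding a
# rotated-away secret produces).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2025-05-20T01:00:00Z", "ServicePrincipalName": "Contoso Backup for M365",
     "ServicePrincipalId": "sp-1", "IPAddress": "203.0.113.17", "ResourceDisplayName": "Microsoft Graph",
     "ResultType": "0", "ServicePrincipalCredentialKeyId": "key-1"},
    {"TimeGenerated": "2025-05-20T02:15:00Z", "ServicePrincipalName": "Contoso Backup for M365",
     "ServicePrincipalId": "sp-1", "IPAddress": "192.0.2.45", "ResourceDisplayName": "Microsoft Graph",
     "ResultType": "0", "ServicePrincipalCredentialKeyId": "key-1"},
    {"TimeGenerated": "2025-05-20T02:16:00Z", "ServicePrincipalName": "Contoso Backup for M365",
     "ServicePrincipalId": "sp-1", "IPAddress": "203.0.113.18", "ResourceDisplayName": "Microsoft Graph",
     "ResultType": "0", "ServicePrincipalCredentialKeyId": "key-9"},
    {"TimeGenerated": "2025-05-20T03:00:00Z", "ServicePrincipalName": "Contoso Backup for M365",
     "ServicePrincipalId": "sp-1", "IPAddress": "192.0.2.45", "ResourceDisplayName": "Microsoft Graph",
     "ResultType": "7000215", "ServicePrincipalCredentialKeyId": "key-1"},
]


def _in_ranges(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def detect(events, expected_ranges=EXPECTED_SOURCE_RANGES, baseline_keys=BASELINE_KEY_IDS) -> list:
    """Return findings in event order.

    A successful sign-in from an unexpected source is high severity (a token
    was issued); a failed one is medium (someone is trying a credential).
    A successful sign-in with a credential outside the baseline is high.
    """
    findings = []
    seen_keys = defaultdict(set)
    for ev in events:
        name = ev["ServicePrincipalName"]
        success = ev.get("ResultType") == "0"

        if name in expected_ranges and not _in_ranges(ev["IPAddress"], expected_ranges[name]):
            findings.append({
                "rule": "sp_signin_unexpected_source",
                "severity": "high" if success else "medium",
                "sp": name, "ip": ev["IPAddress"], "time": ev["TimeGenerated"],
            })

        key = ev.get("ServicePrincipalCredentialKeyId")
        known = baseline_keys.get(name, set()) | seen_keys[name]
        if success and key and key not in known:
            findings.append({
                "rule": "sp_signin_new_credential",
                "severity": "high",
                "sp": name, "key_id": key, "time": ev["TimeGenerated"],
            })
        if key:
            seen_keys[name].add(key)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The same two conditions translate directly into a Conditional Access policy for workload identities (restrict the service principal’s sign-ins to the vendor’s ranges) and a scheduled analytics rule; the point of writing them out here is that neither check needs anything from the user-centric signals most tenants already alert on.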
To their credit, Commvault has published several advisories and updates:
In response to the breach, Commvault patched the affected components, rotated credentials, and issued guidance for regenerating service principal secrets. Commvault now recommends modern OAuth scopes and credentials with expiry limits going forward.
The Commvault attack is a supply chain attack: a supplier’s infrastructure was compromised in order to reach the customers downstream of it, through the access those customers had granted. What about your backup vendor?
Scrolling through the application permissions granted to your vendor’s backup application in the Entra admin center, you may find permissions like those in the picture below:
A casual look through any of these permissions should cause some concern, because of their nature and reach. Application permissions of this kind are not scoped to particular mailboxes, sites, or users; they apply tenant-wide, to every mailbox, site, and user, unless the resource offers a narrowing mechanism and the vendor uses it (SharePoint’s Sites.Selected, or RBAC for Applications in Exchange Online).
You’ll further notice that for most of these applications, the Enterprise Application Owners field is empty. Ownerless apps have nobody accountable for reviewing their permissions or credentials, and ownership is powerful: an owner of the application (as is anyone holding the Application Administrator or Cloud Application Administrator role) can add a new client secret or certificate to it and then act as that application, with every permission it has been granted.
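The manual review described above, written out as an added example (not code from the original article or from ENow’s App Governance Accelerator). It assesses one service principal from three Microsoft Graph responses the reader would fetch live: `GET /v1.0/servicePrincipals/{id}/appRoleAssignments` for application permissions, `GET /v1.0/servicePrincipals/{id}/owners`, and the `passwordCredentials` of the matching application object. Here those responses are constructed inline; the `appRoleId` values are placeholders (real ones are GUIDs you resolve against the resource service principal’s `appRoles`), and the list of “broad” permission names is my own starting point, not an official classification.

```python
"""Added example: assess one service principal for the three things the
article calls out: tenant-wide application permissions, no owner, and
credentials that are expiring or unreasonably long-lived.

Input shapes mirror the Graph responses for appRoleAssignments, owners and
passwordCredentials, but the sample data below is constructed, and the
appRoleId values are placeholders rather than real Graph role GUIDs.
"""
from datetime import datetime, timedelta, timezone

# Graph application permissions that reach every mailbox/site/user in the
# tenant. A starting point (assumption), extend for your environment.
BROAD_APP_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Sites.Read.All", "Sites.ReadWrite.All",
    "Sites.FullControl.All", "Files.Read.All", "Files.ReadWrite.All",
    "User.ReadWrite.All", "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed id -> value map, built from the resource SP's appRoles in real use.
GRAPH_APP_ROLES = {
    "role-mail-rw": "Mail.ReadWrite",
    "role-sites-full": "Sites.FullControl.All",
    "role-sites-selected": "Sites.Selected",   # scoped alternative, not broad
    "role-dir-read": "Directory.Read.All",
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample: a backup app with broad Graph permissions, no owner,
# one secret about to expire and one secret valid for two years.
SAMPLE_SP = {
    "id": "sp-backup", "displayName": "Contoso Backup for M365",
    "appRoleAssignments": [
        {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-mail-rw"},
        {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-sites-full"},
        {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-dir-read"},
    ],
    "owners": [],
    "passwordCredentials": [
        {"keyId": "key-1", "startDateTime": "2024-06-10T00:00:00Z", "endDateTime": "2025-06-10T00:00:00Z"},
        {"keyId": "key-2", "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"},
    ],
}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess(sp: dict, role_map=GRAPH_APP_ROLES, now=NOW,
           expiry_window_days=30, max_secret_days=365) -> list:
    """Return (finding, subject, detail) tuples for one service principal."""
    findings = []

    for a in sp.get("appRoleAssignments", []):
        value = role_map.get(a["appRoleId"], a["appRoleId"])
        if value in BROAD_APP_PERMISSIONS:
            findings.append(("broad_permission", a["resourceDisplayName"], value))

    if not sp.get("owners"):
        findings.append(("no_owner", sp["displayName"], None))

    for c in sp.get("passwordCredentials", []):
        end = _parse(c["endDateTime"])
        lifetime = end - _parse(c["startDateTime"]) if c.get("startDateTime") else None
        if end <= now:
            findings.append(("secret_expired", c["keyId"], c["endDateTime"]))
        elif end - now <= timedelta(days=expiry_window_days):
            findings.append(("secret_expiring", c["keyId"], c["endDateTime"]))
        elif lifetime is not None and lifetime > timedelta(days=max_secret_days):
            findings.append(("secret_long_lived", c["keyId"], c["endDateTime"]))

    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SP):
        print(finding)
```

Run this across every service principal in the tenant and the output is the same picture the Entra blade gives you one app at a time; the secret-lifetime check is the one most worth keeping, since a secret that lives for two years in a vendor’s infrastructure is exactly what the Commvault attackers walked away with.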
We must understand the risk surface we take on when we entrust our core platforms, like Microsoft 365, to backup services. Metallic’s value proposition, like that of other backup vendors, hinges on delegated access. That delegation must be scoped, monitored, and revocable, because once those credentials are out in the wild, they’re keys to the kingdom.
While trawling through each application in your Entra Tenant is an option, several prepared reports in App Governance Accelerator will kickstart your journey, including Enterprise Applications: Enterprise Applications with API Permissions, Risk Analysis, and Ownerless Apps, among others.
Each of these reports is filterable, allowing you to catalog and understand your risk exposure, down to each individual permission.
ENow’s App Governance Accelerator helps you uncover app risks fast and strengthen your application governance posture.
✅ Quickly identify high-risk applications
✅ Filter by API permissions and scopes
✅ Pinpoint apps with no assigned owners or expiring credentials
🔍 Don’t wait for an incident. Start your Entra ID AppGovernance risk assessment now with ENow AppGov Score and get a 7-day upgrade to App Governance Accelerator Standard to try it for yourself.