While investigating a different Azure AD vulnerability in December 2022, Secureworks Counter Threat Unit researchers discovered that stored NTHashes could be recovered via the Microsoft Graph API and decrypted using a certificate stored on Azure AD Domain Services (Azure AD DS) domain controllers.