Imagine locking your front door, only to leave the key under the doormat. It’s a habit many know is risky, but it’s still surprisingly common. In cybersecurity terms, the equivalent is storing credentials in plain text fields within Active Directory.
Microsoft Defender can now help eliminate this vulnerability with a new, AI-powered posture alert that uses layers of intelligence to spot exposed credentials.
Understanding free text fields in identity systems:
Within identity systems like Active Directory (AD) and Microsoft Entra ID, free text fields are customizable attributes that allow administrators to store unstructured or semi-structured data. Because they are flexible and not tightly governed by schema constraints, free text fields can also be used to support integrations with HR systems, email signature tools, or Privileged Access Management (PAM) solutions.
In hybrid identity environments, clear text fields play a pivotal role in bridging operational gaps. Administrators rely on them to carry over business-critical context such as cost centers, project tags, or legacy system references during synchronization. Their unstructured nature, however, also introduces risk. If sensitive data like credentials or personal identifiers is stored in these fields without proper controls, the fields can become a vector for exposure.
Non-human identities (NHIs) are often disproportionately impacted by this issue. And it makes sense: in addition to substantially outnumbering their human counterparts, NHIs cannot interact with systems through traditional authentication methods like MFA. Administrators, under pressure to maintain uptime and ensure seamless automation, may store the credentials for these accounts in clear text fields. For example, a service account used by an application might have its password stored in the description or info field of an AD object to simplify troubleshooting or integration. These practices, while expedient, create a high-value target for attackers. NHIs also often operate with elevated privileges and are frequently overlooked in traditional security models, making them an even more tantalizing target for would-be attackers.
But it’s not just NHIs that are at risk. In our initial research and testing, we identified more than 40,000 exposed credentials across 2,500 tenants. More importantly, we increasingly see bad actors and red teams targeting these fields to gain access and move laterally, and thanks to the speed, scale and precision of AI-powered enumeration tools, the time to exploit them has shifted from hours to seconds.
Turning the tables with layered intelligence
Microsoft is leveling the playing field with a powerful new posture alert in Defender that can help detect exposed credentials with unprecedented precision. This alert is part of a broader initiative to help organizations proactively identify and remediate identity misconfigurations before they’re exploited, but what sets it apart is its layered AI-driven detection model.
First, a detailed scan of identity directories flags potential credential exposures. This includes everything from base64-encoded secrets to strings that match known password structures. Once that scan is complete, a more advanced AI model steps in to analyze the context, language, and structure of each candidate. It looks at everything from the type of identity the value is associated with to whether the value is static or recently changed and whether it’s referenced in automation scripts or logs. This additional layer dramatically reduces false positives and ensures that alerts are both high-confidence and actionable.
By embedding AI directly into posture management, Microsoft is giving security teams the same speed and scale that attackers have been using, only now it’s to help stop compromise before an attack ever occurs.
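To make the first-stage scan concrete for your own audits, here is an added example (not Microsoft's detection logic and not code from the original post) that checks the description and info attributes of exported directory objects for keyword-labelled values, base64 strings that decode to text, and password-shaped tokens. The regexes, thresholds, function names and sample objects are assumptions chosen for illustration; hits are candidates that still need the contextual review the second layer performs.

```python
import base64
import re
# Patterns and thresholds are illustrative assumptions, not Defender's rules.
FREE_TEXT_ATTRS = ("description", "info")  # the two fields the article names
KEYWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|secret)\b\s*(?:is\b|[:=])\s*\S+")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")
CHAR_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]

def looks_like_password(token):
    """At least 8 characters drawn from 3 or more character classes."""
    token = token.strip(".,;:()'\"")  # ignore sentence punctuation
    return len(token) >= 8 and sum(bool(c.search(token)) for c in CHAR_CLASSES) >= 3

def decodes_to_text(token):
    """True when a base64 candidate decodes to 8+ printable ASCII bytes."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 8 and all(32 <= b < 127 for b in raw)

def scan_record(record):
    """Return (attribute, reason) pairs; the matched value is never echoed."""
    findings = []
    for attr in FREE_TEXT_ATTRS:
        value = record.get(attr) or ""
        if KEYWORD_RE.search(value):
            findings.append((attr, "keyword"))
        elif any(decodes_to_text(m) for m in B64_RE.findall(value)):
            findings.append((attr, "base64"))
        elif any(looks_like_password(t) for t in value.split()):
            findings.append((attr, "password-shape"))
    return findings

def scan_directory(records):
    """Map account name to findings, omitting clean objects."""
    hits = {r["sAMAccountName"]: scan_record(r) for r in records}
    return {name: found for name, found in hits.items() if found}

# Constructed sample objects, shaped like an export of AD attributes.
SAMPLE = [
    {"sAMAccountName": "svc-backup", "description": "Backup agent, pwd: Winter2024!x"},
    {"sAMAccountName": "svc-sql", "info": "conn U3VwZXJTZWNyZXQxMjMh see runbook"},
    {"sAMAccountName": "jdoe", "description": "Finance, cost center 4410, Building B"},
    {"sAMAccountName": "svc-print", "description": "temp Tr0ub4dor&3 until rotation"},
]

if __name__ == "__main__":
    print(scan_directory(SAMPLE))
```

The scanner reports only the attribute and the reason for the match, so its own output does not become another place where the credential is written down.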
Getting started:
This new posture recommendation is now in public preview and available to all Defender for Identity customers. To learn more about the recommendation, check out our documentation here. To see if any credentials were left under your digital doormat, navigate to the “Exposure Management” section within the Defender portal and search for the recommendation.