Attackers stealing the SAML signing certificate is like crooks stealing the machinery to make *authentic* fake IDs... no way to spot a fake in the wild other than to see it in use and say “there is something fishy about this perfect passport, even though it has no flaws.”
Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...
We just published more details on what we’ve been finding post-compromise: https://t.co/UX1wCkhhYu
ADFS key material compromise, SAML shenanigans, OAuth keys added...