Microsoft Entra ID is under active nation-state exploitation via the ROADtools framework, with APT29, APT33, and UTA0355 achieving persistent MFA-bypassing access through rogue device registration and Primary Refresh Token abuse. Separately, CVE-2025-33073 (CVSS 9.5, EPSS 96.7th percentile) is being exploited as the Active Directory escalation pivot in a multi-stage attack chain originating from an EOL F5 BIG-IP appliance. Both campaigns require immediate hardening action; neither is resolved by a single patch.