From Simulation to Tenant Takeover

Language: English
Abstract
All I wanted was for Microsoft to deliver my phishing simulation. This journey took me from discovering trivial vulnerabilities in Microsoft's Attack Simulation platform, to a Chinese company to which Microsoft outsourced its support department that wanted all my access tokens. I finally ended up hijacking remote PowerShell sessions and obtaining all data from random Microsoft 365 tenants, all the while reeling in bug bounties along the way.

This talk is the result of what happens when you ask a hacker to simply automate sending out a phishing simulation.

My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial vulnerabilities and no more faith in the product.

Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online.

I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens.

I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine: tenants where I could now export everything, e-mail, files, etc.

Talk ID: 38c3-281
Event: 38c3
Day: 4
Room: Saal 1
Start: 11 a.m.
Duration: 00:40:00
Track: Security
Type: Talk
Speaker: Vaisha Bernard
Talk Slug & media link: 38c3-281-from-simulation-to-tenant-takeover
