38C3 - From Simulation to Tenant Takeover

Description:

All I wanted was for Microsoft to deliver my phishing simulation. This journey took me from discovering trivial vulnerabilities in Microsoft's Attack Simulation platform, to a Chinese company to which Microsoft outsourced its support department that wanted all my access tokens. I finally ended up hijacking remote PowerShell sessions and obtaining all data from random Microsoft 365 tenants, all the while reeling in bug bounties along the way.

This talk is the result of what happens when you ask a hacker to simply automate sending out a phishing simulation.

My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial vulnerabilities and no more faith in the product.

Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online.

I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens.

I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc.

Vaisha Bernard

https://events.ccc.de/congress/2024/hub/event/from-simulation-to-tenant-takeover/

#38c3 #Security

Licensed to the public under http://creativecommons.org/licenses/by/4.0

Video Language:
English
Duration:
29:56
http://www.youtube.com/watch?v=uowTmPomYcg
Format: Youtube
Added by C3Subtitles
This video is part of Amara Public.
