Bsides Cymru 2024

Ohhhh365 - How to (Quite) Reliably Hack into Microsoft 365, And What to Do Afterwards
04-27, 15:35–16:05 (Europe/London), Main Room (Ballroom) - Track 1

An employee's M365 account has become a pivotal asset, guarding business-critical data such as internal emails and SharePoint data. In this talk, we dive into modern tradecraft used by JUMPSEC to compromise M365 in our adversary simulation engagements, some of which were recently used by an advanced threat group to successfully breach Microsoft. The talk will outline our methodologies in obtaining unauthorised access, followed by strategies for post-compromise actions.


Introduction

M365 accounts have never been mere email inboxes; they are the linchpins of internal communications and data repositories. An attacker's access to such accounts often leads to sensitive internal data exposure and facilitates lateral movement within an organization, especially in hybrid or cloud-native environments.

Initial Access Methodologies

We dive into the methodologies tested and refined in our consultancy's red team operations for infiltrating Microsoft 365, which include:

  • Revival of Password Spraying: The password spraying technique is revisited, using AWS API Gateway proxying to bypass Microsoft's Smart Lockout. This approach lets us exploit commonly seen gaps in multi-factor authentication (MFA) setups, and it has gained us access to highly sophisticated clients' environments. Microsoft's security team reported in January 2024 that one of their own tenants was compromised by a threat group using a similar approach.

  • MitM Phishing Via Productivity Apps: Tools like Microsoft Teams can be leveraged for phishing, effectively circumventing traditional email controls. Our social engineering methodology employs Man-in-the-Middle (MitM) tactics to hijack post-MFA access tokens. We will outline key steps in readily setting up a believable front that gets past web filters.
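A defender-side illustration of the first technique, added here and not part of the talk: a spray that rotates source IPs through a proxy and tries one password per account keeps per-account failures below Smart Lockout's threshold, so the signal has to be sought in the aggregate. The script runs over constructed Entra ID sign-in records (field names follow the sign-in log schema; the window and thresholds are assumptions to tune per tenant).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra error code 50126 = invalid username or password (a failed guess that
# did not trigger a lockout). 50053 would mean Smart Lockout actually fired.
SPRAY_ERROR_CODES = {50126}

# Constructed sample records, not real log data. Nine distinct accounts each
# fail once from a different source IP inside ten minutes (spray pattern);
# one user then fails three times from a single IP and signs in (a typo).
SAMPLE_EVENTS = [
    {"createdDateTime": f"2024-04-27T09:0{i}:00Z",
     "userPrincipalName": f"user{i}@example.com",
     "ipAddress": f"203.0.113.{i}", "errorCode": 50126}
    for i in range(1, 10)
] + [
    {"createdDateTime": "2024-04-27T09:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-04-27T09:30:20Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-04-27T09:30:40Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-04-27T09:31:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "errorCode": 0},
]


def _window_start(ts, window):
    """Floor an ISO-8601 UTC timestamp to the start of its fixed window."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t - ((t - datetime(1970, 1, 1)) % window)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, min_ips=3):
    """Bucket failed sign-ins into fixed windows and flag a window when the
    failures spread across many accounts AND many source IPs at once. A single
    user failing repeatedly from one address is not flagged. Returns a sorted
    list of (window_start_iso, distinct_users, distinct_ips) tuples."""
    buckets = defaultdict(lambda: {"users": set(), "ips": set()})
    for ev in events:
        if ev["errorCode"] not in SPRAY_ERROR_CODES:
            continue
        b = buckets[_window_start(ev["createdDateTime"], window)]
        b["users"].add(ev["userPrincipalName"].lower())
        b["ips"].add(ev["ipAddress"])
    return [(start.isoformat(), len(b["users"]), len(b["ips"]))
            for start, b in sorted(buckets.items())
            if len(b["users"]) >= min_users and len(b["ips"]) >= min_ips]


if __name__ == "__main__":
    for start, users, ips in detect_spray(SAMPLE_EVENTS):
        print(f"possible spray from {start}: {users} accounts, {ips} source IPs")
```

The per-IP view that Smart Lockout relies on never exceeds one failure here; only the cross-account, cross-IP count exposes the campaign.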

Post-Compromise

Our Tactics, Techniques, and Procedures (TTPs) for data mining, persistence and lateral movement within Office 365 are highlighted, along with the potential business impact. Threat actors, and by extension attack simulations, target M365 more and more for a reason, and it's not just about breaking into accounts.

I work in the adversary simulation team at JUMPSEC. Having been in offensive security for a number of years, these days I am passionate about exploring and researching the latest techniques and paradigms in cloud red teaming, a relatively nascent field in our industry.
In my free time I listen to math rock and play the guitar.