David Storie
David Storie is an Adversarial Collaboration Engineer at Lares LLC. He is a seasoned Red Team operator that leverages his knowledge of modern adversarial tradecraft while delivering Purple Team engagements. Dave spent nearly a decade as a Systems Administrator prior to working in Information Security.
Session
Microsoft Azure and Entra ID have become mainstays in modern corporate environments. As cloud environments grow, so too does the complexity. Many organizations have implemented Multi-Factor Authentication and employ Conditional Access Policies (CAPs) within their Azure tenant to enforce MFA requirements. We'll walk through a technique we developed to bypass Browser-Based MFA to access Microsoft Outlook Web Application by leveraging an overly permissive Conditional Access Policy.