BSides Toronto 2023

Bypassing Browser-Based MFA for Outlook Web Application
10-21, 10:30–10:55 (US/Eastern), ENG 103

Microsoft Azure and Entra ID have become mainstays in modern corporate environments. As cloud environments grow, so too does the complexity. Many organizations have implemented Multi-Factor Authentication and employ Conditional Access Policies (CAPs) within their Azure tenant to enforce MFA requirements. We'll walk through a technique we developed to bypass Browser-Based MFA to access Microsoft Outlook Web Application by leveraging an overly permissive Conditional Access Policy.


We'll discuss the foundations of CAPs and how they might be bypassed. We'll walk through the research process used to develop an MFA bypass, then see the technique in action.

Slide Layout
- What are Conditional Access Policies?
- What purpose do Conditional Access Policies serve?
- How can they be bypassed?
- How we performed the research to develop the technique
- Demonstration of the technique

David Storie is an Adversarial Collaboration Engineer at Lares LLC. He is a seasoned Red Team operator who leverages his knowledge of modern adversarial tradecraft while delivering Purple Team engagements. Dave spent nearly a decade as a Systems Administrator prior to working in Information Security.