![]() The authentication flow is handled entirely by Microsoft, so using multi-factor authentication isn’t a viable mitigation. The link in the email directs the user to our attacker-controlled website (e.g., ) which seamlessly redirects the victim to Microsoft’s login page. Once we set up shop, we can send a phishing campaign with a link to install the Azure app: To perform this attack, the adversary must have a web application and an Azure tenant to host it. A clever attacker can use this opportunity to trick a user into giving their malicious app access to one or more sensitive cloud resources. ![]() Similar to how your iOS phone will ask you if it’s OK for an app to access your contacts or location, the Azure app authorization process will ask the user to grant the app access to the resources it needs. This API allows apps to interact with the user’s 365 environment-including users, groups, OneDrive documents, Exchange Online mailboxes, and conversations. One of the more common Azure APIs is the MS Graph API. Microsoft created the Azure App Service to give users the ability to create custom cloud applications that can easily call and consume Azure APIs and resources, making it easy to build powerful, customizable programs that integrate with the Microsoft 365 ecosystem. ![]() Once the attacker convinces the victim to click-to-install malicious Azure apps, they can map the user’s organization, gain access to the victim’s files, read their emails, send emails on their behalf (great for internal spear phishing), and a whole lot more. ![]() Azure apps don’t require approval from Microsoft and, more importantly, they don’t require code execution on the user’s machine, making it easy to evade endpoint detection and A/V. "I was kind of shocked how open the sharing with Teams can be, one mis-click and your data is accessible to anyone on the Internet."Īs you’ll see below, attackers can create, disguise, and deploy malicious Azure apps to use in their phishing campaigns. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |