Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/isotopp/statuses/113770923743406770">Kris (isotopp@infosec.exchange)'s status on Monday, 06-Jan-2025 23:07:23 JST</a><a href="https://infosec.exchange/@isotopp" title="isotopp@infosec.exchange"><img src="https://gnusocial.jp/avatar/283617-48-20250423130554.webp" width="48" height="48" alt="Kris" style="position: absolute; left: 0; top: 0;">Kris</a><div><a href="https://infosec.exchange/@isotopp/113725012275487030" rel="in-reply-to">in reply to</a></div></section><article><p>Microsoft not only can't cloud, they actually can't. Like not anything at all.</p><p><a href="https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover" rel="nofollow noreferrer">https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover</a></p>From Simulation to Tenant Takeover<p>Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online.</p><p>I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens. </p><p>I then tried intercepting client-side requests made by the Security &amp; Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4102855#notice-8448913">In conversation</a><time datetime="2025-01-06T23:07:23+09:00" title="Monday, 06-Jan-2025 23:07:23 JST">about 5 months ago</time> <span>from <span><a href="https://infosec.exchange/@isotopp/113770923743406770" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@isotopp/113770923743406770">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Kris (isotopp@infosec.exchange)'s status on Monday, 06-Jan-2025 23:07:23 JST Kris
in reply to
Microsoft not only can't cloud, they actually can't. Like not anything at all.
https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover
From Simulation to Tenant Takeover
Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online.
I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens.
I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc.
In conversationabout 5 months ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice