Phishing Azure Accounts
phishing with aadinternals
Illicit Consent Attack
This depends on "Allow user consent for apps" (user consent for all apps) being set on the target tenant. This is not the default, but it is very often the case. It cannot be enumerated from an unauthenticated position; a blue-teamer can check it through:
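As an added, defender-side example that is not part of the original page: the check above can be scripted against the JSON that Microsoft Graph returns. The tenant-wide setting lives in `GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy` under `defaultUserRolePermissions.permissionGrantPoliciesAssigned`, and existing delegated consents are listed by `GET /v1.0/oauth2PermissionGrants` (with `consentType` `Principal` for grants a single user made). The policy ids, field names and the Microsoft first-party owner tenant id are the real Graph values; the sample documents, tenant ids, user ids and app names in the block are constructed for the demonstration.

```python
"""Classify a tenant's user-consent setting and list user-granted consents to
apps owned by other tenants, from the JSON Microsoft Graph returns.
All sample documents below are constructed; fetch real ones with e.g.
  az rest --method GET --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy
"""

# Built-in permission-grant policy ids Graph reports under
# defaultUserRolePermissions.permissionGrantPoliciesAssigned.
POLICY_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
POLICY_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Owner tenant of Microsoft first-party service principals (Microsoft Graph,
# Office 365 Exchange Online, ...); allow-listed so they are not reported.
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"


def classify_user_consent(authorization_policy):
    """Return 'all' (any user may consent to any app: the precondition for an
    illicit consent grant), 'limited' (verified publishers, low-impact
    permissions only), 'disabled' (admins only) or 'custom'."""
    perms = authorization_policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    # Only the *ForSelf* policies govern what a plain user may consent to.
    self_policies = [p for p in assigned
                     if p.startswith("ManagePermissionGrantsForSelf.")]
    if not self_policies:
        return "disabled"
    if POLICY_ALL_APPS in self_policies:
        return "all"
    if self_policies == [POLICY_LOW_RISK]:
        return "limited"
    return "custom"


def foreign_user_consents(grants, service_principals, home_tenant_id,
                          allowed_owner_tenants=(MICROSOFT_SERVICES_TENANT,)):
    """Return user-made consents (consentType == 'Principal') whose client app
    is owned by a tenant other than ours and not on the allow-list."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        if grant.get("consentType") != "Principal":
            continue  # tenant-wide admin consents are reviewed separately
        sp = sp_by_id.get(grant.get("clientId"), {})
        owner = sp.get("appOwnerOrganizationId")
        if not owner or owner == home_tenant_id or owner in allowed_owner_tenants:
            continue
        findings.append({
            "app": sp.get("displayName", grant.get("clientId")),
            "owner_tenant": owner,
            "user": grant.get("principalId"),
            "scope": (grant.get("scope") or "").strip(),
        })
    return findings


# ---- constructed sample data (shape of the Graph responses) -----------------
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"      # constructed
OTHER_TENANT = "00000000-0000-0000-0000-00000000bbbb"     # constructed

SAMPLE_AUTHZ_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [POLICY_ALL_APPS],
    },
}
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Microsoft Graph",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT},
    {"id": "sp-2", "displayName": "Expense Helper",      # multi-tenant app
     "appOwnerOrganizationId": OTHER_TENANT},            # from another tenant
    {"id": "sp-3", "displayName": "HR Portal",
     "appOwnerOrganizationId": HOME_TENANT},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "sp-1", "scope": "User.Read User.ReadBasic.All"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "sp-1", "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-1", "scope": "User.Read"},
]

if __name__ == "__main__":
    print("user consent setting:", classify_user_consent(SAMPLE_AUTHZ_POLICY))
    for f in foreign_user_consents(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS,
                                   HOME_TENANT):
        print(f"user {f['user']} consented to foreign app {f['app']!r} "
              f"(owner {f['owner_tenant']}) for: {f['scope']}")
```

Reading `authorizationPolicy` needs the `Policy.Read.All` Graph permission, so this is an authenticated, admin-side check, which matches the note above that the setting is not visible unauthenticated. A result of `all` means a multi-tenant app from any tenant can obtain delegated permissions from a single user's click; the second function surfaces grants of exactly that shape that already exist.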
Setup phishing infrastructure
In an attacker-controlled tenant, set up a new ‘App Registration’ in https://portal.azure.com:
- Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multi-Tenant)
- redirect to web → point this to your stealer installation, e.g., https://172.16.150.64/login/authorized
- add a client secret
- select low-privilege permissions first, under API permissions (the permissions are in MS Graph → delegated): User.Read, User.ReadBasic.All
Note the application-id (called client-id in the application registration overview pane) and the generated client secret.
Now set up 365-Stealer and configure it:
- run the XAMPP control panel as administrator and start Apache
- copy 365-Stealer from c:\AzAD\Tools to c:\xampp\htdocs
- go to http://localhost:82/365-stealer/yourVictims
- configuration: application-id, client-secret, redirect-to-web URL, 1 sec delay
Now you can start the stealer, copy the OAuth2 link that is printed in the shell output, and send the lure to a phishing victim.
Related: phishing for credentials with evilginx