I, Too, Stole a Microsoft 365 Account. Here's How. (Stealing Access Tokens from Office Desktop Apps)
- Published 7 Oct 2024
- Attacking & Defending Azure & M365 - Xintra Training: training.xintr...
mrd0x original writeup: mrd0x.com/stea...
TokenFinder: github.com/dor...
I also reimplemented TokenFinder in C#: github.com/Hus...
Come for the content, but I stay for Cosmo.
Top notch stuff as always Matt
Love your teaching mate! Keep up the great content.
Thanks! The information about the jwt token helped me find a big vulnerability
Nice work!
Looking good husky 👍
tyty king
Very cool!
What if we have the access token?
Interesting. It's not clear to me what the remediation would be in that case, what kind of protections could be used other than low permissions?
So it turns out that Microsoft ended up publishing a blog on token theft security last year and they include detection and mitigation guidance for this kind of attack:
www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/
Mitigation is the easier part of the problem and basically boils down to implementing conditional access policies for user logins and revoking refresh tokens if you suspect a user has been compromised. The blog goes into detail on this.
Detection is a harder problem to approach and the blog calls out that Entra Identity Protection and Defender for Cloud Apps *should* both catch a token replay attack like this and they can flag it as an anomalous sign-in, but I'm skeptical.
@huskyhacks I will review the article. Thank you very much Husky! 👍
Dumping the access tokens is nice but dumping the refresh tokens would be cooler :)
Great Video! Thanks for sharing!
Doesn't work.
Even with a renewed token it errors out:
{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError....
What's the audience for that token and which resource are you trying to access?
Not sure about the audience, but the token is for outlook for sure.
@cyberus15 Unfortunately, the Outlook API was deprecated sometime last year
learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/use-outlook-rest-api
You might be able to get lucky and find an older on-prem Exchange server that still uses the API but I haven't tested that. Your best bet is to hunt for Graph API tokens and use those
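The "Invalid audience" exchange above comes down to reading the `aud` claim of the token before deciding which API it belongs to. The following triage helper is an added example, not code from the video, TokenFinder, or any commenter: it decodes an Entra access token's payload without verifying the signature, reports its audience, expiry, scopes and user, and flags whether the audience matches the resource you are about to query. The audience values in `KNOWN_AUDIENCES` and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time

# Audiences for the resources the thread mentions. The Graph app ID and the
# Outlook resource URIs are assumed values; confirm against your own tokens.
KNOWN_AUDIENCES = {
    "https://graph.microsoft.com": "Microsoft Graph",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph (app ID form)",
    "https://outlook.office.com": "Outlook REST API (deprecated)",
    "https://outlook.office365.com": "Outlook REST API (deprecated)",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_token(token: str, target: str, now=None) -> dict:
    """Read claims from an access token (no signature check; triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", "")
    now = time.time() if now is None else now
    return {
        "audience": aud,
        "resource": KNOWN_AUDIENCES.get(aud, "unknown"),
        "matches_target": aud == target,   # mismatch => InvalidAuthenticationToken
        "expired": claims.get("exp", 0) <= now,
        "scopes": claims.get("scp", "").split(),
        "user": claims.get("upn") or claims.get("unique_name"),
    }


def build_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for testing (not a real one)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample: a token minted for the deprecated Outlook API, presented to Graph.
SAMPLE = build_unsigned_token({
    "aud": "https://outlook.office.com",
    "upn": "user@example.com",
    "scp": "Mail.Read",
    "exp": 1_800_000_000,
})
```

Running `inspect_token(SAMPLE, "https://graph.microsoft.com")` reports `matches_target: False`, which is exactly the condition behind the error quoted above.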