I think the more appropriate question is not 'how do we hack an O365 account' rather, how do we stop this form of attack from working? MS currently only have CA or device registration as options that work to protect a user, but anyone using unregistered devices is basically screwed if that user gets phished. Many small businesses aren't licensed with (and cannot afford) the correct product to implement the security needed and many more, such as charities, have volunteers world-wide that use their own devices. How do these businesses implement CA effectively over such a widely distributed user-base? Would it be possible for MS to invalidate MFA tokens if the device isn't MDM registered and the IP address being used for the connection doesn't match the one against which the token was issued ??? I know they can report on this and it shows as Anomalous Token usage in Sentinel
Not sure about prevent but at my org we have script automation to programmatically audit the unified log and search for M365 log-in IPs that vary in location in a specific time interval . So say a user logs in from IP A but then within a 4-hr window they are logged in to IP A and IP B a notification is sent to us. Yes, there are false positives but it has also helped us find some previously unknown compromises.
Great video as usual. Another defense for this attack would be Identity Protection, with controls such as "Impossible travel situation", and Continuous Access Evaluation. Such different signals would probably trigger the defenses and block access
John Hammond is it possible to hack a outlook account with no password and only with the Microsoft authenticator app, so if you login it send a notification to you app with a number is there also a way to bypass this?
@paulus9660 secondly all good company security has smtp auth disabled for internal users meaning you need to do modernauth smtp to send that email which you cant as you need to satisfy MFA
I’ve never heard of this before. My logarithm suggested this video for me. I’m sure I’m missing something but why are we teaching people to steal a Microsoft account?
I think the more appropriate question is not 'how do we hack an O365 account' rather, how do we stop this form of attack from working? MS currently only have CA or device registration as options that work to protect a user, but anyone using unregistered devices is basically screwed if that user gets phished. Many small businesses aren't licensed with (and cannot afford) the correct product to implement the security needed and many more, such as charities, have volunteers world-wide that use their own devices. How do these businesses implement CA effectively over such a widely distributed user-base?
Would it be possible for MS to invalidate MFA tokens if the device isn't MDM registered and the IP address being used for the connection doesn't match the one against which the token was issued ??? I know they can report on this and it shows as Anomalous Token usage in Sentinel
Not sure about prevent but at my org we have script automation to programmatically audit the unified log and search for M365 log-in IPs that vary in location in a specific time interval . So say a user logs in from IP A but then within a 4-hr window they are logged in to IP A and IP B a notification is sent to us.
Yes, there are false positives but it has also helped us find some previously unknown compromises.
Did you bypass the email spam filter because you were apart of an active user within?
I literally stood up and clapped. Well played legend!
Your videos are incredible, they never disappoint.
Thanks for sharing
Great video as usual.
Another defense for this attack would be Identity Protection, with controls such as "Impossible travel situation", and Continuous Access Evaluation. Such different signals would probably trigger the defenses and block access
Damn John, you just keep putting me on a list with these video titles. lmao
John Hammond is it possible to hack a outlook account with no password and only with the Microsoft authenticator app, so if you login it send a notification to you app with a number is there also a way to bypass this?
luckily no one uses teams, mail or calendar from them
Do you need special permissions for Send-MailMessage? If not then that's a concern...
@paulus9660 secondly all good company security has smtp auth disabled for internal users meaning you need to do modernauth smtp to send that email which you cant as you need to satisfy MFA
not AGAIN!
idk if i missed something but why is the link in the phishing mail the actual microsoft link , how does this work?
The phish is not the link but the real remote login capability...the link only relays this(remote login capability) to the attacked
@@Al-Fisaa ok wait … is thos device Code the Remote Login , if he used the wrong Code it would not work. ?
can you share the powershell script please
Clean
I’ve never heard of this before. My logarithm suggested this video for me. I’m sure I’m missing something but why are we teaching people to steal a Microsoft account?
badass :)
🎉🎉🎉🎉🎉🎉🎉😊😊😊😊
yoooooooo
Your on Powershell and you use ECHO , Fail ,
:)
Second
third.
first
not first :|
second
second