From Simulation to Tenant Takeover - Microsoft 365 Security Vulnerabilities
media.ccc.de via YouTube
Overview
Explore a 30-minute conference talk from the Chaos Communication Congress (38C3) that reveals how a simple request to automate phishing simulations led to discovering major security vulnerabilities in Microsoft's systems. Follow along as security researcher Vaisha Bernard details her journey from finding basic flaws in Microsoft's Attack Simulation platform to uncovering how Microsoft outsourced support to a Chinese company requesting access tokens, and ultimately discovering a method to hijack remote PowerShell sessions that enabled unauthorized access to Microsoft 365 tenant data. Learn about the multiple bug bounties earned while exposing these security issues, and understand the implications of these vulnerabilities that allowed potential access to emails, files, and other sensitive data across various Microsoft 365 tenants.
Syllabus
38C3 - From Simulation to Tenant Takeover
Taught by
media.ccc.de