From Simulation to Tenant Takeover: Exploiting Microsoft 365 Attack Simulation Platform
media.ccc.de via YouTube
Lead AI-Native Products with Microsoft's Agentic AI Program
Power BI Fundamentals - Create visualizations and dashboards from scratch
Overview
Google, IBM & Meta Certificates – 40% Off
One plan covers every Professional Certificate on Coursera.
Unlock All Certificates
Explore a 30-minute conference talk from the Chaos Communication Congress (38C3) that reveals a fascinating security research journey sparked by a simple request to automate phishing simulations in Microsoft 365. Follow along as the speaker uncovers multiple vulnerabilities in Microsoft's Attack Simulation platform, leading to several bug bounty rewards. Learn how the investigation deepened when attempting to build a custom phishing simulation tool, exposing concerning practices in Microsoft's outsourced support operations to a Chinese company requesting access tokens. Discover how manipulating parameters in the Security & Compliance center led to the ability to hijack remote PowerShell sessions, potentially compromising data across multiple Microsoft 365 tenants. Gain insights into the complex security implications of enterprise software systems and the unexpected vulnerabilities that can emerge from seemingly routine tasks.
Syllabus
38C3 deu - From Simulation to Tenant Takeover
Taught by
media.ccc.de