
The Silent Data Breach: Unintended Exposure of Sensitive Information in Microsoft Enterprise Enrollment, Entra, and Intune

BSides Sydney 2025 | 27:02 | 42 views | Published 2026-05 | Watch on YouTube
About this talk
A red team walkthrough of how an insecure subdomain leaking SMTP service account credentials, combined with Microsoft's default-unchecked 'Restrict access to Entra admin center' setting, allowed exfiltration of PII for over 4,000 users. The speakers detail the attack chain across Enterprise Enrollment, Entra, and Intune, Microsoft's 'by design' response to disclosure, and mitigations including least privilege, conditional access, and tenant restriction.
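As an added illustration of the mitigations listed in the summary above (this is not code from the talk, from the speakers, or from Microsoft): a Microsoft Graph PowerShell script that first measures how much of the directory an ordinary signed-in user can enumerate, then applies the hardening that Graph exposes: the tenant-creation restriction, a non-admin directory-read restriction, and a Conditional Access policy requiring MFA for all users, created in report-only mode. It assumes the Microsoft.Graph PowerShell SDK, an operator holding the permissions named in each function, and a placeholder break-glass account ID; the "Restrict access to Microsoft Entra admin center" toggle itself is set in the portal (Users > User settings) and is not touched by the script.

```powershell
# Added example, not code from the talk or from Microsoft's own tooling.
# Uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest).
# Assumptions: you hold the Graph permissions named in each function; the
# "Restrict access to Microsoft Entra admin center" toggle lives in the portal
# (Users > User settings) and is NOT changed here; $BreakGlassIds is a
# placeholder for your emergency-access account object IDs.

# 1. Measure the exposure: sign in as an ordinary user (or the leaked service
#    account) and page through /users. A count near the tenant size shows the
#    directory-read default the talk describes (the PII pull does not need the
#    admin center UI; the Graph API returns the same objects).
function Get-DirectoryReadExposure {
    Connect-MgGraph -Scopes 'User.ReadBasic.All' -NoWelcome
    $uri   = "https://graph.microsoft.com/v1.0/users?`$select=displayName,mail,jobTitle&`$top=999"
    $count = 0
    while ($uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
        $count += $page.value.Count
        $uri    = $page.'@odata.nextLink'    # keep following pages until none is left
    }
    return $count
}

# 2. Tighten the default user role: block tenant creation (the talk's "restrict
#    tenant creation") and stop non-admins enumerating other users' objects.
#    Caveat: allowedToReadOtherUsers=$false also hides colleagues from the
#    Outlook/Teams people picker for ordinary users, and does not apply to
#    accounts holding admin roles; test in a pilot tenant before rolling out.
function Set-DefaultUserRestrictions {
    Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateTenants  = $false
            allowedToReadOtherUsers = $false
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
    # Read the policy back so the change is verified, not assumed.
    (Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy').defaultUserRolePermissions
}

# 3. Conditional Access: require MFA for every user and every cloud app,
#    created in report-only mode first. The leaked SMTP service account has no
#    MFA, so once enforced this policy blocks exactly the interactive sign-in
#    used in the talk; report-only lets you see that impact in the sign-in logs
#    before any automation breaks. Exclude only break-glass accounts.
function New-RequireMfaPolicy {
    param([string[]]$BreakGlassIds = @())   # assumption: supplied by the operator
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome
    $policy = @{
        displayName   = 'Require MFA for all users (report-only)'
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    Invoke-MgGraphRequest -Method POST -Body $policy `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
}

# Usage (each function signs in with only the scopes it needs):
#   Get-DirectoryReadExposure            # run as a low-privilege user first
#   Set-DefaultUserRestrictions
#   New-RequireMfaPolicy -BreakGlassIds @('00000000-0000-0000-0000-000000000000')
```

Run step 1 before and after step 2 with the same low-privilege account: the count should collapse once non-admin directory read is off. Step 2 is the part that addresses the Q&A point that the same data is reachable through the API even when the admin center toggle is set, since the portal toggle only gates the UI. Step 3 stays in report-only until the sign-in logs show which service accounts would be blocked; the fix for those is a workload identity or a scoped exclusion group during migration, not a permanent exemption.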
Original YouTube description: The Silent Data Breach: Unintended Exposure of Sensitive Information in Microsoft Enterprise Enrollment, Entra, and Intune. Jeffrey Gaor | Parameswaran Ganesan

Transcript [en]

Okay, so our next presentation is titled "The Silent Data Breach: Unintended Exposure of Sensitive Information in Microsoft Enterprise Enrollment, Entra and Intune". Please welcome to the stage Jeffrey and Param.

Hello. Can you hear me, guys? Yeah. All right. Before we begin, does anyone here love breaking stuff? The pentesting guys. Anyone in the crowd? All right. So how about the SOC folks, the SOC team? Yeah. Who's on night shift? I believe so. There's only one. Any JC here? Hola, forensics. All right. Cool. So, yeah. Next. So forgive me on the formatting, because it was transferred from Mac to Windows. So who am I? I'm currently leading the cyber security assessment at the back global, essentially a cyber security boutique company based in Switzerland and Singapore. Our clients are in APAC, EMEA and beyond. So Dr. Global is for VIP; we offer pentesting services, GRC integration and implementation, as well as an academy.

Apart from my day-to-day job I actively participate in bug bounty programs, with findings acknowledged by some of the world's big companies like Apple, Oracle, Toyota, Morgan Stanley and more. One of my early standout works, back in 2023 and 2024, was finding CVE IDs. I have also had the privilege to speak at some of the major cyber security conferences, including Black Hat Arsenal in Singapore and BSides Bristol in 2025, which was two months ago, as well as ROOTCON in the Philippines.

Next slide. Param's introduction. >> Thank you, Jeffrey. Hi, good morning everyone. Yep, this is myself. Thanks Jeffrey for bringing me in. My name is Parameswaran. I'm actually from Daka as well. Me and Jeffrey used to be good friends back in Daka, working on IT. I used to be a solution architect, and now I'm going into an engineering role, and I love research as well. The previous talk was actually very interesting for me, to be honest. Apart from that, I'm more into OT security right now. That's a quick intro for myself.

So, moving on to the topic itself. What are we actually speaking about today? I used to be a very big fan of Microsoft itself. I think a lot of people work with Microsoft closely, and I see Microsoft there itself. So this is just a default configuration in the Microsoft settings, in Azure AD actually. We'll be running through the security implications based on that, and Jeffrey will be doing a hands-on demo of it.

First, the introduction to Microsoft Entra. I've been using Microsoft for at least the past 10 years; before, it was Azure AD, and now it has turned into Entra. It's actually one of the best things, where you're able to log into one portal and do everything. So it's like a crown jewel, where you'll be able to get all the information. Just to give a background if you're not hands-on in Microsoft: Intune is where all the devices come in hand, and you're able to do device registration and control all the devices, be it your laptops or your mobiles. For every single device you're able to do the policies, basically a domain controller in Microsoft terms. And Enterprise Enrollment works with your Intune as well, in how your different devices get joined and how we are able to pull the policies across the different devices. This is just a background before we deep dive into the topic itself.

So what are we actually speaking about today? This is actually about data exposure. I think this term is very common now, from ransomware to data exposure. What is it actually about, and what is the background? Enrollment, Entra and Intune. This is the reason why we gave a brief about it. So my friend Jeffrey will go into the demo of what we are speaking about today.

>> All right, it's unchecked by default. As you can see here, "Restrict access to Microsoft Entra admin center" is unchecked by default. The reason is that historically, self-service tasks like MFA registration, password reset, app consent and security info management were managed directly in Microsoft Entra. Microsoft left this unchecked by default for backward compatibility, so previous tenants wouldn't break. But now Microsoft has self-service portals that provide My Sign-Ins, Security Info, My Apps and SSPR, which means that you can now safely enable this to restrict anyone. What does "Restrict access to Entra admin center" mean? If it's unchecked, meaning to say if you're having different access, like a service account or the typical account that you use to log into Office 365 or Microsoft Outlook, you are actually able to access the Entra admin center.

So, on this attack sequence, let me walk you through how this played out in a real engagement. As you can see here, the team and I were doing an external pentest in a previous engagement. It is a black-box pentest engagement wherein we were only provided a company domain, but here, as you can see, we redacted the company that we pentested before. That's why you see insecure-subdomain plus the company-in-scope.com. So, going back, we were only provided a company name. In a typical web pentest, usually grey box, we are provided two types of account, an admin account and a normal account, but in this previous project we were only given a domain name or company name. So we do subdomain enumeration, with publicly accessible tools like certificate search engines and so on and so forth, and tools like subfinder and amass, basically the tools you use for subdomain enumeration, where the purpose is to gather as many subdomains as a company has.

So we came across an insecure subdomain here that has a .gitignore which basically displays a path to a zip that caught our attention. When we copied that zip path, it insecurely allowed us to download the zip, and as you can see on the screen, that zip contains plain-text credentials, which are actually SMTP, used for email communications. So, on to the next slide. Now here's the issue with the service account, because as you know most service accounts do not have MFA, multi-factor authentication, enabled, because they're designed for automation, right? To illustrate the impact of the plain-text credentials we discovered, we need to write a report. We need to show the PoC. So the team and I managed to log into the Entra admin center, because by design the service account doesn't have any MFA. But everyone can log in; if you have a laptop there you can try. This is the link: enterpriseenrollment.[your company name].com, or you can log in to either Intune or Entra to access this. So basically every access that you have, the typical account that you use to log into Office, you can access this with, because in most companies, as I mentioned, this Entra admin center restriction is unchecked by default.

Going back to this slide: using the SMTP service account that we discovered on the insecure website, we tried to log into Outlook, but since it is a service account it doesn't have any email. So we were stuck there, and I remembered that in a previous engagement there was a misconfiguration that I came across. As I mentioned, for most companies the Entra admin center restriction is disabled or unchecked by default. So I leveraged that SMTP service account, and we got into the Entra admin center. From a black-box perspective, we managed to leverage the SMTP service account that by design doesn't have MFA, and log in here. So when we do the PoC for the client, because typically when you submit findings to a client, when the developer submits credentials like the ones I mentioned before, it typically says that it's for UAT, it doesn't have anything, like I showed you before with the mailbox. It doesn't have anything. So to showcase the impact, we were able to leverage or abuse the default settings misconfiguration on the admin center to be able to log in here. So any user account type is actually able to pull out or download those 4,300 users that contain PII: basically the phone number, the email, the start date of their employment is also there, address. It's basically PII. This is where the real impact becomes undeniable to the developer. So we were able to showcase the impact of that plain-text credential that we discovered on the insecure subdomain.

Next is the summary. The diagram here basically summarizes the entire attack chain. We have the service account found on the insecure website, and because of the default, by design, you are able to leverage that and log into the Entra admin center, and from there we were able to download 4,000, or 4K, users' PII and then showcase the impact to our client. And then the silent data breach occurs because of the misconfiguration that seems benign, and usually no detections were configured there. So, next slide for security implications, risk analysis.

>> Thank you. Yeah, so quickly, Jeff went through how the attack actually happens and how easy it is to get access into your Azure AD and get usernames and passwords. It's not as hard right now. There are quite a number of data leaks happening right now; you can even go to the darknet and get them as well. So, through all of this, what are the implications? You are getting directory read permissions, which again exposes your data, your username, maybe your address or more information about the employees itself, which will lead to PII exposure, and recon is able to happen from there, step by step, and then social engineering risk, which is quite trending now; there's a lot of social engineering, which fuels targeted phishing campaigns, happening as well, and attack surface expansion. So one service account, and then you slowly go on to the privileged account. So that leads on by itself. The initial attack might not be as big, and it could be a simple setting like Jeffrey just showed, could be just that: do not allow logging in to the Azure AD even with a normal account. But from there, how are we able to escalate to the different attacks?

>> Okay, back to Jeffrey. So when I first submitted this talk to BSides, one of the reviewers, I'm not sure if he's here, one of the reviewers commented, and this was actually on May 9, a very fair question: has it been responsibly disclosed or submitted to Microsoft? So what I did the very next day, which is May 10, was actually submit it to Microsoft, and I got this ticket. But then they actually came back on May 23, and can anyone guess the result? When I submitted it, well, that's a common result when we do bug bounty, because of exaggerated security researchers, or exhausted... but what actually happened here, on the next slide, is I received this message that it is by design. So, well, I don't get anything, but at least, you know, I shared it with them. So it's by design. Okay.

So just to recap, to wrap this up: a single low-privilege account, which is the service account, and an insecure default were enough for us to expose thousands of users' PII too. And of course there is no exploit, there's no malware; it's a default left unchecked, or a misconfiguration. But of course there is a precondition to exploit, a precondition flow from an insecure website portal where we gathered plain-text credentials. And yeah, so the takeaway: one leaked account plus insecure defaults equals a silent breach. And for the best practices, mitigations, please.

>> Thank you, Jeffrey. Yeah, so for the best practices, I mean every product, be it Microsoft or non-Microsoft, has certain gaps that we need to fill, and if you are just putting in default policies, default configurations, definitely we are missing out on certain things. So this is where, in terms of the practice that he came in about, these are the few things we could do: definitely restricting the admin center access, giving them the least-privilege principle, and also restricting tenant creation as well, basically restricting the SS itself, and conditional access. This is one of my favourite parts of Microsoft itself; you're able to have clearly defined levels of access, be it at a user level, device level or location level, IP level, wherever you're able to give the access. I think this is something that all of us could actually make use of. Can I just have a quick show of hands: how many of you are using the Microsoft admin center, or are already using it? Okay, great. That's a lot of you. So do you all know about this quick setting, whether you are able to turn off whether everyone is able to access your admin center? Okay, great. So that's about that, and lastly, questions and answers. Any questions from everyone, for Jeffrey himself as well?

Closer. Okay. Yep. >> So thanks for the talk. I guess my question is: were audit logs even useful in this case, just figuring out, hey, there's a low-privilege service account that's looking at an area that it shouldn't be in? >> Hello. >> Yeah, sorry, I didn't quite get the question. Could you... >> I guess, more in regards to: okay, is there a way where you can actually detect, possibly by audit or some other way, that hey, these people are actually going to the admin center? >> Yes, definitely there is. In terms of Microsoft audit logs, I can't remember the limitation; I believe it's up to 60 days or 90 days, it's not on my mind. So from there you are able to definitely see who has logged on or who has changed their credentials and all of that. But sometimes it might not occur to your mind until an incident actually happens, unless you are reviewing the audit logs daily, on a daily basis. To be honest, I'm not sure how many people do that. But yeah, it definitely shows over there as well, to answer your question.

>> Hey, how's it going? Thanks for the talk. If you do set that setting correctly, can't you still get that data from just the API as well? Or what was your submission to Microsoft: is it that you could get the data in the first place, or the insecure default? >> It's insecure by default, for us, that allowed us to navigate to the admin center and pull out the 4K users' PII. Yeah. >> But if someone does set it securely, can you still not just get that data through APIs? >> It is still possible in the API as well. Yeah. >> Yeah, that's right. >> Yeah. Cool. >> Thanks.

>> Hi, I'm Mark, cyber security project manager at Macquarie University. We actually encountered almost the exact same situation, and this is another case of, you know, it's not a bug, it's a feature, because it's meant to be like an address book. In your experience, do you think there are other similar policies like this, where they defend that it's meant to be accessible but as a result it's a security vulnerability? Because we're always trying to balance accessibility against security. Do you know of any other such cases where you have to balance this for the end user?

>> Yeah. Well, that's why in my talk, actually, in a previous slide, I mentioned... hold on a second, on this one, sorry, the previous slide. There is an explanation here, actually, because as mentioned before, historically MFA registration, password reset and app consent were managed entirely in the admin center. But now what Microsoft did is they have self-service, which means they're no longer reliant on the Entra admin center. It separates the self-service reset portal and My Sign-Ins, which are no longer dependent on the admin center. So, if that answers your query. >> Oh, that's good. Thank you so much. >> Let me just add to that part as well. In terms of flexibility or accessibility, I think there is still a high-level question of whether companies want to get secured or they don't want accessibility in terms of their production and all of that. There are definitely pros and cons. Especially in the IT industry I think we are still okay, but from what I've seen in the OT industry itself it's a tough fight between security and working on the availability side. So it's either money-making or you want to get it secured. So it's still there, but it just depends on how you're seeing the attack surface, what kind of limitations you're going to put in, and what kind of products. So it's a balance, and it's based on the company's approach itself.

>> Yeah, exactly. >> Thank you. >> I think you just answered my question. I was going to say, is MFA the mitigator? And it sounds like it is. >> Yes, definitely.

Yes, and conditional access as well. That adds on to the MFA, because I think MFA is getting exploited a bit as well right now. Yeah. >> Yeah. Thanks for the talk, guys. So, probably along similar lines to what Alexa was saying earlier, I don't really see the additional risk. If you've got this disabled, you can pull all that data from the Graph API anyway. And if you've got an advanced, not even an advanced, threat actor, like someone who's got ROADrecon or AzureHound, they would probably be able to find and pull the same data anyway. So what do you guys think about that? Was that a consideration when that submission was made?

>> Can't hear me? All right. Well, there was actually no consideration of that, because they explicitly mention that it's designed by default, but then it is a misconfiguration. That is why we came up with this talk for everyone, for awareness as well. Yeah. >> Yeah, because I mean, yeah, a UI is obviously nicer to pull data from, but when you've got tools that are already built to pull that data programmatically and really quickly, it's sort of the path of least resistance to pulling all that information. So, yep. >> Just to add on that part, I think yes, you can definitely pull in data, but I think compared to the other penetration ways this is one of the easiest ways; anyone can, you know, like passwords and usernames, I've seen two simple passwords and even usernames, I think you can just go in and log in, and you'll be able to... >> But are you able to get passwords through this? >> No, you are not able to get passwords through this, but you can get in through the hash or password link and all that. Do you want to add on something, Jeff? >> The hash... what happened here is, as mentioned, it's a precondition, meaning to say that we managed to log in here because of the SMTP service account that we got from the insecure subdomain, which contains a plain-text password. So that's why it's a precondition chain. Yeah. >> Yeah. No, definitely that's not a good thing to have. Yeah. >> Thank you, guys. >> Any more questions? >> In that case, can we please have a huge round of applause for Jeffrey and Param? >> Thank you, everyone. >> We will now break for lunch. It's downstairs on level three. And additionally, our keynote speaker forgot to mention that his company, Apartate, is hiring. So if you're interested in working for that company, please email hello.ai. Thank you all.
