Keanu Nys of Spotit in Belgium has shown how easily Microsoft's online login page can be modified. Because Microsoft lets organizations use Entra ID as a universal login across many tenants, and because the login flow still transmits the password in plain text to the tenant, the researcher was able to build a phishing platform on top of the official login page that captures the credentials of any user.
The trick is that tenants can customize the login page with their own CSS and images, which makes it easy to capture even MFA authentications. Here, too, Microsoft has clearly made far too many compromises that harm security in favor of more features, leaving end users unable to tell a genuine MFA prompt from a forged one and leaving their Microsoft ID open to phishing.
How to fall for micro-oft.com
Specifically, Nys showed in his DEF CON presentation that a tenant can fool users through simple CSS customization, custom fonts and the display of images on the login page. "micro-oft.com" becomes "microsoft.com" when the custom font renders the hyphen as an "s".
Attackers can then use Pass-Through Authentication (PTA) to check whether the captured credentials are valid and whether they have obtained a session ID that grants access to all of the tenant's services (M365, storage and more). Even MFA is no obstacle: all "99" possible number-matching prompts are pre-generated and the right one is then embedded as an image. However, this requires two tenants.
All of these "phishing attempts" originate from the official Microsoft domain, so they cannot be stopped by firewalls, DNS filters and similar security measures. It is difficult to see how Microsoft intends to prevent these attacks. The only way out is to disable several of these customization features and finally move to secure alternatives.
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.