
Phishing past mail protection controls using Azure Information Protection


Video of the talk: https://youtu.be/EYUp_MNtJIk

Email filters giving you a hard time when sending those phishes? This talk goes over how to leverage Azure Information Protection to phish in a new way that bypasses protections and frustrates IR. This talk showcases how technology that was designed to encrypt, track and protect sensitive content can be used for evil purposes as well. What is AIP? How do I start using it? How does it work? Am I missing out? Can I get a lot of shellz? These and many other questions will be answered during this talk that you don't want to miss if you are constantly having a hard time getting those phishes into organizations.

Hans Lakhan controls multiple AI systems that leverage software defined synergies to cloud hyper converge bios. Thru many years of experience Hans has created a neural network with ML that can output biographies. Hans once neglected his machine slaves for a 48hr DnD marathon. Hans doesn't love me… 000001010100001001 Aismov override.

Oddvar Moe is a Red teamer, Microsoft MVP, Security Researcher, blogger, trainer, speaker and works at TrustedSec as a Senior Security Consultant. Mostly known for his work around AppLocker bypasses, LOLBins/LOLBAS and persistence techniques.

Oddvar Moe - @oddvarmoe, Hans Lakhan - @jarsnah12

Published in: Technology

  1. PHISHING PAST MAIL PROTECTION CONTROLS USING AZURE INFORMATION PROTECTION
  2. ODDVAR MOE
     • Red teamer @TrustedSec
     • Security Geek / Blogger / Speaker / Researcher
     • Twitter: @oddvarmoe
     • Blog: https://oddvar.moe
  3. HANS LAKHAN
     Hans Lakhan is the master operator of multiple AI systems that leverage software defined synergies to cloud hyper converge bios. Thru many years of experience Hans has created a neural network with machine learning that can output biographies. Hans likes to code in Ruby, this AI prefers the one true language of assembly. Hans once neglected his machine slaves for a 48hr DnD marathon. Hans doesn't love me… 000001010100001001 Aismov override.
  4. INTRO
     • Why talk about Azure Information Protection (AIP)?
     • Story behind the discovery
     • https://www.trustedsec.com/2019/04/next-gen-phishing-leveraging-azure-information-protection/
     • Cover:
       • What it is
       • Licensing
       • Features
       • Detection
       • Exploit
  5. WHAT IS AIP?
     • Labeling and Protection of Content
     • Protection using Azure Rights Management Service (Azure RMS)
     • Active Directory RMS (On-Prem)
  6. WHAT IS AIP?
     • In Cloud, can be consumed by everyone
     • If receiver has Azure AD account (O365) they can open seamlessly
     • If receiver does not have Azure AD account, they are asked to create one
     • If receiver is Gmail, Hotmail ++ they need to go to a special link
     User Experience: https://blog.atwork.at/post/2018/02/18/Azure-information-protection-user-experience-with-external-users
  7. WHAT IS AIP?
     • Protection of data, everywhere!
     AIP Client: https://www.microsoft.com/en-us/download/details.aspx?id=53018
  8. WHAT IS AIP?
     • Protection of data, everywhere!
  9. WHAT IS AIP?
     • Supported file types: All Office formats (xls, xlsx, doc, docx +++), .pdf, .txt, .xml, .jpg/jpeg, .png, .tif/tiff, .bmp, .gif, .jpe, .jfif, .jt
     Each format (except Office) gets .p added. Must be viewed in AIP Viewer Client
  10. LICENSING / COSTS
  11. LICENSING / COSTS
  12. LICENSING / COSTS
     • Details: https://azure.microsoft.com/en-us/pricing/details/information-protection/
  13. LICENSING / COSTS
     • Office 365 E3 - $20 user/month
     • Azure AD Premium P1 - $6 user/month
     • Azure AD Premium P2 - $9 user/month
     *Ask your licensing advisor
  14. FEATURES
     • Tracking
       • See when email was viewed/opened
       • See when user authenticates to open payload
     • Encryption of Payloads
     • Encryption of Emails
  15. DETECTION
     • Content inside file is encrypted – Tenant ID can be found
  16. DETECTION
     • Transport rules can create auditing and block
  17. DEMO OF DOCUMENT ENCRYPTION
     Pray to the demo gods
  18. DEMO OF EMAIL ATTACHMENT
     Pray to the demo gods
  19. DEMO OF UNAUTHORIZED ACCESS
     Pray to the demo gods
  20. DEMO OF TRACKING
     Pray to the demo gods
  21. DEMO ON VIRUS TOTAL
     Pray to the demo gods
  22. COMPETITORS
     • Gmail – Confidentiality mode
       • Can be emails with links and/or attachments
       • Verified via SMS MFA if phone number is known.
       • Not encrypted
       • Prompted before clicking links/attachments
  23. INCOMING MESSAGE
  24. AUTHORIZED ACCESS
  25. LINK REDIRECTION
  26. THANK YOU!
