About “Office 365 Man-in-the-Middle Attack Demo”
Presented By
Ryan O'Boyle
Our incident response team is seeing an uptick in adversaries using a very tricky man-in-the-middle attack to bypass MFA and breach Office 365 tenants.
Here’s an outline of how the attack works:
- We trick a user into entering creds into our fake O365 login page (made with evilginx)
- We make Microsoft send a passcode to the user’s phone
- User enters their passcode on OUR fake page
- We hijack the user’s session token
- Gain access to SharePoint Online environment
- Exfiltrate data from O365
- Pivot to on-prem and steal CEO’s emails (because why not?)