Phishing PoC for MS Entra ID Rebranding

Microsoft's rebranding of Azure AD to Entra ID allows attackers to craft a nice full-chain attack. There were a lot of good phishing domains not claimed; it seems Microsoft did not care about this. I made a PoC for my employer.


This is a full-chain phishing attack, starting with a cross-tenant MS Teams message, using a VNC container phishing technique, and resulting in a complete account compromise via a session hijack.

Take me to the PoC

What's going on:

  • Cross-tenant Teams message
  • Fake message design
  • Nice phishing domain :
  • Phishing via VNC container (NoPhish)
  • Session Takeover after login
  • Complex password and MFA do not protect against this


By chaining it all together, we get a nice simple flow here.

General conditions and what might protect you:

  • Default Azure settings (no conditional access)
  • Default Teams settings (external collaboration allowed)
  • No Defender for Identity
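
A defender-side check for the first two links of this chain (cross-tenant message plus brand-lookalike domain), added here as an example and not part of the original post or PoC. The message fields `sender_tenant` and `body`, the allow-list, the brand terms and the sample hosts are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Illustrative allow-list of domains Microsoft uses for sign-in and portals;
# extend it for your environment (assumption, not taken from the post).
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                    "azure.com", "live.com")
# Brand terms a lookalike host would borrow after the Entra ID rebranding.
BRAND_TERMS = ("entra", "azuread", "microsoft", "office365", "msteams")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted(host: str) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(message: dict, home_tenant: str) -> list[str]:
    """Return brand-lookalike URLs found in a cross-tenant chat message.

    `message` uses hypothetical fields: sender_tenant (str) and body (str).
    """
    if message["sender_tenant"] == home_tenant:
        return []  # internal sender: out of scope for this check
    hits = []
    for url in URL_RE.findall(message["body"]):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. unbalanced brackets
            continue
        if not host or is_trusted(host):
            continue
        # Strip separators so hyphenated or dotted brand names still match.
        squashed = re.sub(r"[^a-z0-9]", "", host)
        if any(term in squashed for term in BRAND_TERMS):
            hits.append(url)
    return hits


# Constructed sample messages (tenant names and hosts are placeholders).
SAMPLES = [
    {"sender_tenant": "tenant-b", "body": "Action required: https://entra-id.example/login"},
    {"sender_tenant": "tenant-b", "body": "Docs: https://entra.microsoft.com/"},
    {"sender_tenant": "tenant-b", "body": "See https://microsoft.com.login.example/auth now"},
    {"sender_tenant": "tenant-a", "body": "https://entra-id.example/login"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["sender_tenant"], suspicious_links(m, home_tenant="tenant-a"))
```

The third sample shows why the trust check compares on a dot boundary: a host that merely starts with a trusted name is still flagged.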


The PoC was first published on Twitter.