Phishing PoC for MS Entra ID Rebranding

Microsoft's rebranding of Azure AD to Entra ID allows attackers to craft a nice full-chain attack. There were a lot of good phishing domains not claimed; it seems Microsoft did not care about this. I made a PoC for my employer https://cyvisory.group/.

tl;dr

This is a full-chain phishing attack, starting with a cross-tenant MS Teams message, using a VNC-container phishing technique and resulting in a complete account compromise via a session hijack.


What's going on:

  • Cross-tenant Teams message
  • Fake message design
  • Nice phishing domain: entra-id.cloud
  • Phishing via VNC container (NoPhish)
  • Session takeover after login
  • A complex password and MFA do not protect against this

PoC

By chaining everything together, we get a nice, simple flow.

General conditions and what might protect you:

  • Default Azure settings (no Conditional Access)
  • Default Teams settings (external collaboration allowed)
  • No Defender for Identity
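The first link in the chain is a Teams message carrying a link to a brand-lookalike domain such as entra-id.cloud. As an added example (not part of the PoC or of the author's tooling), the following Python flags such links in message text so a defender can alert on or block them. The brand tokens, the allowlist of Microsoft sign-in hosts and the sample message are assumptions made for this example; a real deployment would maintain its own lists.

```python
import re
from urllib.parse import urlparse

# Brand tokens a lookalike domain for the Entra ID / Microsoft 365 sign-in flow
# would plausibly carry. Assumed list for this example.
BRAND_TOKENS = ("entra", "microsoft", "azure", "office365", "m365", "msonline")

# Registrable domains Microsoft itself uses for sign-in and admin portals.
# Assumed allowlist for this example; extend it to your tenant's needs.
LEGIT_SUFFIXES = (
    "microsoft.com",
    "microsoftonline.com",
    "azure.com",
    "office.com",
    "live.com",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of a URL, or '' if none can be parsed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _is_legit(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def _normalised(host):
    # Collapse separators so "entra-id", "entra_id" and "entraid" compare equal.
    return re.sub(r"[-_.]", "", host)


def classify_link(url):
    """Return 'legit', 'lookalike' or 'other' for one URL.

    Allowlisted hosts win first, so a legitimate Microsoft host that also
    contains a brand token is never reported as a lookalike.
    """
    host = _host(url)
    if not host:
        return "other"
    if _is_legit(host):
        return "legit"
    if any(tok in _normalised(host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "other"


def scan_message(text):
    """Return (url, verdict) for every URL found in a message body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


def lookalike_links(text):
    """Only the URLs a defender would want to alert on."""
    return [u for u, v in scan_message(text) if v == "lookalike"]


# Constructed sample Teams message, modelled on the PoC's migration pretext.
SAMPLE_MESSAGE = (
    "Hi, as part of the Entra ID migration please re-authenticate here: "
    "https://entra-id.cloud/login and confirm at https://login.microsoftonline.com/ "
    "Docs: https://learn.microsoft.com/entra"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
```

Separator normalisation is what catches the entra-id.cloud pattern; an exact-match blocklist would not, and the same hook is where a real deployment would add a tenant-specific allowlist of partner domains.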

Links

The PoC was first published on Twitter.