Phishing PoC for Entra Rebranding
Phishing PoC for MS Entra ID Rebranding
Microsoft's rebranding of Azure AD to Entra ID allows attackers to craft a nice full-chain attack. A lot of good phishing domains were left unclaimed; it seems Microsoft did not care about this. I made a PoC for my employer, https://cyvisory.group/.
tl;dr
This is a full-chain phishing attack, starting with a cross-tenant MS Teams message, using a VNC container phishing technique and resulting in a complete account compromise via session hijacking.
What's going on:
- Cross-tenant Teams message
- Fake message design
- Nice phishing domain: entra-id.cloud
- Phishing via VNC container (NoPhish)
- Session Takeover after login
- A complex password and MFA do not protect against this
PoC
By chaining it all together, we get a nice, simple flow here.
General conditions and what might protect you:
- Default Azure settings (no conditional access)
- Default Teams settings (external collaboration allowed)
- No Defender for Identity
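On the detection side, the two ingredients named above (a message from another tenant, and a link to a brand look-alike host such as entra-id.cloud) can be checked together. The following is an added example, not part of the original PoC; the message fields, the trusted-domain list and the token list are assumptions to adapt to your own export format.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts under these Microsoft-operated domains are treated as genuine.
TRUSTED = ("microsoft.com", "microsoftonline.com", "office.com", "azure.com", "live.com")
# Brand words a look-alike host tends to carry as a label part ("entra-id" -> "entra", "id").
BRAND_TOKENS = ("entra", "azure", "microsoft", "office365")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def brand_token(host):
    """First brand token that starts any '.'/'-' separated part of host, else None."""
    for part in re.split(r"[.-]", host):
        for token in BRAND_TOKENS:
            if part.startswith(token):
                return token
    return None


def flag_message(msg):
    """Return (url, token) pairs worth review in a cross-tenant message."""
    if msg["sender_tenant"] == msg["recipient_tenant"]:
        return []  # internal message: outside the scenario on this page
    hits = []
    for url in URL_RE.findall(msg["body"]):
        host = host_of(url)
        token = brand_token(host) if host and not is_trusted(host) else None
        if token:
            hits.append((url, token))
    return hits


# Constructed sample messages (tenant names and message text are made up).
SAMPLES = [
    {"sender_tenant": "tenant-b", "recipient_tenant": "tenant-a",
     "body": "Action required: confirm your account at https://entra-id.cloud/signin today"},
    {"sender_tenant": "tenant-b", "recipient_tenant": "tenant-a",
     "body": "Docs are at https://entra.microsoft.com/ and https://central.example/a"},
    {"sender_tenant": "tenant-a", "recipient_tenant": "tenant-a",
     "body": "Internal note mentioning https://entra-id.cloud/signin"},
]
```

Matching on the start of each host part keeps words like "central" from triggering on "entra", at the cost of missing hosts that bury the brand word mid-label.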
Links
The PoC was first published on Twitter.