Depending on role permissions, this PowerShell module will give you further functionality, such as adding owners to service principals, getting credentials for service principals, adding roles to members and creating users and administrative members. If there are things I have missed, please let me know and I will amend the matrix.

Azure AD PowerShell – Any user in the domain can utilise this Graph module to export the full list of users, domain information and user roles.

This is by no means a comprehensive list of all attacks on O365. I will be posting a second part to this blog that will explore detection mechanisms.

The following section provides a high-level explanation of the various attacks in the matrix. This is by no means comprehensive and if you notice anything I have missed, please let me know on Twitter and I will amend this matrix. I will be writing a Part II follow-up that describes the methods of detection for each attack.

As a part of my own learning as well as a way of bringing more attention to these styles of attacks, I’ve decided to build out a matrix of various attack techniques that can be leveraged on O365. This blog post explores the various ways O365 can be attacked.

In conversations with several clients, I couldn’t help but notice that there’s still a heavy focus on “endpoint” style attacks and not much resource / thought put into attacks that can occur in the cloud.

Attacking O365 gives an attacker many benefits… it allows an attacker to impersonate users, alter MFA settings, register malicious devices, access Teams messages, download sensitive emails, access SharePoint, OneDrive, register malicious applications and various other actions that could allow them to maintain persistence in your environment. When I was looking through the MITRE mapping of O365 attacks, I noticed that it didn’t include many methods of intrusion and actions on objectives that can occur with O365.
APTs are actively attacking Office 365 (O365) – finding mechanisms to bypass MFA and to impersonate users regardless of whether you reset their passwords.