1. NOTES:
   1. Victim environment setup: The attacker does not need a Microsoft account or environment, only the victim
   2. DO NOT run this in a production environment.
   3. Existing account: An existing Azure+Office365 account can be used, in which case just check that Azure+O365 access woorks for the existing accounts in steps 3 and 5.
   4. New account: These instructions are only needed if you want to create a new set of accounts to serve as the victim accounts.
   5. Admin privileges: You need administrator privileges to manage user accounts within Azure and Office 365.
   6. Trial accounts: this is the easiest way to create new accounts to test this POC (creating an O365 account should create the Azure account)
      • https://www.microsoft.com/en-us/microsoft-365/try
      • https://azure.microsoft.com/en-us/free/
      • Then the inital administrator account can be the example victim account. Otherwise, follow steps below to create a separate victim account in an existing Azure AD and Office 365 environment
2. AD Setup: Within Azure AD, login as an AD administrator and create victim account
   1. portal.azure.com > Azure Active Directory > Users
   2. ensure a subscription exists and some example resources exist that the user can access
3. Check AD: Ensure the victim has read access to an Azure subscription and resources
   1. log into portal.azure.com as the victim, Search on subscriptions, should see at least 1
   2. search on All Resources, make sure at least one resource exists
   3. create some additional resources if you wish
4. Office 365 Setup: Within the Office 365, login as the administrator and check that a license of Office 365 is associated with the victim
   1. login.onmicrosoft.com > Admin icon > Users > Active Users
5. Check Office 365: Ensure the Office 365 Outlook email works for the victim
   1. login.onmicrosoft.com as the victim account > Outlook icon

• Set victim user email address in the "to" propery
• Set SMTP settings if you want to have the demo code send an email phish
• Keep other config settings as is (page=true, interactive=true, verbose=1, etc.)

• command-line: Powershell.exe|pwsh demo_msft.ps1 -config demo_cfg.json
• Step #0: user and device codes generated
• Step #1: phish email sent (to user/victim set in demo_cfg.json)
• Step #2: will loop waiting for user/victim to authenticate/authorize
• In browser, <log in as user/victim to login.microsoft.com, check Outlook, follow phishing email link, authenticate)
• Step #3: retrieve user''s oauth access tokens
• Step #4: use access token to list users in Azure AD
• Step #5: retrieve user''s email
• Step #6: move laterally and use refresh token to get new access token for Azure
• Step #7: will list resources within Azure subscriptions that the user/victim has access to

Evolving Phishing Attacks

• A Big Catch: Cloud Phishing from Google App Engine and Azure App Service
• Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks
• Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps
• Office 365 Phishing Attack Leverages Real-Time Active Directory Validation
• Demonstration - Illicit Consent Grant Attack in Azure AD https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/)
• Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD
• HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor
• Pawn Storm Abuses OAuth In Social Engineering Attack

OAuth Device Code Flow

• OAuth 2.0 RFC
• OAuth 2.0 Device Authorization Grant RFC
• OAuth 2.0 for TV and Limited-Input Device Applications
• OAuth 2.0 Scopes for Google APIs
• Introducing a new phishing technique for compromising Office 365 accounts
• Office Device Code Phishing

Additional OAuth Research Areas

• Poor OAuth implementation leaves millions at risk of stolen data
• How did a full access OAuth token get issued to the Pokémon GO app?