Microsoft 365 Authentication Attacks
Microsoft 365 Authentication Attacks are a critical area of focus in the GCIH certification, as Microsoft 365 (M365) is one of the most widely used cloud platforms in enterprise environments, making it a prime target for adversaries.

**Common Attack Vectors:**

1. **Password Spraying:** Attackers try a few commonly used passwords against many accounts, staying below each account's lockout threshold. This is highly effective against M365 tenants that lack strong password policies.
2. **Credential Stuffing:** Leveraging username/password pairs leaked from breaches of other services, attackers exploit password reuse to gain unauthorized access to M365 accounts.
3. **Brute Force Attacks:** Systematic password guessing, often aimed at legacy (basic) authentication endpoints such as IMAP, POP3 and SMTP AUTH, which cannot complete a Multi-Factor Authentication (MFA) challenge and therefore sidestep MFA requirements.
4. **Token Theft and Replay:** Attackers steal OAuth tokens or session cookies through phishing, malware or adversary-in-the-middle attacks and replay them, bypassing both the password and MFA.
5. **Adversary-in-the-Middle (AiTM) Phishing:** Phishing frameworks like Evilginx2 proxy the authentication exchange between the victim and Microsoft's login portal, capturing both the credentials and the post-MFA session cookie in real time, effectively bypassing MFA.
6. **Legacy Protocol Exploitation:** Older protocols that don't support modern authentication can be used to authenticate without MFA enforcement.

**Exploitation Frameworks:** Tools like MSOLSpray, Ruler, AADInternals, and MFASweep are commonly used to enumerate users, spray passwords, test which endpoints actually enforce MFA, and exploit M365 services.
**Mitigation Strategies:**

- Enforce MFA across all accounts and block legacy authentication
- Implement Conditional Access policies
- Enable Azure AD Identity Protection (now Microsoft Entra ID Protection) for risk-based sign-in detection
- Monitor sign-in logs for anomalous activity
- Use passwordless authentication methods
- Deploy FIDO2 security keys, whose assertions are bound to the legitimate origin and so defeat AiTM attacks

Understanding these attacks is essential for incident handlers to detect, respond to, and prevent unauthorized access to cloud-based enterprise environments.
Microsoft 365 Authentication Attacks: A Comprehensive Guide for GIAC GCIH
Why Microsoft 365 Authentication Attacks Matter
Microsoft 365 (formerly Office 365) is one of the most widely deployed cloud productivity platforms in the world, used by millions of organizations. This makes it a prime target for attackers. Understanding how authentication attacks work against Microsoft 365 is critical for incident handlers because:
- Massive attack surface: Nearly every enterprise uses Microsoft 365, making it a universal target.
- Gateway to sensitive data: Compromising a Microsoft 365 account can give attackers access to email, SharePoint, OneDrive, Teams, and other services containing sensitive corporate data.
- Lateral movement potential: A compromised M365 account can be leveraged for phishing, business email compromise (BEC), and further lateral movement within an organization.
- Cloud-based persistence: Attackers can establish persistent access through OAuth tokens, app registrations, and mail forwarding rules that survive password resets.
What Are Microsoft 365 Authentication Attacks?
Microsoft 365 authentication attacks are techniques used by threat actors to compromise user credentials or bypass authentication mechanisms to gain unauthorized access to Microsoft 365 tenants. These attacks target the identity layer of the Microsoft cloud ecosystem, primarily through Azure Active Directory (now Microsoft Entra ID).
Key attack types include:
1. Password Spraying
Password spraying involves trying a small number of commonly used passwords against many accounts simultaneously. This technique avoids account lockout thresholds by limiting the number of attempts per account. Tools like MSOLSpray, SprayingToolkit, and Ruler are commonly used.
- Attackers enumerate valid usernames first (commonly via the GetCredentialType endpoint on login.microsoftonline.com, which reveals whether a username exists in a tenant, or via SMTP, Autodiscover or ActiveSync responses).
- A single password (e.g., "Spring2024!") is tried against hundreds or thousands of accounts.
- The attacker waits between sprays to avoid lockout detection.
- This is extremely effective because organizations often have at least a few users with weak passwords.
2. Credential Stuffing
Attackers use previously breached username/password combinations from other services, betting on password reuse. Large credential databases from prior breaches are automated against Microsoft 365 login endpoints.
3. Phishing for Credentials
Attackers create convincing replicas of Microsoft login pages to harvest credentials. Common techniques include:
- Adversary-in-the-Middle (AiTM) phishing: Tools like Evilginx2 and Modlishka act as transparent proxies that capture both credentials and session tokens, effectively bypassing MFA.
- Device code phishing: Attackers abuse the OAuth 2.0 device authorization grant flow by tricking users into entering a code on the legitimate Microsoft device login page (microsoft.com/devicelogin), which grants the attacker an OAuth token.
- Traditional credential harvesting pages sent via phishing emails.
4. Token Theft and Replay
Rather than stealing passwords, attackers steal OAuth tokens or session cookies. These can be extracted from:
- Browser cookie stores
- Memory dumps
- AiTM proxy attacks
- Compromised endpoints
Stolen tokens can be replayed to access Microsoft 365 services without needing the password or MFA.
5. OAuth/Consent Phishing (Illicit Consent Grant)
Attackers register a malicious application (typically a multi-tenant app in a tenant they control) and trick users into granting it delegated permissions (e.g., read email, access files). Once consent is granted, the attacker holds tokens for the user's data and has persistent API access without ever needing the user's credentials. This survives a password change; only revoking the consent grant (and the app's refresh tokens) removes it.
6. Brute Force Against Legacy Protocols
"Legacy authentication" here means basic (username/password) authentication over protocols such as IMAP, POP3, SMTP AUTH, and Exchange ActiveSync. A basic-auth client has no way to complete an MFA prompt, so attackers target these endpoints because:
- MFA cannot be enforced on a basic-auth sign-in; a correct password alone is sufficient.
- Conditional Access grant controls that require MFA cannot be satisfied by these clients, so unless a policy explicitly blocks legacy authentication clients, the sign-in succeeds on the password alone.
- Tools like MailSniper can be used to enumerate and authenticate via these protocols.
Note that Microsoft began disabling Basic Authentication in Exchange Online tenants in October 2022 (SMTP AUTH excepted), so a current tenant may already refuse these logins; the concept nonetheless remains a staple exam topic.
How These Attacks Work — Technical Flow
Password Spray Example:
1. Reconnaissance: Attacker uses tools to enumerate valid email addresses (e.g., querying Azure AD endpoints, LinkedIn scraping, or using tools like o365creeper).
2. Spray execution: The attacker uses a tool like MSOLSpray to authenticate against the Microsoft Online login endpoint (login.microsoftonline.com) using one password across all enumerated accounts.
3. Success identification: Successful authentications are logged. The attacker now has valid credentials.
4. Post-exploitation: The attacker logs in, sets up mail forwarding rules, searches for sensitive data, or uses the compromised account to send internal phishing emails.
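The spray flow above is what the defender has to spot in the sign-in logs. The following Python is an added example, not code from the original page or from any of the tools it names: it reads exported Microsoft Entra ID sign-in events (one JSON object per line, using the `createdDateTime`, `userPrincipalName`, `ipAddress` and `status.errorCode` fields of the sign-in log) and flags a source IP that fails against many distinct accounts with only a couple of attempts each. It also surfaces the accounts for which the same source later received error 50076/50074 (password accepted, MFA required), which is how a spray "hit" looks when MFA is enforced. The sample events are constructed; the thresholds are assumptions to tune per tenant.

```python
"""Password-spray detection over exported Microsoft Entra ID sign-in events.

A spray shows up as one source (IP) producing failures for MANY distinct
accounts with only one or two attempts each inside a short window. The
error codes used are Entra ID's own: 50126 = wrong username/password,
50053 = account locked, 50076 / 50074 = password accepted but MFA required
(a spray "hit"), 0 = success. Sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_ACCEPTED = {0, 50074, 50076, 50079}   # password was right; MFA decided the outcome
PASSWORD_REJECTED = {50126, 50053}             # bad password, or locked out by earlier bad passwords


def parse_signins(lines):
    """Parse newline-delimited JSON sign-in events into (time, upn, ip, errorCode), oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        events.append((ts, e["userPrincipalName"].lower(), e["ipAddress"], int(e["status"]["errorCode"])))
    return sorted(events)


def detect_password_spray(lines, window=timedelta(minutes=60), min_users=8, max_per_user=3):
    """Return {ip: finding} for source IPs whose failures look like a spray.

    Per IP, slide a time window over its events; flag when at least `min_users`
    distinct accounts failed with <= `max_per_user` attempts each (the signature
    of one password tried against many accounts, as opposed to one user retrying).
    """
    by_ip = defaultdict(list)
    for ts, upn, ip, code in parse_signins(lines):
        by_ip[ip].append((ts, upn, code))

    findings = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            failures = defaultdict(int)
            for _, upn, code in window_events:
                if code in PASSWORD_REJECTED:
                    failures[upn] += 1
            sprayed = [u for u, n in failures.items() if n <= max_per_user]
            if len(sprayed) < min_users:
                continue
            # accounts the same source got a correct password for inside this window
            hits = {upn for _, upn, code in window_events if code in PASSWORD_ACCEPTED}
            f = findings.setdefault(ip, {"distinct_failed_users": 0, "accepted_password_for": set(),
                                         "first_seen": window_events[0][0].isoformat()})
            f["distinct_failed_users"] = max(f["distinct_failed_users"], len(sprayed))
            f["accepted_password_for"] |= hits
    for f in findings.values():
        f["accepted_password_for"] = sorted(f["accepted_password_for"])
    return findings


# --- constructed sample: a spray of 12 accounts from 203.0.113.5 with one hit, plus a real
# user mistyping their password four times from 198.51.100.7 ---
def _event(minute, upn, ip, code):
    return json.dumps({"createdDateTime": f"2024-05-01T09:{minute:02d}:00Z", "userPrincipalName": upn,
                       "ipAddress": ip, "appDisplayName": "OfficeHome", "status": {"errorCode": code}})


SAMPLE_SIGNINS = (
    [_event(i, f"user{i:02d}@contoso.com", "203.0.113.5", 50126) for i in range(12)]
    + [_event(12, "j.doe@contoso.com", "203.0.113.5", 50076)]
    + [_event(m, "l.smith@contoso.com", "198.51.100.7", 50126) for m in (3, 4, 5, 6)]
)

if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

Real sprays rotate source IPs, so in production the same logic is usually keyed on ASN or on the user-agent string rather than a single address; the per-user cap is what separates a spray from a single user's legitimate retries.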
AiTM Phishing Example:
1. Attacker deploys Evilginx2 with a phishlet configured for Microsoft 365.
2. A phishing email lures the victim to a URL controlled by the attacker's proxy.
3. The proxy forwards requests to the real Microsoft login page and relays responses back to the victim — the experience looks completely legitimate.
4. The victim enters credentials and completes MFA.
5. The proxy captures the session cookie/token after successful authentication.
6. The attacker uses the captured session cookie to access the victim's Microsoft 365 account, bypassing MFA entirely.
Device Code Phishing Example:
1. Attacker initiates a device code flow request to Microsoft's OAuth endpoint, receiving a user code and device code.
2. The attacker sends the user code to the victim via email, Teams, or social engineering (e.g., "Enter this code to access the shared document").
3. The victim navigates to https://microsoft.com/devicelogin and enters the code.
4. The victim authenticates (including MFA) on the legitimate Microsoft page.
5. The attacker's device receives the OAuth access and refresh tokens, granting persistent access.
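The device code steps above are easiest to understand as the two halves of the OAuth 2.0 device authorization grant (RFC 8628) running on different machines. The following Python is an added simulation, not code from the original page and not Microsoft's implementation: a constructed stand-in for the /devicecode and /token endpoints plays the authorization server, one function plays the attacker polling for tokens, and the victim "enters the code" after a full sign-in. The client ID is a hypothetical placeholder, the tokens are opaque placeholders, and the `allow_device_code_flow` switch stands in for a Conditional Access policy that blocks the device code flow; nothing touches the network.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) showing
why device code phishing works: the party that STARTS the flow receives the
tokens, while the party that APPROVES it authenticates, with MFA, on the
genuine login page. The server below is a constructed stand-in for
login.microsoftonline.com's /devicecode and /token endpoints; nothing here
touches the network, and the tokens are opaque placeholders.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"      # consonants only, like Microsoft's user codes
PLACEHOLDER_CLIENT_ID = "00000000-1111-2222-3333-444444444444"   # hypothetical public client ID


@dataclass
class PendingAuthorization:
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None      # set once a user enters the code and signs in


class DeviceCodeAuthServer:
    def __init__(self, allow_device_code_flow=True, lifetime_seconds=900):
        self.allow_device_code_flow = allow_device_code_flow    # stands in for a CA policy blocking the flow
        self.lifetime = lifetime_seconds
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, scope):
        """Step 1 (attacker): POST /devicecode -> device_code (secret) + user_code (for the lure)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        pending = PendingAuthorization(client_id, scope, time.time() + self.lifetime)
        self._by_device_code[device_code] = pending
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime, "interval": 5}

    def user_login(self, user_code, authenticated_user):
        """Steps 3-4 (victim): enters the code on the real page after a full sign-in, MFA included."""
        if not self.allow_device_code_flow:
            return {"error": "blocked_by_conditional_access"}
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return {"error": "invalid_user_code"}
        pending = self._by_device_code[device_code]
        if time.time() > pending.expires_at:
            return {"error": "expired_token"}
        pending.approved_by = authenticated_user
        # the consent screen names the app and scopes, never the device that started the flow
        return {"status": "approved", "client_id": pending.client_id, "scope": pending.scope}

    def token(self, device_code):
        """Step 5 (attacker): POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        pending = self._by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if time.time() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        # tokens are issued for whoever approved, to whoever holds the device_code
        return {"token_type": "Bearer", "scope": pending.scope, "subject": pending.approved_by,
                "access_token": _placeholder_token("at", pending.approved_by, pending.scope),
                "refresh_token": _placeholder_token("rt", pending.approved_by, pending.scope)}


def _placeholder_token(kind, subject, scope):
    return kind + "." + hashlib.sha256(f"{subject}|{scope}|{secrets.token_hex(8)}".encode()).hexdigest()[:32]


def run_device_code_phish(server):
    """The attack end to end; returns the attacker's /token response (or the victim-side error)."""
    start = server.device_authorization(PLACEHOLDER_CLIENT_ID, "openid offline_access Mail.Read")
    # attacker's first poll: nothing yet
    assert server.token(start["device_code"]) == {"error": "authorization_pending"}
    # lure delivered: "enter code {user_code} at {verification_uri} to open the shared document"
    victim_view = server.user_login(start["user_code"], "victim@contoso.com")
    if "error" in victim_view:
        return victim_view
    return server.token(start["device_code"])          # attacker's next poll succeeds


if __name__ == "__main__":
    print(run_device_code_phish(DeviceCodeAuthServer()))
    print(run_device_code_phish(DeviceCodeAuthServer(allow_device_code_flow=False)))
```

Two details matter for investigations: the victim never sees the attacker's device, only the app name and scopes on the legitimate consent screen, and the resulting refresh token (requested here via `offline_access`) keeps working after the victim's password is changed until it is revoked.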
Key Tools Used in Microsoft 365 Authentication Attacks
- MSOLSpray: PowerShell-based password spraying tool targeting Microsoft Online.
- SprayingToolkit: A suite for password spraying O365, OWA, and Lync/Skype.
- MailSniper: Searches through email after gaining access; also useful for password spraying Exchange/OWA.
- Evilginx2: AiTM phishing framework for capturing credentials and session tokens.
- Modlishka: Another reverse-proxy phishing tool.
- o365creeper: Tool for validating email addresses against Office 365.
- AADInternals: PowerShell module for Azure AD and M365 reconnaissance and exploitation.
- ROADtools: Framework for Azure AD enumeration and exploitation.
- TokenTactics: Tool for working with Azure AD OAuth tokens, useful for device code phishing.
Detection and Defense
Understanding defenses is critical for the GCIH exam:
- Disable legacy authentication: Use Conditional Access policies to block legacy auth protocols (IMAP, POP3, SMTP AUTH, ActiveSync with basic auth).
- Enable MFA: Enforce MFA for all users, but understand that AiTM attacks and device code phishing can bypass standard MFA.
- Phishing-resistant MFA: FIDO2 security keys and certificate-based authentication are resistant to AiTM attacks because they are bound to the legitimate domain.
- Conditional Access Policies: Restrict sign-ins by location, device compliance, risk level, and application.
- Monitor Azure AD Sign-In Logs: Look for signs of password spraying (many different accounts each failing once or twice with error code 50126 from the same IP or ASN in a short window; a 50076 or 50074 result for one of those accounts means the password was accepted and only MFA stopped the sign-in), unusual sign-in locations, and suspicious token usage.
- Review OAuth app consent: Regularly audit enterprise applications and user consent grants in Azure AD. Restrict user ability to consent to apps.
- Mailbox rules audit: Check for malicious inbox rules (forwarding, deletion) created after compromise.
- Unified Audit Log (UAL): Enable and monitor the UAL for suspicious activities like mass file downloads, new inbox rules, or admin role changes.
- Microsoft Defender for Cloud Apps: Can detect impossible travel, risky sign-ins, and unusual email activity.
- Token protection (token binding): Conditional Access feature, initially released in preview for specific Windows clients and apps, that cryptographically binds a sign-in session token to the device it was issued to, so a stolen token replayed from another machine is rejected.
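The AiTM flow in the technical section works because nothing in a password-plus-OTP login is tied to the site the browser is actually on, and the phishing-resistant MFA bullet above states that FIDO2 keys are bound to the legitimate domain. The following Python simulation is an added example, not code from the original page or from Microsoft; it reproduces the three places WebAuthn enforces that binding: the browser refuses an RP ID that is not a suffix of its current origin, it has no credential scoped to the proxy's own domain, and the relying party rejects an assertion whose clientDataJSON names the wrong origin. The lookalike host `login.microsoftonline-com.example` is a hypothetical proxy domain, the credential store is constructed, and the final public-key signature check is not reproduced (the standard library has no ECDSA); the binding checks themselves are the ones from the specification.

```python
"""Why FIDO2/WebAuthn survives an AiTM proxy while a TOTP code does not.

The browser (not the user) writes the origin it is actually talking to into
clientDataJSON, scopes credentials to an RP ID that must match that origin,
and the authenticator signs authenticatorData || SHA-256(clientDataJSON),
where authenticatorData begins with SHA-256(rpId). A victim proxied through a
lookalike host therefore cannot produce an assertion the real relying party
accepts. Constructed simulation of the browser and RP checks; the signature
check with the credential's public key is not reproduced here.
"""
import base64
import hashlib
import json
import os
from urllib.parse import urlparse

LEGIT_ORIGIN = "https://login.microsoftonline.com"
LEGIT_RP_ID = "login.microsoftonline.com"
PHISH_ORIGIN = "https://login.microsoftonline-com.example"   # hypothetical AiTM proxy host
VICTIM_CREDENTIALS = {LEGIT_RP_ID: b"\x01" * 16}             # credential ID registered with the real RP


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def browser_get_assertion(origin, rp_id, challenge, credentials):
    """What a browser at `origin` does for navigator.credentials.get({rpId, challenge})."""
    host = urlparse(origin).hostname
    # RP ID must equal the origin's host or be a registrable suffix of it (real browsers also
    # consult the public suffix list); a page served from a proxy host cannot name the real RP ID.
    if not (rp_id == host or host.endswith("." + rp_id)):
        return {"error": f"SecurityError: RP ID {rp_id} is not valid for origin {origin}"}
    if rp_id not in credentials:
        return {"error": f"NotAllowedError: no credential registered for {rp_id}"}
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                   "origin": origin, "crossOrigin": False}).encode()
    flags = 0x01 | 0x04                      # UP (user present) | UV (user verified)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return {"credentialId": credentials[rp_id], "clientDataJSON": client_data_json,
            "authenticatorData": auth_data,
            # bytes the authenticator signs; the RP verifies them with the stored public key
            "signedPayload": auth_data + hashlib.sha256(client_data_json).digest()}


def verify_assertion(expected_origin, expected_rp_id, issued_challenge, client_data_json, auth_data):
    """Relying-party checks (WebAuthn section 7.2) that bind an assertion to origin and RP ID."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    # a real RP now verifies the signature over auth_data + sha256(client_data_json)
    return "ok"


def scenario(browser_origin, requested_rp_id):
    """One login: the RP issues a challenge, the (possibly proxied) page asks the browser, the RP verifies."""
    challenge = os.urandom(32)        # an AiTM proxy relays this unchanged; it cannot change the origin
    resp = browser_get_assertion(browser_origin, requested_rp_id, challenge, VICTIM_CREDENTIALS)
    if "error" in resp:
        return resp["error"]
    return verify_assertion(LEGIT_ORIGIN, LEGIT_RP_ID, challenge, resp["clientDataJSON"], resp["authenticatorData"])


def proxied_client_data_rejected():
    """Even if a proxy somehow obtained client data for its own origin, the RP rejects it."""
    challenge = os.urandom(32)
    forged = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": PHISH_ORIGIN, "crossOrigin": False}).encode()
    legit_auth_data = hashlib.sha256(LEGIT_RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return verify_assertion(LEGIT_ORIGIN, LEGIT_RP_ID, challenge, forged, legit_auth_data)


if __name__ == "__main__":
    print("legitimate login:", scenario(LEGIT_ORIGIN, LEGIT_RP_ID))
    print("proxied, real RP ID:", scenario(PHISH_ORIGIN, LEGIT_RP_ID))
    print("proxied, proxy RP ID:", scenario(PHISH_ORIGIN, "login.microsoftonline-com.example"))
    print("forged client data:", proxied_client_data_rejected())
```

Contrast this with the session cookie Evilginx2 captures: that cookie carries no origin at all, which is exactly why the proxy can replay it.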
Post-Compromise Indicators
When investigating a potential M365 compromise, look for:
- New inbox rules forwarding email to external addresses
- OAuth applications with excessive permissions
- Unusual sign-in patterns (new locations, impossible travel)
- Changes to MFA settings
- New mail delegates added
- Mass email access or downloads
- Admin role assignments to previously non-admin accounts
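The inbox-rule and Unified Audit Log items in the defense list, and the first two post-compromise indicators above, come together in one routine audit. The following Python is an added example, not code from the original page or from Microsoft: it reads AuditData records (one JSON object per line, the shape the Search-UnifiedAuditLog cmdlet returns in its AuditData column for Exchange admin cmdlets) and flags New-InboxRule, Set-InboxRule and Set-Mailbox operations that forward or redirect mail outside the tenant, delete matching messages, mark them read, or carry the blank or punctuation-only rule names attackers favour. The records are constructed and `INTERNAL_DOMAINS` is an assumption standing in for the tenant's accepted domains.

```python
"""Audit Unified Audit Log (UAL) exports for the mailbox persistence attackers
leave after an M365 account takeover: inbox rules that forward or redirect
mail outside the tenant or silently delete it, and mailbox-level forwarding.
Input is one AuditData JSON object per line, the shape Search-UnifiedAuditLog
returns in its AuditData column for Exchange admin cmdlets. The records below
are constructed; INTERNAL_DOMAINS is an assumption standing in for the
tenant's accepted domains.
"""
import json
import re

INTERNAL_DOMAINS = {"contoso.com"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}
DELETE_PARAMS = {"DeleteMessage", "SoftDeleteMessage"}
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _parameters(record):
    """Flatten the cmdlet's Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value (e.g. '"Bob" [SMTP:bob@example.net]') outside the tenant."""
    return sorted(a for a in EMAIL_RE.findall(value) if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS)


def audit_mailbox_persistence(lines):
    """Return one finding per suspicious Exchange operation, in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = _parameters(rec)
        reasons = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            ext = external_addresses(params[name])
            if ext:
                reasons.append(f"{name} -> external {', '.join(ext)}")
        if any(params.get(n, "").lower() == "true" for n in DELETE_PARAMS):
            reasons.append("deletes matching messages")
        if params.get("MarkAsRead", "").lower() == "true" and reasons:
            reasons.append("marks messages as read (hides the activity from the owner)")
        if rec["Operation"] != "Set-Mailbox" and params.get("Name", "").strip(" .,-_") == "":
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"], "operation": rec["Operation"],
                             "client_ip": rec.get("ClientIP"), "rule": params.get("Name") or params.get("Identity"),
                             "reasons": reasons})
    return findings


# --- constructed sample: one malicious rule and mailbox forwarding from the same source IP,
# and one benign housekeeping rule ---
SAMPLE_UAL = [
    json.dumps({"CreationTime": "2024-05-01T10:15:02", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "j.doe@contoso.com", "ClientIP": "203.0.113.5", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "\"collector\" [SMTP:collector@example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-01T10:20:45", "Operation": "Set-Mailbox", "Workload": "Exchange",
                "UserId": "j.doe@contoso.com", "ClientIP": "203.0.113.5", "Parameters": [
                    {"Name": "Identity", "Value": "j.doe@contoso.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-01T11:00:00", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "l.smith@contoso.com", "ClientIP": "198.51.100.7", "Parameters": [
                    {"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "From", "Value": "news@contoso.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

if __name__ == "__main__":
    for finding in audit_mailbox_persistence(SAMPLE_UAL):
        print(finding)
```

Rules created from Outlook rather than PowerShell are logged under a different operation (UpdateInboxRules) with a different parameter layout, so a complete audit has to cover that path as well; the ClientIP on a flagged record is the pivot back into the sign-in logs.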
Exam Tips: Answering Questions on Microsoft 365 Authentication Attacks
1. Know the difference between password spraying and brute force: Password spraying uses one or few passwords against many accounts (horizontal attack), while brute force tries many passwords against one account (vertical attack). Spraying avoids lockout thresholds. Exam questions often test this distinction.
2. Understand why legacy authentication is dangerous: Legacy protocols like IMAP and POP3 do not support modern authentication/MFA. This is a very commonly tested concept. If a question asks about bypassing MFA in M365, legacy authentication is a key answer.
3. Know how AiTM phishing bypasses MFA: The attacker acts as a transparent proxy between the victim and the real login page, capturing the session token after the user completes MFA. The key detail is that the attacker gets the session cookie/token, not just the password.
4. Understand device code phishing: This abuses the legitimate OAuth device authorization flow. The victim authenticates on the real Microsoft site, but the attacker receives the tokens. Know that this happens at microsoft.com/devicelogin.
5. Remember that phishing-resistant MFA (FIDO2) defeats AiTM: Because FIDO2 keys verify the origin domain, they won't authenticate to a proxy domain. This is a likely test point.
6. Know key tools by name: Be able to associate tools with their functions — MSOLSpray for password spraying, Evilginx2 for AiTM phishing, MailSniper for email searching and spraying, AADInternals for Azure AD manipulation.
7. Focus on detection artifacts: Questions may ask what log entries or indicators to look for. Know that Azure AD sign-in logs show authentication attempts, the Unified Audit Log captures mailbox and admin activities, and suspicious inbox rules are a top post-compromise indicator.
8. Understand OAuth/consent phishing: Know that attackers can register malicious apps that request permissions. Once a user consents, the attacker has API-level access that persists through password changes. The defense is restricting user consent and auditing app registrations.
9. Conditional Access is the primary defense framework: Many questions about defending M365 will have Conditional Access policies as the answer — whether blocking legacy auth, enforcing MFA, restricting by location, or requiring compliant devices.
10. Scenario-based questions: When given a scenario describing an attack (e.g., "an attacker used one common password against 500 accounts"), identify the attack type (password spraying), the likely tool, and the appropriate detection/mitigation strategy. Read carefully — the specific details in the scenario will point to the correct answer.
11. Understand the kill chain post-compromise: After credential theft, attackers typically: establish persistence (inbox rules, OAuth apps), harvest data (email search, SharePoint access), and expand access (internal phishing, privilege escalation). Questions may test your knowledge of this sequence.
12. Time management: These questions are usually straightforward if you know the terminology. Don't overthink — match the attack description to the correct technique name and its corresponding defense.