This article follows up on our Fast Track talk at OFFZONE-2019, "Openwork Cases - How Microsoft Azure Helps with a Phishing Attack."
In a phishing attack that delivers a malicious attachment, the main problem is getting past the spam filters on the victim's mail server. Many companies host their mail in the Microsoft cloud, so you have to be a real mailing guru for a malicious attachment to slip past Microsoft's well-trained spam filters.
In Red Team engagements we try to use the legitimate tools that the users themselves use. For example, a company's own VPN service lets us get into the company with user rights while raising minimal (or no) suspicion.
So the idea came up to see how Microsoft itself could help us. We looked at the protections Microsoft offers and decided to find out what kind of beast this Azure Information Protection is.
Azure Information Protection
In this study we look at Azure Information Protection (AIP), a tool that classifies documents by confidentiality level and restricts access to them for different users in the organization.
It is very simple to use: you download a client with which specific rights can be set on each document. Labels and confidentiality levels are configured per company; the administrator has that right and responsibility. By default only two levels are created: Confidential and Highly Confidential.

It is also possible to grant access to individual users and assign them rights to the document. For example, if you want a specific user to read the document but change nothing in it, you can give that user Viewer rights.

Azure Information Protection is integrated with Office365, so the user needs no additional software to open the document and perform the permitted actions on it (from reading to editing to full rights over the document).
When AIP is used outside Office365, the protected document gets the .pfile extension and cannot be opened without the Azure Information Protection Viewer.
Overall the solution looked interesting, so we decided to run a study.
To conduct the study we need to:
- select and register a suitable Microsoft account
- register 2 companies (attacker and victim)
- create a malicious document that we will send in a phishing email
Microsoft account registration
For this study we chose a Microsoft business account, because it includes Azure Information Protection. AIP is also available in other plans; you can read about them here.
We will not describe in detail the difficulties of registering an account. In short: from Russia it is impossible to register a business account yourself, because of sanctions. But you can go through a partner (official companies; there are 4 of them in Russia) or register while on holiday in Europe after buying a local SIM card there.
We registered 2 companies. Company 1 is the victim, MyMetalCompany, with the domain mymetalcompany.club and two users, Petr Petrov and Vasya Vasechkin. The victim company does not use AIP.

Company 2 is the attacker, Gem Company, with a standard Microsoft domain, gemcompany.onmicrosoft.com, and a single user, Evil User, who will send phishing emails to Petrov and Vasechkin.

Evil User will run the experiment with a malicious document detected as DDEDownloader: a document with an embedded link that downloads a PowerShell script and runs it from the command line. Gem Company uses AIP.
Testing
Recall that our main goal is to get the malicious document past the spam filters and into the user's Inbox folder.
The first thing to check is whether the malicious document reaches the user if we send it in its so-called "pure form". Let's send the freshly created document from Evil User to Comrade Vasechkin.
The result was predictable: Microsoft did not like our letter and decided that Vasechkin should not waste his attention on such garbage. The letter simply never reached Vasechkin.
Now let's use Azure Information Protection to specify that only Vasechkin can open the document, and only in read mode. Why read mode only? Because what matters to us is that the user opens the document; which actions he can then perform on it is completely irrelevant, so read mode is enough. Note that we change nothing in the document itself; we simply set restrictions on working with it. Some encryption magic then happens, organized by AIP, but it does not matter for this study.

Let's send such a document to Petrov and Vasechkin and see what happens with each of them. Note that Petrov has no rights to the document at all.
The first thing to notice is that the malicious document landed in the Inbox folder of both Petrov and Vasechkin!
Vasechkin calmly opens the document in Microsoft Word. No additional software is needed.

We see that access is restricted, but the entire contents of the document are still visible.
Another point is that a document protected with AIP can be opened only in Word, i.e. it cannot be previewed in the mail client or in online services.
For Petrov the situation is the opposite: he cannot open the document, because he has no "documents" (as they say in a famous cartoon).

On the downside, the account under which the document was protected with AIP is visible. This may give the Blue Team a clue when investigating an incident. Otherwise everything works according to the rules we set.
Great, but what happens if we only set a confidentiality level? We don't necessarily need anyone to open the document; the main thing in this study is to get into the Inbox folder.
We tried setting the Confidential level on the document: the document was killed by the spam filter.
Restrictions can also be applied to the letter itself. An add-in appears in the Outlook client that lets you set restrictions on a letter, and (according to Microsoft's documentation) they apply to the entire contents of the letter, including attachments. The add-in appears if the user uses AIP; in our case Evil User uses it and has the add-in.
We tried putting the Highly Confidential label on the letter with the attachment: the letter did not reach the Inbox.
We understand that "for all users" cannot be used, because "all users" includes the service accounts that check incoming emails for malware.
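From the defender's side, the testing above leaves two clues: a protected attachment from an external tenant cannot be content-scanned at all, and the account that applied the protection is visible. The triage rule below is an added example, not code from the article; it assumes a mail gateway has already parsed each message into the records shown (protection status and protecting account are taken as given, and the sample messages are constructed to mirror the scenario).

```python
"""Hold-for-review rule for inbound mail carrying AIP/RMS-protected attachments.

Assumption: an upstream parser fills in `rms_protected` and `protected_by`;
container parsing is out of scope here.
"""
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAINS = {"mymetalcompany.club"}   # victim tenant from the article
PFILE_EXT = ".pfile"                          # generic AIP wrapper extension


@dataclass
class Attachment:
    filename: str
    rms_protected: bool            # payload is encrypted, scanner saw nothing
    protected_by: str = ""         # account that applied protection, if visible


@dataclass
class Message:
    sender: str
    recipient: str
    attachments: List[Attachment] = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> List[str]:
    """Return reasons to hold the message; an empty list means deliver."""
    reasons = []
    sender_dom = _domain(msg.sender)
    external = sender_dom not in INTERNAL_DOMAINS
    for att in msg.attachments:
        protected = att.rms_protected or att.filename.lower().endswith(PFILE_EXT)
        if not protected:
            continue
        # Encrypted content bypassed scanning, so external origin alone is enough.
        if external:
            reasons.append(f"{att.filename}: external sender, payload not scannable")
        if att.protected_by:
            owner_dom = _domain(att.protected_by)
            if owner_dom != sender_dom:
                reasons.append(f"{att.filename}: protected by {att.protected_by}, not the sender's domain")
            if owner_dom.endswith(".onmicrosoft.com"):
                reasons.append(f"{att.filename}: protected under a default tenant domain")
    return reasons


# Constructed samples: the attacker tenant from the article, and a normal internal mail.
PHISH = Message("evil.user@gemcompany.onmicrosoft.com", "vasechkin@mymetalcompany.club",
                [Attachment("invoice.docx", True, "evil.user@gemcompany.onmicrosoft.com")])
INTERNAL = Message("petrov@mymetalcompany.club", "vasechkin@mymetalcompany.club",
                   [Attachment("report.docx", True, "petrov@mymetalcompany.club")])
```

Holding, rather than dropping, is deliberate: the rule cannot inspect the payload, so the decision belongs to a reviewer with a sandbox account that is entitled to open the document.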
Tracking system
One of the coolest AIP features is the tracking system, which lets you see who opened or tried to open the document, when, and from where.
Here we see that Petrov tried to open the document but failed, and Vasechkin opened it. In a phishing attack such a system is simply a godsend: you don't need to invent anything, we immediately see whether the right comrade opened the attachment or not.

You can also configure notifications so that an email arrives whenever someone tries to open a document.
Findings
The purpose of the study was to get around Microsoft's spam filters using Microsoft itself (the protection the company offers).
- The goal was achieved, with one remark: AIP must be used specifically to set access rights for particular users. Bypassing other protections, such as antivirus and intrusion detection systems that trigger when the document is opened (we deliberately took a malicious document that every protection detects), is left to your imagination. We only sought to get letters into the Inbox.
- Azure Information Protection only works for users signed in to Office365 (that is the encryption magic). In almost all organizations users are signed in to Office365, so there are no difficulties, but keep this fact in mind.
- The tracking system is generally a smart thing, and using it is convenient and practical.
- Using AIP to protect documents (for its intended purpose, as it were) is also cool and will give attackers a headache: getting at documents becomes harder.
The slides from the talk itself can be found on our GitHub.
Thanks to the OFFZONE organizers for the conference! It was interesting!