{"guid":"5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","title":"From Simulation to Tenant Takeover","subtitle":null,"slug":"38c3-from-simulation-to-tenant-takeover","link":"https://events.ccc.de/congress/2024/hub/event/from-simulation-to-tenant-takeover/","description":"All I wanted was for Microsoft to deliver my phishing simulation. This journey took me from discovering trivial vulnerabilities in Microsoft's Attack Simulation platform, to a Chinese company to which Microsoft outsourced its support department that wanted all my access tokens. I finally ended up hijacking remote PowerShell sessions and obtaining all data from random Microsoft 365 tenants, all the while reeling in bug bounties along the way.\n\nThis talk is the result of what happens when you ask a hacker to simply automate sending out a phishing simulation.\n\nMy first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial vulnerabilities and no more faith in the product. \n\nThen I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online. \n\nI ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens. \n\nI then tried intercepting client-side requests made by the Security \u0026 Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc.\n\nLicensed to the public under http://creativecommons.org/licenses/by/4.0","original_language":"eng","persons":["Vaisha Bernard"],"tags":["38c3","281","2024","Security","Saal 1"],"view_count":4934,"promoted":false,"date":"2024-12-30T11:00:00.000+01:00","release_date":"2024-12-30T00:00:00.000+01:00","updated_at":"2026-03-31T13:15:07.410+02:00","length":1795,"duration":1795,"thumb_url":"https://static.media.ccc.de/media/congress/2024/281-5a7f47a6-3f4f-5496-8d05-f9b229aad0fc.jpg","poster_url":"https://static.media.ccc.de/media/congress/2024/281-5a7f47a6-3f4f-5496-8d05-f9b229aad0fc_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2024/281-5a7f47a6-3f4f-5496-8d05-f9b229aad0fc.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2024/281-5a7f47a6-3f4f-5496-8d05-f9b229aad0fc.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover","url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_title":"38C3: Illegal Instructions","conference_url":"https://media.ccc.de/public/conferences/38c3","related":[],"recordings":[{"size":null,"length":null,"mime_type":"text/vtt","language":"eng","filename":"5a7f47a6-3f4f-5496-8d05-f9b229aad0fc-eng.vtt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2025-01-25T23:20:02.397+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc-eng.vtt","url":"https://media.ccc.de/public/recordings/84697","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":27,"length":1795,"mime_type":"audio/mpeg","language":"deu","filename":"38c3-281-deu-From_Simulation_to_Tenant_Takeover_mp3-2.mp3","state":"new","folder":"mp3-translated","high_quality":false,"width":0,"height":0,"updated_at":"2025-01-01T22:40:28.543+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/mp3-translated/38c3-281-deu-From_Simulation_to_Tenant_Takeover_mp3-2.mp3","url":"https://media.ccc.de/public/recordings/84071","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":19,"length":1795,"mime_type":"audio/opus","language":"deu","filename":"38c3-281-deu-From_Simulation_to_Tenant_Takeover_opus-2.opus","state":"new","folder":"opus-translation","high_quality":false,"width":0,"height":0,"updated_at":"2025-01-01T22:38:37.752+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/opus-translation/38c3-281-deu-From_Simulation_to_Tenant_Takeover_opus-2.opus","url":"https://media.ccc.de/public/recordings/84064","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":243,"length":1795,"mime_type":"video/webm","language":"eng-deu","filename":"38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-01-02T00:49:56.830+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/webm-hd/38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_webm-hd.webm","url":"https://media.ccc.de/public/recordings/84359","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":98,"length":1795,"mime_type":"video/webm","language":"eng-deu","filename":"38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-01-02T00:47:05.584+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/webm-sd/38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_webm-sd.webm","url":"https://media.ccc.de/public/recordings/84354","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":19,"length":1795,"mime_type":"audio/opus","language":"eng","filename":"38c3-281-eng-From_Simulation_to_Tenant_Takeover_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-01-01T22:41:43.638+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/opus/38c3-281-eng-From_Simulation_to_Tenant_Takeover_opus.opus","url":"https://media.ccc.de/public/recordings/84075","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":97,"length":1795,"mime_type":"video/mp4","language":"eng-deu","filename":"38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-01-01T22:41:10.006+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-sd/38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_sd.mp4","url":"https://media.ccc.de/public/recordings/84073","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":27,"length":1795,"mime_type":"audio/mpeg","language":"eng","filename":"38c3-281-eng-From_Simulation_to_Tenant_Takeover_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-01-01T22:37:15.659+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/mp3/38c3-281-eng-From_Simulation_to_Tenant_Takeover_mp3.mp3","url":"https://media.ccc.de/public/recordings/84061","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":416,"length":1795,"mime_type":"video/mp4","language":"eng-deu","filename":"38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-30T21:31:27.281+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-281-eng-deu-From_Simulation_to_Tenant_Takeover_hd.mp4","url":"https://media.ccc.de/public/recordings/83590","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":330,"length":1795,"mime_type":"video/mp4","language":"deu","filename":"38c3-281-deu-From_Simulation_to_Tenant_Takeover.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-30T21:31:08.406+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-281-deu-From_Simulation_to_Tenant_Takeover.mp4","url":"https://media.ccc.de/public/recordings/83589","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"},{"size":331,"length":1795,"mime_type":"video/mp4","language":"eng","filename":"38c3-281-eng-From_Simulation_to_Tenant_Takeover.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-12-30T21:30:59.311+01:00","recording_url":"https://cdn.media.ccc.de/congress/2024/h264-hd/38c3-281-eng-From_Simulation_to_Tenant_Takeover.mp4","url":"https://media.ccc.de/public/recordings/83588","event_url":"https://media.ccc.de/public/events/5a7f47a6-3f4f-5496-8d05-f9b229aad0fc","conference_url":"https://media.ccc.de/public/conferences/38c3"}]}