diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md index ca8000f72..861505113 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md 
@@ -250,6 +250,43 @@ Invoke-EnumerateAzureSubDomains -Base corp -Verbose - [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md) - [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) +### Exchange Online direct-to-tenant SMTP spoofing + +If a target uses **Exchange Online / EOP** but its public **MX** points to a **third-party mail gateway** (Mimecast, Proofpoint, Mailgun, on-prem filtering, etc.), test whether Exchange Online still accepts mail sent **directly** to the tenant host `*.mail.protection.outlook.com`. In that case, an attacker can **skip the external gateway** and submit phishing mail straight to EOP. + +This is useful for **initial access / phishing** because delivery can still happen even when the spoofed sender fails **SPF**, **DKIM**, and **DMARC**. For internal senders, Outlook may also resolve the spoofed sender as a real employee, increasing trust. + +**Recon / triage:** + +```bash +# If the MX already points to Microsoft, this specific path is usually not the issue +dig +short MX target.com + +# Typical vulnerable pattern: the MX points to a third-party filter +# 10 mxb.eu.mailgun.org. +``` + +The direct EOP host is usually the tenant-specific `mail.protection.outlook.com` name (for example `target-com.mail.protection.outlook.com`). You can often recover the tenant naming pattern from public tenant/domain enumeration and Exchange-related autodiscover responses. + +**Minimal PoC:** + +```powershell +Send-MailMessage -SmtpServer target-com.mail.protection.outlook.com -To victim@target.com -From ceo@target.com -Subject "Urgent" -Body "Review the attached payment change" -BodyAsHTML +``` + +**Validation signals:** +- Mail is sent to `*.mail.protection.outlook.com` instead of the public MX host. 
+- The message is delivered even though headers show failures such as `spf=fail`, `dkim=none`, `dmarc=fail`, or `compauth=none`. +- A secure Partner connector usually rejects the `RCPT TO` stage with `5.7.51 TenantInboundAttribution; Rejecting.` + +**Technical notes / defensive hunting:** +- **Enhanced Filtering for Connectors** helps Exchange attribute the original sender correctly, but by itself it is **not** the boundary that blocks direct-to-tenant delivery. +- Microsoft documents two practical controls when using an external MX in front of Exchange Online: + - Create a **Partner inbound connector** with `SenderDomains *` and `RestrictDomainsToCertificate` or `RestrictDomainsToIPAddresses` so only the approved gateway can deliver to the tenant. + - Create a **priority 0 transport rule** that quarantines inbound mail unless the sender IP belongs to approved gateway ranges **or** `X-MS-Exchange-Organization-AuthAs` contains `Internal`. +- Hunt for mail where **Received** shows `*.mail.protection.outlook.com` as the first Microsoft hop but sender-authentication headers still show **SPF/DKIM/DMARC failures**. +- If the target still allows **Direct Send**, disabling it mainly reduces **internal** sender spoofing; it doesn't replace the connector / transport-rule mitigation for arbitrary **external** spoofing. + ## Filesystem Credentials The **`az cli`** stores a lot of interesting information inside **`/.Azure`**: 
@@ -267,6 +304,10 @@ Note that in macOS and linux these files are **unprotected** stored in clear tex - [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/) - [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/) - [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/) +- [https://labs.infoguard.ch/posts/ghost-sender/](https://labs.infoguard.ch/posts/ghost-sender/) +- [https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud) +- [https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about) +- [https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865](https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865) {{#include ../../../banners/hacktricks-training.md}}
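Review bot: the hunting bullet in the "Technical notes / defensive hunting" list (hunk for lines 250-293) matches legitimate traffic as written: mail relayed through the approved third-party gateway also shows `*.mail.protection.outlook.com` as the first Microsoft hop and can carry `spf=fail` / `dmarc=fail` when the gateway rewrites nothing, so "first Microsoft hop plus authentication failures" alone does not isolate the direct-to-tenant path. Suggest the bullet key on the connecting IP recorded in that `Received:` line, i.e. flag messages where the hop into EOP comes from an address outside the gateway's published ranges (the same ranges the proposed priority-0 transport rule uses), and where `X-MS-Exchange-Organization-AuthAs` is not `Internal`; that is consistent with the connector/transport-rule mitigation described two bullets earlier and with the cited Microsoft guidance. Two smaller points in the same hunk: the first "Validation signals" bullet ("Mail is sent to ... instead of the public MX host") describes the test action rather than an observable signal, so it reads better as a preface to the list or merged into the second bullet; and `Send-MailMessage` is marked obsolete in PowerShell 7+, so the "Minimal PoC" should note that the cmdlet still works but emits an obsolescence warning, or readers will assume the warning indicates a failed submission.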