Expand Up @@ -250,6 +250,43 @@ Invoke-EnumerateAzureSubDomains -Base corp -Verbose
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)

### Exchange Online direct-to-tenant SMTP spoofing

If a target uses **Exchange Online / EOP** but its public **MX** points to a **third-party mail gateway** (Mimecast, Proofpoint, Mailgun, on-prem filtering, etc.), test whether Exchange Online still accepts mail sent **directly** to the tenant host `*.mail.protection.outlook.com`. In that case, an attacker can **skip the external gateway** and submit phishing mail straight to EOP.

This is useful for **initial access / phishing** because delivery can still happen even when the spoofed sender fails **SPF**, **DKIM**, and **DMARC**. For internal senders, Outlook may also resolve the spoofed sender as a real employee, increasing trust.

**Recon / triage:**

```bash
# If the MX already points to Microsoft, this specific path is usually not the issue
dig +short MX target.com

# Typical vulnerable pattern: the MX points to a third-party filter
# 10 mxb.eu.mailgun.org.
```

The direct EOP host is usually the tenant-specific `mail.protection.outlook.com` name (for example `target-com.mail.protection.outlook.com`). You can often recover the tenant naming pattern from public tenant/domain enumeration and Exchange-related autodiscover responses.

**Minimal PoC:**

```powershell
Send-MailMessage -SmtpServer target-com.mail.protection.outlook.com -To victim@target.com -From ceo@target.com -Subject "Urgent" -Body "Review the attached payment change" -BodyAsHTML
```

**Validation signals:**
- Mail is sent to `*.mail.protection.outlook.com` instead of the public MX host.
- The message is delivered even though headers show failures such as `spf=fail`, `dkim=none`, `dmarc=fail`, or `compauth=none`.
- A secure Partner connector usually rejects the `RCPT TO` stage with `5.7.51 TenantInboundAttribution; Rejecting.`

**Technical notes / defensive hunting:**
- **Enhanced Filtering for Connectors** helps Exchange attribute the original sender correctly, but by itself it is **not** the boundary that blocks direct-to-tenant delivery.
- Microsoft documents two practical controls when using an external MX in front of Exchange Online:
- Create a **Partner inbound connector** with `SenderDomains *` and `RestrictDomainsToCertificate` or `RestrictDomainsToIPAddresses` so only the approved gateway can deliver to the tenant.
- Create a **priority 0 transport rule** that quarantines inbound mail unless the sender IP belongs to approved gateway ranges **or** `X-MS-Exchange-Organization-AuthAs` contains `Internal`.
- Hunt for mail where **Received** shows `*.mail.protection.outlook.com` as the first Microsoft hop but sender-authentication headers still show **SPF/DKIM/DMARC failures**.
- If the target still allows **Direct Send**, disabling it mainly reduces **internal** sender spoofing; it doesn't replace the connector / transport-rule mitigation for arbitrary **external** spoofing.

## Filesystem Credentials

The **`az cli`** stores a lot of interesting information inside **`<HOME>/.Azure`**:
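Review bot: the **Validation signals** list mixes an indicator of exposure with an indicator of mitigation. The first two bullets describe the vulnerable outcome (delivery to `*.mail.protection.outlook.com` despite `spf=fail`, `dkim=none`, `dmarc=fail`), but the third, `5.7.51 TenantInboundAttribution; Rejecting.` at `RCPT TO`, is what a correctly restricted Partner connector returns, i.e. the direct path is closed. Label that bullet as the expected result when the connector / transport-rule controls from **Technical notes** are in place, otherwise a reader skimming the list may take the rejection as a success signal. Minor: `Send-MailMessage` is marked obsolete by Microsoft, so a one-line note that the PoC is illustrative (any SMTP client speaking to the tenant host on port 25 exercises the same path) would keep the example from being copied as the recommended tooling.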
Expand All @@ -267,6 +304,10 @@ Note that in macOS and linux these files are **unprotected** stored in clear tex
- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
- [https://labs.infoguard.ch/posts/ghost-sender/](https://labs.infoguard.ch/posts/ghost-sender/)
- [https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud)
- [https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about)
- [https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865](https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865)

{{#include ../../../banners/hacktricks-training.md}}

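Review bot: the four new references are not linked from the new section that relies on them. The sentence "Microsoft documents two practical controls when using an external MX in front of Exchange Online" should cite the `manage-mail-flow-using-third-party-cloud` page inline, and the closing bullet on **Direct Send** should cite the Tech Community post on Direct Send vs sending directly to a tenant, since that is the source for the claim that disabling Direct Send does not cover external spoofing. The existing entries in the list are bare URLs, so the added ones match the file's style; only the inline attribution is missing.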