Microsoft Entra ID – one of the most used identity providers in the enterprise market. Or from our perspective: the most targeted platform in phishing attacks. Getting our phishing infrastructure up and running is usually the easy part. The real challenge is often keeping it online long enough to deliver the phishing link and collect credentials without detection before it gets burned. But what if we could use Microsoft's official login domain for our phishing purposes? And no, I'm not talking about the heavily mitigated OAuth Consent or Device Code Phishing techniques, or simply hosting a phishing page on Azure Web App subdomains. I'm talking about stealing credentials directly from the legitimate login.microsoftonline.com domain. In this talk, I will share multiple novel methods that can be used to achieve this. And the best of all? It all relies on legitimate functionality, making it mostly unpatchable.

DEF CON 34 - DEF CON Policy Announcement - Katie Noble, Heather West
5.4K views

DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmon
11.1K views

DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth
8.5K views

DEF CON 33 - Can't Stop the ROP: Automating Universal ASLR Bypasses - Bramwell Brizendine
3.6K views

DEF CON 33 Recon Village - Building Local Knowledge Graphs for OSINT - Donald Pellegrino
5.4K views

DEF CON 33 Recon Village - Mapping the Shadow War From Estonia to Ukraine - Evgueni Erchov
6.4K views