Hack like the GRU
Pen testers are being offered a toolkit specifically aimed at probing for vulnerabilities and exploits in corporate Office 365 environments.
The free utility – developed by security researchers at MDSec – is designed to assist red teamers in engagements where Office 365 is in heavy use.
The toolkit allows users to pull off authentication token phishing, a technique already in use by the more advanced cadres of cyber-spies.
For example, groups such as Fancy Bear (APT28, a presumed hacking unit of Russia’s GRU military intelligence corps) have used OAuth phishing in past campaigns targeting Google.
MDSec explains that the features bundled in its Office 365 Attack Toolkit include:
- Extraction of emails matching specific keywords
- Creation of malicious Outlook rules. A possible rogue rule, for example, would forward every email that contains the ‘password’ keyword in the body to an attacker-controlled email address
- Keyword-based extraction of files from OneDrive/SharePoint drives
- Macro injection of Word documents stored on OneDrive. “After backdooring the documents, they cannot be edited online which increases the chances of our payload execution,” MDSec explains
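A defender-side check for the rogue-rule technique described in the list above, written as an added example (not MDSec's or PwnAuth's code): it scans constructed, simplified inbox-rule audit records for keyword conditions that forward mail outside the tenant. INTERNAL_DOMAINS and the record layout are assumptions; the parameter names are those of the Exchange New-InboxRule cmdlet.

```python
"""Flag suspicious Exchange Online inbox rules in audit records.

Added example, not MDSec's or PwnAuth's code. The records are constructed and
simplified; real Unified Audit Log entries carry more fields. The parameter
names are real New-InboxRule parameters; INTERNAL_DOMAINS is an assumed setting.
"""
INTERNAL_DOMAINS = {"example.com"}
SENSITIVE_WORDS = {"password", "credential", "login"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"BodyContainsWords", "SubjectContainsWords",
                  "SubjectOrBodyContainsWords"}

def _values(raw):
    """Split a ';'-separated cmdlet value into clean lowercase items."""
    return [v.strip().strip('"').lower() for v in raw.split(";") if v.strip()]

def assess_rule(record):
    """Return the reasons a New-/Set-InboxRule audit record looks malicious."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    # Forwarding/redirecting to an address outside the tenant is the exfil path.
    for name in sorted(params.keys() & FORWARD_PARAMS):
        external = [a for a in _values(params[name])
                    if "@" in a and a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]
        if external:
            reasons.append(f"{name} to external {', '.join(external)}")
    # Keyword conditions such as 'password' show what the rule is hunting for.
    for name in sorted(params.keys() & KEYWORD_PARAMS):
        hits = SENSITIVE_WORDS & set(_values(params[name]))
        if hits:
            reasons.append(f"{name} matches {', '.join(sorted(hits))}")
    if reasons and str(params.get("DeleteMessage", "")).lower() == "true":
        reasons.append("DeleteMessage hides the forwarded copy from the owner")
    return reasons

# Constructed sample records; the first mirrors the rogue rule described above.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "BodyContainsWords", "Value": "password"},
                    {"Name": "ForwardTo", "Value": "drop@attacker.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "carol@example.com"}]},
]

def flagged(records):
    """Map each user to the reasons their rule was flagged (clean rules omitted)."""
    return {r["UserId"]: assess_rule(r) for r in records if assess_rule(r)}
```

Running `flagged(SAMPLE_RECORDS)` flags only alice's rule, with three reasons: the external forward, the 'password' keyword condition, and the delete flag.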
Looking under the hood, the Office 365 Attack Toolkit is made up of a number of components, including a phishing endpoint that serves the HTML file that performs token phishing; a backend service that uses ‘stolen’ tokens to mount attacks; and a management interface.
A blog post from MDSec provides more information on the toolkit, together with setup and configuration information.
The security services firm acknowledges that an existing toolkit (PwnAuth) created by FireEye offers similar functionality.
FireEye describes PwnAuth (which is also available via GitHub) as a “web application framework for launching and managing OAuth abuse campaigns”, a tactic in spear-phishing attacks.
OAuth abuse attacks involve attempts to trick prospective marks into authorizing a third-party application to access their account.