Illicit Consent Grant Attack – 365-Stealer

Introduction

In our previous Microsoft Midnight Blizzard Attack blog, we executed the Illicit Consent Grant manually; in this new entry, we will automate the attack. Before we begin automating the attack, it’s important to explain what this attack entails.

An Illicit Consent Grant Attack occurs when an attacker registers a malicious application in Azure to gain access to sensitive information such as contacts, emails, and documents. The attacker deceives the user into authorizing this application, and upon receiving consent, the attacker can access the user’s data without requiring an organizational account. Once the user clicks “Accept,” Azure AD provides an access token to the attacker’s application, enabling it to perform actions like reading and sending emails or accessing files on behalf of the user.

Video Walkthrough

  • Tenant Creation: We created two tenants to demonstrate the attack: one for the attacker-controlled environment (securitytesttenant.onmicrosoft.com) and the other for the victim’s environment (pentestsec.onmicrosoft.com).
  • Application Registration: We registered a multi-tenant application in Azure AD named “Multi-Env-App”.
  • API Permissions: We configured the application with permissions such as Files.ReadWrite.All, Mail.Read, MailboxSettings.ReadWrite, User.ReadBasic.All, User.Read and User.ReadWrite.All, so that it can access and extract data once user consent is granted.
  • Consent Link Creation: We created the phishing link with the malicious application’s client ID using 365-stealer and phished the targeted users to gain consent.
  • Authorization and Access Tokens: Upon consent, we can request access tokens and extract information via the Graph API.
  • Automation: To perform the attack and the data extraction, we used a tool named 365-Stealer, following specific steps to carry out the Illicit Consent Grant attack efficiently.

What is 365-Stealer

365-Stealer is a Python tool designed to automate the process of executing Illicit consent grant attacks. It simplifies data extraction from victims’ accounts by leveraging granted permissions.

The main features of 365-Stealer are: facilitating Illicit Consent Grant attacks to steal user tokens; enabling extensive post-exploitation activities such as email manipulation, keyword search in email, OneDrive file theft and the creation of Outlook rules; and a management portal for data handling and customizable configuration.

Setup Attacking Environment on Azure

  • Login to Azure Portal: Navigate to Azure Active Directory.
  • App Registration: Register a new application with a name indicative of a legitimate service.
  • Redirect URL: Set the redirect URL to point to your phishing server domain/IP.
  • Client Secret: Generate and securely store the client secret.

After registering the application, we will be redirected to the app’s overview tab. We must take note of the Application (client) ID.

  • Open API permissions
  • Add a permission
  • Open Microsoft Graph
  • Go to Delegated permissions – select the following permissions.
    • User.Read
    • User.ReadWrite.All
    • Files.ReadWrite.All
    • Mail.Read
    • Mail.Send
    • MailboxSettings.ReadWrite

Illicit Consent Grant Attack – Walkthrough

Clone the 365-Stealer tool from GitHub using the below command.

git clone https://github.com/AlteredSecurity/365-Stealer.git

Install the required applications:

  • Python3.2
  • PHP CLI

Install the required Python modules:

pip install -r requirements.txt

URL for the installation script:

https://github.com/rbtsecurity/OffsecScripts/blob/main/365-Stealer-Installation/install.sh

By default, access to the management portal is restricted to localhost via IP whitelisting. You can add a remote IP to the whitelist, or disable the whitelist entirely (set $enableIpWhiteList = false), to control which IP addresses can reach the portal. The setting lives in the following file:

nano /opt/365-Stealer/yourVictims/index.php

Go to the path where 365-Stealer is installed and set the configuration.

root@365-stealer:/opt/365-Stealer# python3 365-Stealer.py --set-config

  • Configurations
    • Client Id: The Application (client) ID of the application that we registered (i.e. Multi-Env-App).
    • Client Secret: The secret value from the “Certificates & Secrets” tab that we created.
    • Redirect URL: Specify the redirect URL (check the screenshot below).
    • Extension in OneDrive: The file extensions that we want to download from the victim’s account, or “*” to download all the files present in the victim’s OneDrive. The extensions should be comma separated, e.g. “txt, pdf, docx”.
    • Delay: Delay between requests, in seconds, while stealing (1).

Confirm the previous configuration by executing the --get-config command.

root@365-stealer:/opt/365-Stealer# python3 365-Stealer.py --get-config

We need to start the PHP web app by executing “php -S 0.0.0.0:8080” inside the “yourVictims” folder (the built-in PHP server is started with an uppercase -S; lowercase -s only prints syntax-highlighted source).

root@365-stealer:/opt/365-Stealer/yourVictims# php -S 0.0.0.0:8080

We can also configure the 365-stealer using the management portal instead of using the CLI.

  • Run the 365-Stealer app to host the phishing page. The phishing URL is printed in the console.
  • Now we can send the phishing URL to the victim and wait for the user to grant the consent.
  • Once the victim grants the consent, 365-Stealer will start doing its job.

root@365-stealer:/opt/365-Stealer# python3 365-Stealer.py --run-app

The next step is to find a target (admin@pentestsec.onmicrosoft.com) for phishing and send a phishing email. We will need to wait for the victim to click on the “Accept” button.

Once the victim grants us consent, we will see the traffic in the 365-stealer terminal window, and we can view all of the user’s data from the management portal, as shown in the screenshots below.

We can see the access token, App_Config and the refresh token of the user in the screenshot below.

We can see the user info of the target tenant.

We can see the OneDrive in the screenshot below.

We can obtain sensitive information as shown in the below screenshot.

We can filter the emails as shown in the below screenshot.

Conclusion

Illicit Consent Grant Attacks represent a sophisticated and evolving threat in cybersecurity. Unlike traditional attacks that rely on phishing or malware, these attacks exploit the trust users place in legitimate applications, making them particularly insidious. By manipulating OAuth permissions, attackers gain access to sensitive data without needing to compromise user credentials directly.

To mitigate these risks, organizations must adopt a proactive security posture. This includes implementing robust application vetting processes, educating users about the dangers of granting unnecessary permissions, and employing advanced monitoring tools to detect anomalous behavior. Additionally, regular audits of OAuth tokens and permissions can help identify and revoke illicit consents before significant damage occurs.

Ultimately, staying vigilant and informed about emerging threats is key to protecting both organizational and personal data from the growing menace of Illicit Consent Grant Attacks. As technology continues to advance, so too must our defenses, ensuring that security measures evolve in step with the tactics employed by cyber-criminals.

  • Preventive Measures
    • Restrict User Consents: Disable user consent for unverified applications.
    • Admin Consent Workflow: Implement admin consent for granting permissions.
    • Regular Audits: Periodically review permissions granted to applications.
  • Monitoring
    • Mail Forwarding Rules: Monitor for suspicious email forwarding rules.
    • Application Permissions: Regularly check the permissions granted to third-party applications.
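The “Regular Audits” and “Application Permissions” measures above boil down to one question: which consent grants in the tenant give an application published outside the tenant the kind of delegated Graph scopes this walkthrough requested? The following script is an added example written for this post; it is not part of 365-Stealer or of the original article. It reproduces the shape of the Microsoft Graph oauth2PermissionGrants and servicePrincipals objects with constructed, inline records (all tenant, app and user ids are placeholders) and flags grants that combine high-risk scopes with an external publisher, ranking user-level grants above admin-reviewed ones.

```python
"""Audit OAuth consent grants for the pattern described in this post.

Added example (not part of 365-Stealer or of the original post). The records
below mimic Microsoft Graph ``oauth2PermissionGrants`` and ``servicePrincipals``
objects; every tenant id, app id and user id is a constructed placeholder.
"""
from dataclasses import dataclass

# Delegated Microsoft Graph scopes that expose mail, files, mailbox settings
# or directory data; these are the scopes the walkthrough requests.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "User.ReadWrite.All",
}

HOME_TENANT = "tenant-home-placeholder"  # constructed: the defending tenant

# Constructed servicePrincipal records. appOwnerOrganizationId is the tenant
# that published the app; a multi-tenant app registered elsewhere carries a
# foreign tenant id here.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Multi-Env-App",
     "appOwnerOrganizationId": "tenant-external-placeholder"},
    {"id": "sp-2", "appId": "app-2", "displayName": "Corporate HR Portal",
     "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-3", "appId": "app-3", "displayName": "Calendar Widget",
     "appOwnerOrganizationId": "tenant-other-placeholder"},
]

# Constructed oauth2PermissionGrant records. consentType "Principal" is a
# grant made by one user; "AllPrincipals" is an admin grant for the tenant.
GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-admin",
     "scope": "User.Read Files.ReadWrite.All Mail.Read MailboxSettings.ReadWrite"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Mail.Send"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-bob", "scope": "User.Read Calendars.Read"},
]


@dataclass
class Finding:
    grant_id: str
    app_name: str
    app_id: str
    consent_type: str
    principal: str
    risky_scopes: list
    external_publisher: bool
    severity: str


def classify(risky_scopes, external_publisher, consent_type):
    """Severity rule: high-risk scopes granted by a single user to an app
    published outside the home tenant is exactly the post's attack pattern;
    an admin-reviewed grant of the same scopes ranks lower, and a grant with
    no high-risk scope is not reported at all."""
    if not risky_scopes:
        return None
    if external_publisher:
        return "high" if consent_type == "Principal" else "medium"
    return "medium" if consent_type == "Principal" else "low"


def audit_grants(grants, service_principals, home_tenant):
    """Join each grant to its service principal and return the risky ones,
    most severe first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sp_by_id.get(g["clientId"])
        if sp is None:
            continue  # orphaned grant: worth a separate review, not this rule
        scopes = set(g["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        external = sp["appOwnerOrganizationId"] != home_tenant
        sev = classify(risky, external, g["consentType"])
        if sev is None:
            continue
        findings.append(Finding(
            grant_id=g["id"], app_name=sp["displayName"], app_id=sp["appId"],
            consent_type=g["consentType"],
            principal=g["principalId"] or "<all users>",
            risky_scopes=risky, external_publisher=external, severity=sev))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f.severity])
    return findings


if __name__ == "__main__":
    for f in audit_grants(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT):
        tag = " [external publisher]" if f.external_publisher else ""
        print(f"[{f.severity}] {f.app_name} ({f.app_id}) consent={f.consent_type} "
              f"by {f.principal}: {', '.join(f.risky_scopes)}{tag}")
```

In a real tenant the two lists would be paged from GET /oauth2PermissionGrants and GET /servicePrincipals on Microsoft Graph instead of being embedded, and a high finding would be followed by removing the grant (DELETE /oauth2PermissionGrants/{id}), revoking the user’s sessions and checking that user’s mailbox for forwarding or redirect rules, since the walkthrough shows the tool creating Outlook rules once it holds a token.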

Credits & References

Author

  • Red Team Lead

    As a computer security expert with over 15 years of experience, he specializes in areas such as web applications, cloud computing (AWS, Azure & GCP), infrastructure penetration testing, red and purple team assessments, vulnerability analysis, exploit development, and malware analysis. He has conducted numerous successful black- and grey-box penetration testing and adversary emulation engagements throughout his career. He has demonstrated expertise in testing SOAP and RESTful web API services, thick clients, wireless networks, internal/external assessments, SAP ERP servers, ATMs, Tactics, Techniques and Procedures (TTPs), and forensics.
