Author: Vlad
Strong authentication is authentication performed with an identifier (login, email...) and at least two different factors among:
For more details, I refer you to the Wikipedia god: https://fr.wikipedia.org/wiki/Authentification_forte
Once authenticated on a system (website, API, application...), you usually get a session identifier (cookie, token, JWT, PHPSESSID...) valid for a given time, which is sent back with each action to avoid re-authenticating.
Yes, there are many "...".
Therefore, we should not confuse:
Office 365 is your email (and many other things) managed by Microsoft as SaaS, which you pay for every month with no possible amortization.
The solution is adapted to a large number of companies (except for very competitive or secret sectors), works really well, simplifies the management of your email (and part of the information system such as SharePoint), and allows you to have a higher level of security than when the email was managed internally.
The problem is that cybercriminals massively attack companies using Office 365 because it gives them a near-single entry point where the same attack tools and simple techniques work everywhere:
Many organizations get Office 365 accounts compromised due to weak, predictable or reused passwords. This usually results in dozens of account compromises every week, costing security people a lot of time and energy.
The easiest way to block these attacks is to implement strong authentication. Even if the attacker finds your password, they'll be blocked by requiring the second authentication factor.
To benefit from MFA on Office 365, at this time, you just need a Microsoft 365 license (plan) (or Azure AD Premium P1 or P2). Microsoft has plenty of documentation on the different ways to enable MFA, the main one being here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Note, as a bonus, that some companies use an internal identifier (I5178Y1, X171819, apricot for Alexandre BRICOT...) rather than the full email. If the company uses Office 365 authentication based on an identity repository kept internally (ADFS), strong authentication is then done in several steps on the Office 365 website:
MFA is great but unfortunately it is possible to bypass it and it is a feature!
However, you still need a valid login and password (but if you knew how many people put "CompanyName2019!" or 2020, as their password...).
Generally, you use one of these two access methods:
You will find in this article several of these workarounds, using MailSniper: https://www.blackhillsinfosec.com/bypassing-two-factor-authentication-on-owa-portals/
Here is the list of the different protocols and workarounds:
Note that EWS was supposed to be deprecated on October 13, 2020 (https://techcommunity.microsoft.com/t5/exchange-team-blog/upcoming-changes-to-exchange-web-services-ews-api-for-office-365/ba-p/608055) but because of COVID, its end has been postponed to mid-2021 (see the last comment of the article). This is in order to favor modern protocols like OAuth 2.0 (I'll do an article soon about OAuth, SAML, OpenID Connect...).
Here is my account with a client with a code sent by SMS as MFA:
And here is how to bypass the MFA in 3 lines (and again, I'm being generous with the count), using the MailSniper tool (https://github.com/dafthack/MailSniper), which by default will look for mails containing "password", "creds"...:

```powershell
powershell -exec bypass
Import-Module .\MailSniper.ps1
Invoke-SelfSearch -Mailbox vladimir.kolla@****.com -ExchHostname outlook.office365.com -remote
```

In 1 line for fun:

```powershell
powershell -exec bypass -c "Import-Module .\MailSniper.ps1; Invoke-SelfSearch -Mailbox vladimir.kolla@****.com -ExchHostname outlook.office365.com -remote;"
```
This opens a window to ask (again) for the email and especially the password, but no second factor:
Then the magic happens: I'm connected to my mailbox, bypassing the MFA, and the tool looks for the keywords in my mails (I had sent myself mails containing the word "password" to get a result):
You can also do it manually in PowerShell, here is an example (dirty) listing the titles of the first 200 mails of each mailbox:
No, but my detection experts will detect your underworld rebus technique!
Having logs is good, watching them is better.
However, since we operate in the world of witchcraft, if you use Microsoft's Cloud App Security log analysis tool, you won't see these accesses.
That's beautiful!
From what I understand, this category of access is filtered upstream and does not show up in Microsoft's security tools, so as not to pollute the console. So either you do what you need to do and get drowned in useless logs, or... uh... Joker!
So as things stand, if someone uses this technique and steals all the emails of a user, it will be almost invisible.
To see these accesses, you have to go to the Azure administration portal (https://portal.azure.com), then to:
1. Azure Active Directory
2. Sign-Ins (yes, the thing on the left, at the very bottom, almost hidden, as if they were ashamed)
3. Create a "Client App" filter with the "Add Filter" button.
4. Set this filter to select "Exchange Web Services" (because in my case I used EWS; otherwise you would have to select all the workarounds listed above).
And there, finally, under your amazed eyes, you can see the users legitimately using a protocol that will soon be deprecated or... Tajik cybercriminals from the south of North Korea of the CIA (note that I added a filter displaying only the successes):
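The portal filter above is a one-off look. The same check can be run over an exported sign-in log, which is what you want if you need to review it every day or feed it to an alert. The following is an added example, not code from the post or from Microsoft: it filters sign-in records whose client app is one of the legacy protocols, keeps only successes (as in the portal filter above), and summarizes per user which protocols were used from which IPs. The records are constructed sample data; the field names (`clientAppUsed`, `userPrincipalName`, `status.errorCode`) are assumed to follow the Azure AD sign-in export, and the list of client app strings is assumed to match the labels of the "Client App" filter, so adjust it to what your export actually contains.

```python
import json
from collections import defaultdict

# Client app labels treated as legacy / basic-auth access (assumed to match
# the labels of the portal's "Client App" filter; adjust to your export).
LEGACY_CLIENT_APPS = {
    "Exchange Web Services",
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "SMTP",
    "Authenticated SMTP",
    "Autodiscover",
    "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)",
    "Offline Address Book",
    "Other clients",
}

# Constructed sample export (not real sign-ins): one browser sign-in, one EWS
# success, one failed IMAP attempt (bad password) and one IMAP success.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2020-11-02T08:14:05Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-11-02T08:20:41Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Exchange Web Services",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-11-02T09:02:13Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}},
    {"createdDateTime": "2020-11-02T09:03:30Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
])


def find_legacy_signins(export_json, successes_only=True):
    """Return the sign-in records that used a legacy client app.

    By default only successful sign-ins (errorCode 0) are kept, mirroring the
    'success only' filter used in the portal; pass successes_only=False to
    also see failed attempts (useful for spotting password spraying).
    """
    hits = []
    for rec in json.loads(export_json):
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if successes_only and rec.get("status", {}).get("errorCode", -1) != 0:
            continue
        hits.append(rec)
    return hits


def summarize_by_user(hits):
    """Group legacy sign-ins per user: protocols used, source IPs, count."""
    summary = defaultdict(lambda: {"protocols": set(), "ips": set(), "count": 0})
    for rec in hits:
        entry = summary[rec["userPrincipalName"]]
        entry["protocols"].add(rec["clientAppUsed"])
        entry["ips"].add(rec["ipAddress"])
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    for user, info in summarize_by_user(find_legacy_signins(SAMPLE_SIGNINS)).items():
        print(f"{user}: {info['count']} legacy sign-in(s) via "
              f"{', '.join(sorted(info['protocols']))} "
              f"from {', '.join(sorted(info['ips']))}")
```

Run it on a real export (for example the JSON download of the Sign-ins blade) by loading the file into `find_legacy_signins`; every user that appears in the summary either has a legitimate legacy client you need to migrate, or is the case the post describes.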
Countermeasures
First of all, as said above, Microsoft is progressively deprecating all these old access methods, with a high risk of breaking stuff, but that's your problem, not theirs: « Welcome to the jungleCloud!!! »
In the meantime, you'll have to create a conditional access policy, applied to all users, that blocks these old accesses. On the other hand, remember to actually enable it: recently, despite support from Microsoft, a "none" was set instead of "All cloud apps", which allowed the MFA to keep being bypassed:
Note also that activation of the policy may take up to 24 hours to be applied (see comments): https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387
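As an added example (not from the post, and not Microsoft's code), here is the shape of that conditional access policy as a Microsoft Graph `conditionalAccessPolicy` body (the object you would POST to `/identity/conditionalAccess/policies`), together with a small check that catches the "none instead of All cloud apps" mistake mentioned above and the other ways such a policy ends up not blocking anything (report-only state, a users scope that is not "All", missing legacy client app types, a grant control that is not "block"). The field names follow the Graph schema; the policy display name and the check's wording are my own.

```python
# Graph API body for a Conditional Access policy that blocks legacy
# authentication for all users on all cloud apps. In the Graph schema,
# clientAppTypes "exchangeActiveSync" and "other" are the legacy protocols
# (EWS, IMAP, POP, SMTP, ... fall under "other").
def legacy_auth_block_policy(state="enabled"):
    return {
        "displayName": "Block legacy authentication",  # assumed name
        # "enabled", "disabled" or "enabledForReportingButNotEnforced"
        "state": state,
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def check_policy(policy):
    """Return the list of problems that would leave the MFA bypass open.

    An empty list means the policy, once it has propagated, blocks legacy
    authentication for everyone.
    """
    problems = []
    cond = policy.get("conditions", {})

    state = policy.get("state")
    if state != "enabled":
        problems.append(f"state is {state!r}: report-only or disabled blocks nothing")

    apps = cond.get("applications", {}).get("includeApplications", [])
    if "All" not in apps:
        problems.append("cloud apps scope is not 'All' (the 'none' mistake)")

    users = cond.get("users", {}).get("includeUsers", [])
    if "All" not in users:
        problems.append("users scope is not 'All'")

    missing = {"exchangeActiveSync", "other"} - set(cond.get("clientAppTypes", []))
    if missing:
        problems.append(f"legacy client app types not covered: {sorted(missing)}")

    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "block" not in controls:
        problems.append("grant control is not 'block'")

    return problems


if __name__ == "__main__":
    good = legacy_auth_block_policy()
    print("correct policy:", check_policy(good) or "OK")

    # Reproduce the mistake from the post: cloud apps scope left at "none".
    broken = legacy_auth_block_policy()
    broken["conditions"]["applications"]["includeApplications"] = []
    print("misconfigured policy:", check_policy(broken))
```

The body can be submitted with the Microsoft Graph PowerShell module (`New-MgIdentityConditionalAccessPolicy -BodyParameter`) or any Graph client; running `check_policy` over the policies you read back from the tenant is a cheap way to confirm that what was meant to be deployed is what is actually enabled, instead of finding out through the sign-in logs.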