Track the Planet! Mapping Identities, Monitoring Presence, and Decoding Business Alliances in the Azure Ecosystem

Conference: Defcon 31

2023-08-01

Authors: nyxgeek, hacker at TrustedSec


Abstract

Microsoft Azure is rife with user information disclosures. We are going to look at weaponizing these disclosures by performing data collection at a large scale against OneDrive, Teams, and Graph. OneDrive and Teams present silent enumeration methods, requiring no logon attempts and creating no logs. This enables enumeration at a massive scale against the biggest corporations, educational institutes, and government entities in the world. Over the last 1.5 years I have enumerated over 20 million users. We will explore the techniques used and the data that was collected, including Azure adoption rates and analysis of username formats. Microsoft Teams suffers from information disclosure due to default settings allowing users to see the online presence of others. An undocumented, unauthenticated Microsoft Teams Presence lookup trick will be shared, which enables easy unauthenticated enumeration of the online Teams Presence of users at many organizations. To demonstrate this we will monitor approximately 100,000 Microsoft employees' online presence and any out-of-office messages that are stored. Finally, Azure supports Guest users, allowing two companies to collaborate on a project. I will unveil a method of identifying Azure Guest users at other tenants. In this way, hidden corporate relationships can be revealed.
