Updated: Feb 2
I have been working on Azure and Office 365 lately, exploring various techniques to abuse their features. In this blog we will see how the Azure app registration feature can be leveraged to phish users in the same tenant and steal their access tokens, which will allow us to perform malicious activity.
Before introducing my tool, I would like to thank 0x09AL for writing office365-attack-toolkit.
Office365 Attack Toolkit was originally written in Golang, and when I first started using it the setup was a bit difficult to understand, since it requires many things to be installed, like gcc (MinGW 64-bit), Git, and some Golang packages.
Also, there is no option to clear the database or save the access token for a particular user, and it doesn't create Outlook rules due to some minor issue.
So I decided to create a replica of Office365 Attack Toolkit in Python to learn and improve my programming skills, and I have tried to keep the setup very simple and easy.
365-Stealer is a tool written in Python 3 that steals data from a victim's Office 365 account using the access token we obtain by phishing.
It steals outlook mails, attachments, OneDrive files, OneNote notes and injects macros.
You can find the tool here https://github.com/AlteredSecurity/365-Stealer/
Before setting up the tool let's first register an application in Azure Active Directory.
Create App registration
Registering your application establishes a trust relationship between your app and the Microsoft identity platform.
1. Register an app in Azure Active Directory and enable access_token and id_token under Authentication.
2. Copy the client ID from the Overview tab and replace the $client_id value in index.php with it; also update $redirect_uri if it is not the same as yours.
Now we will see how to set up this tool:
Make sure to run this tool in a Windows machine that has Microsoft Word installed.
We will need to install Python 3 and the XAMPP server. (We can use any other web server that can host PHP files.)
Move all the tool's files and resources to the C:\xampp\htdocs directory.
Run the following command in cmd: pip install requests crayons
Open index.php and replace the client_id and redirect_uri with the ones we set up while registering our application on Azure. Then we are ready to use the tool.
Start the Apache server from XAMPP and visit http://localhost/
Note - This application can also be hosted on cloud infrastructure.
This is just a simple page that we can further edit as per our needs.
As soon as a user clicks the Read more button or any link and accepts the requested permissions, they will be redirected back to http://localhost (for now; this can be modified).
In the background our 365-Stealer will be stealing all emails, attachments, OneNote notes and files from OneDrive.
Visit http://localhost/yourVictims/ to see all the users who got hacked. There you can also find an access_token.txt file that contains the user's access token, which will be valid for 1 hour. Access tokens are what applications use to make API requests on behalf of a user; the access token represents the authorization of a specific application to access specific parts of a user's data.
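From the defender's side, the consent step above is what leaves a trace: each user who accepts leaves a consent grant for the app's client ID with the delegated scopes it asked for. The following added example (not part of 365-Stealer) walks a constructed, simplified list of consent records and flags grants that expose the data the post describes (mail, OneDrive files, OneNote notes) and that include offline_access, which outlives the one-hour access token; the record field names are an assumption for this example, not the real Azure AD audit log schema.

```python
import json

# Delegated Microsoft Graph scopes covering the data types the post says the
# tool pulls after consent: mail and attachments, OneDrive files, OneNote notes.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Notes.Read", "Notes.Read.All", "Notes.ReadWrite",
    "MailboxSettings.ReadWrite",  # lets an app create inbox rules
}
# offline_access returns a refresh token, so access outlives the one-hour
# access token the post mentions.
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed sample, one JSON consent record per line. The field names are
# a simplification for this example, not the real Azure AD audit log schema.
SAMPLE_CONSENTS = """
{"user": "alice@contoso.example", "app": "Expense Viewer", "app_id": "00000000-0000-0000-0000-000000000001", "scopes": "User.Read"}
{"user": "bob@contoso.example", "app": "Newsletter Reader", "app_id": "00000000-0000-0000-0000-000000000002", "scopes": "User.Read Mail.Read Files.Read Notes.Read offline_access"}
{"user": "carol@contoso.example", "app": "Team Calendar", "app_id": "00000000-0000-0000-0000-000000000003", "scopes": "Calendars.Read offline_access"}
"""


def assess_consent(record):
    """Return the record annotated with the risky scopes it granted and
    whether the grant also includes a persistence scope."""
    scopes = set(record.get("scopes", "").split())
    return {
        "user": record["user"],
        "app": record["app"],
        "app_id": record["app_id"],
        "risky_scopes": sorted(scopes & HIGH_RISK_SCOPES),
        "persistent": bool(scopes & PERSISTENCE_SCOPES),
    }


def find_risky_consents(log_text):
    """Parse newline-delimited JSON consent records and keep only those
    granting at least one data-access scope from HIGH_RISK_SCOPES."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        result = assess_consent(json.loads(line))
        if result["risky_scopes"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_CONSENTS):
        tag = "persistent" if f["persistent"] else "one-hour token only"
        print(f"{f['user']} consented to {f['app']} ({f['app_id']}): "
              f"{', '.join(f['risky_scopes'])} [{tag}]")
```

The same check belongs in a periodic review of a tenant's user consent grants, and limiting user consent in Azure AD to verified publishers and low-impact permissions keeps grants like the second record from happening silently.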