Add content from: Ghost-Sender - Universal Email Spoofing against Exchange Onl...

This commit is contained in:
HackTricks News Bot
2026-06-10 03:40:02 +00:00
parent b81257def6
commit 94cb3da491
@@ -250,6 +250,43 @@ Invoke-EnumerateAzureSubDomains -Base corp -Verbose
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md) - [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) - [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
### Exchange Online direct-to-tenant SMTP spoofing
If a target uses **Exchange Online / EOP** but its public **MX** points to a **third-party mail gateway** (Mimecast, Proofpoint, Mailgun, on-prem filtering, etc.), test whether Exchange Online still accepts mail sent **directly** to the tenant host `*.mail.protection.outlook.com`. In that case, an attacker can **skip the external gateway** and submit phishing mail straight to EOP.
This is useful for **initial access / phishing** because delivery can still happen even when the spoofed sender fails **SPF**, **DKIM**, and **DMARC**. For internal senders, Outlook may also resolve the spoofed sender as a real employee, increasing trust.
**Recon / triage:**
```bash
# If the MX already points to Microsoft, this specific path is usually not the issue
dig +short MX target.com
# Typical vulnerable pattern: the MX points to a third-party filter
# 10 mxb.eu.mailgun.org.
```
The direct EOP host is usually the tenant-specific `mail.protection.outlook.com` name (for example `target-com.mail.protection.outlook.com`). You can often recover the tenant naming pattern from public tenant/domain enumeration and Exchange-related autodiscover responses.
**Minimal PoC:**
```powershell
Send-MailMessage -SmtpServer target-com.mail.protection.outlook.com -To victim@target.com -From ceo@target.com -Subject "Urgent" -Body "Review the attached payment change" -BodyAsHTML
```
**Validation signals:**
- Mail is sent to `*.mail.protection.outlook.com` instead of the public MX host.
- The message is delivered even though headers show failures such as `spf=fail`, `dkim=none`, `dmarc=fail`, or `compauth=none`.
- A secure Partner connector usually rejects the `RCPT TO` stage with `5.7.51 TenantInboundAttribution; Rejecting.`
**Technical notes / defensive hunting:**
- **Enhanced Filtering for Connectors** helps Exchange attribute the original sender correctly, but by itself it is **not** the boundary that blocks direct-to-tenant delivery.
- Microsoft documents two practical controls when using an external MX in front of Exchange Online:
- Create a **Partner inbound connector** with `SenderDomains *` and `RestrictDomainsToCertificate` or `RestrictDomainsToIPAddresses` so only the approved gateway can deliver to the tenant.
- Create a **priority 0 transport rule** that quarantines inbound mail unless the sender IP belongs to approved gateway ranges **or** `X-MS-Exchange-Organization-AuthAs` contains `Internal`.
- Hunt for mail where **Received** shows `*.mail.protection.outlook.com` as the first Microsoft hop but sender-authentication headers still show **SPF/DKIM/DMARC failures**.
- If the target still allows **Direct Send**, disabling it mainly reduces **internal** sender spoofing; it doesn't replace the connector / transport-rule mitigation for arbitrary **external** spoofing.
## Filesystem Credentials ## Filesystem Credentials
The **`az cli`** stores a lot of interesting information inside **`<HOME>/.Azure`**: The **`az cli`** stores a lot of interesting information inside **`<HOME>/.Azure`**:
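Review bot: the hunting bullet ("Received shows `*.mail.protection.outlook.com` as the first Microsoft hop but sender-authentication headers still show SPF/DKIM/DMARC failures") will match legitimate gateway-relayed mail too, because every message in an EOP tenant has a `*.mail.protection.outlook.com` Received hop, and with a third-party MX in front SPF is evaluated against the gateway's IP unless Enhanced Filtering for Connectors is enabled, so `spf=fail` is common on benign traffic. The discriminator should be the connecting IP recorded in that EOP Received line: flag messages whose source IP is outside the approved gateway ranges, which is the same condition the priority 0 transport rule in the previous bullet keys on. It would also help to state in the transport-rule bullet why the `X-MS-Exchange-Organization-AuthAs` exception is safe to trust: Exchange strips `X-MS-Exchange-Organization-*` headers from messages arriving over unauthenticated connections, so an external sender cannot pre-set it. Minor: `Send-MailMessage` in the PoC is marked obsolete and emits a warning in PowerShell 7; worth a one-line note so readers do not mistake the warning for a delivery failure.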
@@ -267,6 +304,10 @@ Note that in macOS and linux these files are **unprotected** stored in clear tex
- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/) - [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/) - [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/) - [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
- [https://labs.infoguard.ch/posts/ghost-sender/](https://labs.infoguard.ch/posts/ghost-sender/)
- [https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud)
- [https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about)
- [https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865](https://techcommunity.microsoft.com/blog/exchange/direct-send-vs-sending-directly-to-an-exchange-online-tenant/4439865)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}
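Review bot: the four new references (the InfoGuard Ghost-Sender post, the two Microsoft Learn pages and the Tech Community "Direct Send vs sending directly" post) are appended to the reference list but never cited from the new "Exchange Online direct-to-tenant SMTP spoofing" section they support, so the Partner-connector and transport-rule guidance in that section has no visible source next to it. Suggest an inline link to the Ghost-Sender post at the section heading and to the "manage-mail-flow-using-third-party-cloud" page next to the two documented controls, matching how the rest of this file cites sources inline.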