Author: thalpius

Microsoft announced four new detections in Azure Active Directory Identity Protection last month. One of the four detections is “Workload Identities Leaked Credentials.” During a Microsoft webinar where I demonstrated this new feature in Microsoft Identity Protection, multiple people requested the tool I created, so I decided to release it.

This blog post will briefly explain the new Workload Identities Leaked Credentials detection and link to a tool I created to scan GitHub repositories for leaked credentials, specifically AadSecrets using the GitHub API requested by some people during a webinar.

Workload Identities Leaked Credentials

Azure Active Directory Identity Protection is a risk-based feature to protect identities in the cloud based on many indicators (atypical travel, malware-linked IP address, and many more). Conditional Access uses these detections to prevent an identity from accessing cloud services based on risk classifications. Using Azure Active Directory Identity Protection makes it possible to mitigate an attack within seconds due to an automated response.

Note: Conditional Access policies, at their simplest, are if-then statements. If a user wants to access a resource, they must complete an action. An action is forcing the user to use Multi-Factor Authentication or forced to change their password.

The new feature in Azure Active Directory Identity Protection now supports the detection of leaked credentials for workload identities. A workload identity is an identity used to authenticate and access other services and resources. Think of a Service Principal created when you create an Enterprise Application.

Microsoft scans GitHub, Pastebin, etc., for leaked credentials, and if there is a match with your environment, by comparing the hash of the password, it will trigger an alert and mitigate the risk.

Leaked credentials are a common mistake made by many administrators. GitHub already supported the “Leaked Credentials” feature, but no comparison in any environment occurs. Still, with Azure Active Directory Identity Protection, the hash is compared with the hash in Azure Active Directory to see if there is a match. Suppose there is a match, an alert triggers.

Microsoft GitHub Scanner

For demonstration purposes, I created a tool to scan for leaked credentials on GitHub. The tool uses the GitHub API to get all files in the repository and scans for AadSecrets. As I created it for demonstration purposes only, it is not perfect. PowerShell could be an option, but I decided to use C# core for fun.

The tool is simple. I use an API to list all files in a repository and re-write the URL to get the raw contents. Then I scan for AadSecret in the raw contents for leaked credentials. I do not have to download any repository as some tools do to make it simple, fast, and accessible.

Conclusion

In my opinion, Azure Active Directory Identity Protection is a must to protect identities in any corporate environment. The combination of Azure Identity Protection and Conditional Access drastically lowers the risk of a compromised identity. Now that workload identities are also protected makes it even more powerful.

In my previous blog post, I mentioned you need a URL shortener instead of the Azure Function URL to send to a mailbox to identify Microsoft Defender for Office 365 Safe Links. The reason to use a shortener is that using the direct Function App URL bypasses Microsoft Defender for Office 365 Safe Links active scanning. This blog post will briefly explain how this bypass works and how an attacker can use it to their advantage.

As a reminder, here is the flow used to identify Microsoft Defender for Office 365 Safe Links.

To my surprise, when sending the Function App URL, Microsoft Defender for Office 365 Safe Links does not actively scan the URL. So I was thinking, what if I create a URL forwarder using the Function App forwarding the user to a malicious website? Does it “bypass” the active scanning using Microsoft Defender for Office 365 Safe Links?

After some testing, I was surprised Microsoft Defender for Office 365 Safe Links is not actively scanning the URL. Here is the code for the forwarder using an Azure Function App.

#r "Newtonsoft.Json"
 
using Microsoft.AspNetCore.Mvc;
 
public static IActionResult Run(HttpRequest req, ILogger log)
{
    return new RedirectResult("https://malicious.com", true);
}

So sending the Function App URL using a phishing e-mail redirects the user to a malicious website and bypasses Microsoft Defender for Office 365 Safe Links active scanning.

Conclusion

Microsoft Defender for Office 365 is a product that is hard to bypass, mainly because it can be a black box. When using this bypass, layered security should stop a user from visiting malicious websites, like enabling Smartscreen, so using layered security is always a good idea.

A few months ago, I wrote a script that checks if a company uses Microsoft Defender for Identity. I then wondered if there is a way to identify if a company uses Microsoft Defender for Office 365. Safe Links, a Microsoft Defender for Office 365 feature, actively scans incoming URLs. So checking if Microsoft Defender for Office 365 scans the URL to identify Microsoft Defender for office 365 is manageable. This blog post will briefly explain how I identified if a company uses Microsoft Defender for Office 365 Safe Links, possibly without sending a single valid e-mail.

Microsoft Defender for Office 365

I do not want to detail what Microsoft Defender for Office 365 is, but an important feature to understand is Safe Links. Safe Links is a feature in Microsoft Defender for Office 365 that provides malicious URL scanning and time-of-click verification of links in e-mail messages and Microsoft Teams.

So if you sent an e-mail to a mailbox, URL scanning takes place by Microsoft Defender for Office 365 Safe Links. If you can identify if Microsoft performs the scan, you can determine if Microsoft Defender for Office 365 is enabled. So simply running an HTTP listener for incoming requests should do the trick.

Azure Function App

First, I thought running a simple HTTP server was enough, but then I had the idea to use a Function App since that already contains an HTTP trigger that I can use. If I could capture the incoming request, I could validate who is actively scanning the URL. But since I wanted to send myself an e-mail with the information, I thought it would be easier to use a Logic App instead.

Azure Logic App

When an HTTP request is received, the Logic App triggers. So capturing the request would be enough to get all the information I need. Unfortunately, I could not get the IP address of the initial request since the Logic App did not provide me with the correct information.

What I could do, though, is use an Azure Function App to send all the information I need to a Logic App and then send the e-mail.

Function Code

I ended up with a function using the HTTP trigger template. The HTTP trigger function runs whenever it receives an HTTP request, responding based on data in the body or query string. My function checks if the IP address to scan the URL is from Microsoft and sends a POST request to a Logic App.

using namespace System.Net
 
param($Request, $TriggerMetadata)
 
$IPAddress = $Request.Headers["x-forwarded-for"]
$UserAgent = $Request.Headers["user-agent"]
 
if($IPAddress -like "40.94.*.*") {
    $MDODetected = "Yes"
}
Else {
    $MDODetected = "No"
}
 
$params = @{'IP Address' = "$IPAddress";
'MDO Detected' = "$MDODetected";
'User Agent' = "$UserAgent";
} | ConvertTo-Json
 
Invoke-WebRequest -Uri 'https://prod-165.westeurope.logic.azure.com:443/workflows/<SNIP>' -Method POST -Body $params -ContentType 'application/json'
 
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body = $params
})

Note: I identified Microsoft Defender for Office 365 Safe Links using the IP address, but technically you can identify any active scanning based on any header.

Pasting the Function App URL in a browser shows the following information.

Sending an e-mail

Now that we identify who is scanning the URL by capturing the GET request, we can forward it to a Logic App and send ourselves an e-mail with the information we need.

We can trigger the Logic App with a POST request, parse it to JSON, and send the information from the JSON parsing using an e-mail. Here is a screenshot of the Logic Apps steps.

We have to send the Function App URL to an e-mail address and see if Microsoft scans the URL. Sending the Function App URL is enough to get the information needed to identify if Microsoft scans the URL.

Note: To ensure that Microsoft scans the URL, you need to use a URL shortener and send the shortener URL to a mailbox. More information about that in a future blog post.

An e-mail to a non-existing mailbox also does the trick, depending on the configuration. So first, try to send an e-mail to a non-existing mailbox. If it identifies as “Microsoft Defender for Office 365 Identified,” you know Microsoft Defender for Office 365 is running, and you do not have to send an e-mail to an existing mailbox to be more stealthy.

Conclusion

Using this technique makes it possible to also identify other e-mail scanning services, but my main goal was to identify Microsoft Defender for Office 365, and it worked.