"to send messages via smtp through the target organization ’ s direct send smart host “ < domain >. mail. protection. outlook. com ”. though it is possible to use telnet ( yes, i said telnet ), powershell provides the send - mailmessage command that wraps the connection for you. y…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1566.002 Spearphishing Link
81%
"##bound email controls and secure the direct send smart host from allowing arbitrary unauthenticated users from sending spoofed emails into the organization. references - https : / / learn. microsoft. com / en - us / microsoft - 365 / security / office - 365 - security / anti - s…"
T1566.002 Spearphishing Link
61%
"code phishing emails in a default tenant inbox, and discuss mitigations. default protections some default protections do apply from the start, as documented here : https : / / learn. microsoft. com / en - us / microsoft - 365 / security / office - 365 - security / anti - spam - p…"
T1566.002 Spearphishing Link
54%
"the receiving tenant id. these tests were performed using default tenant settings in exchange online protection. additional testing was performed against black hills information security ( bhis ) antisoc customers using a mix of additional filters, transport rules, and third - pa…"
T1534 Internal Spearphishing
47%
"spamming microsoft 365 like it ’ s 1995 spamming microsoft 365 like it ’ s 1995 i previously blogged about spoofing microsoft 365 using the direct send feature enabled by default when creating a business 365 exchange online instance ( https : / / www. blackhillsinfosec. com / spo…"
T1566.002 Spearphishing Link
46%
"##eeky / decode - spam - headers — to further analyze the headers. it can output a handy html file for review. python. \ decode - spam - headers. py. \ globo _ header. txt - f html - o report. html the script will identify spam headers. using a different domain email from address…"
T1566.002 Spearphishing Link
43%
"note : the azure console will timeout after 20 minutes of inactivity. i suggest using “ start - job ” to background your command. then, keep the terminal alive with “ watch ls ”. if you ’ re testing a single target domain, you might use a command like : start - job - name asciide…"
T1566.001 Spearphishing Attachment
39%
"seen below. the ascii encoded email landed in two of three mailboxes ’ junk folders. it did not land in the “ bydesign @ ” mailbox. oddly, it was not in quarantine either. i tried the same email again from the same ip address and cloud shell hostname. this time with utf32 encodin…"
T1586.002 Email Accounts
34%
"spamming microsoft 365 like it ’ s 1995 spamming microsoft 365 like it ’ s 1995 i previously blogged about spoofing microsoft 365 using the direct send feature enabled by default when creating a business 365 exchange online instance ( https : / / www. blackhillsinfosec. com / spo…"
T1589.002 Email Addresses
34%
"the receiving tenant id. these tests were performed using default tenant settings in exchange online protection. additional testing was performed against black hills information security ( bhis ) antisoc customers using a mix of additional filters, transport rules, and third - pa…"
Summary
I previously blogged about spoofing Microsoft 365 using the direct send feature enabled by default when creating a business 365 Exchange Online instance (https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995/). Using the direct send feature, it […]