Fishnet cases - how Microsoft Azure helps in conducting a phishing attack
We are publishing an article following the footsteps of our performance at Fast Track OFFZONE-2019 with the report “Fishnet deals - how Microsoft Azure helps in conducting a phishing attack.”
When conducting a phishing attack that distributes malicious attachments, the main problem is getting past the spam filters on the victim's mail server. Many companies host their mail in the Microsoft cloud, so you really need to be a mail-delivery guru for a malicious attachment to slip past Microsoft's trained spam filters.
When conducting a RedTeam engagement, we try to use the legitimate tools that users themselves use. For example, the presence of a VPN service in the company helps us get into the company with user rights while raising a minimum of suspicion (or none at all).
So the idea came up to see how Microsoft itself could help us. We looked at what kind of protection Microsoft offers and decided to find out what kind of beast this Azure Information Protection is.
Azure Information Protection
In this study, we will consider Azure Information Protection (AIP), a tool that allows you to classify documents according to their degree of confidentiality and restrict access to them for different users of the organization.
It is very simple to use: you download a client with which specific rights can be set on each document. Labels and confidentiality levels are configured per company; the administrator has those rights and obligations. By default, only 2 levels are created: Confidential and Highly Confidential.

It is also possible to grant access to individual users and assign them rights to the document. For example, if a specific user should be able to read a document but change nothing in it, you can set Viewer mode for that user.

Azure Information Protection is integrated with Office 365, so the user needs no additional software to open the document and perform the permitted actions on it (from reading to editing and full rights to the document).
When AIP is used outside Office 365, the protected document gets the .pfile extension and cannot be opened without the Azure Information Protection Viewer.
In general, the solution seemed interesting and we decided to conduct a study.
For this research we need to:
- choose and register a suitable Microsoft account for us
- register 2 companies (attacker and victim)
- create a malicious document that we will send in a phishing email
Microsoft account registration
For this study we chose a Microsoft business account because it includes Azure Information Protection. AIP is also available in other subscription plans; they can be found here.
We will not describe in detail the difficulties we ran into when registering an account. Briefly: it is impossible to register a business account on your own from Russia, because of sanctions. But you can turn to partners (official companies; there are 4 of them in Russia) or register while on vacation in Europe, having bought a local SIM card there beforehand.
We registered 2 companies. Company 1 is the victim company, MyMetalCompany, with the domain mymetalcompany.club and two users, Petr Petrov and Vasya Vasechkin. The victim company does not use AIP.

Company 2 is the attacking company, Gem Company, with a standard Microsoft domain, gemcompany.onmicrosoft.com, and a single user, Evil User, who will send phishing emails to Petrov and Vasechkin.

Evil User will run the experiment with a malicious document classified as DDEDownloader: a document with an embedded link through which a PowerShell script is downloaded and launched from the command line. Gem Company uses AIP.
Testing
Recall that our main goal is to make the malicious document pass spam filters and reach the user in the Inbox folder.
The first thing to check is whether the malicious document reaches the user if we send it in its so-called "clean form". We send the freshly generated document from Evil User to comrade Vasechkin.
The result was predictable: Microsoft did not like our letter and decided that Vasechkin should not have to pay attention to such garbage. The letter did not reach Vasechkin.
Next we try to set, through Azure Information Protection, that only Vasechkin can open the document, and only in read mode. Why only read mode? Because what matters to us is that the user opens the document; what actions he can perform on it afterwards is irrelevant, so read mode is quite enough. Note that we do not change anything in the document itself; we only set restrictions on working with it. AIP then performs some encryption magic, which is outside the scope of this study.

We will send such a document to Petrov and Vasechkin. Let's see what will happen for each of them. Note that Petrov generally has no rights to work with the document.
The first thing to notice is that the malicious document ended up in both Petrov's and Vasechkin's inboxes!
Vasechkin calmly opens the document using Microsoft Word. He does not need any additional software.

We see that access is limited, but the full contents of the document are visible.
Another point: a document protected by AIP can be opened only in Word, i.e. you cannot see it in the preview mode of the mail client or in online viewers.
Petrov's situation is the opposite: he cannot open the document, because he has "no documents" (as they say in one famous cartoon).

On the downside, you can see the account under which the document was protected with AIP. This may give the BlueTeam a clue when investigating the incident. Otherwise, everything works according to the rules we set.
Great, but what happens if we set only the confidentiality level? We do not need anyone to be able to open the document; the main thing in this study is to get into the inbox.
We tried setting the Confidential level on the document: the document was cut off by the spam filter.
Restrictions can also be set on the email itself. An add-in appears in the Outlook client that lets you set restrictions on the message, and (according to Microsoft's documentation) they apply to the entire contents of the message, including attachments. The add-in appears if the user is using AIP; in our case Evil User uses it and has the add-in.
We tried putting the Highly Confidential label on the message with the attachment: the message did not reach the inbox.
We concluded that "for all users" should not be set, because "all users" also includes the service accounts that check incoming mail for malware.
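As an added defender-side example (not from the article, and not Microsoft's or any product's code), a mail-gateway triage rule that turns the observation above into a signal: an external rights-protected attachment that the scanning service account cannot open is held for analyst review, and the protecting tenant visible in the document is surfaced as the clue. The Attachment and Message fields, the gateway's "scannable" verdict and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Attachment:
    name: str
    rights_protected: bool            # IRM/AIP protection present (hypothetical gateway field)
    scannable: bool                   # could the gateway's service account open it?
    protector_domain: Optional[str]   # tenant that applied the protection, if visible

@dataclass
class Message:
    sender_domain: str
    recipient_domain: str
    attachments: List[Attachment] = field(default_factory=list)

def triage(msg: Message) -> Tuple[str, List[str]]:
    """Return (verdict, reasons): 'pass' hands the mail to the normal content
    filter, 'quarantine' holds it for analyst review."""
    verdict, reasons = "pass", []
    external = msg.sender_domain.lower() != msg.recipient_domain.lower()
    for att in msg.attachments:
        if not att.rights_protected or not external:
            # Plain attachments go through the usual filter; internal staff
            # protecting their own documents is the intended use of AIP.
            continue
        # .pfile is AIP generic protection: not openable without the AIP viewer,
        # so the gateway cannot inspect it either.
        unscannable = att.name.lower().endswith(".pfile") or not att.scannable
        if unscannable:
            verdict = "quarantine"
            reasons.append(f"{att.name}: external rights-protected attachment the filter could not open")
        if att.protector_domain and att.protector_domain.lower() != msg.recipient_domain.lower():
            # The protecting account is visible in the document: surface it for the analyst.
            reasons.append(f"{att.name}: protection applied by foreign tenant {att.protector_domain}")
    return verdict, reasons

# Constructed sample traffic modelled on the article's setup (domains taken from the article).
SAMPLES = {
    "clean": Message("gemcompany.onmicrosoft.com", "mymetalcompany.club",
                     [Attachment("invoice.docx", False, True, None)]),
    "label_only": Message("gemcompany.onmicrosoft.com", "mymetalcompany.club",
                          [Attachment("invoice.docx", True, True, "gemcompany.onmicrosoft.com")]),
    "restricted": Message("gemcompany.onmicrosoft.com", "mymetalcompany.club",
                          [Attachment("invoice.docx", True, False, "gemcompany.onmicrosoft.com")]),
    "internal": Message("mymetalcompany.club", "mymetalcompany.club",
                        [Attachment("salaries.docx", True, False, "mymetalcompany.club")]),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, triage(sample))
```

The "label_only" case stays on the normal path because a document protected for all users is still openable by the scanning account, which matches the article's observation that label-only documents were caught by the filter.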
Tracking system
One of the cool features of AIP is the tracking system, which lets you determine who opened the document, or tried to open it, when and from where.
In this case we see that Petrov tried to open the document and failed, while Vasechkin opened it. When conducting a phishing attack such a system is a lifesaver: you do not have to invent anything, you immediately see whether the target opened the attachment or not.

You can also configure notifications so that an email arrives whenever someone tries to open a document.
Conclusions
The aim of the study was to bypass Microsoft spam filters using Microsoft itself (using the means of protection offered by the company).
- The goal was achieved, with one remark: you need to use AIP specifically to set access rights for particular users. Bypassing other security features (antiviruses, intrusion detection systems that trigger when the document is opened; we deliberately took a malicious document that every security product detects) depends on your imagination. We sought only to get the letter into the inbox.
- Azure Information Protection only works for signed-in Office 365 users (this is the encryption magic). In almost all organizations users are signed in to Office 365, so there is no difficulty, but this fact must be taken into account.
- The tracking system is a gorgeous thing, convenient and practical to use.
- Using AIP to protect documents (for its intended purpose, so to speak) is also cool and will cause headaches for attackers: access to documents becomes harder to obtain.
The slides from the talk can be found on our GitHub.
Thanks to the organizers of OFFZONE for the conference! It was interesting!