Hello everyone, my name is Paranar Ked and I welcome you to O365 Squatting. If you have not already joined the Discord chat, please go to the Blue Team Village website, click on the Discord link and join. Please give a warm welcome to Juan Francisco and Jose Miguel.

Thank you. Thank you very much. Thank you for coming to this virtual talk. We're going to talk about the tool that we have developed, O365 Squatting, but first we are going to make a very brief introduction. I'm working as a manager of IT security in a pharma company. I have been working in security during the last years. I have published a book and I am also collaborating with ElevenPaths as a Chief Security Envoy. Jose?

Hey guys, this is Jose Miguel Gomez. I've been working in security from the very beginning of my working life. My main role has been IT security analyst. Nowadays I'm working in a pharma sector company, but I am also a researcher and security enthusiast. I've been working with several multinational enterprise companies, assisting and helping them to become a more secure company, and I have also been studying for certifications such as OSCP and OSCE.

So let's start with the real part: the challenge in Azure. Of course, all of us know that Azure, and the cloud in general, is helping all of us, and also the dev people, to create services and domains easily. So there is a clear benefit. However, the attacker also gets a really good benefit. When you create an account on Azure, you get a domain on onmicrosoft.com associated with your account. So you are getting a Microsoft domain for yourself, and this is something that we are going to see during this talk; it is something that attackers are going to exploit. This research and this tool come from our experience and the cases that we are seeing every day coming from attackers. So what is going on with the onmicrosoft domain?
When you create, let's say, an account called DefCon on Azure, you are automatically granted an onmicrosoft.com domain for your username. So if you try to find out what is on the DNS, how it is resolved, it resolves directly to the Azure DNS. And of course the WHOIS we are talking about is part of Microsoft. So it's a good starting point that we are able to have a domain on onmicrosoft.com. So what is the problem? The problem is that you can use this domain in order to create Exchange servers, and of course the hackers and attackers are going to be using this technique. This technique allows you to see an image like this one: we have seen that it was requesting some payments, and it was coming from an onmicrosoft domain. Of course, the first idea of a blue teamer is, okay, let's block that domain, but blocking the onmicrosoft domain is not a really good idea. It will have a lot of impact on your infrastructure and on real emails.

Another problem is beyond this small black box: the attacker was also trying to create confusion by creating domains similar to the original one, which made it harder for users to identify these emails. So we encountered a problem and we tried to find a solution. We started to analyze the headers. Of course, all the headers are coming from Outlook domains and protection.outlook.com domains, so everything looks good, as if it is coming from Microsoft. We analyzed one of the IP addresses and of course it belonged to a Microsoft domain, so we cannot block it either, because it is part of the Outlook infrastructure and it would again have a lot of impact on our users. Also part of the header was the Message-ID, again pointing to Outlook domains, and we were also considering the SPF part.
The SPF part is what was not working, mainly because Microsoft has configured it as neutral, which means this protection will not block the reception of emails. There are other headers like transport, anti-spam mailbox and anti-spam message, so a lot of protections are there. So we had a problem: attackers are creating domains on onmicrosoft.com and using them to send spam, but we are not able to detect it.

Something that we detected is that as soon as you create an account, not only the onmicrosoft account or domain is created; a SharePoint site with your name is also created automatically, following this pattern. So if the original one is the first, the attackers are going to start creating all these similar typosquatting variants related to onmicrosoft. So what is the case? We need to be able to detect these domains and we need to be able to block them. We are not able to do it with onmicrosoft because it's not creating a real website; it's only on the Azure DNS, not in the public DNS. So it's something we need to work with. We detected the sharepoint.com one and we applied this technique of detecting these websites. So we are going to detect these newly created domains based on sharepoint.com. It's not possible either to detect these SharePoint domains based on reputation. We have been using a well-known reputation site for checking the reputation of sites, and we found that the ones that had already been sending spam or phishing users were already detected as a sharepoint.com domain. However, the ones that are created but still not used were not found. So we need to be able to protect before the attack happens, and we thought, okay, let's do something ourselves to check what to block.
So what we do is we create a list of possible domains for our company, or the company that you want, using typosquatting, bitsquatting or homoglyphs. And then we found a pattern: all the domains related to SharePoint have two answers. If the domain exists, then it has a 302 redirect answer and it goes to the Azure login page. If the domain does not exist, or is still not created by the attacker, then it's a 503 Service Unavailable, and we can detect it. So why do it manually? Let's automate it and then export it to a JSON or a CEF file in order to import it into our systems. So this is the idea of our tool and how to demonstrate these steps. And Jose Miguel will show you a little bit more about how to work with it.

Thank you guys, so we are just leaving the presentation part. Let's go with the well-known part of all of this. What we're going to show you is how this tool is working. As Francisco told us, we are going to use several well-known domain typosquatting techniques to create a list of potential domains that could be impersonating a company in the Microsoft infrastructure. So with all this we are working with our tool. These are all the arguments you can use. You can check one single domain in the Microsoft infrastructure. You can also check one single domain and generate all the possible domains. And you can also use a file with a list of domains that you want to monitor; it's the same as the single domain, but you can do bulkier jobs with it. The rest of the arguments are just to help you guys with the script. You can run it as a service; it's very service friendly. You can create a cron job with all this. So you are entering into business. You want to check one single domain: this is the response it gives you, the domain is up. But if you try one single domain that we already know does not exist, it's not available. But take a closer look at this.
This is one of the domains that is up. And it seems that, if you are a Microsoft company, you need to monitor all these responses. But of course, if you want the full list, you can create it. And you can have some kind of verbose output and record the output to a file in CEF format. So this is where the script starts checking in the Microsoft infrastructure what kind of domains are up and running. In the meantime we are going to show you part of the code. This is where we are starting to do some tests in the Microsoft infrastructure. Single domain generates all the possible domain-squatting domains, and all of these are passed to the test onmicrosoft function for every instance in the list. With all this, the rest of the job is done, as you can see now. Just to let you know what kind of techniques we are using: we have here, for instance, all the domain squatting for keyboard typos. We have here bitsquatting and homoglyphs, because you are comparing every single letter in the language with similar ones that are likely to be used for impersonating companies. And after this, as you can see on the left, you have the output file. You can see that you have a very beautiful output in CEF format that syslog or something similar can interpret. So you can pass this to your SIEM tools and you can start monitoring these kinds of domains. And that's all for the tool.

After this, we are going to upload this tool to GitHub. This is the link where the source code is available. And this is not the end of this project. We have a lot of work for the next months. We would like to have some kind of automation for the domain takeover. We also want to convert it into a container to be published on Docker Hub, because we know there are a lot of blue team fellows who would like to have this in Kubernetes.
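The detection loop the speakers describe (generate squatting variants, probe `<variant>.sharepoint.com`, treat a 302 redirect as an existing tenant and a 503 as not yet created, emit CEF for the SIEM) as an added example in Python. This is illustrative code written for this page, not the O365 Squatting tool's own source; the keyboard and homoglyph tables are a constructed subset, the CEF vendor/product fields are placeholders, and the probe is injectable so it can run offline against constructed statuses.

```python
import http.client
from typing import Callable, List

# Constructed subset of keyboard-neighbour and homoglyph tables (a real tool's are larger).
KEYBOARD = {"a": "qsz", "c": "xvd", "d": "sfe", "e": "wrd", "f": "dgr", "n": "bmh", "o": "ipl"}
HOMOGLYPH = {"o": "0", "l": "1", "i": "l", "e": "3"}

def variants(name: str) -> List[str]:
    """Squatting candidates for a tenant name: keyboard typos, omissions, homoglyphs, bitsquats."""
    out = set()
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        for k in KEYBOARD.get(ch, ""):          # keyboard typo: adjacent key pressed
            out.add(head + k + tail)
        out.add(head + tail)                     # omission: one character dropped
        if ch in HOMOGLYPH:                      # homoglyph: look-alike character
            out.add(head + HOMOGLYPH[ch] + tail)
        for bit in range(7):                     # bitsquatting: one flipped bit
            c = chr(ord(ch) ^ (1 << bit)).lower()
            if c.isalnum():
                out.add(head + c + tail)
    out.discard(name)                            # the legitimate name is not a squat
    return sorted(v for v in out if v)

def classify(status: int) -> str:
    """Map the HTTP status of https://<name>.sharepoint.com to the pattern from the talk."""
    if status == 302:
        return "exists"    # redirect to the Azure login page: the tenant is registered
    if status == 503:
        return "absent"    # Service Unavailable: nobody has created this tenant yet
    return "unknown"

def http_probe(host: str) -> int:
    """Live probe: one HEAD request, without following the redirect (unused by the offline demo)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().status

def scan(name: str, probe: Callable[[str], int] = http_probe) -> List[str]:
    """Probe every variant and return only the SharePoint hosts that already exist."""
    hits = []
    for v in variants(name):
        host = f"{v}.sharepoint.com"
        if classify(probe(host)) == "exists":
            hits.append(host)
    return hits

def to_cef(host: str) -> str:
    # One CEF event per hit; vendor and product names are placeholders for a syslog/SIEM feed.
    return f"CEF:0|Example|O365Check|1.0|100|SharePoint squat detected|5|dhost={host}"
```

Calling `scan("yourcompany")` with the default probe performs the live checks; passing a function that returns constructed status codes lets the same logic be exercised without any network access.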
We also want to expand the check to other domains in Azure, because it's not over with only monitoring SharePoint. We believe there are more things to do in the Microsoft infrastructure. And, very important, we should expand this to other big company clouds such as Amazon or Google, or even Alibaba. We are looking for patterns that will help us and our tool to monitor these kinds of impersonations. We would also like to hear your voice and know what other kind of output would be fine for this tool; every idea is welcome. And also, why not check reputation on public abuse databases, because we would like to help these public databases to have more information: when we detect one of our domains, it could be nice to report it automatically if we check that something is wrong, that something is trying to harm our company. Keep in mind that this is just anticipation: there are no attacks yet, we are just covering the potential attackers in domain squatting. And after this, I believe we are done. Any questions? Thank you for your time. We know it's Saturday morning for you guys, and you still have a long way to go today in Blue Team Village. I hope you enjoy our talk and our tool. You can also access the GitHub and start using it in your companies. If you want to talk to us, here you have our Twitter. You can also contact us through our GitHub. And we are open to any suggestions or ideas. So thank you guys. Thank you very much. Any questions? Any questions?

Yeah, we see the link is now available. We are deploying the code after this talk, because, you know, we are in a cloud, so we would like to have this working up and running right after this talk. So now we are going to deploy this code. Yeah. By the next day you will have the full code available on this GitHub, so don't worry; it will be no later than Monday. Okay.
Is there any kind of throttling you ran into with the tool, like with other...? No, I believe not, we did not have any throttling. The thing is, the very first step was that we were hitting the Microsoft infrastructure a lot because we were sending a lot of requests. So far we have only been detecting without any issues, and every single domain that we detected that was not fine for us we have reported to Microsoft. So yeah, this answers the question of whether we have been in contact with Microsoft: we contact Microsoft each time that we detect a fake report or a fake domain, and we report it to abuse. Of course, you know all these abuse websites request thousands of pieces of information, so we need something more agile in order to protect our infrastructure. So we always report this kind of active domain, but before the attack we are importing it into our solutions. But yes, we are contacting Microsoft and reporting these domains.

Yes. Cyborg 42 is asking: can the tool be used to generate a list of typosquatting domains in JSON or XML format, which can be imported into ELQS plan? The answer is yes. Well, yes and no, because you can create a list of detected and undetected domains. But for the part that is a list of typosquatting domains not being detected, there are already several tools in the wild that you can use for your own purposes. But if you are looking for a well-formatted JSON file that includes all the detected domains in the Microsoft infrastructure, yes, it's one of the outputs allowed by our tool.

Yeah, we see. Thank you for the offer. You work in Azure? Yeah. If you need something, just let us know; you have our contacts, so feel free to reach us. Okay, thanks. Any other questions? Nice. I think that's all. We solved all the questions, right? Yeah. All right.
Thank you for your time then, and continue with the plan for DEF CON Blue Team Village. There is a lot of information and a lot of good value there. So thank you for this time and thank you for your good feedback about the talk.