Turning Microsoft's Login Page into our Phishing Infrastructure

Presented at DEF CON 33 (2025), Aug. 9, 2025, 4 p.m. (45 minutes).

Microsoft Entra ID is one of the most widely used identity providers in the enterprise market, or, from our perspective, the most targeted platform in phishing attacks. Getting our phishing infrastructure up and running is usually the easy part. The real challenge is keeping it online long enough to deliver the phishing link and collect credentials before it gets detected and burned. But what if we could use Microsoft's official login domain for our phishing purposes? And no, I'm not talking about the heavily mitigated OAuth consent or device code phishing techniques, or simply hosting a phishing page on an Azure Web App subdomain. I'm talking about stealing credentials directly from the legitimate login.microsoftonline.com domain. In this talk, I will share multiple novel methods that can be used to achieve this. And the best of all? It all relies on legitimate functionality, making it mostly unpatchable. 😈

References:

- [link](https://github.com/RedByte1337/GraphSpy/wiki/Device-Codes#device-code-phishing)
- [link](https://aadinternals.com/post/phishing/)
- [link](https://www.mdsec.co.uk/2019/07/introducing-the-office-365-attack-toolkit/)
- [link](https://insights.spotit.be/2024/06/03/clipping-the-canarys-wings-bypassing-aitm-phishing-detections/)

Presenters:

  • Keanu "RedByte" Nys - Spotit
    Keanu Nys (aka RedByte) is an information security researcher from Belgium, and currently leads spotit's offensive security team. While he has a passion for all offensive cybersecurity topics, he mostly specializes in Active Directory, Microsoft Entra ID (Azure AD), and social engineering. He is the author of the Microsoft 365 and Entra attack toolkit GraphSpy, and has presented at hacker conferences such as BruCON. He is the trainer for the Certified Azure Red Team Expert (CARTE) bootcamps and other Azure red teaming courses at Altered Security, a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
