During a red team engagement, we discovered a situation where custom domains verified in the client's Azure tenant had expired at the registrar and were available for purchase. Instead of using them for phishing, we attempted to enroll a user through Microsoft's Power BI self-service signup and found, to our surprise, that we were given an account in the client's tenant. At the end of the engagement, we provided the technical details to our client and followed up with MSRC. Microsoft's stance at the time was that "clients were responsible for maintaining their domains", and the case was closed.
A few weeks later we happened upon a well-timed tweet about some PowerShell, which gave birth to the idea of LetItGo: a tool that lets red and blue teamers scan Azure tenants and return any verified domains whose registrations have expired. Preliminary results found that 1 in 5 of the Fortune 500, including Microsoft, had tenants that were vulnerable to this attack path.
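As an added illustration of the scan described above (this is not LetItGo's own code, and it does not reproduce the enrollment step), the following PowerShell lists every domain verified in the signed-in tenant via the Microsoft Graph SDK and flags the ones whose registrable domain no longer has NS delegation. The Graph connection, the `Domain.Read.All` scope, the naive two-label apex extraction and the "no NS records" heuristic are all assumptions of this example; a missing NS answer is only a signal, not proof of expiry, so each hit should be confirmed with a WHOIS/RDAP lookup before anyone acts on it.

```powershell
# Added example, not the LetItGo tool's code.
# Assumes the Microsoft.Graph SDK is installed, the caller can consent to
# Domain.Read.All, and the Windows DnsClient module provides Resolve-DnsName.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, DnsClient

Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

function Get-RegistrableDomain {
    param([Parameter(Mandatory)][string]$Name)
    # Naive apex extraction: keep the last two labels. Correct for example.com,
    # wrong for multi-label suffixes such as co.uk; a real tool should consult
    # the Public Suffix List instead.
    $labels = $Name.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-DomainHasNameServers {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # -DnsOnly skips LLMNR/NetBIOS so we only see what public DNS says
        $ns = Resolve-DnsName -Name $Name -Type NS -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' }
        return (@($ns).Count -gt 0)
    } catch {
        # NXDOMAIN, SERVFAIL or timeout: report "no delegation" and let the
        # caller decide; this is the heuristic, not a verdict on registration
        return $false
    }
}

$results = foreach ($d in Get-MgDomain -All) {
    # Microsoft-managed onmicrosoft.com names cannot lapse at a registrar
    if ($d.Id -like '*.onmicrosoft.com') { continue }
    $apex = Get-RegistrableDomain -Name $d.Id
    [pscustomobject]@{
        TenantDomain   = $d.Id
        Registrable    = $apex
        IsVerified     = $d.IsVerified
        IsDefault      = $d.IsDefault
        AuthType       = $d.AuthenticationType
        HasNameServers = Test-DomainHasNameServers -Name $apex
    }
}

# Verified domains with no delegation go to the top of the review list
$results | Sort-Object HasNameServers, TenantDomain | Format-Table -AutoSize
$results | Where-Object { $_.IsVerified -and -not $_.HasNameServers } |
    Export-Csv -Path .\tenant-domains-to-review.csv -NoTypeInformation
```

Run it from an account that can read directory domains; the CSV it writes is the list to hand to whoever owns domain registrations, and every entry on it still needs a registrar-side check, since a domain can drop its NS records for reasons other than expiry.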
Our talk will include a demonstration of the attack and its impact on the tenant, the gaps in Microsoft's Azure console for reporting domain state, the TTPs organizations need to detect whether this activity has already occurred, and finally the release of the tool.