Phishing Threats to Cloud Users

1. Yevhen Teleshyk
Phishing Threats to
Cloud Users

2. Phishing
- spear phishing
- clone phishing
- whaling

3. OAuth2
Application
Authorization
server
Resource
Server
Resource
owner
Authorization request
Authorization grant
Authorization grant
Access Token
Protected Resource
Access Token

4. Registration

5. Authorizations request
Application
Resource
owner
Authorization request
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_
type=code&client_id={}&redirect_uri={}&scope={}

6. Scopes

7. Authorization grant

8. OAuth2
Application
Authorization
server
Access Token

9. JWT
JWT=
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2Y
TctODkwYS0yNzRhNzJhNzMwOWUiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm
5ldC83ZmU4MTQ0Ny1kYTU3LTQzODUtYmVjYi02ZGU1N2YyMTQ3N2UvIiwiaWF0Ijo
xMzg4NDQwODYzLCJuYmYiOjEzODg0NDA4NjMsImV4cCI6MTM4ODQ0NDc2Mywid
mVyIjoiMS4wIiwidGlkIjoiN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0Nzd
lIiwib2lkIjoiNjgzODlhZTItNjJmYS00YjE4LTkxZmUtNTNkZDEwOWQ3NGY1IiwidXBuIjoi
ZnJhbmttQGNvbnRvc28uY29tIiwidW5pcXVlX25hbWUiOiJmcmFua21AY29udG9zby5j
b20iLCJzdWIiOiJKV3ZZZENXUGhobHBTMVpzZjd5WVV4U2hVd3RVbTV5elBtd18talg
zZkhZIiwiZmFtaWx5X25hbWUiOiJNaWxsZXIiLCJnaXZlbl9uYW1lIjoiRnJhbmsifQ.iwid
W5pcXVlX25hbWUiOiJmcmFua21
JWT = base64(header.payload.signature)
Header = {"typ","nonce","alg","x5t","kid"}
Payload = {"aud":"https://graph.microsoft.com","iss","iat","nbf",
"exp","acr","aio","amr","app_displayname","appid","appidacr",
"family_name","given_name","ipaddr","name","oid","onprem_sid",
"platf","puid","scp","sub","tid","unique_name","upn","uti","ver"}

10. Revoking

11. Questions?

12. References:
• https://tools.ietf.org/html/rfc6749
• https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations
• https://docs.microsoft.com/en-us/outlook/rest/node-tutorial#using-the-mail-api
• https://www.elevenpaths.com/new-ransomcloud-o365-report/index.html