BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:00d0e0b4-3c99-441b-9fe1-8d537ad9da13
DTSTAMP:20260420T105330Z
SUMMARY:(Intermediate) O365Squatting
DESCRIPTION:Title: (Intermediate) O365Squatting\n\nDescription:\nO365Squatt
 ing is a Python tool created to identify those domains before the attack s
 tarts. The tool can create a list of typo squatted domains based on the do
 main provided by the user and check all the domains against O365 infrastru
 cture (these domains will not appear on a DNS request).\n\nAt the same tim
 e\, this tool can also be used by red teams and bug hunters. One of the c
 lassic attacks is the domain takeover\, so the second option of this too
 l is to check if the domain is registered in O365 in order to launch a dom
 ain takeover attack.\n\nOne of the main benefits of cloud technology is t
 o deploy services quickly\, with minimum interaction from the administrat
 or side. This is an advantage exploited by cyber criminals too. Nowaday
 s the main threat companies of all sizes are facing is phishing. Every da
 y cyber criminals are creating more sophisticated techniques to cheat us
 ers and make the job of blue teams more difficult. The most common techn
 ique used is typo squatting.\nPart of the Blue team mission is to detect p
 hishing\, typo squatters\, and attack domains before the phishing campai
 gn begins. There are plenty of tools out there trying to detect those do
 mains based on DNS\, however none of them are focused on the cloud.\n\nO3
 65Squatting is an Open Source tool created in Python3 that can be launch
 ed automatically using cron. This is a unique tool\, not only because o
 f the cloud capabilities\, but also because it is prepared to be integra
 ted with commercial SIEMs such as ArcSight based on the output possibili
 ties\, on screen or in CEF and JSON format.\n\nWhen you create an accoun
 t in O365 you can get a domain to use on your mail server on O365\, howe
 ver this domain is not published to DNS servers. Not publishing the doma
 in automatically\, as AWS or GCloud do\, creates a serious problem for o
 rganizations and blue teams\, leaving a grey area in domain monitoring. O
 ur team has detected 100's of attacks using this method that classic too
 ls are not detecting.\nO365Squatting runs locally without sharing any inf
 o\, allowing:\n\nCreate list of squatted domains\nCheck squatted domain
 s on O365\nCheck possible domain takeover on O365\nExport in several form
 ats (CEF\, JSON)\n\nSpeaker(s): Juan Francisco\, Jose
  Miguel Gómez-Casero Marichal\n\nLocation: Blue Team Vlg / Blue Team Vlg 
 - Talks Track 1\n\nDiscord: https://discord.com/channels/70820826769994550
 3/732454317658734613\n\nEvent starts: 2020-08-08 10:30 (10:30 AM) PDT (UTC
  -07:00)\n\nEvent ends: 2020-08-08 11:00 (11:00 AM) PDT (UTC -07:00)\n\nFo
 r the most up-to-date information\, please either visit https://info.defco
 n.org\, or use HackerTracker\, which is available for iOS and Android. Thi
 s is an automated message\, and this data was last modified 2020-08-03T00:
 12 (UTC).
URL:https://forum.defcon.org/node/234102
DTSTART:20200808T183000Z
DTEND:20200808T190001Z
LOCATION:Blue Team Vlg / Blue Team Vlg - Talks Track 1
END:VEVENT
END:VCALENDAR
