Title: (Intermediate) O365Squatting
Description:
O365Squatting is a Python tool created to identify those domains before the attack starts. The tool can create a list of typosquatted domains based on the domain provided by the user and check all of them against O365 infrastructure (these domains will not appear in a DNS request).
At the same time, this tool can also be used by red teams and bug hunters. One of the classic attacks is the domain takeover, so the second option of this tool is to check whether the domain is registered in O365 in order to launch a domain takeover attack.
One of the main benefits of cloud technology is deploying services quickly, with minimal interaction from the administrator side; this is an advantage exploited by cyber criminals too. Nowadays the main threat companies of all sizes are facing is phishing: every day cyber criminals create more sophisticated techniques to deceive users and make the job of blue teams more difficult. The most common technique used is typosquatting.
Part of the blue team's mission is to detect phishing, typosquatters, and attack domains before the phishing campaign begins. There are plenty of tools out there that try to detect those domains based on DNS; however, none of them is focused on the cloud.
O365Squatting is an open-source tool written in Python 3 that can be launched automatically using cron. It is a unique tool, not only because of its cloud capabilities but also because it is prepared to be integrated with commercial SIEMs such as ArcSight through its output options: on screen, or in CEF and JSON format.
When you create an account in O365 you can get a domain to use for your mail server on O365; however, this domain is not published to DNS servers. Not publishing the domain automatically, as AWS or GCloud do, creates a serious problem for organizations and blue teams, leaving a grey area in domain monitoring. Our team has detected 100s of attacks using this method that classic tools are not detecting.
O365Squatting runs locally without sharing any info, allowing you to:
Create list of squatted domains
Check squatted domains on O365
Check possible domain takeover on O365
Export in several formats (CEF, JSON)
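An added example (not the O365Squatting code and not material from the talk) of the workflow listed above: derive typo variants of a monitored domain and emit a CEF or JSON event for each variant flagged as registered. The function names, the vendor/product strings and the `registered` set are assumptions; the set stands in for the result of the O365 check, which the description does not detail.

```python
import json

def squat_candidates(domain):
    """Typo variants of the first label: omission, duplication, transposition."""
    label, _, rest = domain.lower().partition(".")
    if not label or not rest:
        raise ValueError("expected a domain such as example.com")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                  # omit one character
        out.add(label[:i] + label[i] * 2 + label[i + 1:])   # double one character
        if i + 1 < len(label):                              # swap adjacent pair
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out -= {label, ""}
    # Labels may not start or end with a hyphen.
    return sorted(f"{v}.{rest}" for v in out if v.strip("-") == v)

def cef_header(value):
    # CEF header fields escape backslash and pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    # CEF extension values escape backslash and equals sign.
    return value.replace("\\", "\\\\").replace("=", "\\=")

def to_cef(squatted, monitored, severity=7):
    # Vendor, product and signature id are placeholder values (assumptions).
    header = ["CEF:0", "ExampleOrg", "squat-monitor", "1.0", "SQUAT-O365",
              "Typosquatted domain registered in O365", str(severity)]
    ext = (f"dhost={cef_ext(squatted)} cs1Label=monitoredDomain "
           f"cs1={cef_ext(monitored)}")
    return "|".join(cef_header(h) for h in header) + "|" + ext

def report(monitored, registered, fmt="json"):
    """One event per candidate present in `registered` (the check's result)."""
    hits = [d for d in squat_candidates(monitored) if d in registered]
    if fmt == "cef":
        return [to_cef(d, monitored) for d in hits]
    return [json.dumps({"monitored": monitored, "squatted": d,
                        "o365_registered": True}, sort_keys=True) for d in hits]

if __name__ == "__main__":
    # Constructed sample: pretend the O365 check flagged these two names.
    flagged = {"exampel.com", "exmple.com"}
    for line in report("example.com", flagged, fmt="cef"):
        print(line)
```

Run from cron, the CEF lines can be forwarded to a SIEM collector and the JSON lines to any log pipeline that ingests one object per line.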
Speaker(s): Juan Francisco, Jose Miguel Gómez-Casero Marichal
Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-08 10:30 (10:30 AM) PDT (UTC -07:00)
Event ends: 2020-08-08 11:00 (11:00 AM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-03T00:12 (UTC).
