Bypassing MDO (Microsoft Defender for Office 365) Phishing Filter.

By -

How it Started: Background and Initial Observations:

As part of an internal cybersecurity awareness initiative, I was asked by my organization to provide cybersecurity awareness session that included live demonstrations using tools such as Flipper Zero, OMG cables, and a phishing simulation - Gophish (why?: easy and free). 

Everything was working fine, except for Gophish, After configuring Gmail SMTP in Gophish and sending test emails to my corporate account, the messages were consistently blocked by Microsoft Defender for Office 365 (MDO) and did not reach the inbox. 

Further analysis revealed that emails generated by Gophish were being flagged as phishing by multiple detection layers within MDO, including general filtering, mixed analysis, and advanced filtering mechanisms. This indicated that the framework was effectively identified and blocked by default protections.

During investigation of the email headers, I observed that the default "X-Mailer:Gophish" header could be the reason to these detections. Based on this hypothesis, I modified the header value to a generic value (e.g., “Yahoo” or similar).

Following this change, the emails were successfully delivered to user mailboxes, despite MDO being configured with recommended security settings. The messages were no longer blocked or quarantined at delivery time, allowing user interaction.

============== End of theory ==========

==========Technical details and POC========

1. Let's start with the detected email sent from Gophish tool:

 
In above image you can clearly see that Gophish header was sent which is detected by MDO.
Below is the detected information from Microsoft security portal.



==== POC/Bypass =======

Assuming that you have already configured your GoPhish Tool including sending profile etc. if not you can search on youtube "How to configure GoPhish"

To bypass MDO filters: Edit your sending profile in GOphish Tool, There is a section of "Email Headers:"

In 1st field write: X-Mailer

In 2nd field write: Anything(i wrote Yahoo)

Click Add custom Header. Your settings will look like this:


That's it, try sending the email and you will get it in your inbox, completely bypassing MDO below is one email of sent email with our custom header.


Below is a snap from security portal. No detection.

=========Report to Microsoft??====

This issue was reported to Microsoft they classified it as low severity, with no immediate servicing planned, and approval granted for public disclosure. 

In my view, the severity may be higher than currently classified, as the behavior could weaken phishing detection controls and increase exposure to socially engineered attacks.

My research was conducted using Gophish; however, similar techniques could be applied to other platforms such as King Phisher and SET (Social-Engineer Toolkit) etc.

===========Solution??======

Currently there is no solution to stop this bypass. The only solution is "User awareness sessions"


Thanks












Comments

Post a Comment

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef...
Read more

Autoconfiguration ipv4 address 196.254.x.x IP Problem

By -
Image
Today when i connect my laptop to Lan it wasn't getting the ip from my DHCP server. Instead it gives me some weird IP like 196.254.x.x . while my Wifi was working fine, I searched Alot to get to know until i found a great piece of code on a blog. so going to share with you guys. Problem with my Ip. Steps to follow: If you are Using any Firewall disable it (like i use comodo so i disable it temporary) Click on start and click on RUN (or simple press windowsKey+R ) type CMD   Now type the below Codes  netsh interface ipv4 show inter It will show like this.  As we have problem in LAN so my LAN here is Local Area Connection  and Its Idx=11 (we will use this idx number in next code) Now type in this code and replace your Idx number, as mine is 11    netsh interface ipv4 set interface 11 dadtransmits=0 store=persistent   It will show like this.  If it says OK. Congratulations you have done the difficult part Now Click on ...
Read more

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

By -
Image
  Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options.  However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS. Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings. 1. Using Ping menu (CVE-2024-41308):  it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open. 2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open. Both the vulner...
Read more