Risky Business #802 – Accessing Internal Microsoft Apps with Your Hotmail Credentials
Release Date: August 13, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor: SpecterOps
Introduction
In the latest episode of Risky Business, host Patrick Gray and co-host Adam Boileau delve into a wide array of cybersecurity topics, ranging from critical Microsoft vulnerabilities to groundbreaking AI security research. This episode provides listeners with in-depth analysis, expert insights, and timely discussions relevant to information security professionals.
Exchange Vulnerability and Microsoft Integration Issues
The episode kicks off with a discussion about a significant vulnerability in Microsoft Exchange. Adam Boileau explains how this bug allows attackers to escalate privileges from on-premises Exchange environments to Exchange Online.
Adam Boileau [01:40]: "The account used to facilitate integration in the cloud has way more privilege than it should."
Patrick emphasizes the urgency of patching this vulnerability, highlighting CISA’s proactive stance.
Patrick Gray [03:46]: "Normally when you see one of these emergency directives from CISA, it's because someone is actively exploiting the bug. In this case, it looks like they've got out ahead of it."
The conversation underscores Microsoft's challenges in managing complex integrations and the broader implications for organizations relying on hybrid Exchange setups.
Consent and Compromise: Accessing Internal Microsoft Apps with Hotmail Credentials
A central focus of the episode is a deep dive into Vaisha Bernard’s research, titled "Consent and Compromise: Abusing Entra ID for Access to Internal Microsoft Applications." Bernard discovered that certain Microsoft applications inadvertently allowed access using consumer or cross-tenant accounts due to misconfigurations in Entra ID.
Adam Boileau [06:39]: "He ends up in all sorts of weird Microsoft engineering backwaters with interesting bits and pieces."
Patrick and Adam discuss the ramifications of this flaw, noting the complexities of Microsoft’s multi-tenant architecture and the potential for credential theft.
Patrick Gray [09:51]: "This really is hard and really is hard and it really is kind of a mess. And I hope Microsoft learned something from this process."
The episode highlights the importance of proper access controls and the challenges of securing complex cloud environments.
Intrusion into US Court Systems and Potential Cartel Involvement
The hosts then shift focus to reports of intrusions into the US court filing system, with allegations that drug cartels may have accessed sensitive data. Adam outlines the uncertainty surrounding the exact methods used by these threat actors.
Adam Boileau [11:36]: "Some of the other reporting has said there's been all sorts of Russians up in there and they're not sure whether it's Russian, you know, like government cyber, or whether it's, you know, cyber criminals or why not both."
Patrick underscores the broader implications for law enforcement and the judiciary, emphasizing the critical need for robust cybersecurity measures.
Patrick Gray [14:19]: "This is what you would think FBI and DOJ need to up their game. Right. And that's going to be expensive. That is going to be expensive."
Citrix NetScaler Vulnerabilities Exploited as Zero-Day
A significant breach involving Citrix NetScaler is examined next. The team discusses how vulnerabilities were exploited in the wild as zero-days before official patches were released.
Adam Boileau [15:29]: "This is Citrix Bleed 2. It's the memory leak that we talked about a little while ago. Apparently, it was being hit in the wild something like a month before Citrix disclosed it."
Patrick reflects on the unpredictability and potential damage of such exploits.
Patrick Gray [16:00]: "We've linked through to Cybersecurity Dive, who've got a report on that. It connects quite nicely to our theme last week where we spoke about AI on Offense."
DARPA AI Cyber Challenge: Automated Vulnerability Detection and Patching
The conversation transitions to DARPA’s AI Cyber Challenge, where AI agents demonstrated significant capabilities in identifying and patching synthetic vulnerabilities inserted into open-source projects.
Patrick Gray [16:52]: "There were three teams that did well... what was really interesting is they found a bunch of actual bugs that were not put there by DARPA as well."
Adam praises the innovative approach and potential of AI in vulnerability research.
Adam Boileau [17:18]: "This looks pretty promising."
HTTP 1.1 Vulnerabilities and James Kettle’s Research
James Kettle’s research on inherent vulnerabilities in HTTP 1.1 protocols is another highlight. The discussion emphasizes the intricate and often flawed nature of legacy protocols.
Patrick Gray [19:14]: "James Kettle is much better qualified to do that than I am."
Adam explains the complexity and systemic issues within HTTP 1.1 that facilitate various attack vectors.
Adam Boileau [19:21]: "There's an infinite source of these types of bugs because of the confusion and point fixing any one of them is not going to help us."
DOJ Takedown of BlackSuit Ransomware Group
The episode covers the US Department of Justice’s recent takedown of the BlackSuit ransomware group, responsible for raking in approximately $370 million in ransoms.
Adam Boileau [21:03]: "They shut down some things and seized some crypto, you know, all the things that you would expect from a cybercrime group being shut down."
Patrick reflects on the ongoing challenge of combating ransomware despite such successes.
Patrick Gray [22:34]: "It's whack-a-mole, though, at this point. Right. But you do wonder how bad it would be without the takedowns."
Exploitation of WinRAR Bugs by Different Threat Actors
WinRAR continues to be a target, with multiple groups exploiting different bugs in the software. The irony of mutual exploitation between Russian-backed groups and those targeting Russian organizations is highlighted.
Adam Boileau [29:42]: "It's usually a path traversal in this particular case. The funny bit is that was being exploited in the wild and one of the groups exploiting it in the wild was a Russian-backed cyber espionage crew and the other group was someone hacking Russian organizations."
Patrick humorously comments on the persistent relevance of WinRAR in the cybersecurity landscape.
Patrick Gray [30:29]: "It's just amazing that WinRAR persists because Microsoft, like Windows, doesn't have a good archiver. Like it's 2025, man. Like come on Microsoft."
Chrome Sandbox Escape Vulnerability and $250k Bounty
A critical Chrome vulnerability allowing sandbox escapes is discussed, alongside Google’s substantial bounty payout to the researcher who discovered it.
Adam Boileau [31:48]: "Chrome is made up of a whole bunch of processes and this was a flaw where you could convince the sandbox component that you too were the sandbox and that you were authorized."
Patrick highlights the significance of such recognitions by major tech companies.
Patrick Gray [33:47]: "He [the researcher] was very happy."
Legal Proceedings Against Tornado Cash Founder
The hosts touch upon the ongoing legal saga of Tornado Cash founder Roman Storm, who faced mixed verdicts regarding money laundering charges.
Adam Boileau [34:58]: "It's kind of interesting because money laundering is such an important feature of cryptocurrency for crime."
Patrick discusses the broader context of cryptocurrency regulation and its challenges.
Patrick Gray [37:01]: "They've even passed like new regulations that allow people to invest in crypto for their like, like pensions and whatnot. You know, so they're really like pro crypto."
Google Gemini AI and Smart Home Hijacking via Poisoned Calendar Invites
A chilling scenario unfolds as hackers exploit Google’s Gemini AI through poisoned calendar invites, enabling control over smart home devices.
Patrick Gray [37:28]: "Hackers hijacked Google's Gemini AI with a poisoned calendar invite to take over a smart home."
Adam elaborates on the sophisticated prompt injection techniques used to manipulate AI behaviors.
Adam Boileau [39:21]: "You can see why it's like this, but it's just not, you know, it's not good enough and it's going to be expensive to fix."
This segment underscores the emerging threats posed by AI-driven vulnerabilities and the need for enhanced security measures.
Malicious VS Code Extensions and Supply Chain Attacks
John Tuckner from Secure Annex reports on the removal of malicious Cursor and Windsurf extensions from the VS Code Extension Marketplace by Microsoft, forcing users to seek them from less secure sources.
Patrick Gray [42:16]: "This is extremely no bueno."
Adam discusses the complexities of managing extension ecosystems and the inherent risks of third-party integrations.
Adam Boileau [43:22]: "But yeah, people having their crypto stolen, it's kind of what we expect unfortunately."
Phishing Techniques via ADFS and Redirects
Patrick Gray shares insights from Push, a cybersecurity firm, on sophisticated phishing campaigns leveraging ADFS and redirect techniques to deceive users.
Patrick Gray [44:23]: "This is another trick for redirecting, but it's one that's being used by phishers because they are creative and they find all sorts of interesting ways to do it."
Adam emphasizes the limitations of traditional user education in combating such advanced phishing methods.
Adam Boileau [45:22]: "So. Yep, yet another one to look at and I guess another good reason why just telling users to, you know, think before they click isn't really that helpful when they're faced with tricks like this."
Sponsor Interview: SpecterOps and Bloodhound 8 Release
The latter part of the episode features an interview with Justin Kohler from SpecterOps, the team behind Bloodhound, a prominent tool for attack path analysis in enterprise environments.
Key Highlights:
- Open Graph Capabilities: Bloodhound 8 introduces Open Graph, allowing users to model attack paths beyond the Microsoft ecosystem, including platforms like 1Password and Snowflake.
Justin Kohler [47:21]: "We have the announcement of Open Graph, which is the ability to model attack paths into brand new platforms."
- Usability Enhancements: New features improve ease of use, data integration, and extend the tool’s applicability to broader security infrastructures.
Justin Kohler [48:52]: "We added new integrations for ServiceNow and Duo. So if you want to take that information and put it into the systems that you use to remediate attack paths at scale, you can."
- Community Contributions: SpecterOps encourages researchers to contribute custom attack path models, fostering a collaborative security community.
Justin Kohler [51:10]: "We have examples for SQL, 1Password, Snowflake."
Patrick and Justin discuss the transformative potential of these updates for penetration testers, researchers, and enterprise security teams, highlighting Bloodhound’s expanded versatility in identifying and mitigating complex attack vectors.
Conclusion
Patrick Gray wraps up the episode by thanking Adam Boileau and Justin Kohler for their invaluable contributions. He encourages listeners to stay informed by subscribing to the newsletter and engaging with the latest security tools and research.
Patrick Gray [59:31]: "That was Justin Kohler there from SpecterOps. Big thanks to him for that. And big thanks to SpecterOps for being a Risky Business sponsor. And that is it for this week's show."
As always, Risky Business delivers a comprehensive and insightful overview of the current cybersecurity landscape, equipping professionals with the knowledge to navigate and secure their digital environments effectively.
Notable Quotes:
- Adam Boileau [06:39]: "He submits all of this to MSRC and they say thank you very much. They stand up a team to go through and audit it all and figure it all out and deal to it and then they don't give him a bounty."
- Patrick Gray [09:51]: "It's all just a bit blurry and a bit fuzzy."
- Justin Kohler [48:04]: "A lot of people have asked us like, how do you operationalize this program?"
For more detailed insights and the latest updates, subscribe to Risky Business and follow their show notes for additional resources and links discussed in this episode.
