npub17lgy0rj5a2nwpnyc4hup6ufpfz7wz6dzcgd3crm6fm2yd34dcz0qlk9uux (npub17lg…9uux)
Doesn't the post say as much in the following:
Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a LEGACY TEST OAUTH APPLICATION THAT HAD ELEVATED ACCESS TO THE MICROSOFT CORPORATE ENVIRONMENT. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. THE THREAT ACTOR THEN USED THE LEGACY TEST OAUTH APPLICATION TO GRANT THEM THE OFFICE 365 EXCHANGE ONLINE FULL_ACCESS_AS_APP ROLE, WHICH ALLOWS ACCESS TO MAILBOXES."
Or does being the tenant admin go beyond the above? If it does, can you or someone explain how?
Dan Goodin /
npub1yy…p6r3v
2024-01-26 20:42:35
in reply to nevent1q…2n6d
Author Public Key
npub1yyl6ktycvjymch9hyzq5yqphj89kalfqmtswcjpjmp7s67ms6g9sdp6r3vPublished at
2024-01-26 20:42:35Event JSON
{
"id": "95ba424b4be715e231d9bd573d357e7c4f82b630f8fb8308c0481b78417a7ba4",
"pubkey": "213fab2c986489bc5cb7208142003791cb6efd20dae0ec4832d87d0d7b70d20b",
"created_at": 1706298155,
"kind": 1,
"tags": [
[
"p",
"f7d0478e54eaa6e0cc98adf81d712148bce169a2c21b1c0f7a4ed446c6adc09e",
"wss://relay.mostr.pub"
],
[
"p",
"f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"wss://relay.mostr.pub"
],
[
"e",
"11914b1034cb0608218a3d867cbfc991404eea481b78d1057b97fa0891dd140e",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://infosec.exchange/users/dangoodin/statuses/111823955911954422",
"activitypub"
]
],
"content": "nostr:npub17lgy0rj5a2nwpnyc4hup6ufpfz7wz6dzcgd3crm6fm2yd34dcz0qlk9uux \n\nDoesn't the post say as much in the following:\n\nThreat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a LEGACY TEST OAUTH APPLICATION THAT HAD ELEVATED ACCESS TO THE MICROSOFT CORPORATE ENVIRONMENT. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. THE THREAT ACTOR THEN USED THE LEGACY TEST OAUTH APPLICATION TO GRANT THEM THE OFFICE 365 EXCHANGE ONLINE FULL_ACCESS_AS_APP ROLE, WHICH ALLOWS ACCESS TO MAILBOXES.\"\n\nOr does being the tenant admin go beyond the above? If it does, can you or someone explain how?",
"sig": "79fc884cbd70bdf16d1212b222370f909cbced11fc8841474c0f9fad2ac821caab9891bb463a212c8034f9c9c87e6bc4eab6c34a935018c6fba54c33bc1b560c"
}