M365 Relay Attack: A Live Example (August 2024)

Jake Elsley

Aug 7, 2024 — 2 min read

The login page featured real-time feedback, something that is not common on traditional phishing pages.

Yesterday, I received an email from HR (me) informing me (the owner) that I was getting a pay rise. Intrigued to see this attack in real life, I played along. This is what I saw.

It started with an email from a Japanese domain

What surprised me the most was the level of sophistication in this first email. They had scraped our webclip icon (albeit with poor compression) and you could be forgiven for thinking that it was genuine. Of course, the M365 known sender banner alerts us that this is not from within our tenant, and the domain is definitely not our of ours.

Within the PDF is a QR code

I assume this is to get you to leave a corporate controlled device where security controls may be reduced.

This is where it gets really interesting. I won't speculate on how they do this, but not only does it capture the login wallpaper from our tenant, but it also provides user validation, showing an error message if the account does not exist in our tenant.

This is then live-tested within your tenant

Of course, I provided a dummy password. But as soon as I did, the login was tested from what could be considered a "known location", Washington US. I have long questioned the efficacy of IP or geo-based restrictions, as it is so easy to spoof your actual location. For the M365 known location flag, this most likely would have been deemed a safe location.

FIDO and Zero Trust to the rescue

Within Computle, we utilise phishing-resistant FIDO2/WebAuthn hardware keys in association with device attestation rules. If a user did enter their genuine password, and this was relayed to the attacker, they would be unable to access the resource from a non-trusted device, and unable to pass the MFA check.

I have reported this domain to Linode, NCSC, Microsoft, and Google Chrome's phishing reporting scheme. At the time of writing, the page is not being flagged as suspicious.

You can blacklist the domain by adding the information below to your firewalls:

piopkeitvcpnvcxapusjhwuwztsbiy.us-lax-1.linodeobjects.com

KBA: Intune/Entra ID and Computle, BitLocker

This knowledge base article covers common enrolment and device management issues seen when utilising Microsoft services in conjunction with Computle. [1] You experience irregular MFA prompts or irregular sign-in prompts. [2] You may experience issues with Windows 11 Enterprise uplifts. Synopsis: Users may experience irregular Microsoft Authenticator requests when using

Computle vs Inevidesk: 3x faster, 8x lower buy-in, 22% lower TCO

At Computle, we provide high-performance workstations accessed through our innovative end user hardware. Simply connect our device and within seconds, you are connected to your Computle machine. You can get started with just one device, and there is no hardware to install or maintain. Computle provides you with: * Hassle-free setup:

May 2024 Development Update

I'm Jake, the founder of Computle, a remote workstation subscription for the AEC and VFX industries. In this post, I'll be walking you though our May 2024 development updates. Management Portal (RC) After our internal migration away from VMWare, we decided to pause development of our

Coming soon at Computle: April 2024 Development Updates

I'm Jake, the founder of Computle, a remote workstation subscription for the AEC and VFX industries. In this post, I'll be walking you though the latest development updates showcasing our-end user device, our new login experience, and an update on our portal. 1) End-user device (under