Steve Borosh


Black Hills Information Security

  • Azure Cloud Shell
    • Capabilities
    • Demo: SSH Tunnel to access cloud database.
  • Dynamic Device Code phishing
    • Overview
  • Phishing Direct Send
    • Overview
    • Unban a burned IP
    • Demo: Dynamic Device Code
  • Offensive Azure Command and Control
    • C2 redirection
    • Demo: C2 Redirection
  • Payload Hosting
    • Demo: Serve IPFS Payload
  • Yammer Phishing
    • Overview

Talking Points


Beware of the terms of service. Microsoft may suspend and ban your subscription for violations such as hosting malware and domain fronting.

Operator Setup

  • Windows 10/11 VM
  • WSL
  • Azure tenant
  • Microsoft 365 business account
  • Wireguard
  • DBeaver
  • SSH Tunnel

Azure Cloud Shell

Azure Cloud Shell Overview

  • Requires a subscription to Microsoft Azure (trial/pay-as-you-go)
  • PowerShell or Bash hosted by Microsoft

Key Concepts

  • Cloud Shell runs on a temporary host provided on a per-session, per-user basis
  • Cloud Shell times out after 20 minutes without interactive activity
  • Cloud Shell requires an Azure file share to be mounted
  • Cloud Shell uses the same Azure file share for both Bash and PowerShell
  • Cloud Shell is assigned one machine per user account
  • Cloud Shell persists $HOME using a 5-GB image held in your file share
  • Permissions are set as a regular Linux user in Bash
  • IPv4 (Currently)

Deploying a VM

az group create --name myResourceGroup --location eastus


az vm create -n MyVm -g MyResourceGroup --image UbuntuLTS --generate-ssh-keys --public-ip-sku Standard


Setup SSH Tunnel

Azure Databases


Allow Azure Resources



SSH Tunnel to AzureSQL

Dynamic Device Code Phishing

Access_tokens FTW

Device Codes

  • Login to your device from your computer
  • Code or QR code
  • Netflix, Discord, Slack as examples
  • Provides remote access to services



  • Receive access and refresh tokens from device logins

  • RefreshTo-OtherServices

  • Read / Send Email

  • Read / Send Teams

  • Enumerate AzureAD

Co-Developer @0xBoku

Important Info

  • 15 Minute expiration from code generation
  • 1 hr access_token expiration
  • 90 day refresh_token expiration
  • Adheres to conditional access

Example Request

Example Request

Example Request Sign-in LOg

Dynamic Codes

  • Hosted on VPS and Azurewebsites
  • Azurewebsite requests code from the VPS and displays to visitor
  • 15 minutes from time of website visit


  • Assortment of Azure apps

  • Easily deployable with Az

  • Phishing sites*

  • Drive-by downloads*

  •  C2 redirection*

  • *

  • Dynamic Device Codes

* Subject to Microsoft Terms of Use

How it works

Azure Log - Source IP

How it works v2

Azure Log - Source IP


Phishing Direct Send

Direct Send

  • Unauthenticated SMTP !!
  • External -> Internal
  • Internal -> Internal



Send-MailMessage -SmtpServer -From 
-To -Subject "Ticket for upgrade" -Message "Totally legit" -Attachment .\ClickMe.rdp

Unban IP Address

Dynamic Device Code PHISHING

I have a code, Now what?


  1. Check your access token (client-side)




                  Token Audience


User and Permissions



2. Switch Audience









POST /owa/ HTTP/2

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 2703
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers


post-access tooling

  • RoadRecon
  • BARK
  • AzureHound
  • TeamsFiltration

Offensive Azure Command and Control

C2 Redirection

  • Azure CDN
  • Azure Apps
  • Azure Service Bus

C2 Redirector Protection

  • "Magic Header"
  • X-ASPNet-Version: 1.5
  • CDN-level
  • web.config for Azure Websites

IIS redirector

Mythic settings

AZ Website settings

Azure C2 Redirection

Payload Hosting

File sharing

  • SharePoint
  • OneNote
  • Yammer

azure websites file hosting

  • Trusted domain/IP ranges
  • Easy deployment via Az cli "az webapp up"
  • Web.config for Mime Types

One Two Punch

  • IPFS

Payload Hosting

Yammer phishing

Yammer Community

Yammer Community invite received

Attach Files

Share Directly

Hack Miami X

By rvrsh3ll

Hack Miami X

  • 917