Elements Identity Security

WithSecure Identity Security in Action - How a Simple GitHub Leak Led to a Major Security Breach

An attacker exploited identity information found on GitHub to bypass security measures and gain access to a company's Azure portal. By identifying a misconfiguration in conditional access policies, they bypassed MFA and created a malicious application to access company emails. The attack was eventually detected and monitored by WithSecure Elements Identity Security, highlighting the critical role of identity security in protecting sensitive information and preventing breaches.

Try Elements
Check product page

1.

Initial Compromise and Scope Enumeration

The attacker discovers identity information embedded in a GitHub project. Using this information, they sign in via Resource Owner Password Credentials (ROPC) and receive a token. With the compromised credentials, the attacker enumerates available scopes and finds that they can read conditional access policies.

2.

Exploitation of Misconfiguration

The attacker reads the conditional access policies and identifies a misconfiguration: the London office is excluded from Multi-Factor Authentication (MFA). By spoofing their IP address to appear as if they are in the London office, the attacker bypasses MFA. This allows them to sign into the Azure portal without additional authentication.

3.

Persistence and Detection

In the Azure portal, the attacker creates a malicious application and grants it read access to company emails by adding a service principal to the application registration. This action secures persistent access to the company's email system. The attack chain is monitored in the Element Security Center, where the initial ROPC sign-in triggers a broad context detection. Subsequent actions, such as the new app registration and adding a new service principal, are detected and detailed, including IP addresses and recommendations for remediation.

Check this out

Experience our award-winning endpoint solutions in action

The trial is easy to implement and can begin just 5 minutes after you've filled in the form. No credit card needed.

Find out more

What's next?

Try

Get free 30-day Elements Trial

Try Elements

See

Explore more capabilties

Check All Resources

Demo

Talk with our best experts

Get a demo

More about this topic

Brochures
Check all brochures
Video tutorials
Check all video tutorials
Product tours
Check all product tours
Demos
Check all demos
Trials
Check all trials