Infecting the Enterprise: Abusing Office365+Powershell for Covert C2

Black Hat USA 2017

Presented by: Craig Dods
Date: Thursday July 27, 2017
Time: 11:00 - 11:50
Location: Mandalay Bay EF

As Enterprises rush to adopt Office365 for increased business agility and cost reduction, too few are taking time to truly evaluate the risk associated with this decision. This briefing will attempt to shine a light on the potential hazards of Microsoft's SaaS offerings while also demonstrating a practical example of what a malicious actor can do when Office365 is allowed into the Enterprise.

Specifically, this presentation will outline in detail how an attacker can leverage the combination of Office365+PowerShell to take advantage of native features which:

• Mount external Office365 storage and conceal its presence from end-users • Encrypt and facilitate innocuous external communication with C2 • Exfiltrate data at high speed • Bypass AV, DLP, Sandboxes, and NGFW along the way.

Craig Dods

Craig Dods is the Chief Architect for Security within Juniper Networks' Strategic Verticals. He currently maintains top-level industry certifications, holds multiple networking and security-related patents, as well as having disclosed multiple critical-level CVE's in a responsible manner. Prior to joining Juniper, Craig served as IBM Security Services' Chief Security Architect, and held previous security roles at Check Point Software Technologies and Nokia. He has also appeared in articles from leading security publications such as Krebsonsecurity.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats