Exploiting JSON Injection in Microsoft 365 Admin Portal for Email Security Evasion in Spear-Phishing Operations
Utilizing Microsoft M365 services enables the circumvention of email security measures, allowing for the successful delivery of spear-phishing emails with malicious JSON injection content to targeted users. This method has been demonstrated effectively in an environment featuring Microsoft SafeLinks. Notably, the attacker does not require hosting the payload externally. The lack of sanitization of the ‘displayname’ and ‘Password’ input allows for the inclusion of special characters and links that can bypass Safe Links and other email security detections.
Note : This is the continuity of first part which I shared in Avar 2022, This is the findings and study of another new vector which I found latest
This scenario is indicative of JSON injection, effectively circumventing security mechanisms like Safe Links. While CWE-91 is traditionally referred to as ‘XML Injection’, it broadly encompasses the manipulation of structured data formats, including JSON.
**Research Status**
These vulnerabilities were responsibly reported to Microsoft. Microsoft validated the findings but has not fixed them as of now, marking them for future review.
**Message for Review Board Only**
This research highlights the potential for spear-phishing campaigns utilizing the Microsoft 365 domain ‘.onmicrosoft.com’ to have an immense success rate. The unpatched vulnerability poses a significant risk, as it could be increasingly exploited by threat adversaries. Your selection of my talk would be highly appreciated.
Reegun Richard Jayapaul – Trustwave
As a Principal Threat Hunter at Trustwave, I work the SpiderLabs team to conduct threat hunting and research, simulate, and discover new attacks, and develop enhanced detection and prevention mechanisms. With over 13 years of experience in security research, malware analysis, reverse engineering, incident response, security training, and offensive security, I have served clients across diverse sectors and technologies. I am a contributor to the LOLBAS (Living Off the Land Binaries and Scripts) project, documenting binaries and scripts that attackers use to circumvent security controls. My discoveries and reporting of multiple vulnerabilities, including a Microsoft Teams RCE and privacy issues. My mission is to bolster the defensive capabilities of the cybersecurity community by sharing my offensive methodologies and findings. I possess extensive experience in addressing various security threats and malware, particularly exploit kits, and APT groups from DPRK, Russia, PRC, and TA505. Notably, I have been a principal contributor to the investigation of the GoldenSpy and GoldenHelper threat groups, further showcasing my expertise in the field of cybersecurity.