BlackHat Arsenal 2025 - msInvader : Automating Adversary Simulation in M365 and Azure

mvelazco, 29 slides, Oct 21, 2025

About This Presentation

msInvader is an adversary simulation tool built for blue teams, designed to simulate adversary techniques within M365 and Azure environments. This tool generates attack telemetry, aiding teams in building, testing, and enhancing detection analytics. By implementing multiple authentication mechanisms...


Slide Content

#BHUSA   @BlackHatEvents
msInvader: Automating Adversary
Simulation in M365 & Azure

Mauricio Velazco
@mvelazco

#whoami

● From Arequipa, Peru
● Security Researcher at Microsoft
● @mvelazco
● https://github.com/mvelazc0

Disclaimer

● Personal Views: The opinions and views expressed in this presentation are my own and do not reflect those of my employer.
● Independence: The content presented is based on my personal research and experience.
● No Endorsement: Mention of specific tools, technologies, or companies does not imply endorsement by my employer.
● Responsibility: I assume full responsibility for any errors or omissions in the presentation.

The New Cloud Reality

Cloud Attacks Redefine Visibility

● Threat actors abuse trusted identities, not endpoints.
● API-based access bypasses endpoint and network controls.
● Evolving cloud techniques challenge defenders' understanding of attacks and telemetry.

What Defenders Need

● Realistic, repeatable cloud attack simulations
● Visibility into post-compromise techniques
● Attack telemetry to test and tune detections

msInvader
https://github.com/mvelazc0/msInvader

msInvader

● Adversary simulation tool designed to execute attacker techniques against Entra ID/M365 tenants and Azure subscriptions.
● Generates attack telemetry to help defenders improve detection and response capabilities.
● Leverages APIs like MS Graph, EWS and ARM for comprehensive simulations and technique variations.

Microsoft Identity Platform
https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols

OAuth Grant Flows
https://learn.microsoft.com/en-us/entra/fundamentals/introduction-identity-access-management

Token Acquisition

Each initial-access scenario maps to the OAuth grant flow msInvader uses to obtain a token for it:

● Stolen Credentials (Phishing, Keylogger, Brute Force) -> Resource Owner Password Credentials Flow
● MFA Bypass (AITM, Token Theft, MFA Fatigue) -> Device Code Flow
● Compromised Service Principal Secrets (Keys, Certs) -> Client Credentials Flow
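The three grant flows on this slide, written out as an added example (this is not msInvader's code): it builds the form bodies the Microsoft identity platform v2.0 token endpoint expects for the ROPC, client credentials and device code grants, and runs the device code polling loop, including the authorization_pending/slow_down back-off, against a constructed fake endpoint so the whole exchange executes offline. The tenant, client_id, credentials, device code and token values are placeholders.

```python
"""Token requests for the three OAuth grant flows on the Token Acquisition
slide, plus the device code polling loop an attacker (or a simulation tool)
runs while waiting for the victim. Added example, not msInvader code: tenant,
client_id, credentials and the device code are placeholders, and the token
endpoint is a constructed fake so the exchange runs offline."""
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def token_endpoint(tenant):
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"


def device_code_endpoint(tenant):
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode"


def ropc_request(tenant, client_id, username, password, scope):
    """Stolen credentials -> Resource Owner Password Credentials grant.
    ROPC cannot satisfy an MFA requirement, which is why it sits on the
    'stolen credentials' row of the slide and not the 'MFA bypass' row."""
    return token_endpoint(tenant), {"grant_type": "password", "client_id": client_id,
                                    "username": username, "password": password, "scope": scope}


def client_credentials_request(tenant, client_id, client_secret, scope):
    """Compromised service principal secret -> client credentials grant.
    scope is an application '.default' scope, e.g. https://graph.microsoft.com/.default"""
    return token_endpoint(tenant), {"grant_type": "client_credentials", "client_id": client_id,
                                    "client_secret": client_secret, "scope": scope}


def device_code_start_request(tenant, client_id, scope):
    """Step 1 of the device code flow. The response carries user_code and
    verification_uri, which the phishing lure hands to the victim."""
    return device_code_endpoint(tenant), {"client_id": client_id, "scope": scope}


def device_code_poll(post, tenant, client_id, device_code, interval, sleep, max_attempts=50):
    """Step 2: poll the token endpoint with the device_code until the victim
    signs in. authorization_pending and slow_down are the two retryable errors
    documented for this grant; expired_token, authorization_declined and
    bad_verification_code end the attempt."""
    url = token_endpoint(tenant)
    body = {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id, "device_code": device_code}
    for _ in range(max_attempts):
        status, resp = post(url, body)
        if status == 200:
            return resp
        err = resp.get("error")
        if err == "slow_down":
            interval += 5          # the grant asks clients to back off by 5 s
        elif err != "authorization_pending":
            raise RuntimeError(f"device code flow ended: {err}")
        sleep(interval)
    raise TimeoutError("victim never completed the device code sign-in")


class FakeTokenEndpoint:
    """Constructed stand-in for the v2.0 token endpoint: pending twice, then
    slow_down, then a token. Records the wire body of every request."""
    def __init__(self):
        self.requests = []
        self.script = [(400, {"error": "authorization_pending"}),
                       (400, {"error": "authorization_pending"}),
                       (400, {"error": "slow_down"}),
                       (200, {"token_type": "Bearer", "expires_in": 3599,
                              "scope": "https://graph.microsoft.com/Mail.Read",
                              "access_token": "eyJ.constructed", "refresh_token": "0.constructed"})]

    def __call__(self, url, body):
        self.requests.append((url, urlencode(body)))
        return self.script.pop(0)


def run_device_code_demo(tenant="contoso.onmicrosoft.com",
                         client_id="00000000-0000-0000-0000-000000000000"):
    """Drive the polling loop against the fake endpoint; returns the token,
    the wire bodies that were sent and the back-off intervals used."""
    endpoint, sleeps = FakeTokenEndpoint(), []
    token = device_code_poll(endpoint, tenant, client_id, "constructed-device-code",
                             interval=5, sleep=sleeps.append)
    return token, endpoint.requests, sleeps


if __name__ == "__main__":
    tok, reqs, sleeps = run_device_code_demo()
    print(len(reqs), "polls; back-off", sleeps, "; token scope", tok["scope"])
```

The polling loop is the part worth keeping: a simulation that treats slow_down as a hard failure, or that never stops polling after expired_token, produces sign-in telemetry that looks nothing like a real Storm-2372-style campaign.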

Device Code Flow

Supported APIs

● Microsoft Graph
● Exchange Web Services (EWS)
● Exchange Online PowerShell Module API
● Azure Resource Management API
● Security & Compliance API

Configuration File

● Flexible configuration of simulation playbooks using a YAML file.
● The YAML configuration file consists of two main sections: authentication and techniques.

Demos

Storm-2372
https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

● Storm-2372 abuses device code phishing to steal OAuth tokens and bypass MFA in M365 environments.
● Post-compromise access is fully API-driven, using MS Graph to search and exfiltrate email and directory data.
● Lateral movement is achieved by sending internal phishing emails, expanding access to additional users.

Storm-2372

Playbook stages: Device Code Phishing -> Email Exfiltration -> Email Lateral Movement

Extending Storm-2372

Stages in the extended playbook diagram: Device Code Phishing, Tenant Enumeration, Email Exfiltration, Email Lateral Movement, Mailbox Rule Creation, File Exfiltration

Extending Storm-2372

Technique nodes in the playbook diagram, with the method (API) and parameters shown on the slide:

● device_code
● enumerate_users (method: Graph)
● enumerate_groups (method: Graph)
● enumerate_directory_roles (method: Graph)
● enumerate_applications (method: Graph)
● read_email (method: EWS, Limit: 10)
● search_email (method: Graph, keyword: *Contract)
● send_email (method: Graph, subject: Action Required: Install...)
● create_rule (method: EWS, type: moving_rule)
● search_onedrive (method: Graph, keyword: invoice)

Demo 1: Extending Storm-2372

Demo 1: Log Insights

● SignInLogs: tracks user sign-ins, methods, IPs, and risk info.
● MicrosoftGraphActivityLogs: logs Graph API calls like email access and user enumeration.
● OfficeActivity: shows actions in Exchange, OneDrive, SharePoint, and Teams.

Key Vault Lateral Movement

● Attackers abuse legitimate cloud services and configurations.
● Access often escalates through over-permissioned identities.
● Cloud lateral movement doesn't require malware or code execution.
● Misconfigured roles and secrets are common pivot points.

Key Vault Lateral Movement

Stages in the playbook diagram: Password Spray, Graph Enumeration, ARM Enumeration, Email Exfiltration, Service Principal Hijack, Key Vault Exfiltration

Key Vault Lateral Movement

Technique nodes in the playbook diagram, with the method (API) where the slide shows one:

● password_spray
● enumerate_users (method: Graph)
● enumerate_groups (method: Graph)
● enumerate_app_role_assignments
● read_email
● get_ms_token_client
● enumerate_arm_role_assignments (method: ARM)
● enumerate_arm_resources (method: ARM)
● list_key_vaults
● access_key_vault_item
● add_keyvault_access_policy
● access_key_vault_item

The diagram places access_key_vault_item on both sides of add_keyvault_access_policy: the vault item is accessed again after an access policy has been written.

Demo 2: Key Vault Lateral Movement

Demo 2: Log Insights

● AADServicePrincipalSignInLogs: captures sign-ins by service principals.
● AzureActivity: tracks control plane actions like role assignments and access policy changes.
● AzureDiagnostics: logs resource-level activity such as Key Vault secret reads.
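Detection logic over the log sources named on the Demo 1 and Demo 2 Log Insights slides, as an added example (not msInvader code and not a shipped analytic). One sequence-correlation helper serves both demos: for Demo 1, a successful device code sign-in (SigninLogs, AuthenticationProtocol "deviceCode") followed by Graph directory or mailbox enumeration (MicrosoftGraphActivityLogs) by the same user object; for Demo 2, a service principal sign-in (AADServicePrincipalSignInLogs) followed by a Key Vault access policy write (AzureActivity) and then SecretGet reads (AzureDiagnostics), chained on caller IP. Column names mirror the Sentinel tables; every record, IP, GUID placeholder and vault name is constructed.

```python
"""Sequence detections for the two demos, run over constructed log records.
Added example: not msInvader code and not a Sentinel analytic. Column names
mirror the tables the slides name (SigninLogs, MicrosoftGraphActivityLogs,
AADServicePrincipalSignInLogs, AzureActivity, AzureDiagnostics); the records,
IPs, GUID placeholders and vault names below are all constructed."""
from datetime import datetime, timedelta


def ts(e):
    return datetime.fromisoformat(e["TimeGenerated"])


def sequence_within(first, second, key_a, key_b, window):
    """For each event in `first`, collect the events in `second` whose key matches
    and that fall within `window` after it; pairs with no followers are dropped.
    Two key functions, because the IP/identity column is named differently per table."""
    hits = []
    for a in first:
        follow = [b for b in second if key_b(b) == key_a(a) and ts(a) <= ts(b) <= ts(a) + window]
        if follow:
            hits.append((a, follow))
    return hits


# Demo 1: SigninLogs device code sign-in, then MicrosoftGraphActivityLogs enumeration by the same UserId.
ENUM_PATHS = ("/users", "/groups", "/directoryRoles", "/applications", "/messages")

SIGNIN_LOGS = [  # constructed
    {"TimeGenerated": "2025-02-13T09:00:00", "UserId": "u-1", "UserPrincipalName": "alice@contoso.com",
     "IPAddress": "203.0.113.7", "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"TimeGenerated": "2025-02-13T09:30:00", "UserId": "u-2", "UserPrincipalName": "bob@contoso.com",
     "IPAddress": "198.51.100.9", "AuthenticationProtocol": "none", "ResultType": "0"},
]
GRAPH_LOGS = [  # constructed
    {"TimeGenerated": "2025-02-13T09:04:00", "UserId": "u-1", "IPAddress": "203.0.113.7", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/users", "ResponseStatusCode": 200},
    {"TimeGenerated": "2025-02-13T09:05:00", "UserId": "u-1", "IPAddress": "203.0.113.7", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/messages?$search=%22contract%22", "ResponseStatusCode": 200},
    {"TimeGenerated": "2025-02-13T09:40:00", "UserId": "u-2", "IPAddress": "198.51.100.9", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/me", "ResponseStatusCode": 200},
]


def detect_device_code_enumeration(signins, graph, window=timedelta(hours=1), min_calls=2):
    """Successful deviceCode sign-in followed by >= min_calls Graph requests to
    directory or mailbox endpoints from the same UserId within the window."""
    dc = [s for s in signins if s["AuthenticationProtocol"] == "deviceCode" and s["ResultType"] == "0"]
    enum = [g for g in graph if g["RequestUri"].split("?")[0].endswith(ENUM_PATHS)]
    uid = lambda e: e["UserId"]
    return [(a["UserPrincipalName"], a["IPAddress"], [g["RequestUri"] for g in gs])
            for a, gs in sequence_within(dc, enum, uid, uid, window) if len(gs) >= min_calls]


# Demo 2: service principal sign-in, then an AzureActivity Key Vault access policy write,
# then AzureDiagnostics SecretGet events, all from one caller IP.
KV_POLICY_WRITE = "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE"

SP_SIGNINS = [  # constructed
    {"TimeGenerated": "2025-06-01T10:00:00", "AppId": "app-constructed", "ServicePrincipalName": "billing-automation",
     "IPAddress": "203.0.113.7", "ResultType": "0"},
]
AZURE_ACTIVITY = [  # constructed
    {"TimeGenerated": "2025-06-01T10:05:00", "CallerIpAddress": "203.0.113.7", "OperationNameValue": KV_POLICY_WRITE,
     "ActivityStatusValue": "Success",
     "_ResourceId": "/subscriptions/sub-constructed/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"},
    {"TimeGenerated": "2025-06-01T11:30:00", "CallerIpAddress": "198.51.100.9", "OperationNameValue": "MICROSOFT.KEYVAULT/VAULTS/WRITE",
     "ActivityStatusValue": "Success",
     "_ResourceId": "/subscriptions/sub-constructed/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-dev"},
]
AZURE_DIAGNOSTICS = [  # constructed
    {"TimeGenerated": "2025-06-01T10:07:00", "ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretGet",
     "ResultSignature": "OK", "CallerIPAddress": "203.0.113.7", "id_s": "https://kv-prod.vault.azure.net/secrets/sql-admin/1"},
    {"TimeGenerated": "2025-06-01T10:08:00", "ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretGet",
     "ResultSignature": "OK", "CallerIPAddress": "203.0.113.7", "id_s": "https://kv-prod.vault.azure.net/secrets/storage-key/4"},
    {"TimeGenerated": "2025-06-01T10:09:00", "ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "VaultGet",
     "ResultSignature": "OK", "CallerIPAddress": "203.0.113.7", "id_s": "https://kv-prod.vault.azure.net/"},
]


def detect_keyvault_pivot(sp_signins, activity, diagnostics, window=timedelta(minutes=30)):
    """Service principal sign-in -> successful access policy write -> SecretGet reads,
    chained on caller IP. A policy grant followed at once by reads is the self-granted
    access that the add_keyvault_access_policy step in Demo 2 produces."""
    writes = [a for a in activity
              if a["OperationNameValue"].upper() == KV_POLICY_WRITE and a["ActivityStatusValue"] == "Success"]
    reads = [d for d in diagnostics if d["ResourceProvider"] == "MICROSOFT.KEYVAULT"
             and d["OperationName"] == "SecretGet" and d["ResultSignature"] == "OK"]
    ip_sp, ip_act, ip_diag = (lambda e: e["IPAddress"]), (lambda e: e["CallerIpAddress"]), (lambda e: e["CallerIPAddress"])
    chain = []
    for s, ws in sequence_within(sp_signins, writes, ip_sp, ip_act, window):
        for w, rs in sequence_within(ws, reads, ip_act, ip_diag, window):
            chain.append({"app": s["AppId"], "ip": ip_sp(s), "vault": w["_ResourceId"].rsplit("/", 1)[-1],
                          "secrets": [r["id_s"] for r in rs]})
    return chain


if __name__ == "__main__":
    print(detect_device_code_enumeration(SIGNIN_LOGS, GRAPH_LOGS))
    print(detect_keyvault_pivot(SP_SIGNINS, AZURE_ACTIVITY, AZURE_DIAGNOSTICS))
```

Correlating on caller IP is the weakest link in the second detection: it is what the three tables share without extra joins, but a service principal used from a shared egress address will pair with unrelated control-plane writes, so in production the join should be on the identity claim columns each table exposes, and the simulation is how you confirm those columns are actually populated in your workspace.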

Takeaways

● Reveal Visibility Gaps: simulations highlight what logs you have, and what you're missing.
● Drive Detection Engineering: turn real attack behavior into custom, tested detections.
● Validate Security Assumptions: validate whether your controls work as expected, or fail silently.

msInvader
https://github.com/mvelazc0/msInvader

msInvader: Automating Adversary
Simulation in M365 & Azure

Mauricio Velazco
@mvelazco