Microsoft Azure provides many methods for enumerating its users. Since Microsoft does not consider user enumeration to be a security flaw, this is a feature, not a bug. We are going to look at weaponizing these disclosures by performing data collection at a large scale against OneDrive, Teams, and Graph.
Over the last 2 years I have enumerated over 26 million email addresses in Azure. As preparation for this talk, I have focused on enumerating Norwegian companies and users in the cloud. I will be sharing the results of this Azure census, and we will look at how Norway compares in terms of number of users, number of organizations, and types of username formats used.
Another feature of Azure user enumeration is that it also enables us to enumerate Azure guest accounts. This allows relationships between companies to be identified. As part of this talk we will also explore identifying and mapping these relationships.
This presentation will be held by nyxgeek. nyxgeek is a hacker at TrustedSec. He has CVEs for products including Microsoft Skype for Business and Tenable Nessus, and is currently engaged in a quest to get Microsoft to fix user enumeration. Other areas of interest include password spraying and password cracking. He has previously presented at DerbyCon, THOTcon, and DefCon.
We can promise that you don’t want to miss this session!