Day 1

Phishing for Tenants: From Simulation to Tenant Takeover

10:45 - 11:35

The rise in popularity of phishing simulations has led to rushed implementations driven by commercial interests. This rush has resulted in the acquisition of platforms and the introduction of some immature and unfinished products aimed at tapping into this rapidly expanding market.

In this talk, I will highlight glaring issues with Microsoft’s phishing simulation framework launched in 2023. Additionally, I will shed light on an obscure vulnerability within the Microsoft Security & Compliance center, which surfaced during attempts to allowlist externally-originated phishing simulations at scale. This vulnerability unveiled a disturbing fact: I could gain Administrator access to the Security & Compliance center of a completely random Microsoft 365 tenant consistently within minutes by hijacking remote PowerShell sessions on a backend server.

Speakers in this session

Vaisha Bernard