Dumping user’s Microsoft Azure credentials in plaintext from Windows 365

A security expert devised a method to retrieve a user’s Microsoft Azure credentials in plaintext from Microsoft’s new Windows 365 Cloud PC service using Mimikatz.

Benjamin Delpy, the popular security researcher and author of the Mimikatz tool, has devised a method to retrieve a user’s Microsoft Azure credentials in plaintext from Microsoft’s new Windows 365 Cloud PC service using Mimikatz.

Mimikatz is an open-source project that allows gathering credential data from Windows systems.

Early this month, Microsoft launched the Windows 365 Cloud PC service that allows its customers to deploy Windows 10 desktops in the cloud and access them via RDP or using a browser.

Delpy discovered that the service allows a malicious program to dump the Microsoft Azure plaintext credentials (email address and passwords) for logged-in users.

The experts exploited a vulnerability he discovered in May that allows him to retrieve the plaintext credentials for users logged into a Terminal Server.

BleepingComputer, who first reported the news, successfully tested the technique on a free Cloud PC trial on Windows 365.

“After connecting through the web browser and launching mimikatz with Administrative privileges, we entered the “ts::logonpasswords” command and mimikatz quickly dumped our login credentials in plaintext, as shown below.” states BleepingComputer.

The attack scenario described by Bleeping computer sees the victim opening a phishing email with a malicious Office attachment on his Windows 365 Cloud PC. Upon enabling the macros in the document, it can install a remote access tool that allows an attacker to access the Cloud PC.

Then the attacker can escalate privileges using multiple issues, including PrintNightmare flaws, and then dump the credentials using Mimikatz.

Delpy explained that 2FA and Windows Defender Remote Credential Guard can protect the users against this technique, but Windows 365 has yet to support it.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mimikaz)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.