Microsoft 365: Attack Tool User Agents

There is no shortage of tools for enumerating the users in a Microsoft 365 tenant (AKA Office 365) and testing password security. But what do these 'attack tools' look like from a blue team perspective, and what can you do to alert yourself to their use?

This blog lists the User Agents used by specific attack tools (in their default settings) as recorded in both the Unified Audit Log (UAL) in the Microsoft 365 Security Center and the Defender for Cloud Apps Activity Log. Note that the Activity Log stores a normalised device/browser summary rather than the raw string, so the two columns below differ for the same tool. Because these are default values, an attacker can change them with a command-line option or a one-line code edit; treat a match as a cheap indicator worth alerting on, not as proof, and treat the absence of a match as meaningless.

MSSpray

UAL: python-requests/2.25.1

Activity Log: ;;Python Requests 2

O365Spray

UAL: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0

Activity Log: Mac OS X 10;Firefox 69.0

Spray365

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Activity Log: PC, Windows 10 10, Chrome 94.0

Go365

UAL: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Activity Log: Windows 7;IE 10.0

ROADRecon

UAL: python-requests/2.25.1

Activity Log: ;;Python Requests 2.25

PowerShell (Connect-ExchangeOnline)

UAL: Other

Activity Log: ;;Rich Client 4.30.1.0;

TeamFiltration V3.3

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

Activity Log: ;Windows 10;Edge 18.17763;

TeamFiltration V3.5

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36

Activity Log: ;Windows 10;Chrome 80.0.3987

BAV2ROPC

I have observed the User Agent "BAV2ROPC" in brute-force and password spraying activity. Its appearance is likely determined by the use of legacy clients and legacy authentication protocols such as IMAP, and it is applied by Exchange Online regardless of which attack tool is in use.

Whilst I wasn't able to find any specific documentation for it, I figured BAV2ROPC is an acronym for "Basic Authentication Version OAuth2 Resource Owner Password Credentials", i.e. Exchange Online translating a basic-auth logon into an OAuth2 ROPC grant against Azure AD.

It is worth noting, though, that the User Agent itself is not necessarily an indication of attack. In my experience "BAV2ROPC" is also often seen on legitimate logons by legacy clients using legacy authentication (typically service accounts).

You should be able to identify fairly quickly whether the authentication is legitimate through IP geolocation, reputation and so on, but also look out for multiple 'UserLoginFailed' operations followed by a 'UserLoggedIn' operation from the same source IP and User Agent. A spray rotates through usernames while keeping the source constant, so keying the check on IP and User Agent rather than on the account catches it where a per-user lockout threshold would not.
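The two checks described above, matching the default User Agents listed on this page and flagging a run of UserLoginFailed operations followed by a UserLoggedIn from the same source and User Agent, can be run over exported UAL records. The following is an added example written for this post, not code from any of the tools listed or from Microsoft. It assumes the AuditData JSON layout of AzureActiveDirectoryStsLogon records as returned by Search-UnifiedAuditLog (Operation, UserId, ClientIP, CreationTime and a UserAgent entry under ExtendedProperties); the log lines, account names, IP addresses, the 30-minute window and the threshold of three failures are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Default UAL User Agents from this page. Two tools share python-requests, so a hit names both.
KNOWN_TOOL_USER_AGENTS = {
    "python-requests/2.25.1": "MSSpray or ROADRecon",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0": "O365Spray",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/94.0.4606.81 Safari/537.36": "Spray365",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)": "Go365",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763": "TeamFiltration 3.3",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36": "TeamFiltration 3.5",
}


def _record(time, operation, user, ip, ua, logon_error=None):
    """Build one constructed AuditData JSON string in the UAL STS logon layout (sample data)."""
    data = {
        "CreationTime": time,
        "Operation": operation,
        "Workload": "AzureActiveDirectory",
        "UserId": user,
        "ClientIP": ip,
        "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}],
    }
    if logon_error:
        data["LogonError"] = logon_error
    return json.dumps(data)


# Constructed sample records, not real tenant data: a BAV2ROPC spray that ends in a
# success, a legitimate BAV2ROPC service-account logon, and one python-requests failure.
SAMPLE_AUDITDATA = [
    _record("2022-09-14T09:00:12", "UserLoginFailed", "alice@example.com", "203.0.113.10", "BAV2ROPC", "InvalidUserNameOrPassword"),
    _record("2022-09-14T09:00:45", "UserLoginFailed", "bob@example.com", "203.0.113.10", "BAV2ROPC", "InvalidUserNameOrPassword"),
    _record("2022-09-14T09:01:20", "UserLoginFailed", "carol@example.com", "203.0.113.10", "BAV2ROPC", "InvalidUserNameOrPassword"),
    _record("2022-09-14T09:01:58", "UserLoginFailed", "dave@example.com", "203.0.113.10", "BAV2ROPC", "InvalidUserNameOrPassword"),
    _record("2022-09-14T09:02:30", "UserLoggedIn", "dave@example.com", "203.0.113.10", "BAV2ROPC"),
    _record("2022-09-14T09:05:00", "UserLoggedIn", "svc-scanner@example.com", "198.51.100.5", "BAV2ROPC"),
    _record("2022-09-14T09:06:00", "UserLoginFailed", "erin@example.com", "192.0.2.77", "python-requests/2.25.1", "InvalidUserNameOrPassword"),
]


def load_records(auditdata_strings):
    """Parse the AuditData JSON strings into dicts."""
    return [json.loads(s) for s in auditdata_strings]


def user_agent(record):
    """Return the UserAgent value from ExtendedProperties, or '' if absent."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def known_tool_hits(records):
    """Exact matches against the default tool User Agents (any operation, success or failure)."""
    hits = []
    for r in records:
        tool = KNOWN_TOOL_USER_AGENTS.get(user_agent(r))
        if tool:
            hits.append({"UserId": r["UserId"], "ClientIP": r["ClientIP"],
                         "Operation": r["Operation"], "Tool": tool})
    return hits


def find_spray_then_success(records, min_failures=3, window=timedelta(minutes=30)):
    """Flag a UserLoggedIn preceded by >= min_failures UserLoginFailed events from the same
    ClientIP and User Agent within `window`. Keyed on source, not account, because a spray
    rotates users; a lone BAV2ROPC success (e.g. a service account) does not trigger."""
    by_source = defaultdict(list)
    for r in records:
        by_source[(r["ClientIP"], user_agent(r))].append(r)
    hits = []
    for (ip, ua), events in by_source.items():
        events.sort(key=lambda r: r["CreationTime"])
        failures = []  # (timestamp, user) of failures still inside the window
        for r in events:
            t = datetime.fromisoformat(r["CreationTime"])
            failures = [f for f in failures if t - f[0] <= window]
            if r["Operation"] == "UserLoginFailed":
                failures.append((t, r["UserId"]))
            elif r["Operation"] == "UserLoggedIn" and len(failures) >= min_failures:
                hits.append({"ClientIP": ip, "UserAgent": ua, "UserId": r["UserId"],
                             "Time": r["CreationTime"], "PriorFailures": len(failures),
                             "SprayedUsers": sorted({u for _, u in failures})})
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDITDATA)
    for h in known_tool_hits(recs):
        print("known tool User Agent:", h)
    for h in find_spray_then_success(recs):
        print("failures followed by success:", h)
```

On the sample data the first check flags the python-requests failure, and the second flags the 203.0.113.10 logon as dave@example.com after four failures across four accounts, while the service-account logon from 198.51.100.5 is left alone. In production, feed it the AuditData strings from Search-UnifiedAuditLog (or the exported CSV) and tune the threshold and window to the tenant's normal failure rate.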

See below for some screenshots of what BAV2ROPC authentication activity looks like in the UAL and Azure Active Directory Sign-In Logs.

BAV2ROPC UserLoginFailed Operation in the UAL

BAV2ROPC UserLoggedIn Operation in the UAL

BAV2ROPC in Azure Active Directory Sign-in Logs

BAV2ROPC in Azure Active Directory Sign-in Logs

'Passive' User Enumeration

Whilst not truly passive, some tools can enumerate users in a Microsoft 365 tenant without submitting a password. They do this by inspecting the response Microsoft's login infrastructure returns when only a username is submitted (the IfExistsResult value returned by the GetCredentialType endpoint on login.microsoftonline.com, for example), which differs for accounts that exist and accounts that do not.

Because no password is submitted, the attempt is not recorded as a failed logon in the tenant logs, so the UAL and Activity Log indicators above will not catch this phase. The technique is used by tools such as O365Creeper, but it can also be performed manually with Burp Suite.

Tools:
MSSpray - https://github.com/SecurityRiskAdvisors/msspray
O365Spray - https://github.com/0xZDH/o365spray
Spray365 - https://github.com/MarkoH17/Spray365
Go365 - https://github.com/optiv/Go365
ROADRecon - https://github.com/dirkjanm/ROADtools
TeamFiltration - https://github.com/Flangvik/TeamFiltration

Research conducted in September 2022, by John A, Senior Security Researcher.