URL: https://www.cyberis.com/article/microsoft-bookings-facilitating-impersonation
Geoff Jones 8 November, 2024


MICROSOFT BOOKINGS – FACILITATING IMPERSONATION

 * Detect and respond
 * Red teaming
 * Research



TL;DR: Allowing end users to create accounts in Entra, as Microsoft Bookings
does by default, poses significant security risks. An attacker could
potentially:

 * Purchase TLS certificates or transfer domain names and services relying on
   email verification (e.g., AWS Certificate Manager, Facebook/Meta Business
   Manager, Cloudflare).
 * Impersonate high-profile individuals to conduct phishing attacks on internal
   and external users.
 * Hijack dormant accounts previously associated with former employees.

--------------------------------------------------------------------------------


THE ISSUE

Microsoft Bookings includes a feature to create “Shared Booking Pages,” enabled
by default for users assigned an appropriate Microsoft 365 licence. To check if
you’re licensed, visit Bookings in Outlook.



Figure 1 - The option to create a shared Bookings page

Behind the scenes, the feature operates in a way that makes it very useful to an
adversary who has compromised the Microsoft 365 account of a user in an
organisation.

Imagine a scenario where an adversary has phished a Microsoft 365 user and
gained access to their account. In most business email compromise situations,
the attacker communicates with internal and external parties using the identity
of the compromised user, and uses information from existing email threads to try
to gain financial advantage or improve their position on the network. Depending
on which user has been compromised this can be impactful, but often the
compromised user has limited rights or influence in the business.

Where Shared Bookings pages are enabled, the adversary suddenly has better
options available to them. Using the features of Shared Bookings pages, the
attacker can create a very convincing impersonation of another identity in the
compromised tenant. For example, having compromised a low-privileged worker,
they may be able to create an internal email address that convincingly
impersonates the CEO and then email other members of staff with instructions to
transfer funds, bypassing impersonation filters. There is also the potential for
an adversary to create "special" email addresses inside the domain (think
"admin@" or "hostmaster@") which might allow for very convincing social
engineering of external parties aimed at transferring control of
infrastructure.

The impact of misuse of these features is difficult to quantify and will depend
on circumstances, but as with any feature, leaving this functionality enabled
when it is not required expands your attack surface; if you are not using
Shared Bookings, disabling this feature is recommended.

For a step-by-step breakdown of the "weaknesses" see below.


SECURITY WEAKNESSES

1. UNAUTHORISED ACCOUNT CREATION

When a user creates a shared Booking page, it generates a fully-fledged account
in Entra—created by an end user without administrative permissions.

The account:

 * Display Name: Matches the Booking page name.
 * Email Address: Formed by removing spaces (e.g., a page named "Firstname
   Surname" creates FirstnameSurname@<tenantdefaultmaildomain>).
 * The account can send and receive emails, regardless of sharing settings.

An attacker could impersonate legitimate users by:

 1. Creating a Booking page named after a target (e.g., "Geoff Jones").
 2. This automatically creates a mailbox with the space removed -
    geoffjones@cyberis.com - that mimics the legitimate address
    geoff.jones@cyberis.com.
 3. Adding a profile image or email signature identical to the target (referred
    to as a 'logo' when creating the page).

This makes internal phishing (i.e. from an account that has been compromised)
and lateral movement attacks significantly easier and harder to detect.  These
attacks would bypass Microsoft's impersonation detection mechanisms, as they
would be coming from a legitimate Exchange mailbox.



Figure 2 - Side by side comparison of a genuine email vs an impersonated email
from a shared Bookings page


2. MAILBOX ACCESS AND DELEGATION

The mailbox associated with the Booking page:

 * Is fully functional, allowing the user to send emails internally and
   externally.
 * Automatically forwards emails to the creator of the page (but this can be
   turned off in the mailbox).
 * Can be accessed by the user that created the shared Bookings page (or anybody
   with access to that shared Bookings page) via Outlook Web App (OWA) under
   "Open another mailbox".



Figure 3 - 'Opening another mailbox'

An attacker could exploit this to impersonate a CEO, manager, or finance
department and send outbound emails. For example, an attacker could target
customers with emails that imitate legitimate business invoices in order to
redirect payments to their own bank account.

3. EMAIL ADDRESS HIJACKING

It is possible to create Booking pages matching email addresses of former
employees.

For instance:

 * A malicious user could create a Booking page for "Joe Bloggs" (a former
   employee).
 * They would then receive all inbound mail for joebloggs@cyberis.com.
 * This could allow:
   * Resetting passwords for external services tied to the email.
   * Verifying domain ownership for SSL certificates (AWS ACM email validation).

4. LICENCE-FREE MAILBOXES

Creating shared Booking pages provides a hidden, fully functional mailbox that
does not consume a Microsoft 365 licence.

Steps:

 1. Create a Booking page and reset the associated account's password in Entra
    (this step requires admin privileges).
 2. Sign in at Outlook Web.

The mailbox:

 * Functions like a standard 50GB Exchange Online mailbox.
 * Remains invisible in the Exchange Admin Center but detectable via PowerShell
   modules.

--------------------------------------------------------------------------------


HOW TO DETECT AND MITIGATE

We recommend the following steps to identify and address the issue:

1. AUDIT SHARED BOOKINGS PAGES

Use ExchangeOnline PowerShell to identify hidden mailboxes created by shared
Booking pages.

PS C:\Users\user> Get-Mailbox
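The post shows a bare Get-Mailbox; the script below, added here as an example and not part of the original article or any Cyberis tooling, narrows that to the mailbox type Bookings creates and applies the naming observation from the "Unauthorised account creation" section: a page named "Firstname Surname" becomes FirstnameSurname@, which collides with a real first.name@ address once dots are stripped. It assumes the ExchangeOnlineManagement module is installed and that -RecipientTypeDetails SchedulingMailbox is the mailbox type Bookings pages are provisioned as (this is how Microsoft's own Bookings documentation enumerates them). The collision logic and the high-value alias list are the example's own additions.

```powershell
# Added example (not Cyberis code): list Bookings mailboxes and flag the ones
# whose address collides with a real user's address or a high-value alias.
# Assumes an ExchangeOnlineManagement session with rights to run Get-Mailbox.
Connect-ExchangeOnline

# Aliases from the "high-value email addresses" recommendation in this post.
$highValue = 'administrator', 'hostmaster', 'postmaster', 'webmaster', 'admin', 'root'

# Normalise a local-part the way a Bookings page name turns into an address:
# lower-case and drop separators, so "geoff.jones" and "geoffjones" compare equal.
function Get-NormalisedLocalPart {
    param([string]$Address)
    $local = ($Address -split '@')[0].ToLowerInvariant()
    return ($local -replace '[.\-_]', '')
}

# Index every SMTP address held by a genuine user mailbox: normalised -> original.
$userIndex = @{}
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object {
        foreach ($addr in $_.EmailAddresses) {
            # Entries look like "SMTP:primary@domain" or "smtp:alias@domain".
            if ("$addr" -like 'smtp:*') {
                $plain = "$addr".Substring(5)
                $userIndex[(Get-NormalisedLocalPart $plain)] = $plain
            }
        }
    }

# Bookings pages are provisioned as scheduling mailboxes (assumption noted above).
$findings = Get-Mailbox -RecipientTypeDetails SchedulingMailbox -ResultSize Unlimited |
    ForEach-Object {
        $smtp = $_.PrimarySmtpAddress.ToString()
        $norm = Get-NormalisedLocalPart $smtp
        [pscustomobject]@{
            DisplayName        = $_.DisplayName
            PrimarySmtpAddress = $smtp
            WhenMailboxCreated = $_.WhenMailboxCreated   # newest first helps step 3 (monitoring)
            LooksLikeUser      = $userIndex[$norm]       # e.g. geoff.jones@... if it collides
            HighValueAlias     = ($highValue -contains $norm)
        }
    }

# Full inventory, most recently created first.
$findings | Sort-Object WhenMailboxCreated -Descending | Format-Table -AutoSize

# Mailboxes to investigate first: a page name that mirrors a person or a role alias.
$findings | Where-Object { $_.LooksLikeUser -or $_.HighValueAlias }
```

A legitimate page such as "Customer Clinic" produces no finding; a page named after a member of staff or after "admin" does, which is exactly the pattern the sections above describe. Re-running this on a schedule and diffing the inventory is a simple way to cover step 3 below without relying on Entra alerting alone.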



2. RESTRICT BOOKINGS ACCESS

Disable the ability for end users to create shared Booking pages unless
absolutely necessary.

PS C:\Users\user> Connect-ExchangeOnline
PS C:\Users\user> Set-OrganizationConfig -BookingsEnabled $false
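The tenant-wide switch above is the right answer where Bookings is not used at all. As an added example (not from the original post), the snippet below verifies that setting and shows two narrower controls for tenants that do need Bookings: the OWA mailbox policy flag that stops ordinary users creating Bookings mailboxes, and the Bookings naming policy, which forces a prefix onto page names and therefore onto the addresses derived from them. BookingsMailboxCreationEnabled, BookingsNamingPolicyEnabled and BookingsNamingPolicyPrefix are documented Exchange Online parameters; I am assuming they are present on the module version you run, and that the default OWA policy still carries the name OwaMailboxPolicy-Default, so confirm both with Get-Help and Get-OwaMailboxPolicy first.

```powershell
# Added example (not Cyberis code). Pick ONE of the options below; they are
# alternatives, not a sequence. Assumes an ExchangeOnlineManagement session.
Connect-ExchangeOnline

# Option A: organisation does not use Bookings. Turn it off and verify.
Set-OrganizationConfig -BookingsEnabled $false
(Get-OrganizationConfig).BookingsEnabled          # should now report False

# Option B: keep Bookings, but stop ordinary users provisioning new Bookings
# mailboxes. The flag lives on the OWA mailbox policy applied to those users
# (assumed default policy name; list them with Get-OwaMailboxPolicy).
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false
Get-OwaMailboxPolicy | Select-Object Name, BookingsMailboxCreationEnabled

# Option C: pages must still be created by staff. Enforce a naming prefix so
# a page can never be called plain "Geoff Jones" or "admin"; because the
# address is derived from the page name, the prefix lands in the address too.
Set-OrganizationConfig -BookingsNamingPolicyEnabled $true -BookingsNamingPolicyPrefix 'bookings-'
Get-OrganizationConfig | Select-Object BookingsEnabled, BookingsNamingPolicyEnabled, BookingsNamingPolicyPrefix
```

Option B is the closest match to "disable the ability for end users to create shared Booking pages" while leaving existing pages working; Option C does not remove the hidden-mailbox behaviour, it only makes the resulting addresses obviously distinct from people and role accounts.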

3. MONITOR ENTRA ACCOUNTS

Set up alerts for unusual account creation activity.

4. REVIEW AND REVOKE PERMISSIONS

Regularly audit mailbox permissions and remove unnecessary delegate access.

5. ENSURE HIGH-VALUE EMAIL ADDRESSES ARE SECURED

To mitigate risks of email impersonation and hijacking, ensure that high-value
email addresses commonly used for domain or service validation are claimed and
associated with an administrator-controlled account in your tenant. Examples of
these addresses include:

administrator@your_domain_name
hostmaster@your_domain_name
postmaster@your_domain_name
webmaster@your_domain_name
admin@your_domain_name
root@your_domain_name
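To find out whether any of those addresses are currently unclaimed on your accepted domains, the check below (an added example, not part of the original post) asks Exchange Online for a recipient of any type at each alias and reports the gaps. It assumes an ExchangeOnlineManagement session; Get-AcceptedDomain and Get-Recipient are standard cmdlets, and the alias list is the one given above.

```powershell
# Added example (not Cyberis code): report which high-value aliases are not
# owned by any recipient, and so could be claimed by a Bookings page name.
Connect-ExchangeOnline

$aliases = 'administrator', 'hostmaster', 'postmaster', 'webmaster', 'admin', 'root'

$report = foreach ($domain in (Get-AcceptedDomain | Select-Object -ExpandProperty DomainName)) {
    foreach ($alias in $aliases) {
        $address = "$alias@$domain"
        # Get-Recipient covers user, shared, distribution and scheduling objects alike;
        # suppress the "not found" error so an unclaimed alias simply yields $null.
        $owner = Get-Recipient -Identity $address -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address   = $address
            Claimed   = [bool]$owner
            OwnerType = if ($owner) { $owner.RecipientTypeDetails } else { '' }
            Owner     = if ($owner) { $owner.Identity } else { '' }
        }
    }
}

$report | Sort-Object Claimed, Address | Format-Table -AutoSize

# Addresses to claim with an administrator-controlled mailbox or distribution group.
$report | Where-Object { -not $_.Claimed }
```

An alias that is claimed but whose OwnerType is SchedulingMailbox deserves the same attention as an unclaimed one, since that is the outcome the "Email address hijacking" section describes.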


DISCLOSURE

At Cyberis, we take a proactive approach to identifying security vulnerabilities
that could impact organisations using widely adopted tools like Microsoft
Bookings. These findings highlight the importance of rigorous security
configuration and monitoring within your Microsoft 365 environment.

If you need assistance mitigating risks or enhancing your organisation's
security posture, please get in touch with our team.

Geoff Jones

