Windows 365 credentials can be dumped in plaintext
On August 2nd, 2021, Microsoft launched their Windows 365 cloud-based desktop service, allowing users to rent Cloud PCs and access them via remote desktop clients or a browser.
One of the lucky few who got a free trial was Benjamin Delpy, creator of Mimikatz, an open-source security tool that lets researchers test credential-theft and impersonation techniques. Delpy quickly began testing the new service's security and found that a malicious program running on a Cloud PC can dump the Microsoft Azure email address and password of logged-in users in plaintext.
Delpy says he would typically recommend 2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard to protect against this method. However, these security features are not currently available in Windows 365.
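As an added example (not part of the original article, and not Delpy's code), the PowerShell below audits the Remote Credential Guard settings mentioned above on a conventional Windows RDP host and client. The registry locations are those documented by Microsoft for Remote Credential Guard, and the script assumes it is run elevated; it is for the rest of an RDP estate, since the article notes that Windows 365 did not offer this control at the time.

```powershell
# Added example: audit Remote Credential Guard configuration on a Windows RDP
# host and client. Not from the article; registry paths follow Microsoft's
# Remote Credential Guard documentation. Run in an elevated PowerShell.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Host side: Remote Credential Guard (and Restricted Admin) connections are
# only honoured when DisableRestrictedAdmin is 0. A missing value means off.
$hostValue = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin `
              -ErrorAction SilentlyContinue).DisableRestrictedAdmin
if ($hostValue -eq 0) {
    Write-Output 'Host: accepts Remote Credential Guard / Restricted Admin connections.'
} else {
    Write-Output 'Host: NOT accepting Remote Credential Guard. Enable with:'
    Write-Output "  New-ItemProperty -Path '$lsa' -Name DisableRestrictedAdmin -PropertyType DWORD -Value 0 -Force"
}

# Client side: the "Restrict delegation of credentials to remote servers" policy.
# RestrictedRemoteAdministration = 1 turns it on; the Type value picks the mode:
#   1 = Require Restricted Admin
#   2 = Require Remote Credential Guard
#   3 = Restrict credential delegation (Remote Credential Guard, else Restricted Admin)
$clientOn   = (Get-ItemProperty -Path $policy -Name RestrictedRemoteAdministration `
               -ErrorAction SilentlyContinue).RestrictedRemoteAdministration
$clientType = (Get-ItemProperty -Path $policy -Name RestrictedRemoteAdministrationType `
               -ErrorAction SilentlyContinue).RestrictedRemoteAdministrationType
if ($clientOn -eq 1 -and $clientType -in 2, 3) {
    Write-Output "Client: policy enforces Remote Credential Guard (type $clientType); the password is not delegated to the remote host."
} else {
    Write-Output 'Client: no policy enforcement. Per session, connect with: mstsc.exe /remoteGuard /v:<host>'
    Write-Output 'Or enforce it by policy:'
    Write-Output "  New-Item -Path '$policy' -Force | Out-Null"
    Write-Output "  New-ItemProperty -Path '$policy' -Name RestrictedRemoteAdministration -PropertyType DWORD -Value 1 -Force"
    Write-Output "  New-ItemProperty -Path '$policy' -Name RestrictedRemoteAdministrationType -PropertyType DWORD -Value 2 -Force"
}
```

The point of the check is the weak-versus-hardened contrast: with the host value unset or 1 and no client policy, the user's password is delegated to the remote session and sits in memory where a credential dumper can read it; with the host accepting Remote Credential Guard and the client required to use it, only Kerberos tickets are forwarded and there is no plaintext password on the remote host to steal.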
Why is this a big deal? An attacker first needs a way to run commands on a user's Cloud PC, for example through phishing or malware. Once they have that, they can recover the user's plaintext Azure credentials and use them to move laterally through Microsoft services and potentially into the company's internal network.
Read more on this important find and see how you can help protect yourself, your users, and your organization.