following rabbit holes through the tech stack

Automating the enumeration of missing reply URLs in Azure multitenant apps

In my previous post, I showed the impact that an unregistered reply URL can have in an Azure tenant and how to enumerate such URLs for single-tenant applications. This time, we take it one step further and introduce a tool that enumerates both single-tenant and multitenant applications without any user interaction.

Arbitrary 1-click tenant takeover via MS application

In this blog post, I explain how reply URLs in Azure applications can be used as a phishing vector. The impact ranges from data leaks to complete tenant takeover, achieved just by luring a victim into clicking a link.