MS guidance only specifies blocking 445 outbound, no mention of WebDAV. If SMB is blocked at the edge, wouldn’t it just fall back to WebDAV as in your example?
Great stuff! What’s confusing to me: what if you have O365 but are using PTA authentication? I mean, they state O365 is not vulnerable, but it’s ultimately the Outlook client that will initiate communication with the adversary-controlled UNC path, so the hash could be stolen anyway. What the adversary can then do with the hash is a different story. Am I correct?