f-bader
Added MFA bypass via definition of a Custom User Agent
Added a -CustomUserAgent parameter to all the (Get|Invoke)-*Token functions.
This essentially allows the bypass of MFA enablement gaps related to Device Platforms, as shown in the image below.
Using an out-of-the-ordinary user agent, like Yahoo! Slurp (Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) bypasses the interaction_required warning when combinations of the -Device & -Browser parameters fail. The MFA bypass happens because the current configuration that seems secure works as a blacklist, allowing every other User Agent that is not included in it.
| Bypassed CAP Policy Example | |
|---|---|
| Applies to | Including: Users: |
| Applications | Including: All applications |
| On platforms | Including: Android, iOS, Windows, Windows_Phone, macOS, Linux |
| Using clients | Including: Legacy Clients, Mobile and Desktop clients, Exchange ActiveSync, Browser |
| Controls | Requirements (any): Mfa |
| Session controls | SignInFrequency |
Moreover, this argument could also contribute to OPSEC. If one knows the devices that a user utilizes to perform their everyday tasks (e.g. through OSINT), they can use the corresponding User Agent to avoid detection through out-of-the-ordinary User Agents in authentication logs.
The bypass has been successfully battle-tested. PoC can be provided if needed.
@f-bader I have resolved the conflicts and tested the proper functionality of the tool to successfully include the new MFA bypass feature.
I have also closed the previous PR.
Sorry @Pri3st that it me so long to test and approve the PR. Thank you for your contribution and your gentle reminder
