Microsoft Entra ID – one of the most used identity providers in the enterprise market. …
Fantastic contortion of features into attacker primitives
5 stars
This talk showcased a number of ways to phish victims’ Microsoft Entra ID credentials directly from the legitimate login.microsoftonline.com domain. From simple open redirects to an attacker AitM phishing domain, to a complex multi-attacker-tenant approach that keeps the victim on login.microsoftonline.com and can steal credentials and MFA codes/app PINs, the research is fantastic.
I particularly enjoyed the technique of creating a custom font to render the attacker-owned fake domain as the victim domain (e.g., micro-oft.com -> microsoft.com).