BingBang: Hacking Bing.com (and much more) with Azure Active Directory

In cloud-managed environments, exposing one of your most sensitive assets to external attackers can be as simple as clicking a checkbox.

This was the case for Bing.com with their Azure Active Directory (AAD) integration, where a single misconfiguration enabled us to bypass authentication, alter search results, and launch XSS attacks on its users stealing their Office 365 tokens. However, Bing was not an isolated case. Join us to learn how to identify and map exposed Azure AD applications, as well as how to protect them in your environment.