Windows 365 can be used to expose Azure credentials in plain text
Windows 365 is less than two weeks old, but researchers are already finding security vulnerabilities in the service. Researcher Benjamin Delpy, creator of the mimikatz project, has found that it’s possible to expose a user’s Azure credentials in plain text while using Windows 365. The vulnerability does require administrative privileges to exploit, but it still opens a window of exposure.
As BleepingComputer explains, the exploit builds on a vulnerability in the Microsoft Remote Desktop connection, which Delpy initially discovered in May. When you create a cloud PC, it’s essentially a virtual machine installed in the cloud, and you access it through a Remote Desktop connection. This vulnerability allowed users to expose the Remote Desktop credentials in use on a client with a tool like mimikatz.
Accessing a cloud PC with Windows 365 uses the Remote Desktop Protocol, too, so the vulnerability works similarly here. Since Windows 365 is tied to Azure, the credentials that are exposed this time are for your Azure account. Plus, this works even if you’re accessing your Windows 365 cloud PC through the web browser, because it still uses the Remote Desktop Protocol.
As we’ve mentioned, though, this does require access to the PC as well as administrative privileges. But there are other vulnerabilities that can be exploited to gain access to a system. A malicious email attachment can grant an attacker access to your PC, and other vulnerabilities can be exploited to gain administrative privileges. The thing is, obtaining your credentials here is about more than accessing your own PC: it could potentially allow attackers to spread to other Microsoft services in your organization, eventually affecting the entire company’s internal network. It could potentially expose hundreds of users, even if just one of them opens the initial attack window.
One way to avoid this kind of threat is to use alternatives to traditional passwords. Windows Hello or two-factor authentication can usually prevent this, but Windows 365 doesn’t support these features yet. Presumably, Microsoft is working on a way to enable these features for cloud PCs, but for now, it’s best to be extra careful if you’re using Windows 365.