Octoberfest7 / TeamsPhisher

Send phishing messages and attachments to Microsoft Teams users

Support attachments even when "Anyone with the link" is disabled #19

Open okazymyrov opened 1 year ago

okazymyrov commented 1 year ago

I have reported to Microsoft a vulnerability to bypass restrictions on "Anyone with the link". They see it as a feature, not a bug. It would be nice to integrate this "feature" into this project.

Octoberfest7 commented 1 year ago

How would that be used or useful in this project?

okazymyrov commented 1 year ago

There are several scenarios when this would be useful. `getInviteLink` might fail in the case of a real tenant. Sharing with anyone is usually prohibited. The above scenario allows getting a link even when "Allow by anyone" is disabled. White hat hackers during red teaming usually work with multi-tenancy. TeamsPhisher could become a nice tool for internal cross-tenant phishing campaigns as well as for educational purposes.