General Information

Elbsides 2025

The Elbsides 2025 computer security community conference will be held in Hamburg, Germany on Friday, the 13th of June 2025. Registration is now open!

Location

The conference will be held at the Hotel Hafen Hamburg in the Elbkuppel, a unique event location in the heart of Hamburg overlooking the harbor. The Elbkuppel has been recently renovated and offers a modern and comfortable setting for our conference.

Sponsors

Elbsides cannot exist without sponsors because we are trying to be as inclusive as possible by keeping the ticket price to a nominal charge that doesn’t even start to cover our costs. If you are interested in sponsoring Elbsides 2025, please contact us at elbsides <at> gmail.com.

We encourage sponsors from the local community, even if you are not a security company. In fact, since security is everyone’s concern, we would love to have sponsors from all walks of life.

Platinum Sponsor
VMRay GmbH
Gold Sponsors
DFN-CERT Services GmbH
Amazon Web Services, Inc
Silver Sponsors
pure ISM GmbH
SIGNAL IDUNA Gruppe
Barracuda Networks, Inc
ZEAL Network SE
Bronze Sponsors
Mogwai Labs
Trend Micro
Schutzwerk
ISACA Germany
Pre-sense
Community Sponsors
BSidesMunich
Detlev Louis Motorrad-Vertriebsgesellschaft mbH
BSidesFrankfurt

Program

start time speaker title
09:00   Conference Opening
09:15 Mikko Hyppönen Opening Keynote: What I’ve Learned
09:45 Andrea Ercolino A tale of nefarious usage: IPv6 based Covert Channels
10:15 Lars Fischer Internet Message-Protection using Certificates and (not yet) Transformation
10:45   morning break
11:15 Sewar Khalifeh From Unrestricted Uploads to Security Nightmares: Preventing and Mitigating File Upload Vulnerabilities
11:45 Max Maaß Why Defensive Software Architecture is Important, or: How to Compromise a Payment Processor using Math
12:15 Igor Stepansky, Michael Goberman Breaking the CI/CD Chain: Security Risks in GitHub Actions
12:45   lunch break
13:45 Jasmin Mair, Lukas Mika SBOMs – A Tragicomedy in Three Acts
14:15 Andrey Voitenko The Ongoing Challenge of Phishing: Examining Attack Vectors and Exploring Defense Improvements
14:45 Sarah Pauli Effects and dynamics of Cybercrime on cyberprofessionals in the workfield. How can we optimize the workplace for our guards in Cybersecurity?
15:15   afternoon break
15:45 Malte Wessels HyTrack: Tracking You Across Apps and the Web Hydra-Style
16:15 Chris Traynor Pentest Pains
16:45 Asan Stefanski AI security and AI auditing: security risks and protective measures for modern AI systems
17:15 Axelle Apvrille Closing Keynote: Malware, Meet AI: Friend or Foe?
17:45   Conference Closing
18:00   Networking Hour

This is version 0.13 of the schedule.

Speakers

Andrea Ercolino, Andrey Voitenko, Asan Stefanski, Axelle Apvrille, Chris Traynor, Christian Kollee, Igor Stepansky, Jasmin Mair, Lars Fischer, Lukas Mika, Malte Wessels, Max Maaß, Michael Goberman, Mikko Hyppönen, Sarah Pauli, Sewar Khalifeh, Yasin Tas

Andrea Ercolino

Biography:

Andrea is a passionate Digital Security Specialist currently working at the European Central Bank. Navigating the challenging waters of cybersecurity, Andrea focuses on Identity and Access Management, security engineering, and security operations. During his academic journey, he developed a strong interest in network protocol security, secure coding practices, malware reverse engineering, and operational security (OpSec).

Beyond his professional life, Andrea is an enthusiastic fan of The Legend of Zelda series, a saxophone player, and an avid home cook. He’s driven by a deep desire to keep learning, to share knowledge, and to help make the digital world a little bit more secure for everyone.


Andrey Voitenko

Biography:

Andrey Voitenko is Senior Product Manager at VMRay, where he focuses on advanced threat detection and analysis technologies. With over 20 years of experience in cybersecurity, he has held leadership roles in both product development and product management at major international security vendors. Andrey holds a CISSP certification and a Master’s degree in Applied Mathematics and Information Security Technologies. He is a frequent speaker at industry conferences and technical community events.


Asan Stefanski

Biography:

Asan Stefanski is Director of Digital Transformation at ADVISORI FTC GmbH and a recognized expert in Artificial Intelligence. With more than 12 years of experience in complex IT projects, he has successfully taken on key roles including Project Manager, Senior Software Architect, and Senior Software Engineer.


Axelle Apvrille

Biography:

Axelle Apvrille is a Principal Security Researcher at Fortinet, Fortiguard Labs. Her research interests are mobile and IoT malware that she reverses every day. In addition, she is the lead organizer of Ph0wn CTF, an on-site competition which focuses on ethical hacking of smart objects. In a prior life, Axelle used to implement cryptographic algorithms and security protocols.

Axelle has spoken at many conferences such as Black Hat Europe, Confidence, Hack.Lu, Hacktivity, Insomni’hack, ShmooCon, Troopers, Virus Bulletin… NorthSec 2021 ;-) She has also published in academic journals such as IEEE Security & Privacy, or Journal in Computer Virology. She regularly writes in the French magazine MISC and Hackable, and has recently published in Phrack #71.


Chris Traynor

Biography:

Chris is a Pentester at Black Hills Information Security (BHIS), where he is responsible for Pen Testing web apps, mobile app, APIs, and networks. He is also the owner of Ridgeback InfoSec (ridgebackinfosec.com) and has authored two cybersecurity classes (Offensive Tooling Foundations and Offensive Tooling for Operators) which he teaches via Antisyphon Training. Chris has nearly two decades of experience in Web/Mobile development, QA automation, and Penetration Testing.

Certifications:
GSEC: GIAC Security Essentials
GCIH: GIAC Certified Incident Handler
GWAPT: GIAC Web Application Pen Tester
GPEN: GIAC Penetration Tester


Christian Kollee

Biography:

Christian has more than 13 years of experience in IT security (primarily CSIRT and SOC) and 8+ years in digital forensics and incident response. He has led the handling of numerous incidents involving small and medium-sized businesses, large corporations, hospitals, and universities.

Since October 2024, Christian has been the Principal Expert at Eye Security GmbH and is responsible for helping (primarily) German companies and organizations recover from incidents quickly and securely.


Igor Stepansky

Biography:

I’m Igor Stepansky, a Product Security Engineer at Axonius for more than 3 years with a background as a cybersecurity analyst. My expertise includes integrating security solutions such as SAST, IaC, SCA, secrets detection, malicious package identification, and more. I’m also responsible for penetration testing, securing cloud and Docker environments, GitHub hardening, and building cool tools to enhance security workflows. I’m passionate about sharing practical knowledge and insights gained from working with diverse security solutions in a modern enterprise environment like Axonius.


Jasmin Mair

Biography:

Jasmin Mair is the Head of Application Security at E.ON Digital Technology. Prior to this, she held the role of Global Product Security Manager at Leica Microsystems and led the Data & Application Security Competency at IBM Security. She brings extensive experience in both application and product security. Throughout her career, she has collaborated with diverse stakeholders across multiple industries to implement security programs, foster DevSecOps practices, and strengthen the security of the software development lifecycle (SDLC). Her true passion lies in connecting interdisciplinary teams and driving more effective collaboration between security, development, and product management.


Lars Fischer

Biography:

https://informatik.hs-bremerhaven.de/lafischer (more coming on acceptance of the talk)


Lukas Mika

Biography:

Lukas Mika is the Lead Cyber Architect for Application Security at Maersk. He focuses on the strategic vision and architecture of a secure software supply chain that is seamlessly integrated into the company’s comprehensive secure software development lifecycle. With his extensive experience in solution development and enterprise architecture, as well as his passion for application security, he is deeply committed to the principles of “Secure by Design, by Default, and through Automation.”


Malte Wessels

Biography:

Malte Wessels has been a PhD student at the Institute for Application Security at TU Braunschweig since summer ‘22, where he researches web security and privacy.


Max Maaß

Biography:

Max Maaß works at the security team at iteratec. He spends his time with architecture reviews, threat modeling and pentesting for software development projects, and has contributed to the OWASP secureCodeBox. Previously, he conducted research into security and privacy issues at the Secure Mobile Networking Lab at TU Darmstadt.


Michael Goberman

Biography:

Michael Goberman is the Director of Product Security at Axonius, where he leads the Application Security department. He brings extensive industry experience across a diverse range of cybersecurity roles, demonstrating strong leadership in securing modern enterprise applications and infrastructure.

https://www.linkedin.com/in/michael-goberman/


Mikko Hyppönen

Biography:

Mikko Hyppönen is a global security expert, speaker and author. He works as the Chief Research Officer at WithSecure and as the Principal Research Advisor at F-Secure.

Mr. Hyppönen has written on his research for the New York Times, Wired and Scientific American and he appears frequently on international TV. He has lectured at the universities of Stanford, Oxford and Cambridge.

He was selected among the 50 most important people on the web by the PC World magazine and was included in the FP Global 100 Thinkers list.

Mr. Hyppönen sits in the advisory boards of t2 and Safeguard Cyber.


Sarah Pauli

Biography:

Hi, I'm Sarah! I have been working for years in the business as a disciplinary and temporary leader in Customer Services, Supply Chain Management and IT. During a Transformation Program, I found my passion for information security and the psychology behind it. Some years later, I am a future cyberpsychologist, focusing on human-machine interaction. My aim is to give a better understanding of what happens with us in the digital world and how we can gain the right benefits and limits for our digital future.


Sewar Khalifeh

Biography:

Sewar Khalifeh is a cybersecurity consultant specializing in Secure by Design principles, with over three years of experience in the banking and telecommunications industries. She currently works as a Secure by Design consultant for CLOUDYRION, conducting security assessments for cloud/hybrid solutions and leading security initiatives that push digital transformation journeys.

Holding multiple certifications, including ECIH, CEH, and OCI Security Professional, she is passionate about advocating for security best practices and sharing insights through workshops and community engagements.


Yasin Tas

Biography:

From a young age Yasin had an affinity with Computers and Technology, and has been with Eye Security B.V. for the past 3 years improving his knowledge and skills in Digital Forensics and Incident Response.


Talks

Conference Opening

Start time: 09:00

Duration: 00:15

Abstract: Welcome and housekeeping statements


Opening Keynote: What I’ve Learned

Start time: 09:15

Duration: 00:30

Speaker(s): Mikko Hyppönen

Abstract: Mikko brings over 35 years of deep, firsthand experience in the ever-evolving computer security landscape. In this talk, he will guide us through the formative stages of the industry - when the first self-replicating malicious code emerged, and security professionals were just beginning to recognize and contain the computer virus threat.

Mikko will examine the transition from isolated virus outbreaks to organized, financially motivated cybercrime rings. He’ll recount his investigations of email-borne exploits, discuss the rise of botnets and distributed denial-of-service attacks, and share lessons learned about the interplay between attacker innovation and defender response.

Finally, Mikko will reflect on the current state of cybersecurity as a mature, multi-billion-dollar ecosystem and how governments entered the picture. He’ll finish with some educated guesses about where we will go next.


A tale of nefarious usage: IPv6 based Covert Channels

Start time: 09:45

Duration: 00:30

Speaker(s): Andrea Ercolino

Abstract: Like steganographic techniques that embed messages in unstructured data, network-based covert channels exploit communication protocols to conceal data. By hijacking legitimate traffic, these channels provide a stealthy means of communication and data exfiltration.

The growing adoption of IPv6, driven by major ISPs and tech companies, introduces new security risks. One such risk is the ease of implementing covert channels within IPv6 communications, which remain undetected by common open-source IDS tools like Suricata, Zeek, and Snort.

Using high-level programming languages like Python and open-source libraries such as Scapy, it is possible to inject covert data into IPv6 packets without disrupting application-level communication. This technique applies to on-premises, hybrid-cloud, and commercial cloud environments, including AWS, Azure, and Vultr, leveraging an IPv6 network stack.

Six covert channels have been implemented and tested in virtual and cloud environments to evaluate their feasibility. To prevent interference with legitimate traffic, packets are cleaned before delivery, ensuring injected data is removed and restoring packets to their original form.

Various IPv6 fields and extension headers can carry covert messages without affecting overt communication. The Flow Label and Traffic Class fields, as well as the Authentication, Routing, Destination Options, and Fragment headers, can be exploited. The bandwidth of a covert channel depends on the bits that can be safely manipulated. For instance, the Flow Label field allows a bandwidth of 20 bits per packet, offering an efficient and hard-to-detect method when high bandwidth is not required. In contrast, the Authentication Header, introduced in this work, can carry 32 bits per packet while maintaining stealth. The Destination Options Header, though rarely used, can transport up to 256 bits per packet.

Ensuring successful message delivery while preserving communication integrity requires a communication strategy at both ends of the covert channel. Three strategies have been implemented: naive, marked, and reliable, each offering increasing levels of complexity, reliability, and efficiency.

The naive strategy simply transmits n covert-data packets followed by y legitimate packets, with both sender and receiver preconfigured accordingly. However, it lacks reliability in cases of packet loss or reordering. The marked strategy improves upon this by employing cryptographic marking to ensure correct packet identification and reassembly. The reliable strategy applies when TCP is used at Layer 6, allowing the sender to retransmit covert bits associated with missing TCP sequence numbers.

Beyond academic research, the proposed tool enables man-in-the-middle data exfiltration, allowing a compromised router to participate in an attack chain. Covert channel performance has been evaluated in terms of bandwidth and message loss rates. Their effectiveness has been tested against Suricata, Snort, and Zeek to assess whether standard detection rules trigger alerts when scanning IPv6 traffic modified to carry covert data.


Internet Message-Protection using Certificates and (not yet) Transformation

Start time: 10:15

Duration: 00:30

Speaker(s): Lars Fischer

Abstract: The crucial stumbling block for widespread secure communication over Email clearly seems to be “usability”. The difficult part arguably is “certificate management”, which at its core is the question of how to authenticate credentials. Many researchers and developers have taken their shot at improving the situation, while instant messenger applications seem to simply circumvent all obstacles and provide effortless end-to-end security — alas only for communication within their respective silos. And the situation for Email, i.e. the combination of SMTP (RFC 5321) and Internet Text Messages, going back to RFC 724 and RFC 772 and nowadays encapsulated by MIME, is anything but simple. But since 2015 ACME seems to have solved the similar problem of distributing authenticated certificates for websites. In this work we take up the work on ACME for end-users and transfer the principles to OpenPGP, thus finally solving(?) this problem from the 1990s.


From Unrestricted Uploads to Security Nightmares: Preventing and Mitigating File Upload Vulnerabilities

Start time: 11:15

Duration: 00:30

Speaker(s): Sewar Khalifeh

Abstract: Unrestricted file uploads pose a significant threat to application security, allowing attackers to exploit various vulnerabilities and gain unauthorised access to systems and data. Potential risks associated with unrestricted file uploads include triggering vulnerabilities in libraries/applications, abusing real-time security tools, executing malicious code, and unauthorised access to sensitive files. In addition to the standard security best practices for file uploads, such as restricting file size, types, and extensions, experts recommend further security controls to enhance protection and validate files. These technologies include Content Disarm and Reconstruction (CDR), multi-AV scanning, sandboxing, and single-AV scanning. The aim of this presentation is to provide a detailed walkthrough of the risks and attacks associated with unrestricted file upload vulnerabilities, review the protective technologies available, outline proper mitigation strategies, and give practical examples of how to secure your environment against malicious uploads.


Why Defensive Software Architecture is Important, or: How to Compromise a Payment Processor using Math

Start time: 11:45

Duration: 00:30

Speaker(s): Max Maaß

Abstract: People talk a lot about defensive software architecture, but does it really make a difference?

In this presentation, I give an example from a security audit we performed, in which a simple misuse of a cryptographic primitive led to the compromise of an entire customer service tool for a payment provider, which would have allowed us full administrative access to their backends.

By stepping through the architecture of the system from the highest level down to the exact vulnerable code, this example allows us to illustrate the advantages of defensive software architectures with multiple layers of security. By the end of the presentation, you will have a new appreciation for defensive software architectures. As a bonus, you will also have learned about a neat cryptographic trick that exploits unauthenticated encryption.


Breaking the CI/CD Chain: Security Risks in GitHub Actions

Start time: 12:15

Duration: 00:30

Speaker(s): Igor Stepansky, Michael Goberman

Abstract: GitHub Actions have become a critical part of CI/CD pipelines, but do you really know what’s happening under the hood?

This talk will break down GitHub Actions concepts, explore their security risks, and highlight how third-party actions in the supply chain can introduce vulnerabilities. We’ll examine real-world examples of misconfigurations, critical security risks, and unexpected workflow behaviors that attackers can exploit.

We’ll also discuss the recent security issue with tj-actions/changed-files, and we’ll analyze how attackers can exploit these risks and what security best practices can help to mitigate them.

Additionally, we’ll compare existing security tools, from static analysis scanners to runtime monitoring solutions, and discuss how teams can integrate them into their CI/CD pipelines. Finally, I’ll introduce a new tool designed to help identify and analyze transitive actions, making it easier to assess their impact and reduce security risks.

Attendees will gain a deeper understanding of GitHub Actions’ security landscape, real-world case studies, and practical techniques for proactively securing their workflows, alongside a new tool to simplify the process.


SBOMs – A Tragicomedy in Three Acts

Start time: 13:45

Duration: 00:30

Speaker(s): Jasmin Mair, Lukas Mika

Abstract: Increasing supply chain attacks have highlighted the need for greater transparency in software. As a result, more regulations now require software vendors to provide SBOMs (Software Bills of Materials) for their products. In this talk, we’ll take you on a journey into the world of CISOs and managers who hope that SBOMs can solve many problems in the areas of cybersecurity and cyber resilience. Our brave architect will address questions such as: Do SBOMs actually make products more secure? Can they help mitigate situations like Log4Shell? What exactly do they need to contain? Along the way, they’ll debunk inflated expectations and outline the prerequisites for using SBOMs effectively.


The Ongoing Challenge of Phishing: Examining Attack Vectors and Exploring Defense Improvements

Start time: 14:15

Duration: 00:30

Speaker(s): Andrey Voitenko

Abstract: Phishing attacks are evolving faster than traditional defenses can adapt. Despite significant investments in Secure Email Gateways (SEGs) and email security stacks, phishing remains one of the most effective initial access vectors. This session examines why phishing continues to succeed and introduces a practical, high-impact strategy to strengthen defenses.

SEGs typically rely on a layered architecture that includes header analysis, policy enforcement, static antivirus (AV) signature checks, link reputation services, and even lightweight sandboxing. As SEGs must process high volumes of email with minimal latency, they are optimized for speed and scale rather than for depth of inspection and comprehensive analysis. This can create exploitable detection blind spots. Sophisticated phishing campaigns take advantage of these limitations using tactics such as multi-stage redirect chains, geolocation- or time-based payload activation, QR codes, SVG images, and HTML smuggling.

What can be done?

One often overlooked opportunity to address these advanced threats lies in integrating the organization’s User-Reported Phishing (URP) program with advanced sandboxing technology. Unlike SEGs, these sandboxes operate outside real-time delivery constraints. They simulate realistic user interaction, follow complex redirect paths, and expose evasive payloads in a safe analysis environment. This enables faster triage, higher-confidence verdicts, and improved detection of phishing threats that bypass gateway-level defenses.

This session will include real-world examples of advanced phishing techniques, such as redirect chains, QR code-based attacks, and SVG-based payloads, and show how advanced sandboxing can be used to detect them effectively.


Effects and dynamics of Cybercrime on cyberprofessionals in the workfield. How can we optimize the workplace for our guards in Cybersecurity?

Start time: 14:45

Duration: 00:30

Speaker(s): Sarah Pauli

Abstract: I would like to give an insightful exploration into the impact of cybercrime on the mental health of SOC analysts and related roles that are connected to upper management. As we delve into this critical topic, we recognize the increasing prevalence of cyberattacks and the decreasing availability of the workforce. SOCs are at the forefront of defending organizations against these threats, yet the demanding nature of their work often leads to significant stress and burnout among SOC analysts and the upper management dedicated to the field of cybersecurity.

Most of the time, we try to reflect on the technical stability in this area. But we do not figure out how important structures and regulated processes are in this area, similar to high-reliability organizations (e.g. aviation or medicine).

I want to give an inspirational approach to improving the workplace, keeping professionals more resilient and longer in their workplace. My approach reflects not just on mental health and wellbeing; it’s partly a management calculation which should be added to the consideration of defending organizations from risks.


HyTrack: Tracking You Across Apps and the Web Hydra-Style

Start time: 15:45

Duration: 00:30

Speaker(s): Malte Wessels

Abstract: We found HyTrack, a robust new Android tracking technique. It allows tracking providers to track you across multiple apps and the web. It does not depend on ad IDs or fingerprinting and can be hidden from you. HyTrack is based on a new browser feature called Custom Tabs. Additionally, it is hard to get rid of: it might survive browser purges and the re-installation of affected apps.

In short, HyTrack brings the full power of web tracking to native Android and is a danger to user privacy as it allows tracking across apps and the web.

In this talk, we will discuss the mechanisms behind it, check which browsers and devices are affected, and discuss mitigations. Finally, we will recommend the next steps for you and the community to take to mitigate HyTrack and protect user privacy.


Pentest Pains

Start time: 16:15

Duration: 00:30

Speaker(s): Chris Traynor

Abstract: Pentesting is meant to uncover security weaknesses, but sometimes the process itself becomes an exercise in frustration. From unclear scopes and unresponsive clients to network misconfigurations and unexpected legal roadblocks, every pentester has war stories of engagements gone wrong. This talk dives into real-world pentesting pain points, sharing firsthand experiences of what makes assessments more difficult than they need to be—and how to avoid these pitfalls.

Whether you’re a seasoned pentester, a blue teamer trying to prepare for a test, or a purple teamer bridging the gap, understanding these challenges can help ensure your next engagement is smoother and more effective. We’ll cover the most common mistakes from all sides of the table, such as poor scoping, lack of communication, ineffective remediation, and unrealistic expectations.

Beyond just the horror stories, this session provides actionable lessons to help security teams and consultants work together more efficiently. Learn how to avoid common traps, improve collaboration, and turn painful experiences into opportunities for a more productive outcome.


AI security and AI auditing: security risks and protective measures for modern AI systems

Start time: 16:45

Duration: 00:30

Speaker(s): Asan Stefanski

Abstract: Modern AI technologies such as RAG and AI agents open up enormous opportunities for companies, but also present them with considerable security and compliance challenges. The presentation “AI Security & AI Auditing” highlights typical points of attack of modern AI systems and presents practical protective measures that enable effective protection. It will also show how regulatory requirements can be met. Only through proactive security measures and transparent auditing processes can AI systems be designed to be not only innovative and efficient, but also secure and trustworthy.


Closing Keynote: Malware, Meet AI: Friend or Foe?

Start time: 17:15

Duration: 00:30

Speaker(s): Axelle Apvrille

Abstract: Artificial Intelligence is capable of creating malware. Fortunately, it is also capable of analyzing them, summarizing and decompiling them with surprising clarity. But how much can we trust it?

In this keynote, we’ll explore moments where AI shines and fails. We’ll also discuss MCP security (Model Context Protocol): a modern protocol with no/little security? As AI and malware evolve together, what does the future hold, in terms of malware and anti-malware?


Conference Closing

Start time: 17:45

Duration: 00:15

Abstract: It’s a wrap! See you at the networking hour and next year.


From OneDrive Access to System Compromise

Backup talk

Speaker(s):

Abstract: With the move to cloud environments and Software as a Service (SaaS) offerings, digital identities are becoming more critical daily. Especially in the business context, these identities are connected to the business e-mail addresses and allow access to e-mails and documents via cloud applications in M365 and Google Workspaces.

With the increased importance of digital identities, they have become a target for criminals. Using adversary-in-the-middle (AitM) attacks, these criminals try to compromise business e-mail addresses, and after successfully obtaining valid credentials, the threat actor can access the user’s cloud environment, launching business e-mail compromise (BEC) attacks. Additionally, these credentials allow a threat actor to access the user’s cloud storage environments, like OneDrive. This access provides many opportunities for a threat actor, including:

  1. Direct access to valuable information
  2. A trusted repository to host malware for distribution
  3. A trusted command and control (C2) channel
  4. Data exfiltration via a trusted channel
  5. Synchronisation misuse

Looking at the last tactic, sync misuse, we found a potential attack vector that, to our knowledge, was previously unknown. By combining sync misuse with another known tactic, replacing .lnk files, a threat actor can rapidly move from a compromised account to a compromised Windows host, from where they can move laterally to achieve their goals.

This talk will briefly illustrate how threat actors use AitM attacks to obtain access to Microsoft M365 credentials and show a proof-of-concept of how a threat actor can use these credentials to compromise a user’s system via OneDrive’s sync feature.


Team

Morton

Morton is a researcher in the Forward-Looking Threat Research (FTR) team at Trend Micro, Inc. where he peers into the future of computers and society to identify the risks and vulnerabilities of the future. His past in computer security stretches back 30 years, and he has been involved in most of the innovations in security, first at the University of Hamburg, Germany, then IBM Research and now Trend Micro. While originally active in malware analysis and computer forensics, recently his team has been focussing on massive threat data analysis for spotting new types of attacks quantitatively and also on modelling future threats to society that will accompany its inevitable march towards tighter integration in smart cities, intelligent transportation, supply chains and manufacturing. Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and resides in the Hamburg, Germany area.

Dagmar

Coming from a non-technical background, Dagmar brings her knowledge of event organization to Elbsides. Through previous experiences in professional stage management / production for theatre in the UK and US, as well as Sci-Fi conventions in Germany, she teamed up with her husband Morton to organize events for the computer security industry, BSides Munich being among them. Having lived and worked in a variety of countries, she enjoys traveling the globe and seeing theatre productions, especially in London.

Stefan

For all his professional business life (even years before that) Stefan has been involved in information security. In 1993 he was the first student to be hired by the freshly launched DFN-CERT Services GmbH, the first Computer Emergency Response Team in Germany and also one of the first within Europe. After having spent a number of years in the PKI universe he worked as an IT security consultant for the next 15 years before re-joining the awesome crew at DFN-CERT Services GmbH in 2016. He likes IT forensics, Cyber Threat Intelligence, and malware analysis and loves helping people.

Florian

A past interest in archaeology brought Florian to the field of security. To him, both share a similar approach: recognizing the ideas of the past via its artefacts and the application of these lessons to form a better future. As a security engineer he tries to adopt this philosophy to the various aspects of the field, may it be user awareness, OS and network security or how to cloud securely. He also enjoys hot food, fast bikes and open source.

Jonas

Jonas’ day job is in incident response and forensics at BlackBerry. During engagements, he specializes in disk forensics and fast triage, relying heavily on automation to aid in fast recovery of customers affected by data breaches or malware incidents. In his spare screen time he engages in various open source efforts and likes researching new forensics related topics. Reverse engineering proprietary APIs, file formats and protocols is one of his main interests. In the great outdoors he enjoys geocaching and paddling. He also added aerial photography and semi-autonomous to fully manual flight with home-built UAVs and FPV drones to his outdoor activities.

David

David is an independent software developer, penetration tester and IT consultant. He likes to build software, analyze systems and troubleshoot weird computer problems. When not in front of a screen he enjoys a good physical challenge, doing various kinds of sports.

Fabian

Fabian currently works as an embedded software engineer for a small company in Northern Germany. He was working as a financial consultant when his fascination for technology led him back to school to study electrical engineering and digital systems. During his bachelors and master’s thesis he was able to get deep into the weeds of reverse engineering and secure code as part of the vulnerability analysis department at NXP. Whenever he isn’t sitting in front of a keyboard, he enjoys playing music and sports outdoors.

Matthias

Matthias has more than 25 years of experience in various industries, disciplines and roles in the world of IT. He now uses this experience as a freelance cybersecurity culture evangelist to support organizations on their way to becoming secure and resilient organisms. This has a lot to do with the agile mindset, where people take center stage - processes ensure smooth interaction and technology is seen as a tool, not an end in itself!

Apart from that, he likes to spend his time outdoors, preferably exploring new holiday destinations or cycling in the surrounding area.

Peddy

Peddy has been working with Unix systems since the early 1990s and set up and operated one of the first web servers in Germany. He was the first to introduce Hamburg teachers to the Internet and installed the first Linux servers in Hamburg schools. He did the same in a software company for private health insurance. Security during implementation, as well as training, was always an issue. At his current employer, a media company, security in the cloud environment is a top priority.

Garlef

Garlef’s day job has been fixing all kinds of IT problems for over a decade in various roles, companies and industries. His current day job includes looking at log files and asking unpleasant questions for money and coffee. He enjoys simple and reliable systems and has been loosely involved in various IT security related events in Germany for a number of years.