Maldev Testing Environment
When conducting Red Team operations, it is extremely important to develop a testing environment that simulates your client's environment both for endpoint, domain authentication, and inbound email threat protection.
Fortunately Microsoft have made Microsoft 365 open to all potential customers, and therefore we can set up an environment with a Windows on prem DC, Office 365 and Advanced Threat Protection (ATP).
While this clearly does not cover all use cases, it is a suitable testing environment for our purposes and if you are able to get additional EDR solutions, then you can install them in parallel on the endpoints.
If we take a look at Microsoft's service offering it is important to be aware that when you are developing malware and testing on a trial or even licensed consumer version of a Windows 10/11 operating system, or a developer VM that you have downloaded; you are not actually testing against Microsoft's enterprise grade of malware analysis.
While you may succesfully bypass Defender on a vanilla Windows VM, be aware that when you actually deploy this implant on a client that is paying for a more expensive version of MS ATP then you will find your payloads fail.
This chart shows what each level of Microsoft's level of threat protection offers:
As you can see in the table above, E3 and E5 are what are likely to be used by enterprise clients to ensure commerical threat protection if they have decided to utilise the Microsoft stack.
Therefore if you are developing your malware, it is prudent to test against either E3 or E5, and merely performing your testing (both inbound email and endpoint protection) on a Windows 10 VM without an enterprise license is going to end in failure.
This link here will allow you to deploy a full Microsoft 365 virtual lab on a free trial, to test both your implants and your inbound SMTP campaigns.
My post on implant development concerning Microsoft ATP here, and this Github repo relating to the ML involved in Microsoft's Exchange stack has done a lot of the heavy lifting for you to enable you, with confidence, to approach both implant development, and ensuring that your phishing emails are reaching their targets.