From ecb201d0f9f8a61ed53a9d92ad507e6f76b885c4 Mon Sep 17 00:00:00 2001 From: azotheblue Date: Wed, 11 Mar 2026 13:07:25 -0500 Subject: [PATCH 1/9] Authorization code Phishing --- reports/trr0000/azr/README.md | 245 ++++++++++++++++++++++++++++++++++ 1 file changed, 245 insertions(+) create mode 100644 reports/trr0000/azr/README.md diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md new file mode 100644 index 0000000..ca51ab3 --- /dev/null +++ b/reports/trr0000/azr/README.md 
@@ -0,0 +1,245 @@ +# TRR Template Title + +## Metadata + +| Key | Value | +| ------------ | ----------------- | +| ID | TRR0000 | +| External IDs | [T1528] | +| Tactics | Credential Access | +| Platforms | Azure | +| Contributors | Kyle Barboza | + + +## Technique Overview + + +OAuth authorization code phishing is a technique where an attacker abuses the OAuth authorization code flow to obtain authorization codes generated during a legitimate authentication process. In Microsoft Entra ID environments, an attacker can craft a malicious authorization request and distribute it through phishing or social engineering to convince a victim to initiate the OAuth authentication flow. After the victim successfully authenticates and grants consent, the identity provider issues an authorization code and redirects the user’s browser to the specified redirect URI. If the attacker obtains this authorization code before it is redeemed by the intended client application, they can exchange it at the token endpoint to obtain an access token representing the victim’s identity, allowing access to APIs and services such as Microsoft Graph or Azure Resource Manager depending on the granted permissions. + +## Technical Background + + +### OAuth + +OAuth is a foundational protocol used by modern identity platforms to enable **secure authorization between users and applications**. It allows a user to grant an application limited access to resources without sharing credentials directly with the application. + +Instead of providing a password, the identity provider authenticates the user and issues **tokens that represent the user’s authorized permissions**. These tokens can then be used by the application to access APIs on behalf of the user. 
+ +In Microsoft Entra ID environments, OAuth is commonly used to authorize applications to access services such as: + +- Microsoft Graph +- Azure Resource Manager +- Exchange Online +- SharePoint + +This model allows applications to access resources while authentication and authorization decisions remain centralized within the identity provider. + +--- + +### OAuth Authorization Code Flow + +One of the most common OAuth implementations is the **Authorization Code Flow**. This flow is designed for applications that can securely perform server-side communication with the identity provider. + +In this model, the client application redirects the user to the identity provider for authentication. After the user successfully authenticates and grants consent, the identity provider issues a temporary **authorization code**. The client application then exchanges this code for an **access token**. + +``` +User + │ + │ Authorization Request + ▼ +Authorization Endpoint + │ + │ generates + ▼ +Authorization Code + │ + │ redeemed + ▼ +Token Endpoint + │ + │ issues + ▼ +Access Token + │ + │ used to call + ▼ +API (Graph / Gmail / Slack) +``` + +The authorization code is designed to be **short-lived** and is intended to be redeemed only by the client application that initiated the request. + +--- + +### Authorization Endpoint + +The authorization flow begins when the client application directs the user’s browser to the identity provider’s **authorization endpoint**. 
+ +In Microsoft Entra ID, this endpoint typically appears as: + +``` +https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize +``` + +The authorization request contains several parameters that define the request: + +- `client_id` – identifies the requesting application +- `redirect_uri` – the location where the authorization code will be sent +- `response_type` – specifies the requested OAuth response (such as `code`) +- `scope` – defines the permissions being requested +- `state` – a client-provided value used to maintain request integrity + +An example authorization request may appear as follows: + +``` +https://login.microsoftonline.com/common/oauth2/v2.0/authorize +?client_id=9bc3ab49-b65d-410a-85ad-de819febfddc +&response_type=code +&redirect_uri=http://localhost:3000/ +&response_mode=query +&scope=https://management.azure.com/.default +&state=12345 +``` + +After the user authenticates and grants consent, the identity provider redirects the browser to the specified `redirect_uri`, including the authorization code as a parameter. + +--- + +### Redirect URI Behavior + +The **redirect URI** defines where the authorization server sends the authorization code after authentication. + +The authorization code is delivered through a browser redirect and typically appears in the query parameters of the redirected URL. + +Example: + +``` +https://application.example.com/callback?code=AUTHORIZATION_CODE +``` + +The client application is expected to receive this authorization code and immediately exchange it with the identity provider's token endpoint. + +In some cases, redirect URIs may reference local addresses such as: + +``` +http://localhost:3000/ +``` + +When the redirect URI points to a local host that is not actively running the client application, the OAuth authorization flow cannot complete normally. However, the identity provider may still generate the authorization code and include it in the redirected URL. 
+ +This behavior can expose the authorization code within the browser session prior to it being redeemed by a client application. + +--- + +### Token Exchange + +Once the client receives the authorization code, it sends a request to the identity provider’s **token endpoint** to exchange the code for an access token. + +In Microsoft Entra ID, the token endpoint typically appears as: + +``` +https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token +``` + +If the request is valid, the identity provider issues an **access token** representing the authenticated user and the permissions granted during the authorization request. + +The client application can then use this token to access APIs such as Microsoft Graph. + +--- + +### First-Party Applications + +Microsoft Entra ID includes a number of **first-party applications**, which are applications developed and maintained by Microsoft. + +These applications are often pre-registered and trusted within enterprise environments. As a result, authorization requests associated with these applications may appear more legitimate to users and administrators during OAuth authorization flows. + +Understanding the behavior of first-party applications is important when analyzing OAuth authorization patterns within Microsoft Entra ID environments. + + +## Procedures + +| ID | Title | Tactic | +| ------------- | ---------- | ----------------- | +| TRR0000.AZR.A | ConsentFix | Credential Access | + +### Procedure A: ConsentFix + +In this procedure, the attacker abuses the OAuth authorization code flow in Microsoft Entra ID by manipulating the authorization request and redirect behavior in order to obtain the authorization code generated during the authentication process. + +The attacker crafts an OAuth authorization request directed at the Microsoft identity platform authorization endpoint. 
This request contains parameters defining the client application, requested scopes, and the redirect URI where the authorization code will be returned. + +Example authorization request: + +``` +https://login.microsoftonline.com/common/oauth2/v2.0/authorize +?client_id=9bc3ab49-b65d-410a-85ad-de819febfddc +&response_type=code +&redirect_uri=http://localhost:3000/ +&response_mode=query +&scope=https://management.azure.com/.default +&state=12345 +``` + +The attacker then delivers this request to the victim through a phishing page or social engineering technique designed to encourage the victim to initiate the OAuth authentication process. + +When the victim follows the link, the Microsoft identity platform processes the request and prompts the user to authenticate. After successful authentication and consent, the identity provider generates an authorization code and redirects the browser to the specified redirect URI. + +Because the redirect URI references a local address such as `localhost`, the OAuth flow cannot complete normally. However, the redirect still occurs and the authorization code is included in the URL returned to the browser. + +Example redirect: + +``` +http://localhost:3000/?code=AUTHORIZATION_CODE +``` + +The attacker then obtains the authorization code from the victim and redeems it at the token endpoint. Once redeemed, the identity provider issues an access token representing the victim’s identity and the permissions granted during the authorization request. + +The attacker can then use this access token to access APIs such as Microsoft Graph or Azure Resource Manager depending on the scopes granted during the authorization process. 
+ +#### Detection Data Model + + +```mermaid +flowchart LR + U[User] + AR[OAuth Authorization Request] + AS[Microsoft Authorization Endpoint] + AC[Authorization Code] + TE[Token Endpoint] + AT[Access Token] + API[Azure API / Microsoft Graph] + + PX[Proxy Telemetry] + AZ[Entra Sign-In Logs] + + U --> AR + AR --> AS + AS --> AC + AC --> TE + TE --> AT + AT --> API + + AR -. observable in .-> PX + AT -. observable in .-> AZ +``` + +Detection opportunities for this technique are limited because much of the OAuth authorization flow occurs within trusted Microsoft identity infrastructure. One potential observation point is network or proxy telemetry capturing requests to the Microsoft authorization endpoint. Although these requests often appear legitimate, a notable indicator may be the presence of `localhost` within the `redirect_uri` parameter of the OAuth authorization request, which is uncommon for most production applications. + +This signal may be more meaningful when correlated with Microsoft Entra ID sign-in telemetry, such as events recorded in `NonInteractiveUserSignInLogs`. Following a suspicious authorization request, defenders may observe a token issuance or application sign-in event associated with the same application identifier present in the request. These events may originate from an unexpected IP address, device context, or location compared to the user’s normal authentication patterns, particularly if the authorization code is redeemed from a different environment than the one used during the initial authentication. 
+## Available Emulation Tests + +| ID | Link | +| ------------- | ---- | +| TRR0000.WIN.A | | + + +## References + +- [Push Security - ConsentFix](https://pushsecurity.com/blog/consentfix) + +- [NVISO - ConsentFix](https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/) + +- [RFC 6819](https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.5) + +- [Microsoft - OAuth Redirection](https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/) + +- [John Hammond - ConsentFix Video Walkthrough](https://www.youtube.com/watch?v=AAiiIY-Soak) \ No newline at end of file From 384846c729a5f34f8fad99fc2dc5d2eb8486493e Mon Sep 17 00:00:00 2001 From: azotheblue Date: Wed, 11 Mar 2026 13:21:14 -0500 Subject: [PATCH 2/9] Fix Title --- reports/trr0000/azr/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index ca51ab3..0b32c7a 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md @@ -1,4 +1,4 @@ -# TRR Template Title +# OAuth Authorization Code Phishing ## Metadata From 66768353c9ba08c174dfda7bfb69abbfefe17359 Mon Sep 17 00:00:00 2001 From: azotheblue Date: Mon, 23 Mar 2026 16:38:10 -0500 Subject: [PATCH 3/9] Multiple Review Fixes --- reports/trr0000/azr/README.md | 210 ++++++++++++------ .../azr/ddms/ddm_trr0000_consentfix.png | Bin 0 -> 59668 bytes 2 files changed, 143 insertions(+), 67 deletions(-) create mode 100644 reports/trr0000/azr/ddms/ddm_trr0000_consentfix.png diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index 0b32c7a..16d5943 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md 
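Review bot: the Procedures section of this new-file hunk skips the only step that is not automated: "The attacker then obtains the authorization code from the victim and redeems it at the token endpoint" does not say how the code gets from the victim's browser (a failed `localhost` page whose address bar carries `?code=`) to the attacker. That hand-off is also the user-facing moment defenders can train for, so spell it out. Three consistency fixes in the same hunk: the Available Emulation Tests row is `TRR0000.WIN.A` while the procedure table says `TRR0000.AZR.A` (and the Link cell is empty); the title is still `TRR Template Title` (patch 2/9 fixes this); and the example request's `client_id` (`9bc3ab49-b65d-410a-85ad-de819febfddc`) should be labelled with the application it belongs to, with a source, because the First-Party Applications section's argument rests on which app this is and a reader cannot verify it from the GUID alone.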
@@ -14,33 +14,59 @@ ## Technique Overview -OAuth authorization code phishing is a technique where an attacker abuses the OAuth authorization code flow to obtain authorization codes generated during a legitimate authentication process. In Microsoft Entra ID environments, an attacker can craft a malicious authorization request and distribute it through phishing or social engineering to convince a victim to initiate the OAuth authentication flow. After the victim successfully authenticates and grants consent, the identity provider issues an authorization code and redirects the user’s browser to the specified redirect URI. If the attacker obtains this authorization code before it is redeemed by the intended client application, they can exchange it at the token endpoint to obtain an access token representing the victim’s identity, allowing access to APIs and services such as Microsoft Graph or Azure Resource Manager depending on the granted permissions. +OAuth authorization code phishing is a technique where an attacker abuses the +OAuth authorization code flow to obtain authorization codes generated during a +legitimate authentication process. In Microsoft Entra ID environments, an +attacker can craft a malicious authorization request and distribute it through +phishing or social engineering to convince a victim to initiate the OAuth +authentication flow. + + +After the victim successfully authenticates and grants consent, the identity +provider issues an authorization code and redirects the user’s browser to the +specified redirect URI. If the attacker obtains this authorization code before +it is redeemed by the intended client application, they can exchange it at the +token endpoint to obtain an access token representing the victim’s identity, +allowing access to APIs and services such as Microsoft Graph or Azure Resource +Manager depending on the granted permissions. 
## Technical Background ### OAuth -OAuth is a foundational protocol used by modern identity platforms to enable **secure authorization between users and applications**. It allows a user to grant an application limited access to resources without sharing credentials directly with the application. +OAuth is a foundational protocol used by modern identity platforms to enable +**secure authorization between users and applications**. It allows a user to +grant an application limited access to resources without sharing credentials +directly with the application. -Instead of providing a password, the identity provider authenticates the user and issues **tokens that represent the user’s authorized permissions**. These tokens can then be used by the application to access APIs on behalf of the user. +Instead of providing a password, the identity provider authenticates the user +and issues **tokens that represent the user’s authorized permissions**. These +tokens can then be used by the application to access APIs on behalf of the user. -In Microsoft Entra ID environments, OAuth is commonly used to authorize applications to access services such as: +In Microsoft Entra ID environments, OAuth is commonly used to authorize +applications to access services such as: - Microsoft Graph - Azure Resource Manager - Exchange Online - SharePoint -This model allows applications to access resources while authentication and authorization decisions remain centralized within the identity provider. +This model allows applications to access resources while authentication and +authorization decisions remain centralized within the identity provider. --- ### OAuth Authorization Code Flow -One of the most common OAuth implementations is the **Authorization Code Flow**. This flow is designed for applications that can securely perform server-side communication with the identity provider. +One of the most common OAuth implementations is the **Authorization Code Flow**. 
+This flow is designed for applications that can securely perform server-side +communication with the identity provider. -In this model, the client application redirects the user to the identity provider for authentication. After the user successfully authenticates and grants consent, the identity provider issues a temporary **authorization code**. The client application then exchanges this code for an **access token**. +In this model, the client application redirects the user to the identity +provider for authentication. After the user successfully authenticates and +grants consent, the identity provider issues a temporary **authorization code**. +The client application then exchanges this code for an **access token**. ``` User @@ -66,13 +92,15 @@ Access Token API (Graph / Gmail / Slack) ``` -The authorization code is designed to be **short-lived** and is intended to be redeemed only by the client application that initiated the request. +The authorization code is designed to be **short-lived** and is intended to be +redeemed only by the client application that initiated the request. --- ### Authorization Endpoint -The authorization flow begins when the client application directs the user’s browser to the identity provider’s **authorization endpoint**. +The authorization flow begins when the client application directs the user’s +browser to the identity provider’s **authorization endpoint**. In Microsoft Entra ID, this endpoint typically appears as: 
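Review bot: the sentence at the end of this hunk, "intended to be redeemed only by the client application that initiated the request", should say what enforces that intent, because the report hinges on its weakness: the authorization server checks that the `redirect_uri` in the redemption matches the one from the authorization request and, for confidential clients, requires the client secret; a public client has no secret, so whoever holds the code can redeem it. One sentence here saves the Procedure section from explaining it later. Minor: the unchanged diagram line `API (Graph / Gmail / Slack)` sits oddly in a report whose Metadata lists Platforms as Azure; either keep the examples Microsoft-only or add that the flow is identical across identity providers.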
@@ -100,15 +128,19 @@ https://login.microsoftonline.com/common/oauth2/v2.0/authorize &state=12345 ``` -After the user authenticates and grants consent, the identity provider redirects the browser to the specified `redirect_uri`, including the authorization code as a parameter. +After the user authenticates and grants consent, the identity provider redirects +the browser to the specified `redirect_uri`, including the authorization code as +a parameter. --- ### Redirect URI Behavior -The **redirect URI** defines where the authorization server sends the authorization code after authentication. +The **redirect URI** defines where the authorization server sends the +authorization code after authentication. -The authorization code is delivered through a browser redirect and typically appears in the query parameters of the redirected URL. +The authorization code is delivered through a browser redirect and typically +appears in the query parameters of the redirected URL. Example: @@ -116,7 +148,8 @@ Example: https://application.example.com/callback?code=AUTHORIZATION_CODE ``` -The client application is expected to receive this authorization code and immediately exchange it with the identity provider's token endpoint. +The client application is expected to receive this authorization code and +immediately exchange it with the identity provider's token endpoint. In some cases, redirect URIs may reference local addresses such as: 
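Review bot: "In some cases, redirect URIs may reference local addresses such as:" (last lines of this hunk) leaves out the check that makes the technique possible: Entra only redirects to a `redirect_uri` that is registered on the application, so a `localhost` redirect works only for an application whose registration already includes it (typical for CLI and desktop tools). Stating that here ties this section to First-Party Applications and gives administrators something concrete to audit: which of their own app registrations permit loopback redirect URIs.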
@@ -124,15 +157,20 @@ In some cases, redirect URIs may reference local addresses such as: http://localhost:3000/ ``` -When the redirect URI points to a local host that is not actively running the client application, the OAuth authorization flow cannot complete normally. However, the identity provider may still generate the authorization code and include it in the redirected URL. +When the redirect URI points to a local host that is not actively running the +client application, the OAuth authorization flow cannot complete normally. +However, the identity provider may still generate the authorization code and +include it in the redirected URL. -This behavior can expose the authorization code within the browser session prior to it being redeemed by a client application. +This behavior can expose the authorization code within the browser session prior +to it being redeemed by a client application. --- ### Token Exchange -Once the client receives the authorization code, it sends a request to the identity provider’s **token endpoint** to exchange the code for an access token. +Once the client receives the authorization code, it sends a request to the +identity provider’s **token endpoint** to exchange the code for an access token. In Microsoft Entra ID, the token endpoint typically appears as: 
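Review bot: "the identity provider may still generate the authorization code and include it in the redirected URL" (first changed paragraph of this hunk) is stated as a possibility, but it is the normal behaviour: the authorization server never checks whether the redirect target is reachable, it issues the 302 and the browser follows it, so the code lands in the address bar whether or not anything listens on port 3000. Say so plainly. For the Token Exchange paragraph that opens at the end of the hunk, add the caveat that PKCE does not protect against this procedure: the party that crafted the authorization request also chose the `code_challenge`, so it holds the matching verifier. Without that line a reader may conclude that "require PKCE" is a mitigation.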
@@ -140,19 +178,39 @@ In Microsoft Entra ID, the token endpoint typically appears as: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token ``` -If the request is valid, the identity provider issues an **access token** representing the authenticated user and the permissions granted during the authorization request. +If the request is valid, the identity provider issues an **access token** +representing the authenticated user and the permissions granted during the +authorization request. -The client application can then use this token to access APIs such as Microsoft Graph. +The client application can then use this token to access APIs such as Microsoft +Graph. --- ### First-Party Applications -Microsoft Entra ID includes a number of **first-party applications**, which are applications developed and maintained by Microsoft. +Microsoft Entra ID includes a number of first-party applications, which are +applications developed and maintained by Microsoft. -These applications are often pre-registered and trusted within enterprise environments. As a result, authorization requests associated with these applications may appear more legitimate to users and administrators during OAuth authorization flows. +These applications are often pre-registered and inherently trusted within +enterprise environments. Because of this, they typically already have +established permissions and do not require the same user consent experience as +newly registered third-party applications. -Understanding the behavior of first-party applications is important when analyzing OAuth authorization patterns within Microsoft Entra ID environments. +In the context of this technique, first-party applications play a critical role +by removing the need for a traditional consent prompt. Instead of convincing a +user to approve a malicious application, an attacker can leverage an existing +trusted application and initiate the OAuth authorization flow directly. 
+ +As a result, the interaction appears legitimate, and the user is not presented +with a suspicious consent screen. This allows the attack to bypass the consent +phase entirely and focus on capturing the authorization code during the +authentication process. + +Understanding the behavior and trust model of first-party applications is +important when analyzing OAuth authorization patterns within Microsoft Entra ID +environments, as they can be leveraged to make malicious activity appear +indistinguishable from normal authentication flows. ## Procedures @@ -163,9 +221,14 @@ Understanding the behavior of first-party applications is important when analyzi ### Procedure A: ConsentFix -In this procedure, the attacker abuses the OAuth authorization code flow in Microsoft Entra ID by manipulating the authorization request and redirect behavior in order to obtain the authorization code generated during the authentication process. +In this procedure, the attacker abuses the OAuth authorization code flow by +manipulating the authorization request and redirect behavior in order to obtain +the authorization code generated during the authentication process. -The attacker crafts an OAuth authorization request directed at the Microsoft identity platform authorization endpoint. This request contains parameters defining the client application, requested scopes, and the redirect URI where the authorization code will be returned. +The attacker crafts an OAuth authorization request directed at the Microsoft +identity platform authorization endpoint. This request contains parameters +defining the client application, requested scopes, and the redirect URI where +the authorization code will be returned. Example authorization request: 
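Review bot: the First-Party Applications text added above now says the attack "bypass[es] the consent phase entirely" and that the user "is not presented with a suspicious consent screen", but the Technique Overview ("After the victim successfully authenticates and grants consent") and the Procedure A paragraph in this hunk ("Upon successful authentication and consent") still describe a consent step. Pick one: if the point is that an already-consented first-party app shows no prompt, change the other two passages to "authenticates (and, if prompted, consents)". Also, "do not require the same user consent experience" should name the condition it depends on (permissions already granted for the application in the tenant) rather than reading as if every first-party app never prompts.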
@@ -179,52 +242,61 @@ https://login.microsoftonline.com/common/oauth2/v2.0/authorize &state=12345 ``` -The attacker then delivers this request to the victim through a phishing page or social engineering technique designed to encourage the victim to initiate the OAuth authentication process. +The attacker then delivers this request to the victim through a phishing page or +other social engineering technique designed to encourage the victim to initiate +the OAuth authentication process. -When the victim follows the link, the Microsoft identity platform processes the request and prompts the user to authenticate. After successful authentication and consent, the identity provider generates an authorization code and redirects the browser to the specified redirect URI. +When the victim follows the link, the identity provider (IdP) processes the +authorization request and prompts the user to authenticate. Upon successful +authentication and consent, the IdP generates an authorization code and +redirects the browser to the specified redirect URI. -Because the redirect URI references a local address such as `localhost`, the OAuth flow cannot complete normally. However, the redirect still occurs and the authorization code is included in the URL returned to the browser. +The attacker intentionally specifies a redirect URI that points to a local or +unreachable destination (such as localhost). Because no legitimate client +application is available to receive and redeem the authorization code, the OAuth +flow cannot complete as intended. -Example redirect: +However, the redirect still occurs, and the authorization code is included in +the URL returned to the browser. -``` -http://localhost:3000/?code=AUTHORIZATION_CODE -``` +Example redirect: -The attacker then obtains the authorization code from the victim and redeems it at the token endpoint. 
Once redeemed, the identity provider issues an access token representing the victim’s identity and the permissions granted during the authorization request. +`http://localhost:3000/?code=AUTHORIZATION_CODE` -The attacker can then use this access token to access APIs such as Microsoft Graph or Azure Resource Manager depending on the scopes granted during the authorization process. +At this stage, the authorization code is exposed within the browser context. The +attacker then uses social engineering to convince the victim to copy and share +the URL or the authorization code itself, often under the pretense of +troubleshooting or completing the sign-in process. -#### Detection Data Model +Once the attacker obtains the authorization code, they redeem it at the token +endpoint of the IdP. The IdP validates the authorization code and, if valid, +issues an access token representing the victim’s identity and granted +permissions. +The attacker can then use this access token to access protected resources and +APIs, depending on the scopes granted during the authorization process. -```mermaid -flowchart LR - U[User] - AR[OAuth Authorization Request] - AS[Microsoft Authorization Endpoint] - AC[Authorization Code] - TE[Token Endpoint] - AT[Access Token] - API[Azure API / Microsoft Graph] - - PX[Proxy Telemetry] - AZ[Entra Sign-In Logs] - - U --> AR - AR --> AS - AS --> AC - AC --> TE - TE --> AT - AT --> API - - AR -. observable in .-> PX - AT -. observable in .-> AZ -``` +#### Detection Data Model -Detection opportunities for this technique are limited because much of the OAuth authorization flow occurs within trusted Microsoft identity infrastructure. One potential observation point is network or proxy telemetry capturing requests to the Microsoft authorization endpoint. 
Although these requests often appear legitimate, a notable indicator may be the presence of `localhost` within the `redirect_uri` parameter of the OAuth authorization request, which is uncommon for most production applications. +![DDM - Consent Fix](ddms/ddm_trr0000_consentfix.png) + +Detection opportunities for this technique are limited because much of the OAuth +authorization flow occurs within trusted Microsoft identity infrastructure. One +potential observation point is network or proxy telemetry capturing requests to +the Microsoft authorization endpoint. Although these requests often appear +legitimate, a notable indicator may be the presence of `localhost` within the +`redirect_uri` parameter of the OAuth authorization request, which is uncommon +for most production applications. + +This signal may be more meaningful when correlated with Microsoft Entra ID +sign-in telemetry, such as events recorded in `NonInteractiveUserSignInLogs`. +Following a suspicious authorization request, defenders may observe a token +issuance or application sign-in event associated with the same application +identifier present in the request. These events may originate from an unexpected +IP address, device context, or location compared to the user’s normal +authentication patterns, particularly if the authorization code is redeemed from +a different environment than the one used during the initial authentication. -This signal may be more meaningful when correlated with Microsoft Entra ID sign-in telemetry, such as events recorded in `NonInteractiveUserSignInLogs`. Following a suspicious authorization request, defenders may observe a token issuance or application sign-in event associated with the same application identifier present in the request. 
These events may originate from an unexpected IP address, device context, or location compared to the user’s normal authentication patterns, particularly if the authorization code is redeemed from a different environment than the one used during the initial authentication. ## Available Emulation Tests | ID | Link | @@ -234,12 +306,16 @@ This signal may be more meaningful when correlated with Microsoft Entra ID sign- ## References -- [Push Security - ConsentFix](https://pushsecurity.com/blog/consentfix) - -- [NVISO - ConsentFix](https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/) - -- [RFC 6819](https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.5) - -- [Microsoft - OAuth Redirection](https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/) - -- [John Hammond - ConsentFix Video Walkthrough](https://www.youtube.com/watch?v=AAiiIY-Soak) \ No newline at end of file +- [Push Security - ConsentFix][push-consentfix] +- [NVISO - ConsentFix][nviso-consentfix] +- [RFC 6819][rfc6819] +- [Microsoft - OAuth Redirection][microsoft-oauth] +- [John Hammond - ConsentFix Video Walkthrough][hammond-video] + +[push-consentfix]: https://pushsecurity.com/blog/consentfix +[nviso-consentfix]: + https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/ +[rfc6819]: https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.5 +[microsoft-oauth]: + https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/ +[hammond-video]: https://www.youtube.com/watch?v=AAiiIY-Soak \ No newline at end of file 
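Review bot: the detection paragraph in this hunk says proxy telemetry can reveal `localhost` in `redirect_uri`, but that parameter is in the query string of an HTTPS request to `login.microsoftonline.com`; a proxy sees it only with TLS inspection, or if a browser or endpoint agent logs full URLs. State that precondition, otherwise the one network detection the report offers depends silently on a control many environments lack. Smaller points: `NonInteractiveUserSignInLogs` is the diagnostic-settings category name, while the Log Analytics table is `AADNonInteractiveUserSignInLogs`, so say which is meant; and name the field to correlate on (`AppId`) so "the same application identifier present in the request" is actionable. The Mermaid DDM was replaced by `ddms/ddm_trr0000_consentfix.png` and the diffstat shows no text source kept alongside it; commit the Mermaid source too so the diagram stays reviewable in diffs. The emulation-tests row `TRR0000.WIN.A` from patch 1/9 still does not match `TRR0000.AZR.A`, and the file still ends without a trailing newline.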
diff --git a/reports/trr0000/azr/ddms/ddm_trr0000_consentfix.png b/reports/trr0000/azr/ddms/ddm_trr0000_consentfix.png new file mode 100644 index 0000000000000000000000000000000000000000..1de7d5a7601f4648b5667f330562dd1fc6b77f49 GIT binary patch literal 59668
z&9cTH#9w+UJo9Fh6!kOm|M~N%I#=k2^zkY6Jo!fU^>tl5Pm4UqOr-J61|{pY*+Qn% z*zOqFd~W7x!jzh{pahWUdggAVP!nE0p7I9?{Uw+nG5xsza>=E!@V35piJHuWIdT;iZ&qZ_1)jdjs zHDu%(rOJ?LN%iE=J$cm3o?IL=+@Oilbd}yh+;jQfVpx;0~X&J9Tb>WdlAi9}^}gM07L#tNU*&38#sLROzV z)6BAAiG>DLl5&R21l1NrehfKWw_BN(2m$q#YfRaTw(fX^R27lscrW1l+9ik|_tf&X z?Eb?AkOe1cX1?p$`h8#}z0Y9MbLcK%!E4 zk=dJ%-+!8+)^Q!4V%c;jV2N^4Nuan(G4d$(I(%pBRPS+O-q(J6Xy3Sqd{=-2d^;=S ztcXy(O0sh*c`8crbYwDV7#!*RwD%iRuf~^na*~Fmz#?0cxmQx?y4@0jq)jsHKqvy1 z0kQyR6%%~3l*gC0o%blodD>2ix@|aol9W|AT2TMg1+PhS%D|yPDM+pTJ_i+GHr5qOqJs@>otx;9NG9f%wW(P7K^D3c5 zH1zq-Z^Hghq6|Ne+Cz4H|D5JD>mRjUj@ma#a*P8ZupTs+B4~6tK9YTHhBWdt4#=!k z|6I+r4~Zf&S#FMNB*0&OVBe?1Z~t>%5iEtWF@DS)z3cqby>mrIi~HMHrz2GVb*)a3 zwu}XWJN@rh$tF5N2yyx%c1ObJxE(axX{12LC7`!LXZvgNu@asuUyV9wzH6TKtjrk$ z@L-k?Q3+Y;H>O&PH>NDyE4A3(wed1RjYSFIh)MkC?gz{;r3@Cz83O|Z^}|N^xKYEV zjOh<-%9}*QZjm;9@~=5gE^+CuUQPGVe?1TvMHC z7%J@#ydc*@$(uOBeQwv{>!n@Dg^Gw{hg=4S4s_Ef-wei0O?GGGWXK)G&=*b1Fun_C zjqQ2K`TBmIt~%@@gE9`eR8O(u^6Vp6 z273Ta2aOay3*hMK0($AFbt-^~+%@=~83^aU12Q(1O3DGVAHwxFv}OjkKt$G2M!wZw z5BrfycQ&fK%$ZS^!Oj5vx%)_s@eMocT4f|$h07+N4g<8Ety)FI0mjqg;_Ca*e!T+I z*tC5}0*wJ!MOyh^#Y_Or=&S*%v(}3TA!fZ|Nz=mI}^$99rb;ngeLz1k30?4lG} z^7=@BHmzsS7{-lGci;r4m;ZqNHLnR9#q3-81I>Af%gCczmOC^`<0e^5LW>VNWEV9%U zbNCwv^60Cktm2uv=m1)TIdnI)4P}sWltEf?RM|7tjPI`IR#uCvN5L6U^y0IUgdWQc zjuV9t)eo!gRtvD|(XB!DoW%1vV`I2}W{$pHW5FwVdK#xkSw%eO)Cn^_K+c(6y-)vP zS-tJ7fOil`O&^uw#k#!5tjcp%5inm{4VaQ>_&r!^LNrxs=w6y*=&Wn>sOjvAT#k7 z%C-YMdLORa2$0CS&6qlgQtJbmVleArWwxWt`dd>uydMTP)%}EAs=qaqFxUgR9ZP43 zZL29y@=G3=5M9ggsEGhE&nA|HC10>@i;YtwM4{0(Hi2Dr2qIcCM^>L-^`;m^+tV22 zZMLNN-3uvb)l}V6Dz6F$A?UHx%23*h zMU!%CxDTTake*;-0kT#xyZ~>U3`!cJ9%nSW6n;*(zb_xC4!rqxdzTFejxzoF2@2uS zI%PSLm^ekOlzG)-VkIRbv4$-2QC}JxMeCEYy^#xDhq)5DTWY>n3Hl5Dw!Ve2uHM9yUJvP%b=sYSs*RW(nEVlDd zC$y=QPnm(a#~mB}DFj7^jO~VGLfqmLAcuOAy;2p^qqKmXa@&eBfDFYEgF!I0%k|~V z4gU>oA62JuXXCp+$ypWQ(X?jy$-b;<8T@^h@1xS*6Cjj~p{ovpL81qN9>sQ5M8%a0 zFWrKxt)uH>WrA9ZGLVXsGc4{S%*skxbi>Q+%Bg%?&m(=^lAjm@$&uZHK#A0sezt80 
zR@F1dr(@C*Kc+VWGLl|HYQBWBP+2{2d?rYQv6w{9d?2}!DCrY>_KQD~?}>T({5-&R zF_*sR`m^T}(ONb1t7b}->>#1Z>#13_mtH&(W(oYko3~7ztHnx}#YNei;ep9MRN_kv z3gqVwaiFm3^f(r#aCVC=3rwdCb5Oq)xP8G5C9UQ4VYMqmHO`b&_eA5a{Jdw=Zl<}R za8*BdS4|1q)M(e=pSBxo)m>xtf~%yFzGUX(~LYL%; z#Si$_{UrxYGHKzl)G<%Sd})i776m7{~+MLnq z>og$dyG!|CqMQdUsF?PbEea2 zwxPuzQo}l-g#u;9S2J34duI~ih>Ym%@i2=;C4U;( zRwF&`P-fwWbOyq~vY)C1(A;`h)w(qz&-g@n(OsmWEZfd!ceB zWMYMfcGmV0(EW&0_I8B{DKRUi{aHA4a0^=#h7-z0ywO=HsGKlFUQK~bOulg!BW~{& z_R44-Vvlfry*Q<|>RRb>ejo~P*QT^Iw9D_H`>iqFBn{8Jxw25T7d{d(yec6*V4pal z;|8gx1sPa8`PGzTiJ|TbqK?;$F|3*DTbk0lk;Hwd45ureI0`1}?j<_;VKVuBAJORm zuizKSdgXc{&pt35`v8MO^dno25PC*;HoWr9k8qXu`BI0bE`#h2q%RFIkkMHQYN&2V ztc@*oc^RUuPf>m?QF7Gi3)Sw4@r67V)7GrOY|qAPpNwW3{>t**=fs`P*4Iv1bQ;Eq z+y}Y|Es}#51WWQ9jvN%wJfncaLR{TPwO|_gBr~`4#fG+M3f%t2WH=UnIwoELr-&N; zdP!4Po;H~{^ZM*vlwH)5uT;kFY>^QeTD7Iaen~@Toszph6TClR=K7 z|5(Ihor$(en+W~0-|LZ#qppkA>`*04ZDo)>@|lmW=h(m0ioRygj#BlmjJ(z?V3|KgLE= zSI?b=8wi7VGesbd4%S6`ujw z2cxN@JgA>TRw~8_Mue^1D&^=iLBvjT3x64*PgJ?-aad&$rAQOX)vx_b7F$&z{P`a3 z!q~zKo{U+yYg}39wcRhbq%JdIC@YkwEB^?xeU^(dm+*vzwD7U6oGy|q^5ux|XG}GP zB$BG8XDG9laJk36d@$i(l*f?esy=lBjCvp(gG@+}k;TrAdG9(^F(aW3N^Wdec9}Cg z=^<0Y@tlRHK{66T{YQtQ`B%5M59WFje!uPB+wlk#*0`9;`BURiLR!CF`GJD+tQLc- zp?Y(J%4EDa!@f;V_qaD?4~VDp;Z>2N6V)zyxX4j^A5DPslc=vCciP_dy1V{57T zoAjps#^M@h6GZPOhPVH25#aVB;Afn3FV|W+!vh6F#STJ;Y&}a8yY=LZs2s>EgYjbW z4mj`NM%?sbmAbgSoRUbl-eWmh?VHm(Ew%f5>q6b`A!N})s@#7lb%o_T8vLF|9$KdI zo-&mGargnEhtR7C&pV`b=7}HWvr%Pbp#$zQx{q_ud zzjX{{&+f6*+jLaXN9ULL_sf{(!vWR+5uQn0NZ9uqW%~IO1!2`aMp@_e4T0* z6Au7ZNf&kyKjzVI851&t#0wx)-+GYa$#N_Za{C0{f${#^Q*7MTE03&oCOIg;lYJLl zRsPAlY8ESr>T_~p9B@0mB_8qvg08{{@(14n@MU@Z@6Y3>q)JuzJg&!aU_o9K4 zTOk(E&ZC?x&w^!w#ifJwT(?O!M#Qd@&vI>fCUsF^?1^aq$b>~XXQng@`zFHX+cQ>e zAX$BMy)`Z0)a~DqV8H0U6~8>1O4~Fb1av%c0+a#{I#uToMJGuz&qN0;SLi%#L>(m4 zM%aRNdcM+ZrSE&`%dYrdJT`3>kXp8CN{v-7dA&?!nrI1k17u7;WxofNQKgcNl_iPM4f~VBqi+)w5nL_oTP`IGR6z;9RVi(*JpcK3W1cF11-u zlKxr$UNOv5+cKWAoMG!uP`@Gx0&G;8)VGN*Jxod4r)o)ToK)+K3<}c{rz0$|?BNu0 
zB_=X;WAAgVOQ1>iAy8v!IvT(Gy&20cH^FjS8AS?NCZj|4-{vaNIR+i|gaTan-1Vyn zS4irhceljqQGSBzdqxfO_LCv50CmLim?k5Fs$Y36hby7f;EaxIf);$!8)CokEj*?F z%N}wWS0;-_^RSWQ#AaLt%GD0s&(Mq#w;M0ysPz2%4>6veY*FJMb=hzHBauhNCMt^h zjq=_2J+`cwp4FxnzZW%a60OHsy+h7ME(JZGt*=4HS$Woq-denc0hx!hYVLkT`|8Su zLNt&mD*rZK!}T`UkMDCIy7#BSanpc$tU!MMB$v_7y{od<)}@pNYUTuv&2}0S4L(NI z8}&R7Yj@w&t$Ms;8tsKpP7HK>EtY$rC)>apTLm<{EzcM_PssgXm%a=?dQ=6JAarMq zeZA|g#m3C{9G1S1`yd6^XP?gHcGe337jD!~w0}{1_C4)>VofsiYAULTMBHO75* za;_rXt$-<^LHqMCMvQ*T$KCmg37L7qv(jS%+WNtVy6U}!w~!Lk!=bUr1wo=>UMuWv z#wQu&Z!&q=>D2Yu$r-GYM)W1tVP{)gauPs?gr8hQVpYg8wvV5*~?Hti5*HH!jqaZUl zEO+$=;7DPkZrOaY&!qZ(y?PO}IoJNj&x zW5wp87w`OgJyfaHJI}#x{o!XRe+XAu*c{$XPSD|(;i0LCJO!m$CV44;iA;+`b}5__ zT*%P;R%RoUp!*>KP`+oXHPObA7+7#dY&@6lX_z?-B2#@Kx9E<@x_56q+-g_v^E6AW z#H3_lLIig$z$%jk^U6*tK2$+MA=mxWuDLsU9r#jYC4r*`myHGn7c~C!4k4Dj#%{|D6_stkNofR zKpBZAZy&zDyS*s7*f<#gAZ%vo8$w4I3H|ik{pIxyD`J@BVzKM;EUr z&|t?!l>(br5{vF@#QM=e!u49>rZ-auo*GZHIIM({9pW4R#?VS90vUdhBnHk4ITQjT z&g5OI>2wbyV~2J4C>e;WhdL3^WkZS`dO}?k*}3lPHOi)g^%ybTD`kAolOIxtb?(qW5r zcPmjk+O@{0P7x{P->Yu}=TXjRiH+1DKM-q7@udK8l zT#(QT#>Iwa{%|XYX4Rwag~d&!`n!6$9Y57A3fCc@=#{{fbf5W}yrv|~rrDgSNw_4~ z-g4CIe;V(m{M*BQS!t{<`h1UEJ;YEgmG7x3qeL`v9DDI(m^bH-v}2C6s%}g)GO6BY zB>S{(RIeh+#%A2&Rjv0|Nqw9{U!cLE$KbH>5&XRQP|UMjI%{32(KgJu<#HlHKdk`= z+}H4g(+!UbA+TVS?RBD9PZQ*Ug%tk5EUF(0xjmsD743`QD&Ij$7D#a^?gWZ0bkN^l zuB++5z;9^kqk>j1>f5)@h_ZZa%49^P>5}eI(Kk{3?rs9f{PJN5DP{e{9iR+x;zph3{OhKkL?(dyWpt|_gI-a&B#oh<2owq9bD1JMu` z4sBJ27-poSDHB1CXC)uBE3p>~68BN;OeGyjw;Ri{8#cCLTcD^PGhLv<{pfw~)hDS) z+PFxW%(l3qRRe2k)eA9Q-U(F}Suxd(hRlC2EetZKC>kLL zBwHSzrCDWzl9f&hQW8&DvzJSh8HS%N2u8S-b&#rqifhUJgO3I_XsfH%3Fk zcq9ykm+S`*Rcmgo?3bzsn|Q}~B->i_V01)yvH1*`FU;58Fn5pMF`guf> z{gz5GQx~s$kS;^}pW{T#mJPQuMfUSQz|GD=hWFb2l`R4sn=f+usC3x55w2{RU-J}V zU4P``<~yc>L@aa5_%&nB6u(b@D(BZ6a`=J`it^6>6-yFxK0S0N=~+YlU)Bu!m#!7n8qG#EF`;+5;(>Ke&XW|s@t`dDsi;o0lE zr@K?2LLoUSkN1wGJ)C06JSW2p!<5zSd>%Nfi;+Mi;$2&7;bAnb1$H3Q2a@F!wz!BqVxtm1_i!`>^vV^d<6+ 
z6q^De49RX#T5kvX!weic?{#So{%$L3&nM;)Xkd*yB<_o4%rRGptwAWrm=zi%!b$N% z$q*M4@`UD=2)_A|>jUbMO+P|H+`3#%cSHN}QHY* zR3;p%$u0iK;RGP(iVA2Gi;^8CDF>(4^->}~GbAVQAXjOBNQD>+92&6$W zufWn#zCa%kXghv1$L4GCa>S8&#XL+e?|8r}@?s%jw?eO(tHf|_$tk2v9-kT5xZZ4g zw>FZAb}(7k!s%=65Np^AWA11bGEo)@VLPBNRq5R+*UR+Be5NBEX2O>NV}Cdk2s&G1 zx%IcZQjPT>Qb1ScbEL;ca;y0+zpY-=$n8bACmz z;t)+ek`_HtYU1z9+N$)G{b>Aaz=l2h?O@d(nB@G?Fzb&kM0~7=Vi?LvX;gexs6{j) zV!p~BiuO**A-QeFZN`h&Nq5V~tpW!YUb%aY;Vs!@o(6+hVMNDzM`6greVc|3`{5(mLIIY$4 z#SSlU)gn58xUFT3<5%X0+5C-y4riErI{VtLX>NwK!wW)LeK$m8c${-*NT_1V4$G#4 zKB+2eGNDx#?z(Pi;v3U&)}ZUjOH-m@VM9*zUxB%6@!8h3(mrwkAP+A(5>T6EPTlu3 zJ*QP;f9nz@zhsrA?!G7x`nOA_)nEU2mF+y`5YQlo?1K8;vX`V)ozsL*5#N1?uAwe3 zr!IfyGNfOPxH^61S?A@^nSChK^rHZ2prBbfUf^@%RUY`ITWAPar8(=i)enJ z13PDnA^Vg`Dzy9l88ixXWllj>QaG^L!dzOi`wZucBxOLQr+BzGw#zTr*=b{>%N%&Z z@r8S~8(0SB?5xdY;j1;cN|aL1>oWrl*3gh{_ILl7B3U)TqJ{@0v+=<-&6B6oI><;U zQ}AlPMJkDSJQ}s(X?qo34NE0cY15@8tfb&L(|i4QGu1bppGw=mp&qYYUjoC)?Xf*e z&)p3A2a=n0f<6r+>O^6ol8Mh+PlYJyG?wuYoY?l6aL0FV;0UEC9COf`z*vXmO4GbQ7DBf8Yh=H^%DzC!tB4NUlTbkLUj$pKkpabMRpxFk|kK#EB`cFTTTV` zLcnCH6l;7N1QdBU6itMufmT=EGr63D+fG~eOyZ;0ZTUv;w_K%srZ@Z79#xR_&tJ;3 zZ++=VMY+hed3Dfqw&o40r~GGh&jEGl^z{PAvD`-$MEJPSl=8>c{;Wvvww{w3l|A?b zq<)OmI+=*wG3K1dKo8m6g~x?cf8rP`Zu}KCGQcZZV-e0@&&4X>_;i$4GI3qPOpRkh z3m;_Y)-*JrKihgRiWKK((XXD6mvXK$bBkgoFf;`7SQ%r11wK%xiP)*IDALD3!mEfl zv*80FtBD{}BDRxv_rR|ZJu#B*4&>^@MWjSk=CG5!dv?9g*|gm)vN{*QnS5;4JjiN+ zQ)xdZ4t@4wCEw+rLu}jOnlUWaCmd>f;P+9eZ?v$&^02(rm37IfRZZj=@X2DZ`LBzo z0Tb-v(2Dsd$Vht3DAWt=6%+r0T3?F=i|X5C*mznRakK|YSo~TmZe9xCzK=t}# z*|6wMID7WvWz`1Yk8wOQtnu2ymKfWl-3@ERI&U4%R@O5Tf2Si^i->wJBqo#Fg_Kyn zlT({N1@6B*S#}r5CA`a$L*ovC=B#d|k5w=|llp`DFHN`4 z*lImyz6`3mt$1lzKMsnk$EB|G8zIFXjl<_1y#8LfffVnZ|KKESJMJCp#m|sB369#d zg?~wW{x`4)WI#nd__{#U(`rro!w}b^MBW%kYVCJpw4=yvvCQ^ha=}~K0dx&|8@QnbU$z?s_vjQusT_FbU$S)PM?~NG{=b7HB255}s5lj6xS@%lPzitd%LuF`dx?+e-r+`JxkBRD`O*MM& z%4&n|?p=LWv#~>6Gay3;YzXT-?nx+jXJ$j-9<;jy+_<6}ky^7Q#s?(_N-TtSW&&t@ zO6{)&y=zXZMaFfzy`-!jUF6w{em@F@arY8GU0wnFpnEZYH)G?GtvNYQ9Po!fXsmV4 
zn*jDq$7oI?2bIn0maN2im0vdy(P_jDnkXdzHS&JZ9DxO%q0fN_pV0&wv(x#Y0S;qN zn}+=F*vmEl2XSv5(AC=Q`zn&6v>;N_C831Wj}S=(BqbE-l1`Bjl#=c)rMp2u5kWeo zB$aLu0g(_rW8zwSueIOzz31KgoO|zoYvKIOc;++5Gsbwv_mBWDTaAN@RFg=#Mc1-)BYE>nGW2);w_2K-A(`eWAS=Zk*~-bAI9$8s9ojO zt4MmuI9N+O?XyK`7+u573Q6S4^3@sLXP#}oJi$$|gyS@Ze|BJ$$NLeHS+hTm6KjT2 zviy2WV}w20SMD%TGs(u{T*>=r$NkJ6UDJDha-YcF?n_B{j{DM@OFr05h~^>PFmL-2 zb(JNj2g*yVa2Dpy_-`}xr#hq0R#JqAQATKf67OhqLk1kvLVff8#+XpdjfuvFCK1ak zWfv^Ngr4&oR!2Zo#2h_tujZ!V7J4bsQ&grbV5m>=ZL`2p2zTM<$EDFbTFJsyXo_^b zQCI~_qSLao{+yoT3r_>AI3dsLpsOM5OBLY)dycqbpH#jF^Yq#lpe;XZh&)UV8>9*4 zrS?L4joP8kfb~azm()jSt6*#uXE6WpBLeqzQT3z>=i49lf7U^D4{O~d%PY2b>Q9i5 z`Q>hnflEO?cezC|GCVnKfQw>^`Jm%!ZIbV{Cm!U(%|9Qdg>iQev$A{HrrTb>{RXqp zqE(E5Q$wHdRPSz#hIXFrP6J!e@~ji3%CBCPQ}_5&uJ?9k!AEtqsF#aDz;<+>yC?YO ze$_KvV(Yu|fi<5!-SpFP7M-Mm7E3WkIHl4mzxg@y7D^1C-V_h9z;aY%P@7Qgd!g#n{oe$@Ud$sXQ1;9WB*++ z#3pObalKywk?D~VThh93(Z|=gdv~vYf^9g}zszgDEf$&MEX}+5EsTUG%d}i` z^|+O>Xxf2K0C%DA+d|^Boo;Q~wdov%J^w7DQ=ID^_)l08k*qw8yC7N4F96UOz62Nwyg~#4EKwRiICK2pknd0w7#w9+zf7`;R5mdmW6j+%UVc@ zs||6!)EQhokLPit8dV@#D~a($Dzfjam|?KPGKJyf#y~W!aFEkh(M3b_Cz!v4qwN^1 zy2a~Dl@6Jq$i&_-d-s;xjW?p2S?#NLH#4=MiOmP&9D4PQSuE^5vP{(R{P}L?+#?%G z6)q#5gUC+!(hm#{pvso>QKNbD@uwda+aWgYlEtsL>v>+~R&UueGNnt^pqhSyKoIfj>F+mVf2{5n=uF{c7W_9Djzel{5d)2=kB z+~Qb>rRsb88I1@ zyk%UI2FuK+*ZZt~^;2ASmtL4wb2WYTqJIcOp_HOBN%RN`ps@??*-g$hDkV!<=G~we zr=w@TwGt&xX?k%1-MT*G^ZVz#_h^3PdR-9+F+YOs0d;K4`_1_!&_AdZ?rXP$xkx_b zaoT^VV(hjCuJK^V`?ueUY;Z!UJO$;(%L2`xo#(e@PYu4>yXHT*+V$XPIntCCdB55h zYxDI^FR>?~+_-62p}oPJJ>~8B3N8}%n9=6IqwcTehTM->yrrqos9XBGtb-$v+)26g z)50Hz+j&YJ^2_vI)ls#aBK}$P&~>fWZ}C@KIozk|gkNu!@ZklKj%M^+q`!x2f26Jw7vo`h z7}osm;#{#ZnWo<9+U1u)KINIzGMv*|&zm|)TNe%7fvDnag_Nne=&-^T4u{Z9$C;J< z<*#R#OH4)6KJek!bT*?OJ%&`nq;AWQDI-BI*$;}$hZq|AcJ&YTB-905ZAE4Xct7Yt z7mPpvwfmOD%yT8zq&Yo|1_wssd-cA zXNL1;s#fY44zrquc$hN#Uh;<8+%Na{o`2>7iinqeP&F)7;|@Wm+-hrK({misbN{ii z_Lsd-cGJE>#TgB;J>{c;xQ6*n%bC1Yfrxffo3h6|3y(v44r;$e3)|-QRnb_n%-x_~ z8kutW%rP1Iz6DjoWOug*>O0m^Qjz@Vd+u|O!`FJhczkhtYIxQk4VUtfJfl+}vdj=% 
zFds|(dS)J~_6N$sePeDHve4nvoGFMRVkUAe^GcyG^w}%hX5d=W3=~YtZ7cE}WoECq z=mNz@O_=kPc91&2aXpk>C3Ou(HYeN4pV>ZvB;0LEJpt=|EMq6ag3v8C(<6g07E#Lm zaHyEQI}b?*$L}{y*51#;RzM!P^o^v2Se@R7{=|V_p&;RbApSzb(dHVZYFR_OVY5hV zUD5H%g`OB3(;SM6RJ==4w>qr3fq%itT`SoAZBk~BI;7wE;X;FHlUzC zghFk9b%q5>|FvgAQhxC$C1Wgc{Vx+4ZZpd>w>lWLAMvybEcHM)ENx-@jjLCTZ#O|> z1kF48cFe^dk)lw1It}$H*mT?^43c|m+0_0B>6qmm;Bqp5cIFv=S*Fpz^sI- z@Y3jL{H#nW-S65?JM+-a6_FQ&RB;s8e^3;BQGOXJGUBkHBEzS_DfkqW6_B3>YC@-x zI%odgJ;4|?$;+@={H^hq$giW~Gor+LD@2DQSJ9wh%n1FY5<|V#?ClfL>sjF)3RSDc z((snnf_}OF{C*$HovCqvQE01`jb+n*npW+~Ic}5A6wb*@Eqs@QaDIONb@W6sb51*0 zCr*>(-Oom3W4MOu9R5&KtrV(Ql}yVhq7q-@PT90Khc;5+)bVLnhLMt_FtbyaxI95j z33GmrMI+@-Nv;=CUn1t{Q+!P;CTQ>dk^_Cs8snwL(|r0(=rgf`d-c?t&TlgBS5!X> zmZKRn9O>{;LepWMPBvH|tx0A2wzC^CWc5w63qrFG-`~7u^o|jiyBC&1ds1)ID?7}W zfs`fbq+;V~yq<<|?$@iUKO-LKYEx(SP;L3PaosUKM}d?k&9?HkIH{+kBGpM8a-DIJ zSD7r@TH_rhTTC$Z`!M$A=0sgANrVmX@T9vy#J z!ZCO|YAQAM9wF&j+c;d8d83+#GcS{3l*A4?lzdunnNuIVbcduMxf$<%uc@%x@mBhk zJu&KTMSS<4J43vjL(GcF@r%R+2jL#cnM(m_a`Qsqe(X}Q~D{-UpY#3vPCM~tiagvbN=Dqt${Jn$TA^gEmk z`lO)9+K>#3wd+jke$%v((8-WwTLgVb{c-#esbHkzv2(k;RiHZ(8YMt+xmrY=hwA2d zDbAcjA1dzXIrR^G&n4l{&v%EkHIRZl?X@>cI&SbnC(e5HiE@f+YNs93=QBG{FV6KD8&LB4u`UR(EX$%C=clqor#r ze1~rr>dkJ(XL=1QS<3eco~t?fdYNrjPEcm=;Kex^($F*fs6Nci_?cLV24aDwbOjm~Q?iR*&4u-0`uOInL&0uFJ*jqP+ z8D};(rf3cI6+6G=aD}{5nW#X{OfQ#F*Px7mb-_viUUDdr|ImYqGn4K+J!6@z!r-bw z$s!d&UXtG~RN}=7k#SCc72Uyququw>qHE%U6tS^6tWz&fAOm_vb-kGNq!_Z^WYF3C zWR6`3=n*|IPV%4=6ugDGboZv>s6g!;16RkF7Q>UlvFpX??LY=+`p&pIH5zil&OsTP zk4Vv^23`+DAS<-&xuo|Ul_mCkNwsAa#f}|oH>&rkj3!lDsD; z7Hr3PP1CB~dre`lRtVD3Q}^)@s_siA4b!r!59T>3i%@R)^!9p+f{xIV6K{PZM9~DM4k_d2Uqk+z^-}aeFuf>SflURg|TbvJ@Kb?nnQ_oZjT#xl}UNNQR);> zNpo&Jw=3bXEqnp$s+k^;yIH$3q58d{zFNM}2Q_CjYmhjsDDq8&pPdqOa&Z@NUd!<_ z4Ah5ho*e1S?8N2dRy+>u+XsLwYQqmp!%mo{X01#m@Pb+u8riyeGrtU+7V}djD#NAs zv|rRI;e|x5H32%P_?B}!yd;ult2NY--I1v{f|n;LdfZQQEut55lTt71!9b{J`GVX; zX0qXcjf%}H(a7!feL3o5_Cz zXr-(1sEPw}fVrP-O+B^?yKfFqE-fgvh>g8>h0 zO7C})KjT_|Otw*FG>aSgv+Us^ZO_Fb%&H{~9C_n)^7_VJTTQ&{?4ptf-Se5@69Q)b 
zMa*esl}iqkZVHDB4#~{dm8BaS^3q1dj{6^=j0!wm4bh+bhA(xe-)YWQ+{IJ;nc06aN+@^qoJWe&2w`tWltOpQ&mO36Z7R|f zxgXZ2m!#f-RM%VN1*2+2qNtbCQ&G%#tl5I0H4OLcS}w?`g;_BX=zm$s?wNI5vqgGb zZY=srw#9ots0$$%u=no4!1`o}sn5z#WUoo0WVzJWUQ0sO}utH;Oc#Hbo^xUQits zB2&0`Q9rHOBh>J-)=>`4;haqHd)A5S=lFOe@a!g~iPWpaTk%ryBQ{eHv#64lkftBJ zz!3#WXbup+{#IU-~ykMEm|QWWa2;%u05o?sl43@wZm0{o$|AGt}m zVW^-q64KoD@B4)8<_g#>w$1&5GJ8%j*ZR3oVIOrh5sxp>D56+C;Ta5fKj`dT=OB)B z4!QK^<7S1HDmg_t$sV%`Ur*I;B*rdxy~LFUkSm(t`MkaJ;a*HiiBW?Adgmww<^#&Iol;6SqdDcy zsK$~6xn%kkxhSTNF0Qv%DCMHk&^2z`83cqdyN($Om{b=o3&7p(uKn$9Ij+ayMrc>Z zP$dYpo?BlFpWk`gxWrqnB=}2s)V-SWh#|y~>_}1c8MJLCw>C7Z`wZDI@am8)mg0}Q z{q6SnYObJh`+M}i{Yy(4zi!p*N!P^$8AZ_pqwkp_p3C}~HQk=)-_9gUy+7o@Af3)#iU)VV$v5H}OL9u|# zeFj&}#tn#C&%9An=*Ee`Fi(Jc^))|Hhx9bG?JbK9D~!;7ds^i9=KRVU6!P4jyJU{< zjqTw0)Ows={7Wzz&uA7;V5ve^U_fd98LSIOBeoBv2bjs&t2p-$?B~(^9;`$i_E3`3 z*YZ6NdTA-EA#s)T;GV!$%sKlqwQNH+q{oxuW`8)$0KK^C065WO)~9b~d2^eRF%wLs zB!HTgl=F242f$e7J=hbKh0v(!4ZV4-28N{;<_J3BD6OTlW3D1@&i1rFSAp6==(K|X z#po~EBl=cbj|DE%`iAkU->s`tvbPM-p_R1q3N*G3$_k>>Aswx(rj4IAE|`?wGQFsu z6dOaX1rVb72pMWZN=YPlRr*z+AWjn{_49kfcT~+63lw?q)pCGu;pmu7LM2mVw=wMC zU(m4o1>Bo(t|tdwO&i0zeZD-$6)_m0R}62z*}TPmYrgv&f((RObU_61Wj+i~a+`jE zAb=aNV6Erlon#}v{(5w)2|}c}o8Ly6PFjS=8Kg_j%|X{NhkNQ|llP7}B+V7L3^c#K z^Tj4(C_Ami!3Vr^eH{C0_gA7?5UUs=|?kGyDPf8Q+T1Vepd{|7;)UaFU(7m;zt85A0<{iPN<1v#Umy zJJZm2qf#n$QaNe*pfy|PaCiTT(E>|NkMRaSdHh6*%xIs9Xoj8c%*`h1DEo1}ol((+ z*8Se1%;dw}cN|48JXAGwbDz*&fL7>Ck=n=QreXJetdtb%-jqG70uYjgiLU%;4?J zUq~qL;QTe?ve zfGLCa_H_jgJ$s&6GqE_H*biIUH2dwSz08Bz1yZqC(x`0eqX+_Kq@bH0ANW1shgEgba5_pZFVgcrabq=Mf@IUiybmv@s+fO;en%%39cb6TX@NMs4CZi|onWSL5PWXL87zLvLKwU7K z(=n(4UR)?cTFSY;C8p|*CBd{0mR|M!H*n?lct~|jEADx=EYYDak?sXf4PY&}TNCHt zkDF{HxwpixA;G>3T}LsXGU-e zm^c0br*O#cD=v2x01<;IxK(qFuu^q!$~eq0q@a=ffGLnykLrkTy2s%&tAkrf2X&IdJ+#Bs>!6>Hfx!s zIBm4VE)JuHdIAJt5**X?y~GD?ZsxYCr1#AtC=%uQc9t;YueT=eYb zS-m&Bs6RG#FfjcgZ=b>)67khNgy?>o(vY#oFStuE#QmkQ<^?bc>!k zCETVgk2ubHVPy{(cG{x_2>0K13WsSQOKZB-YoU0k~YzU9Bp 
zj9yI|+ji|0aF^aDPc3R&G9U3gC|uwnlgYg*4SNYfT2GF@nQx-)_2@q9SbB9;`lA0Y zih0|Z@m*5=jg^-Q2D{_j)Xms)x=A+1i^RyEu03^*yNvv4Gf@E}tB6qrfqQ6g@V@0d z4OkJosaEY#5pU!%cPSlYQzRsaUdeoaiYvmbp_18#hM@f<;{MKwDZ0;ID=>q`pb>;? zreR`x`i3AG#l79|IG@a5d$g6z;JSPJ;c4it@}0HZhfrEfOBvxSL@CGYBrxE24UJ6W z%5|nRafDqn#F!?!9Q4}c3=ncEzdI5}n_r_j9YzbF!4mV=8ZTWOX>g+liISKIl+es? zMB;5wQg{H-fZ?I(m1k{x7lRC|gFR)Vlmuxf#Ei#&ve5T);y~qMnc;eZXQXTRXETIw zUHqOBS#%4f3bEBYLH^7VXk+3Jd5AzD5R6eYkKV7{vj95c2?fv* zugW>^6aG;kdHNGKKrE@E0o*A;I*^t?{{#hiX7>aID1W(02-dHw=ybs!PS>%RcvZ$V z1OW+f<^8`VGL4W$9QHkDL6`8k3RyGX-Op_)@C(+b*lU%A0oX1{!PKbnsc%gqgg>yQ zF8AVVq}UQ%xLP88ctV?MT4P!af7yidn(=fWsS=&+z~d{ir!4g;cUS+;$}-z{jSh$| zXs7=R@GHdWMHQf`0DyG}0Ic#}#(D>%6Vz3TYF@(-@WC$U{p-X3!poAvALd`^#Q!NqrRot{JM;D`{Sa--62mPguL;%qvg?4bQoP$!qBFB4o=Q}T?tE0i^G4& zu)1jl#vj?*_ym~--Xh>dAs|v4h-m>)nZ$7FR(y7kKHd>;##2J;oy%%>Dii4t1SrO6 z#CqKrnoYb^fTdI7ffgp*_=%`j#(7U?rKAvY+70ADohSt&FUH%0i{Qg0 zzKFPSat+hp*YGE5|K^JK=Vc`6eNTXNz5fm1TJTf4$xCf)EYv1VdxZKm$;1_D^RTnC z78p6KhDGHVzSYkTiQXhCUy*jU4xZLmZvvvOb&k=;#AsIXnWVoSSuKD)w1Fz9`qizb zIb>r)2H?rb&B=23lUxWZwV@fC)?E+voc6}5d)0732Iy`*yVwq+rscdsvgt8r00DRi z-Xb*8ouvm%orw@25O}nXNjR)LuEW3S0cY^vg$`Z`8DR=P+5rsSe~VT4H@>0rGzI?h z3t{T~=BuQLZ#)J#mp3no6$K<7X`Zdw`+A16mxUVr{j-vG`mJzw>YtKY1M&XE5Yt#8 z=s9dB+dCY9mwRe>C9j#fa5rjbhP7GbCOcFCO{@|kPksh@^6Z-coBYX0=P$n)mhrAHPDW zg_XL5?|N;~j`f5d{EuXhxJBO`maDm_IBXZQj~0EB2_%WCC^t^W$Lec^9D6@T4L|sb zHo5bplES+U21`D&kBjiAm~zz9M%*lvaB|;!8y0K z4qF*d2U+Y=mEQ*R2cteZ$kGmSZA?6a>5uw8sfv_8!t`InZnQ0Vvv-!F`O>0(Lv|4D zDV>WsfRN2$(GG;D+^1x$^+K8HVBwD#tDL<_!eO=dslwO3t6-_SabB<~>K#sf7-4?( zEi(uxF z$S?T*`N`)3*rQ~Ba3G)9#^DVW>9K`|mh_# znvJTYPNHul64b;jLX7~`B#3tU1lSs1d{jdQz}CytWq6&uTIWuOAr`L1aq8_GuyChO zhdBYU!~pxziLK0D`?-PPS9%WnQQ@=lRHbV3rzd#VabD*>yfXl%Cf@y*pxD2FWvgVD zHD5kRmWS@ktkCd6gO`OG)77tye&wFQ6A(vQy!54r3sNkqR*XaeKHHAm*u86ElB<|H zI|6`kA2Utk06Kz6;)tvvpskwIFTmOeOlmzez^9FKAfAz*^d&k3%^QNCd3Bkk-0ay+~P1c0F8HbV#W+E`+@++`a+Se1&x5Nhv>2tR~fB|#5=0RZYd1g%!7^FJo? 
zX82;WM+Cm2+Jv3xs(NFtvG314vbF3a%c?U6Y6DL8^wsx$DMmJ;Mm6znB`q;27K zuD1E~b`uKjIEa}QE5{ByB@z7dYSTa9pLvN^n(IoRYH>Tk#}32Wfe!2#$BX|P6g96( z+$n^cjVuxCi&5DJ*~ddfu!1ZF17aWESRJ|^MnyUi@N{4b7$LF0&^aJqn@iW+6xuzF zK&s>ak#C(CjG%an7bqRNX(t~q5$&CqAwCke!~MirzfQOQ-KfI<^{bXJRQ4n6yW0#R zhl23Q-=A9lc}F03?~|L&3!AemZcvP{%P-0NHW)!@do;t-I*W`2NUn-bwBP{?g_@?_ z5bHDS)A5$vkFch|Lc|O%3;)-}I2iF5LVHp~VBF`27q-v0Kf-zQs(8O>Qz zal_!kSF?dPo$yW$%S=5|~!G zABCKknFwzHA`b#3R7l2Uzirt7Q zUAlc1#O5f^$nn^kwbcV?J{qbXyhc))U^CKI!_68^+bt20^Y63(K5y2-pEsN|?!a-) zX?r+zt#QRtId8AKL1|f(!d7jjR6biF`E|cU%sjJ|-Kh^WcsZYsH(lf$Tz;%5Jz4#6 zbtsE#ybkRswz8wRb+)=GQ%omohHQ?+0fm`m=lf?aK%iFNpQMRe@3W^3;MxHh=<}RT zGck`)<`h$@cSKkGHm0PeV#fzfX6$s>j13Jb?kBIi#lts?4FUt)_T;Lc0Hn<-c*y~M z{Pk04t;fC2ZvzkeLU`a(Hh~w8r5-Qi#}+;8TXFqBSr7+s>4j7GU+_4_nOM9hME-gH zTJ~#bi&wSh9l=5NX)_Ho*d6^gF|U0?(VmI|3Wbbb^!#~heeAAxnbblc!;~HbDhE|C z>UBZ0ysGq}jb5mdg1vP!wQU6u3#cNo>I*3jm%n*j9C8mH=+brT7%dt^znRS$JRmSJ*lj|O8o)#TnVa!n3NHjxxLC;|zuw`SB0u?cMgc6j1MMVk z)NzaFrNN>i4|*Gsb5J{npsO#jHm4>z$*{kl-i&CzLGQtq;j zbzGCuu0`|LJBaFr9HYcPDq*ZY8W4KHUpB+3a~OO6SGApP+gMGWmG*-cLUG8iZ4iQ> zj$?v}^JNuZT75+4VjFT);1i!{i6p6=gNOTI{Qr`A#udJS(Ki<+7uz`8$0ojZ65(T( zddYEPB3c?tw?O#huo17U_&l~A{u!>l7%lUx7@xLZ=jV4n3!f;GjQuM`lKT;{S;m{( zUQ+$!h^R@rnc09)%3ein+~}4QMR~~^%UKN_(I)C|>gRq-os829{oj!~nU*z-6U4wz z%@973L>bn{06h_@KlDUEQswNwcO5P5%#iv%er~Ljv-IeloaG?0NFej#4Al{TE2fPr zg>Vu57SxQJ2OX|CEhd;?>^THqgIH|OsEGqD@^lFJ z!{PD$Qx0b}+<@V=KK87YrOZ1;;SC0{{df5D&G=#rV}ss;*X}M-Ca_rQp%;MOl{$#h z-MG8lO^kaYn|5JW@9FOYsF4FoA1Nf+<(|(|?G#GzbC4ce-TbC-B-%T2HzyiHxgVG6 z1-s*-({t+&SL^o9)(I-lSp@y%$N$^2|4$C6jLbFDSws}tZr&UPEsh9-o_r8!@hR?4 zU?#0Y_(2^3!jQlW)ZP|V{0E+H)05FJC3-&ScG0NpNK$xaL z?#{>_tWu_I1skXXy%1Kq=~%dTrS$8ob4*00B%zE;(dE5auX}Ufar(rloEOfr*r$yY z{l=nb3SkMyX{M@mS2L@gyt5}VRj#``T6$;{VL?o6N+;*)&mXH`z9)f$dcuiqR0V!o z^~VOnm@P59B-scPbx<3UbV&_3Jh-=hARU3nO4344TvJ2%r4^bO9^Dwxb+bD75a!8% zKxsKPL&zNT6~S>MT)fzQ7PC~~a{EW4?*zYv+X`9#ob?_r@Zst&CC%Puts)b2rY@AH6E8}S!8&&GF1 zzHR?=*{>H7o6unh($3rSQLMEbt%1(6w7oX#6XpDqhR?nW0poxE)`P>yWcyB5 
zUC--G@n_(!2@gP5>YwVgIqE+ZO>p(t|M@BBlUw%h9KI`+ad18}G%d-gHNd$xV<13&Kv91hFbq*+0F`zj2DBKDK6B zU*7Ly*Hbf{l2MOKpafk3qU!4ht9ReBk=?WPzB_Ur$4J^4E=+fg2a&si&%ufIG$N5z z#4HL=r$;>McXt%y&x7dxIH>Ee!efc_&BVqB!HiH*p|&O#wvYI$(fNHjV=5;<{)qLj zfBbJ<;s4u%>>g?v3uY4K?UfN)FSzzozxfCgmu|wcBE;c#nM3`FGUH1YBk8?>fNn&V zP1bIyLhWfRPWp*NT5l}-L(_Vv=+(oWYtyp3X(O$dDzIs zQ&e!C&xZY0Z*%!AXnUcg^eK+fO^v^tyv*d=snd=@p&zQQQ~m#SkmU2n&2%6h%u_D2 z`p2`h7{zRa-{_=RpZI7g(C-&!xuttMHDyBVdu?9_YJRSQ z3wH5-hJ)i5h4U~_rR0`a6x(c$-2Wj_YWJr^DPt<1>-K!s>Qwgk4>B|-d%GpCw*wLV zmamGlwX4yA4y<%!R2e5SpQ2^|7j;Sh{d@dBkx^Z6s3>^Sd`6Z21D?OywOuYNBMAz{ z8vXX51^u_6r(gtorO`me(*^a2i>@H*;y1)D{1@@sSN{|7+V>SjJo$@*yOs%v>_<5C zX>g2Ca=)cH4bZmAi)P7XE-JP~Hq zzcory&6f$~(7_#u1~=%>^7$EafywqzaDMQ|W6QYm&P_`wK2hle^ zjcC7Goa?#=6QMwv(WZK2?b;urxHtb>3cCB_1tmBj68jJLGUVx2e2kvrER-pJ%ym>9 zbUtX@HuU@l*sh&oJo@tX?UlOam*wqrL9cRl?gRhzn)yJc+415vEN8ncrNc#Y*WeaJ zaM&t~=gX)ECF~Hz=LthfP#( z;+$xJTGEX(gS@!D&gjKzzaD)zV4N5Y{8m_JGNhMGu|{-M$rjaeEPjy;i=JQB!u(U` z`DWR_rSm+Ymf7t1^wb|0V>|P2T`ZsU8z}IdNVVQ{%sVVsOH8O!18hlspxO5&!L*E1O*zTw*`q}a&)&BlIsy}l9L#b|^SL&RvS@hj6 z5V|08LwrLJjZsM>hf?LaC9&1~DGE{3W`2H%tEWC9T5{JXZJ#AO4#;hqd%(VE>XrKS z@}`z!z;8399S-HZzc>fQR4f^IPGhLlYS20&JIogz6{kIsgJ!>mAH7^pwDq6b@tz@< zea|}=pmcKjnVf|Lrq^kI9!`DnT+$Fis_hYFrR2cST^ASj2jT9Wd!=h=2&uw)t25G?G=(Lp%fi7Qw z(+eV-6ZdsfuEW>ot$IUQY}5f~w6ZIZ=#E=)u7O%%Hr&W{-=Zg%5;hYp`oHQLU~Z+lfN166EzrhwbJs_nZK%c0cC_rUjz$_p`fmgP@$ z4_|1#DlS7*%2&zVQbk<1yJLs!`G-70F7b7uwD7UiR3ezyQy$GeM}%3R)oou=ze;U3 z*q{Qn>6!|?pHZvdLc!~j$w@9xtz5FdV_tG!9Qd`k(V29MfX+y!P=BJnK2-98LxtL) zZ{53MHjo{pCT#OY48BM>9D*Eusg$oSzJ}l1l=ucAX}tiHj@%Y%`dK5Hew1&+GHB0d z+;QVn>wMRnzZ`yvq=!nh^vj&(G=FZ)dIauc{)t%)TI!1SMV&$s*Zx?PO|uUF)-qJ! 
z;Jok12o@U3I&Zb|?Bpz2D$R{g<8p<0>U`uQR;4Wu-F(6l!4J$J;U++)5IeNJ|K*1nsl%+bb$Dn?c zyZSal3LbjFX=Qc`Xh(loEJg*H`V9xPQBr=tB7KKZYW@HYgQ!s^{=g!GicwDfU=CtX z79n@ay+tuTfCX$D4<1azt0rlNA6MdTo|Xfh{RYbxAc90{K7WA=t|Pno0+_B)gEiNa0J|{ zFYd3;^F;Tlh^ih~F7U+mX^T1>tS>+jkAY~^0nph_OimpC@6zT&liaye?Tm3Z`K?&$>Hh6aRo68{i??CxJsYLte{N-vG0Mgtv|-RZ zdd*wF^`vF`1&2rf-KpnWtQs{pdT$tZce&>GLYDWM^`w9+VET-UYZr<5`NY1w-kAr- z#7;5)q>0DsF~V&NCg*7#UND*gXjuE8hl&j1Lif^?Nmvplz2`4ew!Dzk;#{V0nShir zK+o{W2o&t_sNg(K5J)r0l-sMV-Gr?y6O6N?MBiowQT`&#!ox zrYK#-<&(;qr$c{rHXiEI>s7m)&-OdbU4c1v_8p)V7^EkVS! zeBwd8zryRo)q?HDGx)FSDo;k@de4314LLOT?Cr5m(<^CJ?u*-FU8dY=E$&P^V}F~F z!|LJjYBK1XJzru!C9BJvyNR`diPpA67v!^rH<+I0K=g%H434r5yQynJu^A#eIb`8Qb*8@S~)#y$f`2x6KxP*8basOxK zqsdcsZiifNb|bsRe*Lii%;Kgfv>s7cxw5HMuv>-wUaWVvw(79|M=wEcqGUb~iK80) zHjz$G>C~sn^RAC2i(^!(i?39V8rZ`E-_BN0IJ>#V%!Q*Qc3es6xj$3BH~z2-iWHa; znS&|SL(#*4sd46zu)pM=a#THlu095&zos4)78L-b<}ty%@TKWz z__0XG*wo^6U=o~FlGbmQ@3hBsl3zg28vf7gdD5jjs3VtF^Y;?U%+J7$xrsv}oj&Dq z`}%5h`L~7iXL$AnX(lO78VP{%F@k2_7^El?DJ<_qHmi`rX=5PF6I*Wx|J^ z5uWtLJk@+cZSA|iUt}U3_qvO<>KhAs7`97{jU29%iEXYXM2JRYFC)dqtu^-3jQ!MT ztKk;-rc_cml`-PXoAK2TeoQvRxn+^CrvVU(OC<0+@bO}v{FtLTQ5isBq%Q2A*DLxq zDK*xaeR(XBtg4Y#*Y2s-kEgmXSWel2z~|!ET>gA6xa^^~SFbWoWmMz5GhVhKynF&i zTd1||0;m^9PO^RA_vklQ4O?H)2z{yl(qJasqlPA*UV%PDJFN9nsE%lv6)i+4D?9bE z#f8v$}j| ziuRI|ys_zaza)O`urjjaH61?=M&Fk>cq#3PF7hdj!M4g&gUT4c;2biw^GotqJor7b ztWyeq&#GM}ZxB+E0VNJCay|<+$EO0BOyl;eQtW2gZ~zs3I$qxE<*HQp?^+z*wdmP~ zUr3;_4bE#9Fkk2qANe)RV0*A3orqo@fHo_1IAU}N-o6yda;HulII_G{eR|Lq*Xrb1 z&7OLBj`E%^dXlsyx%d>9lO^uHvldAcR7x@7j{b4k0K)#))dY9^)pWSmF3YF?!seZe zo)!I7yO?-uZ_Jd&6%_vF5g0k5`nwIUNYIPMeao8?ZUy;>1>1&zvCjl(!XWmpgKWjT zG`hioi-;i-IDK5oN@;%GakMa)r-wJn_SPp*g5;8+@u>WG-t86@e3aHL zsBf=tAOqfS2QzQ=)mgPujQ#cKFx+KILr}TP+$XXVyv0tcGjAJAJ);Z z3ep%|OJ-(rrR*?WKrMw=z6iyHIg&3aPNg#Z!B_qz`r}A16#1h;#Vg+jzr#KN^}*VM zUu6&+?ms%vHXS`imA>=@rN&Rh-SMShQHSQeXZ;3ku=Nj`MZpUls0u{=70pcV%y}5Y zlTOvl8QaWMKr5<7!@MlHlf6ssg%~d)GhF0y!L{iRze{Hh)XAqm#2$@$>Sz7=78Aey 
zyzD#L7V1;;WiBL&c?g5KC|29!+psZ|)H@#C{>sn*>YIrcuFr(Bwj&1~BW4-q2>NN1 zuq9d|zcSi+LcK36sg>WM;;0?u-xhlDYkj|f3l>9e5-*`BxIpqjXYbOD{Fs7U={XFl z{%T5js>~Va`AX^JIYTgltPhS??@mRjK02hXc+c9h;TFWz@QTuX>)mFa`+V8E10NjX zd6=s?+MmJ&vP`-r#MgeWRDT+g)Klzf0^jG%dqm`HhH{mgQkB8t7GHr?80hf+ua2eV zt}_=^tH8Uzf`(cMAHeuvobY_F06mbgKUdWPkQ{Nyu7bc!JShGe!N*3n7piTNU_1{b z&Pd>qz0x@VO)RE^&btk>p5)EmPM~^volZb8@8Noh`D(OP{LLmJW>9`+ysSjW5zhukj*UA-<)cA`~+axnTqn3VLDmBlcl zQIg`!FOm6>E99;H@iAf;ZR-)L{9?A3WFR*Fo0;4fglKi|Ghi92aY9DIg35mnS@DH& zcvqtn!87n>{zCQS$JcTYG428jzN{fV6MRX`^Ys?)#qElB2S`#tAREF1vAbbEk|k19 z1SQO?VzJE(|HGuGpGK>?$2ge{imN#(&WSn-eY(oGu9W%wfbuTqHx5R8s8IH}7dB4V zL-t3*<}an>(=pIC>|}=zcg-Yht@7bsYzWNYTkRIAzjoGi2&!_vWwukLfv9Hf!D7-> zcC2Lp=WO{-L*9SRels8O`DE_MVcD?Xi|b`1AqB;r+OYL-O6FNekKLWIo!c{yK-k-Su_Pe<@$TIII?nbGyYE~57G{F{tmyK>uRLYENGoEi~^{UzL9#`^h(C>|Y zpRA0CWApS1G;@5`bsAQ8_(qnOshEdN(gPDq9H;W;WqZYo9Tw);R)z2sPl)y*v}Z;) z>0@IBFE2S9O1b%v2}0-1RA(I~nUC|X@;SV-W2toI91@BY8b~M-6$d{ZfB&3#0TNr0 zsJ&51#K$PV_vmP&W=h36uKhchb@$}TSoqoRFA#ZkNjS^4^63+ZGc>`MyUp%RO$U=Y ze`JWOcAhA~I9AID!RV{&J~?(8gL!0(6ree;Ya+yed!D@zssGja*%dgQqKkp^8dMvv z{ra)f1)cgj5-Vy9@OoDXb4w-VT}X0s1UOXD-pHq`=L{juL$KmDtb-WsNyG*FBTJOZ zS7t=PlburCH%ar@lm4pS$C^bG5wcqPeYN2HZmOb_G$C4I*2z3o@|yTMDi*jS=0?rx zLvEU^{AgL>I93~(201utqqJGVXC21{4qe>ebgoryZalx)>?Y56?bia=6T-c-)0svu zd`Tm*Xx#5W40Oq*;1f(tu62|X(&0A)!JmBMf}lnha&cG3kqM{Ha_>*s*%hj2Erk7p zzO$MZO7iJaXg{{vJ(ba`tsVig+Ze{nu9wwKH?JT^d%mD2MqCS>Z9SarVdr=W(Zx_N z-G%cqxl{{#^Dp#shM3db>1w8&lXS@Wz?y6EYO5Hd=a!g zqF@)7wo^osqt;timH7J&sy+8gdbKd-dnL<2*RO&b+3hDD-`d+qdJpZ}gaZ{2#%T~UJyZPM8e+&`Ebd3(7%$MAebTJ)3`?%hK{7l&Hg%##}%fL94?^Va};xd z1=pAIeF`!aEAn}O>U%q7@a^D{kOyOU82IDcb_3cl`yIo@GZga*bHN5?g1;+T4$25! 
zHl8~awU9eBu3dc}6ZsY(loYC=W=`*#t(Sf`8F(FnNqxheVnS^USX&z5qS4Lih_!M&<86|x z@&Fd2`Je|sUY^+1w}~^!;%En zhGc9{lJKhqC7S~RsYIqjyMszx5N{;BhHc+>?M_iB$gT;SazNB@;w~V@stt#sX8kL7 zQYdZ)8sb3^z-9P+Zn3j_N8*@$uf>K{$iSDxO~wj_wtk(vfZq&c*nkxT0&5zs-bBtpBC>Q;OY#M12t zc6SYSX?8 zgZn>r`bv89*(MAqj0a!jOCg@^fWLeOjL8}F_2;cg)rUg-llqdyAGtig;?AtNj!o>o za{2;8N|vl4#~gH}JfPmn2E0_cScpS@MSz>28Y=elQQl6DVxEv~rR<-Rm*tJARCs2l>_peCA~>P zS*wj7=otH{(08|Mgm*Jl@EH4(1W~iXD+&v0MjD0D28_|D>m>YwOO!SMLL2VsWq(O? zK@#UZIM{5`Qai}>XG7b2pFx{L5``!Q%>xfETwOy;O7vTvQbdd&qWz9^pdrT0xZz;Y zfjz@k8nxX{Z;$v)0FQ|pDI&&6R(Wiv;~zuH>V1~TY(2u(~z<`&3h%`4PGbtted2pXpZFeE}lzcinwxe%2%t=cR!R7R4h`N_EMY0m#uv$6j zoOi~({b5`SmeCl(pIFjlWt@s&Rkn@+LpSVYEe|(=HI_d=G9j7i6qipCAOfr*9dhZy zg_jzhmE|UEFyl3lWCHu9H0EF(9Ly`(D3oxi&cg=jnguz#E(o~SQj5Ps4Y4Gm8I}Mp zub)7Mro^|ywGv$KM`yMne{ouqDlb1MPw44=tUo>8ezwz|;s~*Np{$KM$k}PkI1XoF zC`hCKHsc)}v}0Buq0B?oFG3F)`v;M6RX}|kY9g}HkSr5gg(Tp`+2A^8ZJgZjK(erC zHHSzYbBL`P;?s`bze}cCmGsECP4%;pvHGCyyCH({E*%*Nln4+Fcq532osXV;0>h`P zgoLrlPktU0CqLGG!2}cPVyyVs1OL_VOBxv3FQU*pe_}1qPdcvKBc85&rd(=v+*Bht z(p)Y_@?YP-fyH99D102GP>sR#I4G^%8ebI1hx|7~(Mxn8IdPAul*|V&%7zK#m8HM9 zw9C^IU-{K9^4)=_Fz$%YB z#_z|%K6)J3BaoGy=J{C5x^`h8X9ab*oPm&!aFPrZAtgVWGtHBB5G*`4W|k2$kKh?I zf+2clxmr{LpK1kqC1Q}R7}HIQty-wgwbqVp$|Ydq?qZ6Iu6_%Nl8ar; z&Rg)V#R@nJ@@C;|Ckc!{jcYiP65GBrfW)tAapHI#g*&+~LV7FiZx6+0#cIos{&0te z3w!uHaSWF0+}#s4uv0& zKzsmRB1-~XP9AeIXlgAvTD%s$bL`2xR6y=TYden_FF<8r1ke{JQid25^U4g{I+5LI z=v%g87tkmTDS;I7w&h+flIi+S3(bUG8koYo0`g;GMEv}wUveSjYn^KF&j|d%R5#27 zj};)BKrlqB&UAl62bOy#?C6?bH+U5DkjC;2ifA+uYzwlN zYc!@i+y#o(UsdIYmngEbnEm;p`U%m5%(w_&t(SKhfx*1>{fq|`L_9WsEJViGuZmnG zQ>d#pFIP^#G68PwJYi|?3&;iN=y_wzLljS1^UC?O!tXA<@MV#@C2iJ=iGBC)Gle~Hrk;lD5a5}ZPO;lOnr6xv;1&j6PIhmUS zNHlmy@y%1eA#3Et2EdC=MA!PHAf<3Nvj_fS7JxW(uqmUBWKgs~!_x@7v?4*$-dxB> z+~a&TjfTW579$19Fq1Cn@zy(`jX(Qy;niid9a5IT3C*otO4R{YD4*cwtGP+Fno$GX zrQnlI)`7!p_=2jCl#ce{9dqQ0^vL)&KaT|~r@;5W>U!^ZEdMWlJa@M;BAbk|S4d=2 zWQ9of$e!7I7b<&XZ&D~TTN#-dDWr_sC`sJ5$_ORDbKTYF^ZEV0-{0fmkN3OBb=}wX 
zx?bmX#`8SSIUuRegqFdJPl9B(+w;e)+AY)KMS~2jp=1BPDNc?;j+8y%RL}advufQo zRFrNy>0A#ZHqh7YsP0|h4t1aa?@(m>k(P*}ECWwy4hjq5<^Pq>KL9)}rTqZQXg8()FwU{Gkx0N(*5^bfe2Tbjex_kaa!DJXl)u9X!#vBk2miTf&C@bd~?ta zymZAr03FHtLZ~Z1;_Q|8rY28#8SY6((Bd_#c9nPfZTq^7F#0w5aTn8*Gf(fN{rBj; zP|q))*dwleO<#2Dz!Y$z&fnJ&z!+SV?_XZ6i`%}T%Y+L1F93TxJ`j{lf?aBa0F_sa zx1tyxT1jc&!y^KdDqlh2g1}r)oM)htd-mzG1qfceH+SZcJA%<8vg&>Z(k>b%jkT(2 za~*&E#A9Tb_m7p+*ic=azg490w^Z|KDGg{Bn|ADvA(Lm z^@U-{P*cwpPK8OSbKX}trnli0LMW=h7#&?&Zuo}TXx3@rIhR{w4CfuTAFwb|b7CPySG!;X(8f60A!*KyahdQwkg8?r+pZ#vLak_#y)GCF!1X zvb4c8nuewI*H!w#_7&AzA94RuzP zHpKVq<;?zk=D&K=o8S##-s@@7JL}S5tzKlU@_R%3*5(805-hdDWl)mwl#99%I=vmG zN8m=UOL!}E4t+c#Kv-xxD6A14k}N=)^*+>SkdB;-ZR%Tac06iY=DB(u_n1&gv{#tZ zpD0N7KE)@C^AlXlz%B@Id3>DFEhMlhPbR`s`8zV+5vf4|RN)54trbO-B z)jh7gQ_CyX-?##pubu;w30#^0is>?I77nmQqqE#qL5>1FUXm+6pV|sHK85%<2k+uL z`ni=(4@{Z2pZ6X#zwtMedOL*nTL1Uy0%GBZ0*F_hWx1)NMZit(B3sIJY|&d=1%`Z2WH z%kM5f(bbxr7J>EuCswf_tn%Lj*O?7DY`zR+rW!%G(B1T#y$se`%E_f&F@HV z=V6|HF(JsUqy~f?YkHyah~^omv>)Z^&bv+v!~WJzk=>u%trHyySmOO_G(%O%iWj{d zI55Rz&YW*a)Sgbo7FNyj_V4_!bDPV%_wSr#qU$!A(EXlQmNHdLz8WEF#+TB*gQtF; zGuz1{Klk9FsI+BQpeUb1m)kiL4iQEcetq!2t&wzQ& zV7L&(_P}E~%mxvLe0lV-1I2lX!mT%j@>!!6pqTAxLpgJ_j3-5<)i;dwlybCUrsiTr zzxcx%q*LnR|Lk5}b_gt2Qq>%x93UzQ0VO5i7|9qSHUIz8EfT1^zaM>P)XL4yiU;@* zew+bs#k{|HSYogkTVWntJzFUn+wgEW{b`azO2(KzN=8MN3x}a;q6|?hPn(}k176|* z$MVTFOfA-4K>gzU#6CT;M0zmxx+F5iRLI#pj~CdPEMD}q^n9GUQ|=i|jV;slhLXS~ zUY>}DM_nZg|D$CzZ=#Tr!xj+!kJ>v|lFe>*=!$c^?L|C?-v05Dv!M{{icXYwEs-#c zJ@csjzQncT_ngFd>g&zyOZR1NzYb?LZBi{Ih@Oo2&u{+KCrrq>jsILZ@`*Q=V(}L0 zZZBpB74IgNblY=Uq&=o~f=WNB5kwXhZVP5)!*9w_K8w zn6Eh`u9IIMk{mLe_+Q41lkTnmO%0q@rK?iegQ{ZAHke>&1Dfu|qK8d;Wh3CY6O|fmeI0+;8!OnsRAI?Ul%vQaEU`Ap1fb+A**>DKz$0&ZX8+ z3R6`>QX%=cv`W<>K4tS7$jFWXhr7%>Psp&|V^L9q`#GP4x)Y?EooS7v69-)r1UTV}?dK37x+6^CGO zRxNc6h-l^8qXr}&_nUImhvafU>wn>JA3G(usxphHc*m!WkAK0Cury@MA5ygp?qQ(y z=a*66dl+2%4i9Dyi_{jQ{?U=1R`<|fHuHHiYYN=kzR2=E=^NRmXUF&c`Bsazs36}> zra@l`t`UE6-`*b@Q_Le65yH(CoeA>9deIv-?=fod 
ziTnSdYFRs37rz&-5k9`qnX{}j%K9ItH-7-V>#`t~wc*fOThO&>GUR)4<{;;&n?Sn+ z9`@M(FIBgc23D*YBMZ8%tY+blYbrZM@WuNob+zj96Cb@_mm6zkNd4m&CA5(A`44n9 z;Og2)>gtq8^cm3z9ezHxhOMmgrx;H8X^{%C7{|$F5_?*@h?Ls<{2-4sRQfS+nFHqq zZ1Lc=Chx&J1`wcH-|x9#rSdicS~vIB&uCSDIne_vlclk~+(6$YM7!{E+Cit}c7tj$ zT2j6}QnFCtuqj&hl3C2w=5%xa6=GT+@m`&?Wrbr^?=G5mk&9k+y!*olVS6HY7vNL6 z@iIFGhA?}m<+}!F0)A!!$*DvU)|2pBP&uJgYOhxfKt{gh+Kp-oM+6M!4kaa9e8#dz zy3m}lVcnYjV(&lVxyiJlyJ(I=nBh=X!S-2@YoQ0qqza=EQ4vgOxAwk5681@k?*7|;5 zA7kcO&v+_FJ$Llh-BR(iN$qNMofu-}6+$*lTkq}(>?nMa%HD8k?b;LgL3H-tjgkLu zMDTwWJQEgbis3rkIi5sY#+NARsqi~L@qI=TIQ8j;LHuCyy7!JD%sRyReqHrEyCC_WG8O~eY!zLhjnU@+%4%x7jnW1AZj5r+nnAz?s^7z&-NozY!>%#NNNpTaZN=!v}&z^~Zkwe;CbVI2L!9F={Kk0UCC0B(TJxm>gN7=Aw=9&`g&7A(ay|FmcvAy}=a9W~Z2RJ^= z6(O>`Wsjti6%1Zdg;2jS$JSUsVmx+$d^qIWX``z$F&a+xn#UMoD!LbrMS0W6`qH(t zK9)pEf(_Chv1$gRc~=rjFMWJxfF@$jFV$7amwZ8E6{L67?^kb<JKJ${_z@Q#}+$)yYYoBE(UuB0+GN>U;BCz0>g&Im==?%(I2E%QJU82+Yn-Wvgj5fNDbV+?fs52=53 zlBLOA{&1ZB@LNeBI|?VS-dB$>L{*$1Ggqq)*3*vvhXs`6rDt~#&==2!U~jfw@9H`` zO2p0_p%Z#U*96(((tGWMt&EA+_&r@ZGR|93J{S# zF9OfKmR#SzR9pUhrBe7NA1aKZUDT58u20oNjMmWWwT(){T3f@Z2IpM<9qDr`wc1ZK zM1z0-${)Ic+FTf@mAiXv0#eLLYW0uOwxtKeqKS0kMo-{L6gt>)7e&I}Gf`rO#}AYa zNd;P0g`iztj@f(Tk6+xNi)=L{u7&|}x|?5FcO0W}@@z)8S16B@)vM@eSpl>M|Je<* zr!RF((F*xa=&C48PrkepmnfAnJ^KPV#{4eHD%Yhwm1N(Qv5MR--tot6`^#sgAcyOO zsj}FCEbY9}i{g0;H2f%i_}?F0qfC%5-RU);j}9Rixfr?t>-S_6c^;RcwTlPzSU`qoSr|2tXuU1bZJG9qovU!g$uwTV4M z{iW!!ek-Z!hjN!s<1t=1*Sh-%iOAJIihH;%ewq9QId|6>+H-^TMz8vzRKA)NI*Ax~ z{Ju{ArmevtT6T}1k45+5*s==RAuWWej63x8!AGfGUpEsVjx~TYcgVc2t@G~J*&YQ~!=FnZC-8(Z{O^0i%!#dNhwtM~AFP!J&xu9! zyyltgsI?OmRQAwMv_n9Tu0aqAj%n3@#PVIr)jgXF3Q`sOT*U!75+UuazlSD%Gu>FV zmRu@KzT;PYG!Hug*!)fL^4~y_naq*!ylhe!EJF(Y6L=J%D;sCIF(P#Ew;Xpwl+2iJ zF|OjJ?J+`|6O6vo?(3^1OYfgdwTB*c1}dUY<>ohOAcDt^Z;?fq=p)dXdXD(;T8qQ` z$8lx7-_V&yF&oe4NLM~I`)VG-An-?}w}4#Y0|e{|WI*kA=^^u^AN}S?^dBdj zfhG@Q$DnnOnw}22+?Kptvo=fRJhG5th}*h&U0@)OsMq3KH!YRUvWkYR>=gIsi;omz zrdbLYMJH?Rt|6QTq<`x(YW*9-zoA;B(fRx8Bcx?T;K0zPv{<#g9%sPSU9u#fc=68! 
z>9l4dEwCv!0>2F9NW6a$jd>`4{3oE2CG?F$;&Ug&&fkJnvMx0$m`4UxOOlUOODiho zFBAIdo_mM}MNn*sB4>zkFen7+DCh2(o zPotL?gtvY`TFfr1?W_epw7!JnUdTxX`yZRvL4IkB^)E{!S}4 zOGKecg;06cU_h@=S$MgUZBvK)1@rbJ*vKZx2CPAbugH_#1OUCBXjaM=2wi$|<+`mC za`g^={_v%2L%1X_i25Er2E-(B`1smj#`&&6nIAW>_vnSJBhQ~ItbpwG#OGwW);y$i zoX+g$9`s02-EMKwlZ7hKem@gvN}2ccIYHr_5Yw3}-GZaf65h2M5t{$33Jnc{d82MV zRL$wqL!QLidE>jU;vdT%x%3t2`KP1`AFF5EBDG-1dx9x%72AlO-j=|+N|AtjXV7$Mk8^Olp8 zFP`5II1_0XG}|i|81UP*N3&Q!%MP3SK@RmARlGE8P*E{V15);orLw!JKy;2ZA#i@LNfMi}zIB+@RDrtn$+Jz!M|(y4XWCmyL)-M?XJX!mK#m_sIMOm&@ z%&BW<1Np4+FY}S)z$~G4>XxGGR(W56veEe)nN=X6z$r833H%|??M|Cr``18_w_I)d z4JD>@*8X{R2%k7cn9Cy+6?|can=HTdNnQw}R>_&mJcwr!f&Tqzr6no2Ii_OK$i zwn%AzqQ*tBWKqtr+3}qW!Ha;dH-M8wceXs`?3T+!O;LyF80qS%y9PCn5JwT&5pcx3 zF)gw@POJ^*uW&0d5B-QT#1NffNT}q_@jq4hdi@EoSUSgy9Qno0%o5xIsT_ql0>K8I znb*E8OY~ZR%~He&AFH+oeb#`OEaN#te`oeku=6E^zeJ}y0A+E86q=EE3HR(+g)xI2 z|1_ZCX^n7F>!_RNpg2`n|y)f&j`nJJ&s!9J>pYo*~?R#Bf*elh| zyql9Bzr0HRuoBRsL}#{iV*Itp31jQX(U@2{zH7r2lwWDzt4-g{LWCKQ{41e?6H^0O z_TrQAUqE-%H*C9o5W86nqyig8rmsLxnCuLjc`iSqhIa%EUOf|hkGw~$noMY-lt*5q zJOgyZjP$zjQ^me0!r-`?fnwi`*Amzq%6L6p%%=1+lDy5l=h2{fpKDW>}aFt1|}yjMI^EUB@hm z-xG9hrt!spJ5O`5_1z67x2xYc+T8pv_H`=jci!wi(M2~_Ey`v^{#siHt#vKmi?n2< zAQ6$oEPK5V4?;~XqQr-o87q4PE8l*jKSTK(ye3w%M3vdY-y4VYQcp;wRt3{r{f1e8 z=)M5<#JD*67PtW3*FGOTPI_U`%MCyMw_CepJfA7gFW{W7MY6>kWNH6WMy>Q2P_-%7 zbECGe$~MJ>5a?vczU<+^v_FdOm0N&9)dH#Mpn^D2)gTw>%Dw~4u!ZS!F;*lbBt6oz zF!QS#lIBATgSn3C2fZzyLynRP#xs6m-Uce!+x@L2tJVIGpkh88HxBGpKVHvF)$3U2&~7^`4OF!2n^}Ip>K#a7!7y^-R2V8Kiv5WgspdwAg_Y zZRq!q-#D=GO9%bJL&;ctD+*O!pRYeH#fo$T7+Kd$@7bhlSG28=R?%C9u7YO3y+lTTWXt!+NWLUIhJp;$9>D*LxS@d`5z3(TM zzG%mLxo}1V5heg`d}dXTpD=w{!~FEAWUcKopFg3iLVhfowSm85hgzMgbx_K4;p!Y4 z_v_|8k8{n%i#dv=ZaH;ta#J9blL}laO22U_M@l8fM00DRE%@;2=%-iHcjbF7{rW1e zAK`&iiFmI~j^28e-q?pw>uda#QJZ}k=sS9fvdv|smULQt_ZYQ!PD@ASQQ}e4gkGS; zyrpfe4L(kb<-$*7JtmYa&l!0y`~8KfDXyy-=9Is(-CE+Y{yyL@z+9ylG*?#%Hls}z zRss>(TIRxv)Va=Fe1~>__v*g-;m_fo>*AXT%dZi%B{rN*vXJ6ZZiLjZ&e%(Dm-oan(KrgP$#>W?jK 
zu-}nbwQ5r6;Y`!#xE{rVYJ`Z1*Vnf6Iw@-4P^y{nUGYis;tQcqE%3zkc^E67eT5b( zpGoQFuY%zZ=+_XRMLP~ZQZy7~ueu+rZg@|V>(6TNLYwl0j!{L^L}KdD+4^V3#!5$kd;|g=S$x9cm1VYk9;@LVwDIFTrC~Rkv4jPNuy5LH zTV(dF^1R<>RFhZOXN+9-o-T zV5arfz$QwXBLWrJ!#qZAMWv=ycLg2&{_5WENGfI1dRFAf&2xqD6aQ{_IcBlhe=a=W z-jUT)M>`*8pC?kJrV8Dn{P*1Bn%C&jG>`LA(w?#=+(rf7)7>4dRF$D6{PEb0BJ|$* z$k^*zOhvjGAq#@kr;m7_L$M~HP~^rm7|DYJ!|I2`J?5F{#PddJ9U(lT1%tX zla{Rf#{OXe=Qx-HYp4|JW!Uc%SaVf5iU;18xj;*}S*###ae~!KhcI*G$zLCc>I$>v zYn1U5>NQmLf|(56T^n_U9(%)@%d82eDDR~N)eScl4{#GD*{ie-uqM8vH`w14P|V_9 zlEYf-!9M|I4vpkjtMbMdtz2%TxI%Zgk8Xa_R3<%reN+v?i)AJT6;9*}G1Alr9P5IK zv*ylI4Fd{nL(n64Ft_N7|3{ApDRDY3tU|%RgH}dLlA8&|u9rI`N$4*F`uz-sGp6Wp zg54wV?xZ`f_mCa`@9Ae2L04H|gt!DnNsY0rdk4jO?_WX%GTwdGo!(tM9SVIEcPbnj+A{FZjK(dv`#a?``yCjNZS>6L!)kFsd<|lL#~-gel3ulpR_ftRdjdg2yezd; zp;oUJ3b*cRLMKKSH(;ESD6a_IP$%MwRkSWIRndF(?kdXYxFaVwH6?gbauD98na_RK z+Jn%(0hvT48o1-s{OJy{Q^y_r9q>w!`hGh`{I46qhf|0f-wYY~wRov@f_*v(k3wMT z=r@3v9J{$qe}yil&tUW{?UIQUXo=F?>J&~^O(&E?<#)8`iI{dn)T|%NEKKumf6>#M z=0CLQ1d(?GV!+jpq>l^Oi6E6oF5U0JlS|FLEA{|dwO$!Le%h}c<8jITv%py1-!a?TO_fbw8--TKB#P?{Kg^?t74Q8)Fe6A#tO-=n_&qT!F+7MBe}_tGOVu zk6V_a+F9HYfm5QZ&TQF5;dH~abIvUQD!tZV7lA9rahF5WYIeDWR7}b@mo- zsA&Xl(7n=snKVcm7n@2KB|Ax2p5TM;pmzJFwhPL%QA#IRkyTTSZCvt1tn>OTq*fb- zfbYN4L-gep*Mn6(j+2nvp9{JN4vpYS!=7Rc%>=XwwpBjuUzlwGh)UcJlrxQ1_<4wq zLX&Dr@|agPpbJgTfY()rga;MTJF64#7abv58=O#JfPZ@AnS>BT0+=+XwCQb7~&*&zH z)x!wI;zFg{d#}ytJ&9MP=6SkUDPxrQc*(K0)zK0?G{#P|G@Tj3g0y?Ey!jl_TuE<_ zP2zs7GfyVLs>C%a+seh-dD70WN`h^7S%^5r>c>fBz6=!%VR-K&m_ z)qT2F5>!u~AnkEwX-L+DGIG7E*pZ4yyLF3AKQs8ug=Oy#U)#$e;XP|_3g2E>!fNUl zXdMfE6Yo^1=2_@KQjNI!AVMzsrv5g`&et*oJ93r1q0k+vO0mmP_C}mCXb^7+70t~D z3u0~6i2o~ecph(CdI-utol>NLwzLXPh6tlB!cH|N=g9pDqt&u2syc~!6z=a|y_h%; z#AUY{7B=ivX5pG(2%>vlCSAM@!>XF84VJ4ZVrm@$gk@QF@i7|~NFKp!rE~(P*aNFq z^?Dih$K6Kg(qf+>4bsd$d&~A+*AQ;$&&xXz1CWp^yQFS3ww}s^x)>TsqE_X8J8}9P z>3O^BQDIec2mVKQ7^m_a)kYeD*codwz$Z{mnI-6x+s)x~t9Qz}waappBmIUYlax;# zTfBHDFh3a>r2VS0%LIKRp}27HGwo&^^oo6rcobGFu_wzvr3An^^mG=e4(c>e=;5tS 
zqEKX3MEr(fa}^!1R^Q2s-?W{i-`>Al1@7JK$*$p+&a21VCC{Iq0yK!tc@@6oddsm^ zzfH&#Du0g@WU>BU4~+FD6Rq-qq`^2Ru3WFAS$0cb@|&3qy&5ZHuW7a#zUqrXw$s~6 z7ZAaNn~yVo?vqx&pFP2v=*hYM;)kgf7ge&CR>>E9 z&{z%Wyt)0O?NG+g`99$)rrL@`lu6QyK#ZKQz?Hp&Pe>0z1ra6fLU`qy4p}6o3eAw7 zPSNrRDX=_Mxm}wbd9tFsrk}R~powOt_rkVs?6<4yr8h8Pj@EWdDxlQ(t{`Z7^as&ZxlNx(NE&vxI^BkD9`O0-6%q`C|s9`tKImXc5GevOu*0 zm)RJTk(SGSjI7Cd8_A8A{W@a9n&e3(UW!Dt2xxw~hDcs%`+}}a5t^Rg;)%}5muZkD zZNhD$Bw-yvOgFm#;}BPlJ5BZbrLSElpMAXrA@~%OA38Cz=6y-n2NV8b#qVkjgprgb zYEmskefKCL^b8uH%u0xnq|*Ycoj^zQ$=+(LQ+ikJR+W#BgczU0Ct%Gc3DU5LMvr~gBoKBRJ` zI^$*Ubqr5;CuQZ_rs`?WNIzxq`Yo&L$Xo0QjlVl-z>FmXgwETKCS zBBu8qXF0K2@UdErS}WQ_%Blk3lbRHolmX9TK@lyehnUFev_fCgxG1xC0~*|>Q3W@4 zO@XW#SDWr8cs}%MsT%$9_=uHx2HW}Mwck)26Odf_XsB2LX6YqHVifRN-^U!4U%NTXXQTWHZHzc_ilS;` zq)hMc9gWE7eLv@Zaq+W%o~OD0$0WO7vfF;SS9A8{Im^N8mAwsmqW`|}htVWNcTuxc ziBF%E^6mT<)XBI$FqjW9@tA~vr}L)-gzhpujx~630!wb|(K{Bv8Jk%-m6+G)+Po&( zb+cQ7D6{Tz-cqe(~R)M!RzDV8S);J&LpL$>TX$ILf$YwmgnrR8v zqw41!^M)pz@H%;?av>fu{H1b!y`>X^lilHW1F_#8Qu>g|?0rdAANv%9)Dq5Q+(qiA zZtBEK5RNR?5bZU5KFseHM+v73|_ z?-Z4DUtYQJ4cca0xS90x`)MKD$v_a_IN>UBhC9OCLQB%L{6;Se44+~B*Bt{N+}seJd%MvA61t7f1jNz87L(JGyCGuBTT zW3wR8x3!S%+Ee@CvKEV3-O5Z`n{mEXd}8B7Vrrds%XMtG`V}XV7gnbdtD}*$MF|_= z?#tm<5m$7CJk;O9MA+;B@soLa+vD#OSma}c3B}+31cr*>pqDt%>SOii{E9Y^UPH#? 
z$&(A)&p*BhWT>2XKaEa)1Au(L+hzBQqZ_w>NX=D!FKlXjeEz%)VDTUD9*cJ-e2X70 zAjxd@-Ehev_J)FN{N_wd*0o$X$LNqR=f));V^Vm*0wn@pc*Sd-sY}d*hj$p=|5^ z7duu)s=-rQ2*TBBp03h6DEy=&F-3*=(rb7uYJ~Uq(wO%lB_RK+cU0 zf2f4TEAeMMj6-5bTe_*T%2o$)KXJ9_t~c(gv-Xx^6wUEj4%tkaL7kcBK38c+OI{W7 z&%Iyy$=cIaWYo67%i4c7jCK{0`QFWi0gSimOyD5*2yps%K2&>rQKS0y!G2@q7k2}R zz04M;A-xKtQJJKylz zkiy1Sigh*GvBakL{BRnWz@(UvyqGz3V?Lpj`Ia|7B6F|VzPdkeFE_0194@!eW0%0* zgyhNkjVFEA%*d?MsWd9w0<>pwo|5)1Lf#K->7A1@{^1Ov2KK%3;769k|7hXpWcrJlyy1`I({4IN$a`uOZIcfqhZBHD;{=(Ck` zH)d3i)Y(;|3@1qobq|I99a)aQugGG%*&@crSN%SdNh4E{jV2x`RFRrb(aw?QnZ_g5 z=DSf{oTBnWddOhc5-+x?PS^<}IOl!qb5Pj1+AfKb+mCad{GYz5@fM-A`4+q5--JGl z2y5`mda(Kw{#`cy67Io_+1l>p+~-3vhq42U>ZB#MvRa7_oXisn`Hu-(7{&yGTrP{7 z%>E(}|i)qub$jW44pv z&4Wub8Ph_EFMvDfAsKrMlI`CH*{qJZ)TLD~(b?Ot{3jMi;-3(L3)!;xL`qHu^#fw!V#{!y z=*7Z2cf*Cx8D8mB>2|Sm@zK-`F@Dwj=HkrTOBt#ck1XeZ0sF@*VdNgW_R)N*ar5&@F^W#R*w!#90VO42>xLy@6b;BoMkCn5I+ zc=L0$jvD-My()lR@RJqGCiMXv$U|!g^O`RS89VkQK8Tmos7Eek!al1eJBs|| z2n1!Og|?$tThSCf%tA_g4aQ9Y-+MA_7m9w)6{Ue@cLG8z^Z3BbLhRzW11 zI+PFX@QNi>QQZb1j6tGDL0U5>{c8`y!?~kcWqOkM5i(X}NvHLdtz$3y>ryDZ0gcwY$3jBt2M@beUKq-ms z&)v+RM4eEXT7WGSy^~nYQ^38f3QFoU!4+k4?sK7$>S|T~9EsuQUe!BKjXft!FHBAm z$!fnSB+8?${5e`S88*U!B2EaW*&GO_8Pcqwpi0!HKgBJn(}wwoC#JV4I#wN$byO4y zxc$}a1?57L9kEtsb(;D*(?ZpK@6)HUArq&oCX4kGaJB!EV08K+(fs)InGado#g~Hx zN1R_!?6&Jm*TnsX6vTG2!)Mhv3c@$1D0?_XB(G>9sXzGZyL==&+?hC<9n;EuE%Y7P z74yLiLD8Zm&5E>yBg(<4ReSXIMx-UYOfR#37Gzt7ISi%i6$LMHjD07VJ}uw|CO4vh zC_Pjbf&EkD(B3S69hf3cvTA3-hRTtH@moI$->_L}{RlzlKSolX@v}N-N;nfN&5TML z)pnK8N_#xD2U8}sc0&yoUEz&Yw^gql852CY{n9{?6M-%BH3;mB9%~#kau@?14uj}m z$$eaQhWg-5w%8CtHkkm9hHD8*Scg_=X@EB~P+0AR= zAdWie@N%O@<=V?g&$BDq5X2Jr211tc9xOjW7D<_Iu~#_h-nRXQ*e3 z4sa{)LYw0%sQT)?#E`uB8wT28iZ-7km1md~{oa)srIl^8QAFEih zuiMP3$pdLL-RPEm>QHII#Th*RJ7sYW;}N5NfDAg1aPwz{Wu~y6urlbKggf}IUB^*< zyixBeozT2On=u%1C+3DKCtkZH`){ASeW1*3R4gbk`!nqqc`H%`E6__HzK_;$S8=ovk&qZ=;QlS21 zirEiFwF;;W$16EP$W0JR30Y_jd3%q=${kWlCyNCA!FB{IMXC=gN49}809aR1{!ewW z4YPxMCAf5773kT`-{$Wl`e^}F2}(fiJb?BzqpcD 
z_uHek!Ks)8u$8V*j4L6A>8kk~IzgI&B~=>*=2SS?s`FJU_6YvZ>1Jc#tM@LPl!;zL z>$w5?mk+SYF448JT9FNEimNiGr_S1|cmGj4yjPhmSE|A=FNt1TpSiV_=-%@V0M*q& zpXk@}l7pN%%HnBAUsq#*cH=e+KHEH-bT~Veub$2951UYnL_BMGlhFDk?iT{yxI|Fd zso~?Rk-@A=D|O`_W(0~JK_lb}OFB<|R$A9v>lJ0;1YeY8>$4O;k+h9?16K`vX0Nhf zxjQIDmiA~~C#$%Qyz`M9XN?%p)=Z98j74Ffm&pmtSE~Hwv@r@!RtcJ+?a&s;W!2K5 zbY)b}cmPKF*`&u&E`je{lg4jMKggL*w?FH)NptooU7_3QQG_7nYf9zq_rVpI7!BYV zGj$rOK#5+A7S(bR@t4fLMCwuvRze_wfoZ9dMxEKmKZZ~a;W?tWf9*0qm9;=4 z5}uJCIn7_iBP zj$;hZD}MmD2y&)A(9L85D$!&8L$UrlP)xeZ;n`S|USyKdqY4Yb(NJ~}og8Sz8wY~8 ze7Bw1Y#{wW>iO-TQ!~fP?#MktNl=>GY?s##MvvbWc{8`9-aGHtmy1i?u+mt)qdwNW3E&65Uql}u9q5d3Z4h8}tU&psulXKJ1mowygwLts z--T7(?Ds%{O?O~3FEDDZmVTDq0$|%F$>dbd4aTJSg0p?xf|_-EN}(RbO$0hgK#oc+ ztZc<0MuMn=u2I7S=*jcGQ-ugCcO<+jRyXbsL(f}XwjYUdr2$)gsbqOJrb5K*?c7-( z@!TXA(+6`oPXNQ4nSAEzDxT@a3eAGtePB%Jh)o6j%f*rRk?t2a1 zk%UGatH8CZBN3Z^yH@kP#b&C;P4v1isJC@8ugTT-Pwu;G?jQadI>bQZ6kBPNF2!A# zd26MvXwdteiaIn43A_hLN~kDsYV73CCevAPL4tPO7(|^6$n=@TU|_aIISoR zgkXk<6C^=sezZDF?g7G)PS7kw!n0{duNGC>wzl2R#N%o}DqaJf+5njMIFs9LNWx+O zCUr)vU=$_SB!DrtXDjNG&aU|9xpR&H&gq=(R1<~Zol3hHtNZm(BS&Ya^o{5fG$LE> zua(dG<+C<90m{U6@zo&krLtR1I#9vp%2U<0FntlBL1{LFf-C({ooWj*ugIo3O0vCK z6!@|2?h53=8o>18yW?jmBP{V$7>9^3k^e5mguI=`lJaO#HL%K=S%!{aMF$Y(Cw;G@ zyZVQNpXa8ex9*<#)qd>cX{Q`EMSl=~_`%7%!1X25QQ{Z?rVvWsx=7nqL&nRD2^uXn zuhTl@mhzqzt|B~vzOM9x-Oke<;Zp-*CxkKG%Uv`*e>hfPxOJ!IvQ5|68{vZrp!fH~ z+J1lunRo4pJtcPoua+R6jtuDiX;-QL{|U*d_-@h_(4f-?5_gL1b7lTtz9D6pZ2m>D z?LbAoh@&E>E!K#U)KY1s5$IeBZD-Lvc%*t6tUxD0p9ghMWvOG^qT2XW+uayXx_HTD z?w^o>yi*r&^1^m7ZsZ^x8w_InOU8%2AK}15C}x_c{}dTS=~7_;WphGE-=;4D3?oRH zVuc@ydq(STD8G0}i~_;$FPZo7f@WO&04fD?T!TJ6;i4=|)%g?~=q?-hvT) zxUJVgX9bw$>m2a6nMf3-4PD_tG#0Zu`t};J6bP*2^mBKpSh0K2N=tUW7sXjc$U%9J z=>*}*U@D%3aQKlU1S~2FaylW18i|xOAuDbT9??A_)j*Mb$}3L2yWzWoQG!8|Y=F-} z7u+265T@%`e0ym)#lI<9-{Sd`+)!Z}w;x^@)jd9>hN6F$T1V{UKwUuBe?du59Gu zzp@c#R5!DxO)wLcJV!kXYFpz7Fx+2;ALFa4#uz!dBpBG?c}3vyS(YNh>0)d~m36dt z_UW(-4wUqRy{kkDn;5O|`c+R;~4^_Uw@t_cQQcwS1rbT4(nks)cX 
Date: Tue, 24 Mar 2026 13:57:41 -0500 Subject: [PATCH 4/9] Update reports/trr0000/azr/README.md Co-authored-by: vanvleeta --- reports/trr0000/azr/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index 16d5943..9c3a7fb 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md
@@ -225,8 +225,8 @@ In this procedure, the attacker abuses the OAuth authorization code flow by manipulating the authorization request and redirect behavior in order to obtain the authorization code generated during the authentication process. -The attacker crafts an OAuth authorization request directed at the Microsoft -identity platform authorization endpoint. This request contains parameters +The attacker crafts an OAuth authorization request directed at the Microsoft +identity platform authorization endpoint. This request contains parameters defining the client application, requested scopes, and the redirect URI where the authorization code will be returned. From 765565087a855f5306d9a3089c3b5b19e395a1ce Mon Sep 17 00:00:00 2001 From: azotheblue <46788911+azotheblue@users.noreply.github.com> Date: Tue, 24 Mar 2026 13:58:00 -0500 Subject: [PATCH 5/9] Update reports/trr0000/azr/README.md Co-authored-by: vanvleeta --- reports/trr0000/azr/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index 9c3a7fb..81ccffe 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md @@ -217,9 +217,9 @@ indistinguishable from normal authentication flows. | ID | Title | Tactic | | ------------- | ---------- | ----------------- | -| TRR0000.AZR.A | ConsentFix | Credential Access | +| TRR0000.AZR.A | Authorization Code Collection via Social Engineering (ConsentFix) | Credential Access | -### Procedure A: ConsentFix +### Procedure A: Authorization Code Collection via Social Engineering (ConsentFix) In this procedure, the attacker abuses the OAuth authorization code flow by manipulating the authorization request and redirect behavior in order to obtain From 7cdea59da4f8750831fa4745ac20646f2c7a9ce2 Mon Sep 17 00:00:00 2001 
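Review bot: the two `+` lines in the PATCH 4/9 hunk ("The attacker crafts an OAuth authorization request directed at the Microsoft" and "identity platform authorization endpoint. This request contains parameters") are textually identical to the two `-` lines they replace, so this is a whitespace-only change, most likely trailing spaces. The subject "Update reports/trr0000/azr/README.md" gives a reader of the history no way to know that; a subject such as "Remove trailing whitespace in Procedure A" would.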
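Review bot: in the PATCH 5/9 hunk the new row "| TRR0000.AZR.A | Authorization Code Collection via Social Engineering (ConsentFix) | Credential Access |" is far wider than the unchanged separator "| ------------- | ---------- | ----------------- |" above it and pushes the line past 80 columns, which is the likely trigger for the lint fix in the next patch. If the long title is the one wanted, widen the separator row in the same commit so the table and the "### Procedure A" heading are changed together rather than drifting apart later.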
From: azotheblue Date: Tue, 24 Mar 2026 14:11:33 -0500 Subject: [PATCH 6/9] Fix Linting Issue --- reports/trr0000/azr/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index 81ccffe..9bf52dc 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md @@ -219,7 +219,7 @@ indistinguishable from normal authentication flows. | ------------- | ---------- | ----------------- | | TRR0000.AZR.A | Authorization Code Collection via Social Engineering (ConsentFix) | Credential Access | -### Procedure A: Authorization Code Collection via Social Engineering (ConsentFix) +### Procedure A: Authorization Code Collection (ConsentFix) In this procedure, the attacker abuses the OAuth authorization code flow by manipulating the authorization request and redirect behavior in order to obtain From 5bfa9c64d8d3988eea8ad224ce635e56752d715f Mon Sep 17 00:00:00 2001 From: azotheblue Date: Tue, 12 May 2026 14:00:50 -0500 Subject: [PATCH 7/9] Address OAuth authcode phishing review notes --- reports/trr0000/azr/README.md | 135 +++++++++++++++++++++++++--------- 1 file changed, 99 insertions(+), 36 deletions(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index 9bf52dc..7e8f19b 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md
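Review bot: the PATCH 6/9 hunk shortens the heading to "### Procedure A: Authorization Code Collection (ConsentFix)" but leaves the unchanged context row "| TRR0000.AZR.A | Authorization Code Collection via Social Engineering (ConsentFix) |" with the long title, so the Procedures table and the procedure heading now disagree on the procedure's name. That row is also over 80 columns, so if the lint failure was line length it will fail on the table as well; use one title in both places (or widen the separator row and keep the long title in both).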
@@ -23,16 +23,15 @@ authentication flow. After the victim successfully authenticates and grants consent, the identity -provider issues an authorization code and redirects the user’s browser to the +provider issues an authorization code and redirects the user's browser to the specified redirect URI. If the attacker obtains this authorization code before it is redeemed by the intended client application, they can exchange it at the -token endpoint to obtain an access token representing the victim’s identity, +token endpoint to obtain an access token representing the victim's identity, allowing access to APIs and services such as Microsoft Graph or Azure Resource Manager depending on the granted permissions. ## Technical Background - ### OAuth OAuth is a foundational protocol used by modern identity platforms to enable @@ -55,8 +54,6 @@ applications to access services such as: This model allows applications to access resources while authentication and authorization decisions remain centralized within the identity provider. ---- - ### OAuth Authorization Code Flow One of the most common OAuth implementations is the **Authorization Code Flow**. @@ -95,11 +92,9 @@ API (Graph / Gmail / Slack) The authorization code is designed to be **short-lived** and is intended to be redeemed only by the client application that initiated the request. ---- - ### Authorization Endpoint -The authorization flow begins when the client application directs the user’s +The authorization flow begins when the client application directs the user's browser to the identity provider’s **authorization endpoint**. In Microsoft Entra ID, this endpoint typically appears as: 
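Review bot: the apostrophe normalization in this hunk is incomplete. The `-`/`+` pairs rewrite "user’s" and "victim’s" to the straight apostrophe, but the unchanged context line "browser to the identity provider’s **authorization endpoint**" two lines below the last change still carries the curly form, so the file ends up mixing both. Since this commit is doing the normalization, include that line (and any other remaining curly apostrophes) so a search for either form is reliable.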
@@ -128,11 +123,9 @@ https://login.microsoftonline.com/common/oauth2/v2.0/authorize &state=12345 ``` -After the user authenticates and grants consent, the identity provider redirects -the browser to the specified `redirect_uri`, including the authorization code as -a parameter. - ---- +After the user authenticates and grants consent, the identity provider +redirects the browser to the specified `redirect_uri`, including the +authorization code as a parameter. ### Redirect URI Behavior 
@@ -165,12 +158,27 @@ include it in the redirected URL. This behavior can expose the authorization code within the browser session prior to it being redeemed by a client application. ---- +Microsoft Entra ID validates the `redirect_uri` parameter against the reply +URLs registered for the application identified by `client_id`. If the value does +not match a registered reply URL, the authorization request fails with a +redirect URI mismatch error. For the ConsentFix procedure, the attacker is not +adding a new reply URL or registering a new application. They are selecting a +valid reply URL already present on a Microsoft first-party application, such as +a `localhost` reply URL used by command-line or development-oriented clients. + +This validation is important for procedure scoping. A non-localhost reply URL +would only support direct attacker collection if the first-party application has +a registered reply URL that can deliver the code to attacker-controlled +infrastructure, such as through an exploitable open redirect or overly broad +reply URL pattern. The public ConsentFix research reviewed for this TRR +describes valid `localhost` reply URLs and some first-party owned web reply +URLs, but does not document an attacker-controlled reply URL for the selected +first-party application. ### Token Exchange Once the client receives the authorization code, it sends a request to the -identity provider’s **token endpoint** to exchange the code for an access token. +identity provider's **token endpoint** to exchange the code for an access token. In Microsoft Entra ID, the token endpoint typically appears as: 
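Review bot: the new paragraph states as fact that Entra ID validates `redirect_uri` against the reply URLs registered for the `client_id` and fails with a redirect URI mismatch error, but gives no citation, even though this same patch adds the `[microsoft-redirect-uri]` reference at the end of the file. Cite it inline here, for example "registered for the application identified by `client_id` ([Microsoft - Redirect URI Best Practices][microsoft-redirect-uri])". The second paragraph's "public ConsentFix research reviewed for this TRR" should likewise name the sources it means (`[push-consentfix]`, `[nviso-consentfix]`), since this paragraph is the basis for the procedure scoping argued later under "Procedure Boundary".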
@@ -185,32 +193,55 @@ authorization request. The client application can then use this token to access APIs such as Microsoft Graph. ---- - ### First-Party Applications Microsoft Entra ID includes a number of first-party applications, which are applications developed and maintained by Microsoft. -These applications are often pre-registered and inherently trusted within -enterprise environments. Because of this, they typically already have -established permissions and do not require the same user consent experience as -newly registered third-party applications. +These applications are often represented in customer tenants by service +principals that Microsoft provisions automatically or on first use. The service +principal is the tenant-local object for the globally defined Microsoft +application. Delegated permission grants for that service principal are stored +as `OAuth2PermissionGrant` objects. When those grants already exist for the +requested resource and scope, Entra ID does not show the user a new consent +prompt because consent has already been granted in the tenant. In the context of this technique, first-party applications play a critical role -by removing the need for a traditional consent prompt. Instead of convincing a -user to approve a malicious application, an attacker can leverage an existing -trusted application and initiate the OAuth authorization flow directly. - -As a result, the interaction appears legitimate, and the user is not presented -with a suspicious consent screen. This allows the attack to bypass the consent -phase entirely and focus on capturing the authorization code during the -authentication process. - -Understanding the behavior and trust model of first-party applications is -important when analyzing OAuth authorization patterns within Microsoft Entra ID -environments, as they can be leveraged to make malicious activity appear -indistinguishable from normal authentication flows. 
+by removing the need for a traditional consent prompt. The attacker is not +registering a new application. Instead, they craft an authorization request that +uses the globally consistent `client_id` of an existing Microsoft application. +Because the corresponding service principal and delegated permission grant may +already exist in the victim tenant, the victim may see only a Microsoft sign-in +or account selection prompt rather than a suspicious consent screen. + +The example authorization request in this TRR uses +`9bc3ab49-b65d-410a-85ad-de819febfddc`, which public ConsentFix research maps +to Microsoft SharePoint Online Management Shell. Other commonly discussed +first-party applications include Microsoft Azure CLI, Microsoft Azure +PowerShell, Visual Studio, Visual Studio Code, Microsoft Teams, and Aadrm Admin +Powershell. These applications are not equally useful to an attacker. The +attacker needs an application whose pre-consented delegated scopes provide +access to a useful resource, and whose registered reply URLs include a value +that can expose the authorization code. + +For many ConsentFix examples, that useful reply URL is `localhost`. Local +redirect URIs are common for public clients and developer tools because a +locally running application can receive the code through a loopback listener. +In the attack, no legitimate local listener is present. Entra ID can still issue +the code because the reply URL is registered for the first-party application, +but the browser displays the failed local navigation to the victim with the code +visible in the address bar. + +Tenant controls can affect whether this technique succeeds. Administrators can +scope access to some first-party applications by creating the corresponding +enterprise application object and requiring user assignment, reducing which +users can authenticate to those apps. 
Conditional Access can also limit token +issuance for the targeted application based on device, location, risk, or other +policy conditions, although the attacker may still benefit from the victim's +successful interactive authentication. Detection engineers should therefore +inventory first-party service principals, review delegated permission grants, +and examine which reply URLs and resources appear in sign-in activity for those +applications. ## Procedures 
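Review bot: the closing sentences of this hunk ("Detection engineers should therefore inventory first-party service principals, review delegated permission grants, and examine which reply URLs and resources appear in sign-in activity") are detection guidance placed in Technical Background, directly above "## Procedures". Move them to the detection discussion that the @@ -297 hunk of this patch extends, so the background section stays descriptive and all detection advice sits in one place. Minor: "Aadrm Admin Powershell" should read "PowerShell" to match "Microsoft Azure PowerShell" in the same sentence.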
@@ -270,12 +301,29 @@ troubleshooting or completing the sign-in process. Once the attacker obtains the authorization code, they redeem it at the token endpoint of the IdP. The IdP validates the authorization code and, if valid, -issues an access token representing the victim’s identity and granted +issues an access token representing the victim's identity and granted permissions. The attacker can then use this access token to access protected resources and APIs, depending on the scopes granted during the authorization process. +#### Procedure Boundary + +This procedure specifically covers authorization code collection where the code +is exposed to the victim through a valid local redirect URI and the victim is +socially engineered into returning the code or full URL to the attacker. + +A related redirect-hijack variant would be materially different if an attacker +could use the same first-party `client_id` with a registered reply URL that +delivers the code directly to attacker-controlled infrastructure. That variant +would not rely on a `localhost` indicator and would require different detection +logic. This TRR does not define that as a separate procedure because the +reviewed public research does not confirm an attacker-controlled reply URL for +the Microsoft first-party applications discussed here. If future research +identifies a first-party app with an exploitable open redirect, wildcard reply +URL, or other misconfigured reply URL that allows direct attacker collection, +that path should be added as a distinct procedure. + #### Detection Data Model ![DDM - Consent Fix](ddms/ddm_trr0000_consentfix.png) 
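Review bot: the "Procedure Boundary" subsection describes the redirect-hijack variant in terms of "an exploitable open redirect, wildcard reply URL, or other misconfigured reply URL" but does not point the reader to the `[microsoft-oauth]` reference ("Microsoft - OAuth Redirection") already in the References list, which is the only source on the page about redirect abuse. Link it in that sentence so the reader knows where the variant is documented and what the "reviewed public research" consists of.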
@@ -297,11 +345,19 @@ IP address, device context, or location compared to the user’s normal authentication patterns, particularly if the authorization code is redeemed from a different environment than the one used during the initial authentication. +The relevant data artifacts are the authorization request parameters, the +interactive sign-in event created when the victim authenticates, and the +non-interactive sign-in or token issuance event created when the code is +redeemed. The attacker operations are the phishing delivery, authorization +request construction, victim code collection, and token redemption. Keeping +these artifacts separate from the attacker actions helps avoid treating log +records as steps in the attack itself. + ## Available Emulation Tests | ID | Link | | ------------- | ---- | -| TRR0000.WIN.A | | +| TRR0000.AZR.A | | ## References 
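Review bot: the Available Emulation Tests row is corrected to `TRR0000.AZR.A` (from `TRR0000.WIN.A`), but its Link cell remains empty ("| TRR0000.AZR.A | |"), which renders as a blank table. Put "None" or whatever the template prescribes in that cell, or state in a sentence that no emulation test exists yet. The unchanged context line "compared to the user’s normal" at the top of this hunk also still has the curly apostrophe that the rest of this patch removes.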
@@ -310,12 +366,19 @@ a different environment than the one used during the initial authentication. - [NVISO - ConsentFix][nviso-consentfix] - [RFC 6819][rfc6819] - [Microsoft - OAuth Redirection][microsoft-oauth] +- [Microsoft - Redirect URI Best Practices][microsoft-redirect-uri] +- [Microsoft Graph - oAuth2PermissionGrant][microsoft-oauth2-grant] - [John Hammond - ConsentFix Video Walkthrough][hammond-video] +[T1528]: https://attack.mitre.org/techniques/T1528/ [push-consentfix]: https://pushsecurity.com/blog/consentfix [nviso-consentfix]: https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/ [rfc6819]: https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.1.5 [microsoft-oauth]: https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/ +[microsoft-redirect-uri]: + https://learn.microsoft.com/en-us/entra/identity-platform/reply-url +[microsoft-oauth2-grant]: + https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant [hammond-video]: https://www.youtube.com/watch?v=AAiiIY-Soak \ No newline at end of file From 7b7e0d37ffc632b676871b6c1e1ae731691ade02 Mon Sep 17 00:00:00 2001 From: azotheblue Date: Tue, 12 May 2026 15:17:28 -0500 Subject: [PATCH 8/9] Clarify first-party app consent details --- reports/trr0000/azr/README.md | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index 7e8f19b..acb2e07 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md 
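Review bot: the file still ends with "\ No newline at end of file" after this hunk, and it is only fixed in PATCH 8/9; add the trailing newline here, where the reference block is already being edited. The two new definitions `[microsoft-redirect-uri]:` and `[microsoft-oauth2-grant]:` put the URL on a continuation line; CommonMark allows that, but every other definition in the list is on one line, so keep these consistent with their neighbours. Adding `[T1528]:` is the right fix, since the Metadata table's "External IDs | [T1528]" cell had no matching definition before this patch.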
@@ -215,14 +215,22 @@ already exist in the victim tenant, the victim may see only a Microsoft sign-in or account selection prompt rather than a suspicious consent screen. The example authorization request in this TRR uses -`9bc3ab49-b65d-410a-85ad-de819febfddc`, which public ConsentFix research maps -to Microsoft SharePoint Online Management Shell. Other commonly discussed -first-party applications include Microsoft Azure CLI, Microsoft Azure -PowerShell, Visual Studio, Visual Studio Code, Microsoft Teams, and Aadrm Admin -Powershell. These applications are not equally useful to an attacker. The -attacker needs an application whose pre-consented delegated scopes provide -access to a useful resource, and whose registered reply URLs include a value -that can expose the authorization code. +`9bc3ab49-b65d-410a-85ad-de819febfddc`, the application ID for Microsoft +SharePoint Online Management Shell. This application has delegated scopes such +as `AllProfiles.Manage`, `Sites.FullControl.All`, and `User.Read.All`, with the +reply URL `https://oauth.spops.microsoft.com/`. Those grants make the +application useful when the attacker wants SharePoint or user profile access +without registering a new application or triggering a new consent prompt. + +Other commonly discussed first-party applications include Microsoft Azure CLI, +Microsoft Azure PowerShell, Visual Studio, Visual Studio Code, Microsoft Teams, +and Aadrm Admin Powershell. These applications are attractive targets because +they are Microsoft first-party applications with existing consent grants in many +tenants, allowing authorization requests to avoid the suspicious consent prompt +associated with newly registered third-party applications. The practical impact +depends on which delegated scopes are already granted for the selected +application and whether the application's registered reply URLs allow the +authorization code to be exposed or captured. 
For many ConsentFix examples, that useful reply URL is `localhost`. Local redirect URIs are common for public clients and developer tools because a @@ -368,6 +376,7 @@ records as steps in the attack itself. - [Microsoft - OAuth Redirection][microsoft-oauth] - [Microsoft - Redirect URI Best Practices][microsoft-redirect-uri] - [Microsoft Graph - oAuth2PermissionGrant][microsoft-oauth2-grant] +- [Tech and me - SPO Management Shell ADAL Application][spo-adal-app] - [John Hammond - ConsentFix Video Walkthrough][hammond-video] [T1528]: https://attack.mitre.org/techniques/T1528/ @@ -381,4 +390,6 @@ records as steps in the attack itself. https://learn.microsoft.com/en-us/entra/identity-platform/reply-url [microsoft-oauth2-grant]: https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant -[hammond-video]: https://www.youtube.com/watch?v=AAiiIY-Soak \ No newline at end of file +[spo-adal-app]: + https://www.techmikael.com/2017/08/a-workaround-to-support-switching.html +[hammond-video]: https://www.youtube.com/watch?v=AAiiIY-Soak From 08cfcbbb9b759c7650451c70eb37d7bdf6cc3028 Mon Sep 17 00:00:00 2001 From: azotheblue Date: Tue, 12 May 2026 15:30:30 -0500 Subject: [PATCH 9/9] Fixing Metadata fields --- reports/trr0000/azr/README.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/reports/trr0000/azr/README.md b/reports/trr0000/azr/README.md index acb2e07..413b932 100644 --- a/reports/trr0000/azr/README.md +++ b/reports/trr0000/azr/README.md 
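Review bot: the rewritten @@ -215 paragraph in PATCH 8/9 gives SharePoint Online Management Shell a single reply URL, `https://oauth.spops.microsoft.com/`, while the unchanged paragraph that follows ("For many ConsentFix examples, that useful reply URL is `localhost`") and the earlier Redirect URI Behavior text describe the attacker selecting a `localhost` reply URL on the first-party application. As written the reader cannot tell whether `9bc3ab49-b65d-410a-85ad-de819febfddc` has a loopback reply URL or whether the example depends on the spops.microsoft.com URL; state which registered reply URL(s) the example relies on. The scope list (`AllProfiles.Manage`, `Sites.FullControl.All`, `User.Read.All`) should cite its source inline; the `[spo-adal-app]` reference added in this patch is a 2017 post, so record the date the values were checked.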
@@ -10,17 +10,14 @@ | Platforms | Azure | | Contributors | Kyle Barboza | - ## Technique Overview - OAuth authorization code phishing is a technique where an attacker abuses the OAuth authorization code flow to obtain authorization codes generated during a legitimate authentication process. In Microsoft Entra ID environments, an attacker can craft a malicious authorization request and distribute it through phishing or social engineering to convince a victim to initiate the OAuth -authentication flow. - +authentication flow. After the victim successfully authenticates and grants consent, the identity provider issues an authorization code and redirects the user's browser to the @@ -251,7 +248,6 @@ inventory first-party service principals, review delegated permission grants, and examine which reply URLs and resources appear in sign-in activity for those applications. - ## Procedures | ID | Title | Tactic | @@ -376,7 +372,6 @@ records as steps in the attack itself. - [Microsoft - OAuth Redirection][microsoft-oauth] - [Microsoft - Redirect URI Best Practices][microsoft-redirect-uri] - [Microsoft Graph - oAuth2PermissionGrant][microsoft-oauth2-grant] -- [Tech and me - SPO Management Shell ADAL Application][spo-adal-app] - [John Hammond - ConsentFix Video Walkthrough][hammond-video] [T1528]: https://attack.mitre.org/techniques/T1528/ @@ -390,6 +385,4 @@ records as steps in the attack itself. https://learn.microsoft.com/en-us/entra/identity-platform/reply-url [microsoft-oauth2-grant]: https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant -[spo-adal-app]: - https://www.techmikael.com/2017/08/a-workaround-to-support-switching.html [hammond-video]: https://www.youtube.com/watch?v=AAiiIY-Soak
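Review bot: removing the `[spo-adal-app]` list entry and its definition leaves the delegated scopes and reply URL stated for `9bc3ab49-b65d-410a-85ad-de819febfddc` in the First-Party Applications section with no source at all, since that paragraph cites nothing inline. If the reference was dropped to satisfy the metadata or template rules, replace it with an acceptable source rather than leaving the claim unsupported. The subject "Fixing Metadata fields" also does not mention the reference removal; either split it into its own commit or describe it in the message.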