M365Pwned: Red Team tooling for Microsoft 365 exploitation via Microsoft Graph API
Two WinForms GUI tools for enumerating, searching, and exfiltrating data from M365 environments using application-level OAuth tokens — no user interaction required.
| Tool | Target | What it does |
|---|---|---|
| `MailPwned-GUI.ps1` | Exchange Online / Outlook | Browse mailboxes, search mail, download attachments, send impersonation emails |
| `SharePwned-GUI.ps1` | SharePoint / OneDrive | Browse sites and drives, search files, preview and download documents |
MailPwned-GUI.ps1
WinForms GUI for enumerating, searching, reading, and exfiltrating email from M365/Exchange Online environments.
Permissions
| Permission | Required for |
|---|---|
| `Mail.Read` | Read mail in all mailboxes |
| `Mail.ReadWrite` | Send/reply/forward/delete (optional) |
| `User.Read.All` | Enumerate all mailboxes (global search) |
Features
- Connect using tenant ID + client ID + secret, certificate thumbprint, or raw token
- Region selector for sovereign/GCC clouds (EUR, FRA, NAM, GBR, APC, AUS, CAN, IND, JPN)
- Load mailbox — browse folder tree, read emails with full HTML rendering
- Global search — search across all tenant mailboxes without loading a specific one
- Scoped search — search within a loaded mailbox
- HTML email preview — full rendering with inline image support (no external requests)
- Attachment download — single or bulk
- Compose / Reply / Reply-All / Forward — send impersonation emails
- Mark read/unread, Delete
- Export to CSV
- API log panel — real-time color-coded request/response log for debugging
Red Team Use Cases
- Credential hunting — search all mailboxes for `password`, `credentials`, `VPN`, `secret`, etc.
- Lateral phishing — read ongoing email threads and send convincing replies impersonating the compromised account
- Intelligence gathering — enumerate who is emailing whom, find sensitive projects, HR data, investor communications
- Exfiltration — bulk download attachments matching a search query
- Persistence discovery — search for MFA codes, password reset emails, token confirmations
SharePwned-GUI.ps1
A CLI version developed by Ethical-Kaizoku can be found here
WinForms GUI for enumerating, browsing, searching, previewing, and downloading files from SharePoint sites and OneDrive drives across the tenant.
Permissions
| Permission | Required for |
|---|---|
| `Sites.Read.All` | Enumerate all SharePoint sites and browse drives |
| `Files.Read.All` | Read and download files from any drive |
| `User.Read.All` | Enumerate OneDrive drives for all users (optional) |
Features
- Connect using tenant ID + client ID + secret, certificate thumbprint, or raw token
- Region selector for sovereign/GCC clouds
- Enumerate all SharePoint sites across the tenant
- Browse drive trees — navigate site document libraries and OneDrive folders
- Full-text search — keyword search across all drives (`/v1.0/search/query` with `driveItem` entity)
- Fallback search — per-drive search when `Sites.Read.All` is absent
- File preview — text extraction for documents, inline preview panel
- Download files — single file download with progress
- File type icons — extension-aware icon display in the file browser
- API log panel — real-time color-coded request/response log for debugging
Red Team Use Cases
- Credential hunting — search all SharePoint/OneDrive for `password`, `secret`, `private key`, config files, `.env`, etc.
- Intelligence gathering — enumerate project sites, HR drives, finance document libraries
- Exfiltration — download files of interest without leaving a large audit trail
- Access mapping — enumerate all sites the compromised app can reach to understand the blast radius
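A defender-side check built from the two permission tables above, as an added example that is not part of M365Pwned: it groups app-only Microsoft Graph grants per service principal and lists what each permission combination exposes. The role ids, app names and the `audit` helper are constructed for illustration; in a tenant the id-to-name map would come from the `appRoles` of the Microsoft Graph service principal.

```python
import json
from collections import defaultdict

# Constructed data: role ids and app names are invented for this example. In a
# tenant, the id-to-name map comes from the appRoles of the Microsoft Graph
# service principal and the grants from its app role assignments.
ROLE_NAMES = {
    "00000000-0000-0000-0000-0000000000a1": "Mail.Read",
    "00000000-0000-0000-0000-0000000000a2": "Mail.ReadWrite",
    "00000000-0000-0000-0000-0000000000a3": "User.Read.All",
    "00000000-0000-0000-0000-0000000000a4": "Sites.Read.All",
    "00000000-0000-0000-0000-0000000000a5": "Files.Read.All",
    "00000000-0000-0000-0000-0000000000a6": "Calendars.Read",
}
GRANTS_JSON = """[
  {"principalDisplayName": "hr-archiver", "appRoleId": "00000000-0000-0000-0000-0000000000a1"},
  {"principalDisplayName": "hr-archiver", "appRoleId": "00000000-0000-0000-0000-0000000000a3"},
  {"principalDisplayName": "doc-indexer", "appRoleId": "00000000-0000-0000-0000-0000000000a4"},
  {"principalDisplayName": "doc-indexer", "appRoleId": "00000000-0000-0000-0000-0000000000a5"},
  {"principalDisplayName": "room-booking", "appRoleId": "00000000-0000-0000-0000-0000000000a6"},
  {"principalDisplayName": "legacy-sync", "appRoleId": "00000000-0000-0000-0000-0000000000a5"},
  {"principalDisplayName": "legacy-sync", "appRoleId": "00000000-0000-0000-0000-0000000000ff"}
]"""
# Permission sets and what they expose, as listed in the page's two tables.
EXPOSURES = [
    ({"Mail.Read"}, "read mail in all mailboxes"),
    ({"Mail.Read", "User.Read.All"}, "search mail across all mailboxes"),
    ({"Mail.ReadWrite"}, "send/reply/forward/delete mail"),
    ({"Sites.Read.All"}, "enumerate all SharePoint sites and browse drives"),
    ({"Files.Read.All"}, "read and download files from any drive"),
    ({"Files.Read.All", "User.Read.All"}, "enumerate OneDrive drives for all users"),
]

def audit(grants, role_names=ROLE_NAMES):
    """Group app-only grants per service principal and list what each exposes."""
    perms, unresolved = defaultdict(set), defaultdict(set)
    for g in grants:
        name = role_names.get(g["appRoleId"])
        # Keep ids that do not resolve: an unknown role is a review item, not a pass.
        (perms if name else unresolved)[g["principalDisplayName"]].add(name or g["appRoleId"])
    report = {}
    for app in sorted(set(perms) | set(unresolved)):
        exposed = [what for need, what in EXPOSURES if need <= perms[app]]
        if exposed or unresolved[app]:
            report[app] = {"exposes": exposed, "unresolved": sorted(unresolved[app])}
    return report

if __name__ == "__main__":
    print(json.dumps(audit(json.loads(GRANTS_JSON)), indent=2))
```

Service principals that appear in the report hold tenant-wide application permissions and are candidates for scoping down or removal.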