msInvader: New Tool Lets Blue Teams Stress-Test M365 and Azure Defenses with Real-World Attacks
msInvader is an adversary simulation tool designed for blue teams to simulate real-world attack techniques within M365 and Azure environments. By generating realistic attack telemetry, msInvader empowers detection engineers, SOC analysts, and threat hunters to assess, enhance, and strengthen their detection and response capabilities.
msInvader supports simulating techniques in two common attack scenarios: a compromised user account or a compromised service principal. These scenarios are critical for understanding how adversaries operate after obtaining initial access, allowing teams to simulate post-compromise behaviors and validate their detection and response mechanisms. For user account scenarios, msInvader uses the resource owner password and device authorization OAuth flows to obtain tokens, simulating attacks such as credential compromise (e.g., phishing or password spraying attacks) or MFA bypass (e.g., adversary-in-the-middle (AiTM) or token theft attacks). For compromised service principals, it leverages the client credentials OAuth flow to replicate unauthorized application access.
Once authenticated, msInvader interacts with Exchange Online using three methods: the Graph API, Exchange Web Services (EWS), and the REST API used by the Exchange Online PowerShell module. This flexibility allows blue teams to simulate a wide range of attack techniques across multiple scenarios.
Supported Techniques
| Technique | Graph | EWS | REST |
|---|---|---|---|
| read_email | X | X | |
| search_mailbox | X | | |
| search_onedrive | X | | |
| create_rule | X | X | X |
| enable_email_forwarding | X | | |
| add_folder_permission | X | X | |
| add_mailbox_delegation | X | | |
| run_compliance_search | X | | |
| create_mailflow | X | | |
OAuth Methods and Attack Simulations
Multiple scenarios exist in which attackers may execute post-exploitation activities against M365. To effectively simulate these different scenarios, msInvader leverages various OAuth flows to obtain tokens.
The Resource Owner Password Credentials (ROPC) flow allows msInvader to simulate scenarios where a user's credentials have been compromised through phishing or other methods. The ROPC flow is not compatible with users who have Multi-Factor Authentication (MFA) enabled, so it applies specifically to scenarios without MFA protections.
msInvader utilizes the Device Authorization flow to simulate attacks targeting users with Multi-Factor Authentication (MFA) enabled, including scenarios like adversary-in-the-middle attacks or token theft. This flow is particularly effective in mimicking sophisticated attack techniques that bypass or exploit MFA protections.
msInvader leverages the Client Credentials flow to simulate scenarios where attackers have compromised application registration credentials within Entra ID that possess permissions over M365. This flow facilitates the emulation of attacks exploiting application-level access, demonstrating how attackers could leverage such credentials for malicious purposes within the environment.
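Because each of the three flows above leaves a distinct footprint in Entra ID sign-in logs, a detection engineer validating msInvader runs can triage sign-ins by flow. The following is an added example (not part of msInvader or the article): it runs over constructed sign-in records and maps each one to the simulated scenario it matches. The record shape and the field names (`authenticationProtocol` with values `ropc` / `deviceCode`, `servicePrincipalId` for application sign-ins) are assumptions modelled on the Microsoft Graph signIn resource.

```python
from dataclasses import dataclass

# Constructed sample sign-in records (not real log data). The field names are an
# assumption modelled on the Graph signIn resource: authenticationProtocol carries
# "ropc" or "deviceCode" for the two user flows msInvader uses, and a service
# principal sign-in is assumed to carry a non-empty servicePrincipalId.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "authorizationCode", "servicePrincipalId": ""},
    {"id": "s2", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Custom Client",
     "authenticationProtocol": "ropc", "servicePrincipalId": ""},
    {"id": "s3", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "servicePrincipalId": ""},
    {"id": "s4", "userPrincipalName": "", "appDisplayName": "Mailbox Sync App",
     "authenticationProtocol": "none", "servicePrincipalId": "11111111-2222-3333-4444-555555555555"},
]

# Each token flow msInvader uses, mapped to the scenario it simulates (from the article).
FLOW_TO_SCENARIO = {
    "ropc": "compromised credentials without MFA (ROPC)",
    "deviceCode": "MFA bypass / token theft (device authorization)",
}

@dataclass
class Finding:
    signin_id: str
    principal: str   # user principal name, or service principal id for app sign-ins
    scenario: str

def triage_signins(records):
    """Return a Finding for every sign-in that used one of the flows msInvader
    simulates (ROPC, device code, client credentials); other sign-ins are skipped."""
    findings = []
    for rec in records:
        proto = rec.get("authenticationProtocol", "")
        if proto in FLOW_TO_SCENARIO:
            findings.append(Finding(rec["id"], rec["userPrincipalName"], FLOW_TO_SCENARIO[proto]))
        elif rec.get("servicePrincipalId"):
            # No user flow: a token obtained with application credentials (client credentials flow).
            findings.append(Finding(rec["id"], rec["servicePrincipalId"],
                                    "compromised service principal (client credentials)"))
    return findings

if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS):
        print(f"{f.signin_id}: {f.principal} -> {f.scenario}")
```

Device code sign-ins are also produced by legitimate CLI tooling, so the scenario label is a triage hint to correlate with the mailbox actions in the table above, not an alert on its own.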
Install & Use