M365Pwned — enumeration, discovery, and data exfiltration from Microsoft 365 environments
⚙️ Tools | 2026-04-20, 09:05
A set of two utilities for Red Team operations in Microsoft 365 environments that enable discovery and exfiltration of data from Exchange Online and SharePoint/OneDrive using application‑level OAuth tokens. The tools operate via the Microsoft Graph API and require a pre‑registered Azure AD application with admin-consented Application permissions.
MailPwned‑GUI.ps1:
📍 Detects credentials in mailboxes (IDs, passwords, VPN access).
📍 Identifies persistence mechanisms (emails with MFA codes, password reset links, access‑token confirmations).
📍 Collects system and project information.
📍 Bulk‑downloads attachments based on custom search criteria.
SharePwned‑GUI.ps1:
📍 Searches for credentials and configuration files (.env) in SharePoint and OneDrive.
📍 Analyzes project site structures.
📍 Downloads files of interest while minimizing visible traces in logs.
Compared to GraphRunner and GraphSpy, M365Pwned stands out with its graphical interface and focus on application‑level OAuth tokens but falls short of those tools in automation and CLI‑script scalability.
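For defenders, the prerequisite noted above (an app registration holding admin-consented Application permissions for Graph) can be audited. The following is an added example, not part of M365Pwned or the original post: it flags service principals with tenant-wide mail or file permissions in a constructed export shaped like Graph's `appRoles` and `appRoleAssignments` fields. The GUIDs, app names and the `RISKY` list are assumptions.

```python
import json

# Assumption: Graph application permissions that grant tenant-wide access to
# mail or SharePoint/OneDrive content; extend the set to match your policy.
RISKY = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
         "Sites.Read.All", "Sites.ReadWrite.All"}

# Constructed sample: appRoles of the Microsoft Graph service principal plus the
# appRoleAssignments granted on it. GUIDs and app names are placeholders.
SAMPLE = json.loads("""
{
  "appRoles": [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Mail.Read",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Sites.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Files.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]}
  ],
  "assignments": [
    {"principalDisplayName": "hr-sync", "appRoleId": "00000000-0000-0000-0000-000000000004"},
    {"principalDisplayName": "report-exporter", "appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"principalDisplayName": "report-exporter", "appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"principalDisplayName": "intranet-indexer", "appRoleId": "00000000-0000-0000-0000-000000000002"}
  ]
}
""")

def risky_app_grants(export, risky=RISKY):
    """Return {app name: sorted risky permissions} for app-only grants."""
    # Resolve role GUIDs to names, keeping only roles assignable to applications.
    roles = {r["id"]: r["value"] for r in export["appRoles"]
             if "Application" in r.get("allowedMemberTypes", [])}
    findings = {}
    for grant in export["assignments"]:
        perm = roles.get(grant["appRoleId"])  # None if the role is unknown
        if perm in risky:
            findings.setdefault(grant["principalDisplayName"], set()).add(perm)
    return {app: sorted(perms) for app, perms in findings.items()}

if __name__ == "__main__":
    for app, perms in risky_app_grants(SAMPLE).items():
        print(f"{app}: {', '.join(perms)}")
```

Each flagged app should map to a known owner and business need; grants that cannot be justified are candidates for removal or for scoping to specific mailboxes and sites.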