Intermediate

SaaS Security (M365 & Azure AD)

Microsoft 365 and Azure Active Directory (now Entra ID) are the backbone of many organizations: they hold the identities, mail and documents of the whole tenant. Compromising these services therefore often leads to full data exfiltration.

Reconnaissance & Enumeration

User Enumeration

Identifying valid email addresses is the first step. Enumeration tools leverage timing differences or the distinct error messages that Microsoft login endpoints return for existing versus non-existing accounts.

```bash
# Using O365Spray: validate candidate usernames for the target domain
python3 o365spray.py --validate --domain target.com --file users.txt

# Using TREVORspray: recon mode against the target domain
trevorspray --recon target.com
```

Azure AD Attacks

Password Spraying

Trying a single common password against many accounts, so that no individual account accumulates enough failed attempts to trigger a lockout.

Device Code Phishing

Tricking a user into completing a device code authentication flow that the attacker initiated; once the user approves it, the attacker's client receives the user's access token.

```powershell
# TokenTactics (PowerShell module): request a token for the Microsoft Graph client via the device code flow
Get-AzureToken -Client Graph
```
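As an added defender-side example (not from the original page and not part of O365Spray, TREVORspray or TokenTactics), the following Python scans constructed Entra ID sign-in records for the two patterns described above: one source IP failing against many distinct accounts (password spraying) and successful sign-ins completed through the device code flow. The field names, the meaning of error code 50126 and the `deviceCode` protocol value are assumptions modelled on the sign-in log schema.

```python
"""Flag password-spray sources and device-code sign-ins in sign-in log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are a simplified,
# assumed version of the Entra ID signIn schema; errorCode 50126 is assumed
# to mean "invalid username or password", errorCode 0 a successful sign-in.
SAMPLE_SIGNINS = [
    {"ts": f"2024-05-01T10:0{i}:00Z", "user": f"user{i}@target.com",
     "ip": "203.0.113.5", "errorCode": 50126, "protocol": "ropc"}
    for i in range(6)  # six different accounts, one password each, same IP
] + [
    {"ts": "2024-05-01T10:02:00Z", "user": "bob@target.com",
     "ip": "198.51.100.7", "errorCode": 50126, "protocol": "browser"},
    {"ts": "2024-05-01T11:00:00Z", "user": "carol@target.com",
     "ip": "192.0.2.9", "errorCode": 0, "protocol": "deviceCode"},
    {"ts": "2024-05-01T11:05:00Z", "user": "dave@target.com",
     "ip": "192.0.2.10", "errorCode": 0, "protocol": "browser"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window_minutes: int = 10, min_users: int = 5) -> dict:
    """Return {ip: distinct_users} for IPs whose failed logins (50126) hit at
    least min_users different accounts inside any window_minutes window.
    A spray looks like few failures per account but many accounts per source,
    which per-account lockout counters never see."""
    failures = defaultdict(list)
    for rec in records:
        if rec["errorCode"] == 50126:
            failures[rec["ip"]].append((parse_ts(rec["ts"]), rec["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = timedelta(minutes=window_minutes)
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def device_code_signins(records) -> list:
    """Successful sign-ins via the device code flow; rare for most users, so
    each one deserves a check that the user really initiated it."""
    return [r for r in records if r["protocol"] == "deviceCode" and r["errorCode"] == 0]
```

Thresholds are deliberately conservative; tune `window_minutes` and `min_users` against the tenant's normal failure rate before alerting on them.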

Conditional Access Bypass

Conditional Access Policies (CAPs) restrict access based on location, device, etc.

  • IPv6 Bypass: Some location-based policies only enumerate IPv4 ranges, leaving IPv6 sources unblocked.
  • User-Agent Spoofing: Some policies still allow legacy authentication clients (e.g., the "BAV2ROPC" user agent).
  • Device Compliance: If device registration is open, a personal (BYOD) device can be registered to satisfy a device-based policy.

Post-Exploitation

  • eDiscovery: Search all mailboxes and SharePoint files for sensitive keywords ("password", "secret").
  • Illicit Consent Grant: Create an OAuth application and trick users into granting it permissions to read their mail and files.