M365Pwned, a pair of WinForms GUI tools built to enumerate, search, and exfiltrate data from Microsoft 365 environments using application-level OAuth tokens without any user interaction, has been released publicly by a red teamer going by the handle OtterHacker. The toolkit, written entirely in PowerShell 5.1 and driven by the Microsoft Graph API, gives penetration testers and adversary simulation operators targeting enterprise M365 tenants a substantial post-compromise capability.

The two parts of the toolkit are SharePwned-GUI.ps1, which targets SharePoint and OneDrive, and MailPwned-GUI.ps1, which targets Exchange Online and Outlook. Both tools support three authentication methods: Client Secret, Certificate Thumbprint, and Raw Access Token (pass-the-token). They run under a registered Azure AD application with admin-consented application permissions.

Tool, target, and capability:
MailPwned-GUI.ps1: Exchange Online/Outlook. Browse mailboxes, run mail searches, download attachments, and send spoofed emails.
SharePwned-GUI.ps1: SharePoint/OneDrive. Search files, view and download documents, and browse sites and drives.

MailPwned offers a feature-rich WinForms interface for large-scale Exchange Online interaction. Once authenticated, operators can use User.Read.All to list every tenant mailbox, read complete HTML-rendered emails with inline image support (previews make no external requests), and run global keyword searches across all mailboxes. The toolkit natively supports CSV export, email composition for impersonation attacks, and bulk attachment downloads.

The tool works around a notable Graph API restriction: /v1.0/search/query with the message entityType does not support application permissions.

To address this, MailPwned first enumerates mailboxes per user and then performs scoped per-mailbox searches. This approach is practical and, when a UPN list is pre-loaded from OSINT, leaves a smaller audit footprint. The required permissions are Mail.Read and User.Read.All; Mail.ReadWrite is optional and is only needed for send and delete operations.

The author highlights several red team use cases, such as bulk attachment exfiltration, lateral phishing through thread hijacking, HR and investor intelligence gathering, and credential hunting (searching for terms like password, VPN, and secret). SharePwned mirrors MailPwned's approach for file storage. Operators can list every SharePoint site in a tenant, browse document libraries, and run full-text file searches using /v1.0/search/query with the driveItem entityType.

A fallback mode enables per-drive search when Sites.Read.All is unavailable, using Files.Read.All instead. The permissions involved are Sites.Read.All to list every SharePoint site and drive file, Files.Read.All to read and download files from any drive, and, optionally, User.Read.All to enumerate each user's OneDrive drives. The tool has extension-aware icons, a real-time color-coded API log panel for operational debugging, and inline text extraction in file previews. Using the Prefer: exchange.region= header, both tools offer a region selector for sovereign and GCC clouds across Europe, North America, Asia Pacific, and beyond, ensuring correct datacenter routing for non-default tenants.

From an OPSEC standpoint, all requests go straight to https://graph.microsoft.com, and access is recorded under the registered application's identity in Graph audit logs.

Security teams should monitor for unusual Mail.Read and Sites.Read.All application-level access, audit Azure AD application permissions, and review consent grants for non-user-interactive service principals. A CLI version of SharePwned by Ethical-Kaizoku is available separately on GitHub.
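The two defensive checks the paragraph above calls for, as an added example that is not part of the article or of the M365Pwned toolkit: one that lists which service principals hold the tenant-wide application roles the tools depend on (Mail.Read, Mail.ReadWrite, Sites.Read.All, Files.Read.All), and one that flags an app identity touching many distinct mailboxes in a short window, which is the trace that per-mailbox enumeration leaves even when each individual request is small. All records and role GUIDs below are constructed placeholders shaped like Graph's appRoleAssignments output and a simplified Exchange MailItemsAccessed audit record; they are assumptions, not values from the page.

```python
"""Defensive checks for application-only Microsoft Graph mail/file access.

Added example, not from the article or from the M365Pwned project.
All sample data is constructed; the GUIDs are placeholders in the shape
of Graph role ids, not real role ids.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the `appRoles` array of the Microsoft Graph
# service principal: role id -> permission name.
GRAPH_APP_ROLES = {
    "11111111-0000-0000-0000-000000000001": "Mail.Read",
    "11111111-0000-0000-0000-000000000002": "Mail.ReadWrite",
    "11111111-0000-0000-0000-000000000003": "User.Read.All",
    "11111111-0000-0000-0000-000000000004": "Sites.Read.All",
    "11111111-0000-0000-0000-000000000005": "Files.Read.All",
    "11111111-0000-0000-0000-000000000006": "Calendars.Read",
}

# Application permissions the article names as what the toolkit needs.
TENANT_WIDE_DATA_ROLES = {
    "Mail.Read", "Mail.ReadWrite", "Sites.Read.All", "Files.Read.All",
}

# Constructed appRoleAssignments records (shape follows Graph's
# servicePrincipals/{id}/appRoleAssignments output).
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "hr-sync-app", "appRoleId": "11111111-0000-0000-0000-000000000003"},
    {"principalDisplayName": "hr-sync-app", "appRoleId": "11111111-0000-0000-0000-000000000001"},
    {"principalDisplayName": "room-booking", "appRoleId": "11111111-0000-0000-0000-000000000006"},
    {"principalDisplayName": "backup-tool", "appRoleId": "11111111-0000-0000-0000-000000000004"},
    {"principalDisplayName": "backup-tool", "appRoleId": "11111111-0000-0000-0000-000000000005"},
]


def risky_app_permissions(assignments, app_roles=GRAPH_APP_ROLES):
    """Return {app name: sorted tenant-wide data roles} for every app holding at least one."""
    held = defaultdict(set)
    for a in assignments:
        name = app_roles.get(a["appRoleId"], a["appRoleId"])
        if name in TENANT_WIDE_DATA_ROLES:
            held[a["principalDisplayName"]].add(name)
    return {app: sorted(roles) for app, roles in held.items()}


# Constructed mailbox-access events; field names are a simplification of the
# Exchange MailItemsAccessed audit record (AppId, MailboxOwnerUPN, CreationTime).
SAMPLE_EVENTS = (
    # app-A sweeps six different mailboxes within a few seconds
    [{"AppId": "app-A", "MailboxOwnerUPN": f"user{i}@contoso.example",
      "CreationTime": f"2024-05-01T10:00:{i:02d}"} for i in range(6)]
    # app-B reads one mailbox twice (ordinary integration behaviour)
    + [{"AppId": "app-B", "MailboxOwnerUPN": "user1@contoso.example",
        "CreationTime": "2024-05-01T10:00:05"},
       {"AppId": "app-B", "MailboxOwnerUPN": "user1@contoso.example",
        "CreationTime": "2024-05-01T10:30:05"}]
    # app-C touches five mailboxes, but spread one per hour
    + [{"AppId": "app-C", "MailboxOwnerUPN": f"user{i}@contoso.example",
        "CreationTime": f"2024-05-01T{10 + i:02d}:00:00"} for i in range(5)]
)


def apps_spanning_mailboxes(events, window_minutes=10, threshold=5):
    """Return {AppId: max distinct mailboxes accessed inside any window} for
    apps whose count reaches `threshold`; a sliding window over sorted events."""
    window = timedelta(minutes=window_minutes)
    per_app = defaultdict(list)
    for e in events:
        per_app[e["AppId"]].append(
            (datetime.fromisoformat(e["CreationTime"]), e["MailboxOwnerUPN"]))
    flagged = {}
    for app, hits in per_app.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            boxes = {upn for t, upn in hits[i:] if t - start <= window}
            best = max(best, len(boxes))
        if best >= threshold:
            flagged[app] = best
    return flagged


if __name__ == "__main__":
    print("apps with tenant-wide data roles:", risky_app_permissions(SAMPLE_ASSIGNMENTS))
    print("apps sweeping mailboxes (10 min window):", apps_spanning_mailboxes(SAMPLE_EVENTS))
```

The window size decides what the second check catches: with the default ten-minute window only app-A is reported, while widening it to several hours also surfaces app-C's slow sweep. Tune the threshold against the baseline of legitimate integrations (backup, archiving, journaling apps) that genuinely read many mailboxes, and cross-reference any hit with the permission inventory from the first check.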