m365-entra-attack

Solid

Microsoft 365 / Entra ID red-team attack chain — current 2026 reality. AADSTS code reference, user enumeration vectors (with hardening status), Smart Lockout math, Conditional Access bypass options, ROPC + SAML SSO browser flow, Burp/Playwright templates. Built from authorized red-team work where ROPC spray surfaced pre-existing lockouts and CA-blocked credentials, plus real-time external attacker activity correlation. Use for any M365/Entra credential attack, password spray, user enumeration, CA-bypass exploration, or active-attacker-detection scenario.

Category: AI & Automation. 1,478 stars, 216 forks. Updated 5 days ago. License: NOASSERTION.



Skill Content

## When to use this skill

Trigger when:

- Target uses M365 / Entra ID (autodiscover.* records, login.microsoftonline.com redirects, "Microsoft Office 365" in tech-stack notes)
- You have a list of corporate emails or stealer-leaked creds
- Engagement involves "credential spray", "password spray", "Entra attack", "ATO via M365"
- You see `*.onmicrosoft.com`, `*-my.sharepoint.com`, `enterpriseregistration.*`, `enterpriseenrollment.*` in recon
- Client mentions "Conditional Access", "MFA bypass", "compliant device"

DO NOT use for:

- On-prem-only Active Directory (use a separate AD-attack skill)
- Service-to-service token attacks (different threat model)
- Phishing-required attack chains (covered by phishing skills) — but you can prep for the credential-validation step here

---

## Tenant discovery (msftrecon)

```bash
# For each owned domain
msftrecon -d client.example
msftrecon -d clientltd.example
msftrecon -d sister-brand-school.example
```

Key fields in output:

- **Tenant ID** (different domains may share OR have separate tenants — always test all owned domains)
- **Federation Information.Namespace Type** = `Managed` (cloud-only, ROPC works) | `Federated` (ADFS, different attack)
- **SharePoint Detected** (Yes = OneDrive enum vector available)
- **Communication Services Teams/Skype** (post-auth lateral targets)
- **Admin Consent Endpoint accessible** (consent-phishing surface)

**Red flag:** if the org has multiple Entra tenants for sister domains, each is a separate att...

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 3 weeks ago
Last Updated: 5 days ago
Language: Python
License: NOASSERTION

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

okta-attack

Okta-as-IdP red-team attack chain — tenant discovery, user enumeration (multiple vectors), authentication flow analysis (factors enumeration, push-notification fatigue, SMS bypass), password spray with lockout discipline, Okta-specific phishing primitives (kits, FastPass abuse, OIDC redirect_uri tampering), MFA enumeration, post-compromise admin API surface. Many enterprise orgs use Okta instead of (or alongside) Entra ID. Distinct endpoints, distinct rate-limiting, distinct factor flows. Use when recon shows `<tenant>.okta.com`, `<tenant>.okta-emea.com`, `<tenant>.oktapreview.com`, or autodiscover-style records pointing at Okta IdP.

1,478 stars. Updated 5 days ago. Author: elementalsouls.

AI & Automation Featured

active-directory-attacks

Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.

39,350 stars. Updated today. Author: sickn33.

AI & Automation Listed

active-directory-attacks

This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", ...

5 stars. Updated today. Author: rootcastleco.

DevOps & Infrastructure Solid

offensive-osint

Operational arsenal for authorized external red-team and bug-bounty recon. Concrete probes, wordlists, regexes, dorks, curl one-liners for: subdomain enum, GraphQL/Swagger/REST discovery, identity fabric (Entra/Okta/ADFS/Google/SAML/M365 deep — Teams/SharePoint/OneDrive), cloud bucket enum (S3/GCS/Azure), CDN/WAF bypass, origin discovery, vendor fingerprinting (Citrix/F5/Pulse/Fortinet/PaloAlto/Cisco/VMware), CI/CD exposure, 48-pattern secret-scan catalog (AWS/GCP/GitHub/Stripe/Slack/Anthropic/OpenAI/Atlassian/DataDog/npm/PyPI), Postman workspaces, breach correlation (HudsonRock/HIBP/DeHashed/IntelX), TLS/JA3 audit, certificate transparency, JS endpoint extraction, package registry leaks, mobile/APK recon, sat imagery, sector-specific recon (healthcare DICOM, finance SWIFT, ICS/SCADA Modbus/BACnet). Detail content in 15 modular reference files, loaded on demand. Use for any authorized recon: scoping, asset discovery, attack-path mapping, secret triage, severity scoring.

1,478 stars. Updated 5 days ago. Author: elementalsouls.

Testing & QA Listed

active-directory-attacks

Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.

0 stars. Updated today. Author: mytricker0.