OAuth Methods and Attack Simulations
Multiple scenarios exist in which attackers may execute post-exploitation activities against M365. To effectively simulate these different scenarios, msInvader leverages various OAuth flows to obtain tokens.
The Resource Owner Password Credentials (ROPC) flow allows msInvader to simulate scenarios where a user's credentials have been compromised through phishing or other methods. ROPC is not compatible with users who have Multi-Factor Authentication (MFA) enabled, so this flow applies specifically to scenarios without MFA protections.
msInvader utilizes the Device Authorization flow to simulate attacks targeting users with Multi-Factor Authentication (MFA) enabled, including scenarios like adversary-in-the-middle attacks or token theft. This flow is particularly effective in mimicking sophisticated attack techniques that bypass or exploit MFA protections.
msInvader leverages the Client Credentials flow to simulate scenarios where attackers have compromised application registration credentials within Entra ID that possess permissions over M365. This flow facilitates the emulation of attacks exploiting application-level access, demonstrating how attackers could leverage such credentials for malicious purposes within the environment.
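For defenders running these simulations, the sketch below groups sign-in records by the three flows described above so each simulated scenario can be matched to its log evidence. It is an added example, not part of msInvader; the record layout, the `authenticationProtocol` values, the `ServicePrincipalSignInLogs` category name and the `known_apps` allowlist are assumptions modelled on an Entra ID sign-in log export and should be checked against your own data.

```python
import json
from collections import defaultdict

# Constructed sample records, simplified from an Entra ID sign-in log export.
# Field names and values are assumptions; adjust them to your tenant's schema.
SAMPLE_LOG = """\
{"category": "SignInLogs", "properties": {"userPrincipalName": "alice@example.test", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.10"}}
{"category": "SignInLogs", "properties": {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"}}
{"category": "SignInLogs", "properties": {"userPrincipalName": "carol@example.test", "authenticationProtocol": "none", "ipAddress": "192.0.2.5"}}
{"category": "ServicePrincipalSignInLogs", "properties": {"servicePrincipalName": "backup-job", "ipAddress": "192.0.2.20"}}
{"category": "ServicePrincipalSignInLogs", "properties": {"servicePrincipalName": "reporting-app", "ipAddress": "192.0.2.44"}}
"""

FLOW_SCENARIOS = {
    "ropc": "ROPC: compromised user credentials, account without MFA",
    "deviceCode": "Device Authorization: MFA-enabled user, AiTM or token theft",
    "clientCredentials": "Client Credentials: compromised app registration credentials",
}

def classify(record):
    """Return the flow key for one sign-in record, or None if it is not of interest."""
    # App-only sign-ins are where client-credentials tokens show up.
    if record.get("category") == "ServicePrincipalSignInLogs":
        return "clientCredentials"
    proto = record.get("properties", {}).get("authenticationProtocol")
    return proto if proto in FLOW_SCENARIOS else None

def triage(lines, known_apps=frozenset()):
    """Group sign-ins by flow, skipping service principals on the allowlist."""
    findings = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        flow = classify(record)
        if flow is None:
            continue
        props = record.get("properties", {})
        principal = props.get("userPrincipalName") or props.get("servicePrincipalName")
        if flow == "clientCredentials" and principal in known_apps:
            continue
        findings[flow].append((principal, props.get("ipAddress")))
    return dict(findings)

if __name__ == "__main__":
    for flow, hits in triage(SAMPLE_LOG.splitlines(), known_apps={"backup-job"}).items():
        print(FLOW_SCENARIOS[flow])
        for principal, ip in hits:
            print(f"  {principal} from {ip}")
```

A simulation run that produces no finding under its corresponding flow key indicates a gap in log collection rather than a clean result.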