A red teamer operating under the handle OtterHacker has publicly released M365Pwned, a pair of WinForms GUI tools designed to enumerate, search, and exfiltrate data from Microsoft 365 environments using application-level OAuth tokens without requiring any user interaction.
Built entirely in PowerShell 5.1 and leveraging the Microsoft Graph API, the toolkit presents a significant post-compromise offensive capability for penetration testers and adversary simulation operators targeting enterprise M365 tenants.
The toolkit consists of two components — MailPwned-GUI.ps1, targeting Exchange Online and Outlook, and SharePwned-GUI.ps1, targeting SharePoint and OneDrive.
Both tools operate under a registered Azure AD application with admin-consented application permissions and support three authentication methods: Client Secret, Certificate Thumbprint, and Raw Access Token (pass-the-token).
| Tool | Target | Capability |
|---|---|---|
| MailPwned-GUI.ps1 | Exchange Online / Outlook | Browse mailboxes, search mail, download attachments, send impersonation emails |
| SharePwned-GUI.ps1 | SharePoint / OneDrive | Browse sites and drives, search files, preview and download documents |
MailPwned provides a full-featured WinForms interface for interacting with Exchange Online at scale. Once authenticated, operators can enumerate all tenant mailboxes using User.Read.All, perform global keyword searches across every mailbox, and read full HTML-rendered emails with inline image support; previewing content makes no external requests.
Bulk attachment downloads, email composition for impersonation attacks, and CSV export are all natively supported.
The tool works around a key Graph API limitation: /v1.0/search/query with message entityType does not support application permissions.
MailPwned addresses this by performing per-user mailbox enumeration followed by scoped per-mailbox searches, a technique that works in practice and that produces a lower audit footprint when a UPN list is pre-loaded from OSINT.
Key permissions required include Mail.Read, User.Read.All, and optionally Mail.ReadWrite for send and delete operations. Red team use cases highlighted by the author include credential hunting (searching for terms like password, VPN, secret), lateral phishing via thread hijacking, HR and investor intelligence gathering, and bulk attachment exfiltration.
M365Pwned – Red Team GUI Toolkit
SharePwned mirrors MailPwned’s approach for file storage environments. Operators can enumerate every SharePoint site across a tenant, browse document libraries, and conduct full-text file searches via /v1.0/search/query with the driveItem entityType. A fallback mode activates per-drive search when Sites.Read.All is unavailable, using Files.Read.All instead.
| Permission | Purpose |
|---|---|
| Sites.Read.All | Enumerate all SharePoint sites and drives |
| Files.Read.All | Read and download files from any drive |
| User.Read.All | Enumerate OneDrive drives per user (optional) |
File previews support inline text extraction, and the tool includes extension-aware icons and a real-time color-coded API log panel for operational debugging.
Both tools include region selector support for sovereign and GCC clouds across Europe, North America, Asia Pacific, and beyond, using the Prefer: exchange.region= header to ensure correct datacenter routing for non-default tenants.
From an OPSEC perspective, all requests route directly to https://graph.microsoft.com, and Graph audit logs will record access under the registered application’s identity. Security teams should audit Azure AD application permissions, monitor for anomalous Mail.Read or Sites.Read.All application-level access, and review consent grants for non-user-interactive service principals.
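One way to perform the permission audit described above, as an added example that is not part of M365Pwned or any project the article describes: it uses the Microsoft Graph PowerShell SDK to list every service principal holding the application-level Graph permissions the toolkit depends on, so unexpected holders can be reviewed. The list of permissions to watch is an assumption built from the names the article gives (Mail.Send is added because sending mail as another user requires it).

```powershell
# Added example (not M365Pwned code): inventory service principals that hold the
# application-level Graph permissions the toolkit relies on.
# Assumes the Microsoft.Graph SDK is installed and the caller can consent to Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Permissions named in the article, plus Mail.Send (assumed watch list, not from the article).
$watchRoles = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
                'User.Read.All', 'Sites.Read.All', 'Files.Read.All')

# Microsoft Graph's own resource service principal (well-known appId).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map appRoleId -> permission name using the app roles Graph exposes.
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id.ToString()] = $role.Value }

# Every application permission granted on the Graph resource, whoever holds it.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($g in $grants) {
    $perm = $roleNames[$g.AppRoleId.ToString()]
    if ($watchRoles -contains $perm) {
        [pscustomobject]@{
            Application = $g.PrincipalDisplayName
            PrincipalId = $g.PrincipalId
            Permission  = $perm
            GrantedOn   = $g.CreatedDateTime
        }
    }
}

# Apps holding several watched permissions at once match the toolkit's profile
# (mailbox read + user enumeration, or site + file read) and deserve a consent review.
$findings | Group-Object Application | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Application = $_.Name
        Permissions = ($_.Group.Permission | Sort-Object -Unique) -join ', '
        Count       = $_.Count
    }
} | Format-Table -AutoSize
```

Cross-check each listed application against the consent grants and the MailItemsAccessed and file-access audit records for that application's identity, since Graph attributes the toolkit's requests to the registered app rather than to a user.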
The CLI version of SharePwned, developed by Ethical-Kaizoku, is available separately on GitHub.