OffensiveVBA – Code Execution And AV Evasion Methods For Macros In Office Documents

In preparation for a VBS AV Evasion Stream/Video I was doing some research for Office Macro code execution methods and evasion techniques. The list got longer and longer and I found no central place for offensive VBA templates – so this repo can be used for such. It is very far away from being complete.Read More

365Inspect – A PowerShell Script That Automates The Security Assessment Of Microsoft Office 365 Environments

Further the state of O365 security by authoring a PowerShell script that automates the security assessment of Microsoft Office 365 environments. Setup 365Inspect requires the administrative PowerShell modules for Microsoft Online, Azure AD (We recommend installing the AzureADPreview module), Exchange administration, Microsoft Graph, Microsoft Intune, Microsoft Teams, and Sharepoint administration. The 365Inspect.ps1 PowerShell script willRead More

Msmailprobe – Office 365 And Exchange Enumeration

Office 365 and Exchange Enumeration It is widely known that OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks. This tool leverages all known, and even some lesser-known services exposed by default Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration. Getting Started If you want to download andRead More

Spray365 – Makes Spraying Microsoft Accounts (Office 365 / Azure AD) Easy Through Its Customizable Two-Step Password Spraying Approach

Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describe the spraying operation wellRead More

CVE-2021-40444 PoC – Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)

Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution) Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file) You need to install lcab first (sudo apt-get install lcab) Check REPRODUCE.md for manual reproduce steps If your generated cab is not working, try pointingRead More

DFIR-O365RC – PowerShell Module For Office 365 And Azure AD Log Collection

PowerShell module for Office 365 and Azure AD log collection Module description The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations. The logs are generated in JSON format and retrieved from two main data sources: Office 365 Unified AuditRead More

Doctrack – Tool To Manipulate And Insert Tracking Pixels Into Office Open XML Documents (Word, Excel)

Tool to manipulate and insert tracking pixels into Office Open XML documents. Features Insert tracking pixels into Office Open XML documents (Word and Excel) Inject template URL for remote template injection attack Inspect external target URLs and metadata Create Office Open XML documents (#TODO) Installation You will need to download .Net Core SDK for yourRead More

X