Microsoft 365
External Pentest Playbook
A step-by-step offensive security guide for defenders. Walk through every phase of the M365 attack chain to understand, test, and harden your tenant against real-world threats.
Attack Chain Phases
Reconnaissance
Enumerate the target tenant, discover domains, users, and M365 services exposed to the internet.
Initial Access
Social engineering, phishing campaigns, device code phishing, and authentication endpoint abuse.
Credential Attacks
Password spraying, brute forcing, token theft, and MFA bypass techniques against Entra ID.
Post-Auth Enumeration
Once authenticated, enumerate users, groups, roles, apps, conditional access policies, and configurations.
Privilege Escalation
Escalate from standard user to Global Admin via consent grants, app roles, PIM abuse, and misconfigurations.
Lateral Movement
Pivot across M365 services — SharePoint, Teams, Exchange, Azure — and cross-tenant boundaries.
Data Exfiltration
Discover sensitive data in mailboxes, SharePoint, OneDrive, and Teams, then demonstrate exfiltration paths.
Persistence & Impact
Establish persistent access via app registrations, federation trust, and inbox rules. Demonstrate business impact.
Defence Mapping
Map every attack technique to its defensive control. Checklists, detection rules, and hardening guidance.
How to Use This Guide
- Scope & authorise — Get written permission, define rules of engagement, and set up safe testing infrastructure.
- Follow the phases — Work through each phase sequentially. Use the interactive checklists to track progress.
- Run the commands — Code blocks can be copied to clipboard. Adapt parameters for your target environment.
- Document findings — Note every successful technique for your report. Screenshot evidence at each stage.
- Map defences — Use the Defence Mapping page to translate findings into actionable hardening recommendations.