cyberneticlibrary

Red-team Microsoft 365 Entra

m365-entra-attackskillsetup L21,791
elementalsouls/Claude-BugHunter
What it does

Tests Microsoft 365/Entra ID credential spraying, user enumeration, and Conditional Access (CA) bypass.

Best for

When testing M365 credential attacks under a locked-down attempt budget and AADSTS error codes need interpreting.

Inputs
  • email list
  • password list
  • tenant ID or domain
  • target AADSTS codes
Outputs
  • AADSTS code analysis
  • valid credentials (confirmed via 50076/53003/530003)
  • CA-bypass surface
  • lockout state
Requires
  • msftrecon
  • AADInternals
  • Burp Suite
  • Playwright for SAML flows
Preconditions

Tenant enumerated; Smart Lockout math verified (≤1-2 attempts per user); authorized engagement

Failure modes
  • Smart Lockout triggered (10+ failed in 10 min)
  • AADSTS50053 pre-existing (external attacker)
  • federated ADFS changes attack surface
  • MFA always required (legitimate defense)
Trust signals
  • AADSTS code reference table with lockout impact
  • Smart Lockout math with exponential backoff
  • authorized red-team engagement sourced