The Triforce of Initial Access

This post is hosted over at TrustedSec.com.

While Red Teamers love to discuss and almost poetically describe their C2 feature sets, EDR evasion capabilities, and fast weaponizing of N-day exploits, something that is rarely mentioned is good old loot.

Loot, or information in general, will almost always be the deciding factor in whether someone clicks your link, happily follows your instructions, or accepts their MFA pushover prompt. It is vital to the future success of the operation and, in turn, to reaching the goals designated by the client.

I frequently found myself willing to almost intentionally burn my initial access (or at the very least risk it) for the trade-off of gaining information. In my experience, with the correct information, getting back in is almost never an issue.

More often than not, I find myself targeting clients utilizing Entra ID (Azure AD) to manage users, services, and licenses. As a result, phishing Microsoft Office 365 accounts as a means of initial access has become very common. With each successful phishing campaign, I’m gaining access to a relatively flat stack of services, including Teams, Outlook, OneDrive, OneNote, and SharePoint. While this initial access might sound insignificant, these are all gold mines in terms of information. I cannot understate how absolutely amazing end-users are at storing sensitive information where they should not. Plaintext passwords? Throw them in Outlook notes, or maybe OneNote if there are too many. Passports, driver’s licenses, or marriage licenses? I better keep those in my OneDrive. "What was the password to that service again?" - asked by every colleague ever via Teams.