A C# implementation of TokenFinder. Enumerates M365 Desktop Office applications for plain text authentication tokens. Parses and prints out any interesting tokens that can be leveraged to compromise the user's M365 identity.
Run this as a reflective assembly or compile and run the executable. Ensure your payload architecture matches the process architecture for the apps that you are trying to mine.
I included a set of M365 app processes and interesting token audiences for the checks, but if you have any battle-tested insights about other M365 app processes/token audiences that are exploitable, feel free to open a PR!
- Attacking & Defending Azure & M365 - Xintra Training: https://training.xintra.org/view/courses/attacking-and-defending-azure-m365
- mrd0x original writeup: https://mrd0x.com/stealing-tokens-from-office-applications/
- TokenFinder: https://github.com/doredry/TokenFinder