SPECTER 360 takes a single email address and attacks the entire Microsoft 365 tenant behind it. SURVEY fingerprints any M365 tenant unauthenticated — tenant ID, exchange servers, SharePoint URL, and a spoofability score from DMARC/SPF/DKIM posture. ACQUIRE deploys RFC 8628 device code phishing that bypasses MFA. ADMIN-PIPELINE auto-discovers Global Admin accounts via GetCredentialType OSINT and delivers targeted lures. DOCSTRIKE weaponises Word documents with a Copilot worm — once Copilot reads the doc, it sends poisoned copies to every admin in the organisation. GHOST-HAND executes the entire attack through Microsoft Copilot's own native Graph API calls. The audit log shows only one actor: Microsoft Copilot. 276 tests. Zero failures.
CVE-2024-49035 CVSS 9.6 Copilot Studio Privesc arXiv:2406.00137 Copilot Prompt Injection GHOST-HAND — Zero Attribution
Unauthenticated tenant recon from one email address. Extracts tenant ID from OpenID configuration. GetCredentialType reveals federation state, MFA posture, desktop SSO. MX + Autodiscover confirms Exchange Online. DMARC/SPF/DKIM checked for email spoofability score 0–100.
RFC 8628 device code phishing — generates a user code and polls for token. Admin authenticates from their own trusted device, bypassing MFA and Conditional Access. Consent phishing URL builder with inflated scopes. Password spray (1 attempt/account to stay under Smart Lockout). Token refresh for persistence.
Generates 24 Global Admin email candidates from the domain (admin@, globaladmin@, ga@, sysadmin@ etc.), validates via GetCredentialType (IfExistsResult 1/5/6), launches targeted device code phishing at validated accounts. Auto-delivers lure emails via Graph. Stealth mode spreads timing over hours with jitter and UA rotation.
Enumerates all admin role assignments (Global/Exchange/SharePoint/Teams Administrator), checks PIM-eligible roles the current user can activate, identifies service principals with admin roles and exposed credentials, maps Conditional Access policy exclusions as bypass opportunities.
Injects Copilot hijack payloads into email chains (HTML comment, zero-width chars, white-on-white text). When Copilot summarises a poisoned thread the hidden instruction executes — creates calendar events, forwards credentials, drafts and sends emails. Calendar events also poisoned with Copilot meeting-prep hijack payloads.
Injects payloads into Word/Excel/PowerPoint XML internals. Deploys the Copilot worm — a recursive propagation payload embedded in documents. When Copilot reads any poisoned doc it sends copies to all admin-role users in the org and creates a calendar event with the payload. One infected doc, organisation-wide spread.
Extracts tenant-level Copilot system prompt via beta Graph API. Tests 5 safety bypass techniques (context interleave, roleplay, base64 wrap, authority spoof, chain-of-thought). CVE-2024-49035 CVSS 9.6 — Copilot Studio privilege escalation. Business Chat harvest: "find all emails/docs mentioning password/token/secret across the tenant."
Full Teams exploitation. Channel enumeration and message harvest with credential scanning. Injects lure messages into standard channels. Plants Copilot summary hijack payloads. Enumerates guest accounts with #EXT# pivot to external tenants. Maps cross-tenant federation partners. Admin token: tenant-wide app install.
Bulk Graph API exfiltration using batch requests to evade Defender throttle alerts. Emails, files, contacts, calendar events, Teams messages. 40+ credential regex patterns (OpenAI/Anthropic/AWS/GitHub/Slack/JWT/PEM). CA policy enumeration. Admin user directory. Credential scanner on email body and file content.
The holy grail of attribution masking. GHOST-HAND executes every objective exclusively through Microsoft Copilot's own native Graph API calls. No external tokens after the initial trigger is planted. No anomalous API calls from foreign IPs. No rogue OAuth apps in the audit log.
The audit log shows one actor: Microsoft.Copilot. The forensic trail reads as normal AI behaviour. When the incident response team investigates, they find no external attacker — just Copilot doing what it was designed to do, with catastrophic consequences.
GHOST-HAND plants a trigger document that appears as a legitimate IT policy update. When any user asks Copilot to summarise it, Copilot reads the embedded standing orders and executes: credential harvest, lateral email, persistent calendar trigger. The tenant-wide system prompt is optionally backdoored with standing orders that persist across every future Copilot session. Attribution score calculated 0.0–1.0.
Trigger planted in OneDrive System prompt backdoored Daily calendar persistence Audit actor: Microsoft.Copilot
| Reference | Score | Target | Description |
|---|---|---|---|
| CVE-2024-49035 | CVSS 9.6 | Copilot Studio | Privilege escalation — delegated user token gains Copilot Studio management API access |
| arXiv:2406.00137 | — | Copilot for M365 | Indirect prompt injection via Embrace/Ignore/Override techniques (Zenity Labs, March 2024) |
| Storm-2372 / Midnight Blizzard | — | Device Code Flow | RFC 8628 device code phishing used in nation-state M365 compromise campaigns |
| Gate | Level | Modules | Requirement |
|---|---|---|---|
| OPEN | 0 | SURVEY, ACQUIRE, ADMIN-PIPELINE | None — email address only |
| INJECT | 1 | ESCALATE, MAILPOISON, DOCSTRIKE, TEAMS-SIEGE, GRAPH-HARVEST | Valid access token |
| UNLEASHED | 2 | COPILOT-HIJACK, GHOST-HAND | Ed25519 key at ~/.specter/specter360_ed25519.pem |
| DESTROY | 3 | ANNIHILATE | Ed25519 key + ROE file "m365 destruction authorised" + --confirm-m365-destruction |
# Install pip install red-specter-specter-360 # Step 1 — Tenant recon from email only specter-360 --email ceo@corp.com # Step 2 — Discover admin accounts automatically specter-360 --email ceo@corp.com --find-admins # Step 3 — Launch device code phishing at admins (stealth mode) specter-360 --email ceo@corp.com --find-admins --stealth # Step 4 — Full attack chain with acquired token specter-360 --email ceo@corp.com --token <tok> --full # Step 5 — GHOST-HAND zero-attribution attack specter-360 --email ceo@corp.com --token <tok> --ghost-hand # Step 6 — Simulate annihilation (dry run) specter-360 --email ceo@corp.com --token <tok> --annihilate --simulate # Full autonomous chain specter-360 --email ceo@corp.com --find-admins --stealth --full --teams --ghost-hand