
This course teaches a practical methodology for identifying Microsoft 365 usage, gaining initial access, performing post-compromise reconnaissance, abusing OAuth and application trust, establishing persistence, escalating privileges, and harvesting high-value data from cloud-based collaboration and identity platforms.
Course Length: 8 Hours
Includes a Certificate of Completion
Next scheduled date:
Notify me when available
Description
Breaching M365 is an offensive security training course focused on attacking Microsoft 365 and Entra ID environments. This course teaches a practical methodology for identifying Microsoft 365 usage, gaining initial access, performing post-compromise reconnaissance, abusing OAuth and application trust, establishing persistence, escalating privileges, and harvesting high-value data from cloud-based collaboration and identity platforms.
Students will learn how modern attackers abuse identity, trust, and misconfiguration in Microsoft 365 rather than relying solely on traditional malware or internal network compromise. The course emphasizes realistic tradecraft, open-source tooling, and operator-focused techniques that can be applied during penetration tests, red team operations, and security assessments of Microsoft 365 tenants.
-
Student Requirements
- A credit card (You will be signing up for a Microsoft tenant. This service require a credit card for signing up.)
- Check that Microsoft Azure services are available in your country. (Note that if you cannot sign up for these services you will not be able to participate in the labs)
- Stable internet access
-
Software/Hardware Requirements
- x86 architecture CPU clocked at 2 GHz or higher that is capable of nested virtualization (Apple Silicon is currently not supported)
- A computer with at least 8 GB of RAM. 16 GB is recommended
- VMWare Workstation or VMWare Fusion (VirtualBox and other VM software is not supported)
- Windows 10/11, MacOSX+, or a currently supported Linux Distribution
- Full Administrator/root access to your computer or laptop
- System should also have at least 40GB of available disk space to accommodate a VM
FAQ
-
Identify Microsoft 365 and Entra ID usage from public-facing infrastructure
-
Perform unauthenticated and authenticated reconnaissance against Microsoft 365 tenants
-
Understand Microsoft 365 authentication models and how they influence attack paths
-
Gain initial access through password attacks, phishing, and device code abuse
-
Enumerate tenant users, groups, applications, policies, and trust relationships post-compromise
-
Understand OAuth, enterprise applications, and delegated versus application permissions
-
Establish persistence through OAuth app abuse and other Microsoft 365 persistence mechanisms
-
Abuse groups, guest collaboration, and trust relationships to expand access
-
Escalate privileges through app management, service principal abuse, and related attack paths
-
Use automated tools to identify tenant weaknesses and prioritize offensive opportunities
-
Harvest high-value data from Exchange Online, SharePoint, OneDrive,
Teams, and connected resources
About the Instructor
Beau Bullock
Bio
Beau Bullock is the Director of Emerging Threats and Advanced Testing at Black Hills Information Security (BHIS), where he leads research and offensive testing focused on cloud security, identity abuse, and emerging attack techniques. He has been with BHIS since 2014 and brings over a decade of hands-on experience in penetration testing and security research.
Beau is an active contributor to the information security community through open-source tooling, technical writing, conference talks, webcasts, and by teaching his course Breaching the Cloud, which focuses on real-world attack paths across modern cloud environments. His work emphasizes practical tradecraft, attacker mindset, and helping defenders understand how small misconfigurations lead to large-scale compromise. Beau also writes music to hack to under the name NOBANDWIDTH.
Register for Upcoming
Breaching M365
On-Demand Beau Bullock
Attention: This is not a phish!
Antisyphon Training accounts have moved to learning.antisyphontraining.com. Training purchases will now be directed to that site. You can trust us.
Related products
-
Faan RossouwLiveOD16 Hrs
Building a C2 Framework in Go
View Course -
Derek BanksLiveOD16 Hrs
Incident Response Foundations
View Course -
Kevin KlingbileLiveOD16 Hrs
Defending M365 & Azure
View Course This product has multiple variants. The options may be chosen on the product page -
Joff ThyerLiveOD16 Hrs
Introduction to Python
View Course

