post-exploiting-microsoft-graph-with-graphrunner

Fail

Audited by Snyk on Jun 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The URLs are legitimate (GitHub, Microsoft Graph, Black Hills InfoSec, Apache) and not obfuscated or using shorteners, but they point to a dual‑use PowerShell post‑exploitation tool (GraphRunner) and related repos that can be used to compromise M365 tenants — so they are safe as hosting sources but high‑risk to download/run without authorization or review.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This codebase is an explicit post-exploitation toolkit: it acquires/imports Microsoft Graph access tokens, enumerates tenant users/groups/grants, searches and downloads mail/SharePoint/Drive/Teams data (data exfiltration), and provides deliberate persistence/backdoor capabilities (injecting OAuth apps, creating hidden inbox forwarding rules, adding group members / cloning groups) — all clear indicators of intentional malicious/abusive functionality when used without authorized scope.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 25, 2026, 06:48 PM
Issues
3
Security Audit — snyk — post-exploiting-microsoft-graph-with-graphrunner