// reference investigation

hartmann-cloud-compromise — M365 OAuth consent abuse

Hartmann Logistics is a 180-person freight broker. An attacker sent a rogue OAuth consent link for TeamSync 365 to the COO; the app harvested 23 mailboxes and 320 SharePoint files before Defender flagged anomalous Graph API throughput. Fully synthetic.

what this proves

  • all eight cloud-account-compromise primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (32/32 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — export audit logs, never upload tenant data.
  • the OAuth consent grant, its overprivileged scopes, the MailItemsAccessed volume, the SharePoint file access, and the Defender alert all surface without any evidence leaving the browser.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer — no upload.


download the synthetic evidence

MIT-licensed, fully synthetic. includes the unified audit log, Entra sign-in + audit exports, OAuth grants, mailbox/SharePoint access csvs, and Defender alert json.

built deterministically from scripts/fixtures/build-hartmann-cloud-compromise.mjs. seed: hartmann-cloud-compromise:v1.

methodology

OAuth consent abuse is tenant-level account takeover: the foothold is a grant in the tenant, not a session on a device. pull the unified audit log (UAL) first, then Entra audit, OAuth grants, sign-ins, and Defender alerts. MFA on the grantor does not protect post-consent Graph access: the app presents the tokens issued to it under the grant, so containment means revoking the grant and those tokens, not only resetting the user. read the full cloud account compromise (M365 / Workspace) guide →
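the pull order above and the four detections listed under "what this proves" (consent grant, overprivileged scopes, MailItemsAccessed volume, SharePoint file access), as an added JavaScript example. this is not the page's fixture or any of the project's engine code. it assumes a Search-UnifiedAuditLog style export where each row carries AuditData as a JSON string, a simplified ConsentAction.Permissions value, and that the ClientId in the consent record equals the ClientAppId / ApplicationId in the Exchange and SharePoint records (in a real tenant the consent record names the service principal, which you resolve to an appId in Entra before joining). every row, GUID and UPN is constructed; HIGH_RISK_SCOPES and the function names are the example's own.

```javascript
// Added example (not code from this page or its engines): triage a Search-UnifiedAuditLog
// export for OAuth consent abuse in-process. Rows mimic the cmdlet output, AuditData being a
// JSON string per row. Field names follow the UAL schema; every value is constructed.

// Delegated scopes that let a third-party app read mail or files. Hypothetical watchlist.
const HIGH_RISK_SCOPES = new Set(["Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared",
  "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
  "offline_access"]); // refresh token: the app keeps access after the grantor signs out

// Constructed app ids. Assumption: the sample reuses one GUID as ClientId in the consent
// record and as ClientAppId / ApplicationId in the workload records. In a real tenant the
// consent record names the service principal; map it to the appId in Entra before joining.
const ROGUE_APP = "aaaaaaaa-0000-4000-8000-000000000001";   // "TeamSync 365"
const MAIL_CLIENT = "bbbbbbbb-0000-4000-8000-000000000002"; // the user's normal mail client

// ConsentAction.Permissions NewValue reads roughly
// "[] => [[Id: ..., ClientId: <guid>, ..., ConsentType: Principal, Scope: Mail.Read offline_access]]".
function parseConsentPermissions(newValue) {
  const client = /ClientId:\s*([0-9a-f-]+)/i.exec(newValue);
  const scope = /Scope:\s*([^\]]+)/.exec(newValue);
  return { clientId: client ? client[1] : null, scopes: scope ? scope[1].trim().split(/\s+/) : [] };
}

const parseRows = rows => rows.map(r => ({ when: r.CreationDate, data: JSON.parse(r.AuditData) }));

// Consent grants from the AzureActiveDirectory workload, with the scopes they carry.
function findConsentGrants(records) {
  return records.filter(r => r.data.Operation === "Consent to application.").map(r => {
    const props = r.data.ModifiedProperties || [];
    const perm = props.find(p => p.Name === "ConsentAction.Permissions");
    const admin = props.find(p => p.Name === "ConsentContext.IsAdminConsent");
    const { clientId, scopes } = perm ? parseConsentPermissions(perm.NewValue) : { clientId: null, scopes: [] };
    return { when: r.when, grantor: r.data.UserId, app: r.data.ObjectId, clientId, scopes,
      adminConsent: Boolean(admin && admin.NewValue === "True"),
      riskyScopes: scopes.filter(s => HIGH_RISK_SCOPES.has(s)) };
  });
}

// MailItemsAccessed per app: distinct mailboxes and item count. ClientAppId is the app that
// bound the mailbox, which is what separates the rogue app from the user's own client.
function countMailAccess(records) {
  const byApp = new Map();
  for (const r of records) {
    if (r.data.Operation !== "MailItemsAccessed") continue;
    const entry = byApp.get(r.data.ClientAppId) || { mailboxes: new Set(), items: 0 };
    entry.mailboxes.add(r.data.MailboxOwnerUPN);
    for (const f of r.data.Folders || []) entry.items += (f.FolderItems || []).length;
    byApp.set(r.data.ClientAppId, entry);
  }
  return byApp;
}

// SharePoint/OneDrive reads per app: distinct file URLs keyed by ApplicationId.
function countFileAccess(records) {
  const byApp = new Map();
  for (const r of records) {
    if (!["FileAccessed", "FileDownloaded"].includes(r.data.Operation)) continue;
    if (!byApp.has(r.data.ApplicationId)) byApp.set(r.data.ApplicationId, new Set());
    byApp.get(r.data.ApplicationId).add(r.data.ObjectId);
  }
  return byApp;
}

// Join each grant to what the app did afterwards. The grant, not the grantor's sign-in, is
// the pivot: the app presents its own tokens, so MFA on the grantor says nothing about this.
function triageConsentAbuse(rows) {
  const recs = parseRows(rows);
  const mail = countMailAccess(recs), files = countFileAccess(recs);
  return findConsentGrants(recs).map(g => ({ ...g,
    mailboxesRead: mail.get(g.clientId)?.mailboxes.size ?? 0,
    mailItemsRead: mail.get(g.clientId)?.items ?? 0,
    filesTouched: files.get(g.clientId)?.size ?? 0 }));
}

// Constructed UAL rows (not the page's fixture): one consent, three mail reads, two file reads.
const row = (CreationDate, data) => ({ CreationDate, AuditData: JSON.stringify(data) });
const mailRow = (when, app, upn, ids) => row(when, { Operation: "MailItemsAccessed", Workload: "Exchange",
  ClientAppId: app, MailboxOwnerUPN: upn, Folders: [{ FolderItems: ids.map(Id => ({ Id })) }] });
const fileRow = (when, app, url) => row(when, { Operation: "FileAccessed", Workload: "SharePoint",
  ApplicationId: app, ObjectId: url });
const SAMPLE_UAL = [
  row("2024-03-04T09:12:00Z", { Operation: "Consent to application.", Workload: "AzureActiveDirectory",
    UserId: "coo@hartmann.example", ObjectId: "TeamSync 365", ModifiedProperties: [
      { Name: "ConsentContext.IsAdminConsent", NewValue: "False" },
      { Name: "ConsentAction.Permissions", NewValue: `[] => [[Id: x, ClientId: ${ROGUE_APP}, ConsentType: ` +
        "Principal, Scope: Mail.Read Mail.Read.Shared Files.Read.All offline_access User.Read]]" }] }),
  mailRow("2024-03-04T09:40:00Z", ROGUE_APP, "coo@hartmann.example", ["m1", "m2"]),
  mailRow("2024-03-04T09:41:00Z", ROGUE_APP, "finance@hartmann.example", ["m3"]),
  mailRow("2024-03-04T09:45:00Z", MAIL_CLIENT, "coo@hartmann.example", ["m1"]),
  fileRow("2024-03-04T09:50:00Z", ROGUE_APP, "https://hartmann.example/sites/ops/rates.xlsx"),
  fileRow("2024-03-04T09:51:00Z", ROGUE_APP, "https://hartmann.example/sites/ops/carriers.docx"),
];

console.log(JSON.stringify(triageConsentAbuse(SAMPLE_UAL), null, 2));
```

run it with node; nothing leaves the process, so it keeps the same no-upload property the page insists on. the user's own mail client shows up in countMailAccess as a separate ClientAppId with one mailbox, which is the baseline you compare the rogue app's spread against; on a real export the mailbox count under the rogue app id is the "23 mailboxes" figure, and offline_access in riskyScopes is the reason the activity continues after the grantor's session ends.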

after the playbook

once the UAL, Entra, grant, and Defender outputs are saved locally, feed every csv/json to fatcousin-multi-tool-super-timeline-correlator. the consent grant, mailbox access, and file exfiltration then land on one tenant timeline, still with zero upload.

synthetic scenario only · no real tenant · no real victim company · grading rubric
