Unauthenticated Enumeration of All Microsoft Account Authentication Methods with CredSpy

CredSpy, an open‑source tool released by security researcher RedByte1337, leverages Microsoft’s public GetCredentialType API to enumerate, without any authentication, the full set of supported authentication methods for a given Microsoft 365 (Entra ID) account, aiding red‑team reconnaissance and defensive assessments.

Black & White Path

Tool Background

On July 1, 2026, security researcher RedByte1337 announced the open‑source tool CredSpy, created because no existing utility could enumerate Microsoft account authentication methods without authenticating.

“Couldn't find any tools that allowed unauthenticated enumeration of auth methods for Microsoft accounts, so I created it.”
CredSpy banner

Core Capabilities

CredSpy reports the following information for each queried account:

Password: traditional password authentication.

RemoteNGC (password‑less push): push‑notification login via the Microsoft Authenticator app.

FIDO2 / Passkeys: hardware‑ or platform‑based authentication such as Windows Hello or security keys.

Certificate Auth: client‑certificate authentication, typically used in enterprise environments.

Preferred authentication method: the default method the user's tenant selects.

FIDO key count: the number of registered FIDO keys returned in the AllowList (may include orphaned keys).

Example output:

[email protected] | Preferred: Fido (7) | Supported: Password, RemoteNGC (PushNotification), Fido (Count: 3)
[email protected] | IfExistsResult: NotExist (1)
[email protected] | Preferred: Password (1) | Supported: Password, RemoteNGC (PushNotification)
[email protected] | Preferred: RemoteNGC (2) | Supported: Password, RemoteNGC (PushNotification)
[email protected] | Preferred: Fido (7) | Supported: Password, Fido (Count: 5), Certificate
CredSpy terminal output

Technical Implementation

CredSpy follows a three‑step process:

Obtain session context (sCtx): capture a valid session token from the Microsoft OAuth authorization page.

Call the GetCredentialType API: send a POST request to login.microsoftonline.com/common/GetCredentialType with the target username. This is the same public endpoint the Microsoft login page invokes after the user enters their email.

Parse credential flags: decode the returned flags to identify supported methods, then print or export the results.

The entire workflow requires no credentials because it reuses the publicly exposed login API.

Security Assessment Value

Red‑Team Perspective

Knowing a target’s authentication methods enables precise phishing campaign design:

If the user relies on Passkeys/FIDO2, password‑based phishing is largely ineffective.

If RemoteNGC is used, attackers must craft push‑notification hijacking techniques.

Certificate authentication indicates a tightly controlled enterprise environment with stricter policies.

CredSpy therefore tells attackers “who to phish” and “how to phish”.

Defender Perspective

Defenders can use the tool for:

Self‑assessment: identify accounts still using weak password authentication.

Security evaluation: understand what information an attacker could gather.

User education: demonstrate which authentication methods provide stronger protection.
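As an added example (not part of CredSpy or the original article), the following Python parser reads result lines in the output format shown in the Core Capabilities section and implements the self‑assessment use case: it flags existing accounts that support no phishing‑resistant method (FIDO2/passkeys or certificate) and tallies how many still prefer the password. The sample lines and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the CredSpy output format shown above (placeholder addresses).
SAMPLE_OUTPUT = """\
alice@example.test | Preferred: Fido (7) | Supported: Password, RemoteNGC (PushNotification), Fido (Count: 3)
bob@example.test | IfExistsResult: NotExist (1)
carol@example.test | Preferred: Password (1) | Supported: Password, RemoteNGC (PushNotification)
dave@example.test | Preferred: RemoteNGC (2) | Supported: Password, RemoteNGC (PushNotification)
erin@example.test | Preferred: Fido (7) | Supported: Password, Fido (Count: 5), Certificate
"""
PHISHING_RESISTANT = {"Fido", "Certificate"}  # FIDO2/passkeys and client certificates

@dataclass
class AccountMethods:
    email: str
    exists: bool
    preferred: str = ""
    supported: list = field(default_factory=list)
    fido_count: int = 0

LINE_RE = re.compile(r"^(?P<email>\S+) \| (?P<rest>.*)$")
PREF_RE = re.compile(r"Preferred: (?P<name>\w+) \(\d+\)")
FIDO_RE = re.compile(r"Fido \(Count: (?P<n>\d+)\)")

def parse_line(line: str) -> "AccountMethods | None":
    m = LINE_RE.match(line.strip())
    if not m:                                  # blank or unrecognised line
        return None
    email, rest = m.group("email"), m.group("rest")
    if rest.startswith("IfExistsResult:"):     # account not found in the tenant
        return AccountMethods(email=email, exists=False)
    pref = PREF_RE.search(rest)
    supported_part = rest.split("Supported:", 1)[1] if "Supported:" in rest else ""
    # each comma-separated entry begins with the method name; qualifiers follow in parentheses
    supported = [s.strip().split(" ")[0] for s in supported_part.split(",") if s.strip()]
    fido = FIDO_RE.search(rest)
    return AccountMethods(email, True, pref.group("name") if pref else "",
                          supported, int(fido.group("n")) if fido else 0)

def parse_output(text: str) -> list:
    return [a for a in (parse_line(l) for l in text.splitlines()) if a]

def weak_accounts(accounts) -> list:
    # existing accounts with no phishing-resistant method registered at all
    return [a.email for a in accounts if a.exists and not (set(a.supported) & PHISHING_RESISTANT)]

def summarize(accounts) -> dict:
    existing = [a for a in accounts if a.exists]
    return {"total": len(accounts), "existing": len(existing),
            "password_preferred": sum(a.preferred == "Password" for a in existing),
            "phishing_resistant": len(existing) - len(weak_accounts(existing))}
```

Feed it the saved output of a bulk run (or the CSV export converted to this line format) to get a per‑tenant list of accounts to prioritise for passkey or certificate enrolment.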

Installation and Usage

Installation

Recommended via pipx:

# Install pipx if missing
apt install pipx
pipx ensurepath

# Install from PyPI (recommended)
pipx install credspy

# Or install directly from GitHub
pipx install git+https://github.com/RedByte1337/CredSpy.git

Alternatively, the tool can be run with a standard pip environment.

pip install .
# Or run without installing
pip install -r requirements.txt
python credspy.py ...

Basic Commands

# Single email
credspy [email protected]

# Bulk check (one email per line, # comments ignored)
credspy emails.txt

# Use a proxy (useful with MITM tools)
credspy emails.txt --proxy http://127.0.0.1:8080

# Export CSV
credspy emails.txt --csv results.csv

# Filtered outputs
credspy emails.txt \
  --save-existing existing.txt \
  --save-ngc ngc.txt \
  --save-password-preferred password-preferred.txt

Repository

Project URL: https://github.com/RedByte1337/CredSpy

Conclusion

CredSpy fills a gap in unauthenticated Microsoft account enumeration, allowing security researchers and red‑team operators to quickly map authentication method distribution without touching the target system—information crucial for crafting targeted phishing attacks. The tool is intended solely for authorized testing; unauthorized use is illegal.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
