Unauthenticated Enumeration of All Microsoft Account Authentication Methods with CredSpy
CredSpy, an open‑source tool released by security researcher RedByte1337, uses Microsoft's public GetCredentialType API to enumerate, without any authentication, the full set of authentication methods supported for a given Microsoft 365 (Entra ID) account. The output supports red‑team reconnaissance and defensive self‑assessment alike.
Tool Background
On July 1, 2026, security researcher RedByte1337 announced the open‑source tool CredSpy, created because no existing utility could enumerate Microsoft account authentication methods without authenticating.
“Couldn't find any tools that allowed unauthenticated enumeration of auth methods for Microsoft accounts, so I created it.”
Core Capabilities
CredSpy reports the following information for each queried account:
Password : traditional password authentication.
RemoteNGC (Password‑less Push) : push‑notification login via the Microsoft Authenticator app.
FIDO2 / Passkeys : hardware or platform‑based authentication such as Windows Hello or security keys.
Certificate Auth : client‑certificate authentication typically used in enterprise environments.
Preferred authentication method : the default method the user’s tenant selects.
FIDO key count : number of registered FIDO keys returned in the AllowList (may include orphaned keys).
Example output:
[email protected] | Preferred: Fido (7) | Supported: Password, RemoteNGC (PushNotification), Fido (Count: 3)
[email protected] | IfExistsResult: NotExist (1)
[email protected] | Preferred: Password (1) | Supported: Password, RemoteNGC (PushNotification)
[email protected] | Preferred: RemoteNGC (2) | Supported: Password, RemoteNGC (PushNotification)
[email protected] | Preferred: Fido (7) | Supported: Password, Fido (Count: 5), Certificate
Technical Implementation
CredSpy follows a three‑step process:
Obtain session context (sCtx) : request the Microsoft OAuth authorization page and extract the sCtx value it embeds; the login page passes this value along with every GetCredentialType call.
Call GetCredentialType API : send a POST request to login.microsoftonline.com/common/GetCredentialType carrying the target username and the captured sCtx. This is the same public endpoint the Microsoft login page invokes after the user enters their email.
Parse credential flags : decode the returned flags (IfExistsResult, the preferred credential code, the per‑method parameter blocks and the FIDO AllowList) to identify supported methods, then print or export the results.
The entire workflow requires no credentials because it reuses the publicly exposed login API. Because no sign‑in is ever attempted, these queries do not appear as failed sign‑ins in the tenant's logs, so defenders should not expect sign‑in telemetry alone to reveal this reconnaissance.
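The three steps above, as an added example in Python (this is not CredSpy's own code). It builds the POST body, parses a GetCredentialType response into the one‑line summary CredSpy prints, and reads the bulk‑check input format. The numeric codes (Password 1, RemoteNGC 2, Fido 7, IfExistsResult NotExist 1) are the ones shown in the article's output; the JSON field names (Credentials, PrefCredential, HasPassword, RemoteNgcParams, FidoParams.AllowList, CertAuthParams), IfExistsResult 0 meaning "exists", and the request body fields are assumptions modelled on the public login flow. The sample responses are constructed, and the live `fetch_credential_type` call is only included for completeness; everything else runs offline.

```python
"""Added example, not CredSpy's code: decode GetCredentialType into CredSpy-style lines."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

GET_CRED_TYPE_URL = "https://login.microsoftonline.com/common/GetCredentialType"

# Codes as shown in the article's output; anything else is reported raw.
PREF_CREDENTIAL = {1: "Password", 2: "RemoteNGC", 7: "Fido"}
# IfExistsResult: 1 = NotExist (from the article); 0 = Exists is an assumption.
IF_EXISTS = {0: "Exists", 1: "NotExist"}


def build_request_body(username: str, sctx: str) -> dict:
    """Step 2 body. Field names are assumptions modelled on the public login page;
    the sCtx captured in step 1 travels as originalRequest."""
    return {
        "username": username,
        "isOtherIdpSupported": True,
        "isRemoteNGCSupported": True,
        "isFidoSupported": True,
        "checkPhones": False,
        "originalRequest": sctx,
        "federationFlags": 0,
        "isSignup": False,
    }


def fetch_credential_type(username: str, sctx: str, proxy: Optional[str] = None) -> dict:
    """Live POST (network; not exercised offline). Optional proxy for MITM tooling."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(
        GET_CRED_TYPE_URL,
        data=json.dumps(build_request_body(username, sctx)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with opener.open(req, timeout=15) as resp:
        return json.load(resp)


@dataclass
class AuthMethods:
    username: str
    exists_code: int
    preferred_code: int = 0
    supported: list = field(default_factory=list)
    fido_count: int = 0

    @property
    def preferred(self) -> str:
        return PREF_CREDENTIAL.get(self.preferred_code, f"Unknown({self.preferred_code})")

    def line(self) -> str:
        """Render in the one-line format shown in the article."""
        if self.exists_code != 0:
            name = IF_EXISTS.get(self.exists_code, "Unknown")
            return f"{self.username} | IfExistsResult: {name} ({self.exists_code})"
        return (f"{self.username} | Preferred: {self.preferred} ({self.preferred_code})"
                f" | Supported: {', '.join(self.supported)}")


def parse_credential_type(username: str, resp: dict) -> AuthMethods:
    """Step 3: decode the flags. Names under 'Credentials' are assumptions."""
    result = AuthMethods(username=username, exists_code=resp.get("IfExistsResult", -1))
    creds = resp.get("Credentials") or {}
    result.preferred_code = creds.get("PrefCredential", 0)
    if creds.get("HasPassword"):
        result.supported.append("Password")
    if creds.get("RemoteNgcParams") is not None:
        result.supported.append("RemoteNGC (PushNotification)")
    fido = creds.get("FidoParams")
    if fido is not None:
        # One AllowList entry per registered key; orphaned keys are still counted.
        result.fido_count = len(fido.get("AllowList") or [])
        result.supported.append(f"Fido (Count: {result.fido_count})")
    if creds.get("CertAuthParams") is not None:
        result.supported.append("Certificate")
    return result


def load_targets(text: str) -> list:
    """Bulk-check input: one e-mail per line, blank lines and '#' comments ignored."""
    targets = []
    for raw in text.splitlines():
        cleaned = raw.split("#", 1)[0].strip()
        if cleaned:
            targets.append(cleaned)
    return targets


# Constructed sample responses (not captured from Microsoft).
SAMPLE_RESPONSES = {
    "alice@example.com": {"IfExistsResult": 0, "Credentials": {
        "PrefCredential": 7, "HasPassword": True,
        "RemoteNgcParams": {"SessionIdentifier": "constructed"},
        "FidoParams": {"AllowList": ["cred-1", "cred-2", "cred-3"]}}},
    "bob@example.com": {"IfExistsResult": 1},
    "carol@example.com": {"IfExistsResult": 0, "Credentials": {
        "PrefCredential": 1, "HasPassword": True, "CertAuthParams": {"CertAuthUrl": "constructed"}}},
}


def scan(responses: dict) -> list:
    return [parse_credential_type(u, r).line() for u, r in responses.items()]


if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_RESPONSES)))
```

Swapping `SAMPLE_RESPONSES` for `fetch_credential_type(user, sctx)` over `load_targets(open("emails.txt").read())` gives the live bulk check; the parser does not change.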
Security Assessment Value
Red‑Team Perspective
Knowing a target's authentication methods enables precise phishing campaign design:
If the user relies on Passkeys/FIDO2, password‑based phishing is largely ineffective. Note the caveat visible in the example output: an account can prefer Fido while still listing Password as supported, and such an account remains phishable through the password path unless tenant policy requires phishing‑resistant MFA.
If RemoteNGC is used, attackers must turn to push‑notification abuse rather than credential capture.
Certificate authentication indicates a tightly controlled enterprise environment with stricter policies.
CredSpy therefore tells attackers "who to phish" and "how to phish".
Defender Perspective
Defenders can use the tool for:
Self‑assessment : identify accounts still using weak password authentication.
Security evaluation : understand what information an attacker could gather.
User education : demonstrate which authentication methods provide stronger protection.
Installation and Usage
Installation
Recommended via pipx:
# Install pipx if missing
apt install pipx
pipx ensurepath
# Install from PyPI (recommended)
pipx install credspy
# Or install directly from GitHub
pipx install git+https://github.com/RedByte1337/CredSpy.git
Alternatively, the tool can be run with a standard pip environment.
pip install .
# Or run without installing
pip install -r requirements.txt
python credspy.py ...
Basic Commands
# Single email
credspy [email protected]
# Bulk check (one email per line, # comments ignored)
credspy emails.txt
# Use a proxy (useful with MITM tools)
credspy emails.txt --proxy http://127.0.0.1:8080
# Export CSV
credspy emails.txt --csv results.csv
# Filtered outputs
credspy emails.txt \
--save-existing existing.txt \
--save-ngc ngc.txt \
--save-password-preferred password-preferred.txt
Repository
Project URL: https://github.com/RedByte1337/CredSpy
Conclusion
CredSpy fills a gap in unauthenticated Microsoft account enumeration, allowing security researchers and red‑team operators to quickly map how authentication methods are distributed across a tenant without authenticating to it or triggering a sign‑in, information that is crucial for crafting targeted phishing attacks and equally useful for finding accounts that still fall back to passwords. The tool is intended solely for authorized testing; unauthorized use is illegal.