Customer insisted on sharing tens of GB of stuff as a sharepoint folder that they managed to share to an account attached to our 10-years-dormant MS organization.

After fighting with the MS organization thing and a million 2FA prompts for a while, the best that could be done was to get a browser view of the stuff. However it turns out that guessing the WebDAV URL, adding an rclone webdav config with vendor "other" and sticking the FedAuth cookie from the browser session in there was enough to grab the files.

Cookie theft is the best.