UhOh365 – O365 Enumeration


Email addresses are what malicious parties collect, because the more they have, the more targets they can phish. Having the ability to enumerate valid addresses without generating any logged authentication attempts would be a dream for them. Sure, they could use other OSINT techniques to harvest them, but guessing may be quicker and less work.

UhOh365 does just that.

git clone https://github.com/Raikia/UhOh365.git

Usage: [-h] [-v] [-t THREADS] [-o OUTPUT] file
Example: python uhoh365.py -v -o outputfile.txt emailaddresslist.txt

* The emailaddresslist.txt file contains the email addresses you wish to guess, one per line.

The reason this works is explained on the GitHub page and is as follows:

This is actually a very easy thing to do. It turns out the /autodiscover/autodiscover.json/v1.0/{EMAIL}?Protocol=Autodiscoverv1 API endpoint returns different status codes depending on whether an email exists in O365 or not. A 200 status code means it exists; a 302 means it doesn't exist.

[Screenshot: the response when the email does not exist]
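To show why a status-code discrepancy alone is enough to act as an oracle, here is an added example (not UhOh365's code and not Microsoft's endpoint): a local stand-in server that answers 200/302 the way the post describes, beside a hardened handler that answers identically for every address, and a client that reads the difference. The example.com addresses and the KNOWN directory are constructed.

```python
import http.client
import http.server
import threading

# Constructed sample directory standing in for a tenant's mailboxes.
KNOWN = {"alice@example.com", "bob@example.com"}
PATH = "/autodiscover/autodiscover.json/v1.0/{}?Protocol=Autodiscoverv1"


class OracleHandler(http.server.BaseHTTPRequestHandler):
    """Leaky: answers 200 when the address exists and 302 when it does not."""

    def do_GET(self):
        email = self.path.rsplit("/", 1)[-1].split("?", 1)[0]
        code = 200 if email in KNOWN else 302
        self.send_response(code)
        if code == 302:
            self.send_header("Location", "/login")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class UniformHandler(OracleHandler):
    """Hardened: identical status and headers whether or not the address exists."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


def classify(port, email):
    """Read the raw status code (http.client never follows redirects)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", PATH.format(email))
    status = conn.getresponse().status
    conn.close()
    return {200: "exists", 302: "absent"}.get(status, "unknown")


def probe(handler, emails):
    """Serve `handler` on a free local port, classify each address, shut down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {e: classify(srv.server_address[1], e) for e in emails}
    finally:
        srv.shutdown()
        srv.server_close()
```

Against OracleHandler the probe separates alice (exists) from nobody (absent); against UniformHandler every address classifies the same, which is the property a defender wants from any lookup endpoint.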

This isn't the first time error codes have been used against O365. Attackers are also targeting O365 accounts using basic authentication. Basic authentication is a legacy protocol that doesn't support conditional access.

Because of this, attackers can spam your tenant over IMAP or POP3 and never be prompted for MFA.

Application Author: Chris King – @raikiasec
