
SANS ISC: Enumerating office365 users SANS ISC InfoSec Forums

Enumerating office365 users

I found a pretty strange request in a university firewall being sent over and over:

Turns out this is a very cheap way to enumerate office365 users. If the X-BackEndHttpStatus header is set to 200 in the response, the user exists:

If this header is set to 302, the requested user does not exist.

This functionality is automated in the following script: https://github.com/Raikia/UhOh365.

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler

Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Hmm, just tried it via "wget -S" - I got back statuses of 200 for a valid email (mine) but also for an invalid user name (messed up my own name) with a valid domain. An invalid domain got 302. Tried another invalid user name (with "xxx" in it) and a valid domain and it began to redirect the request to other valid sub-domains of ours, using the same user name! It retried 10 different sub-domains.
Anonymous
