Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Enumerating office365 users

Published: 2019-12-27
Last Updated: 2019-12-27 19:19:55 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

I found a pretty strange request in a University Firewall being sent over and over:

Turns out this is a very cheap way to enumerate office365 users. If the X-BackEndHttpStatus header is set to 200 in the response, the user exist:

If this header is set to 302, the requested user does not exist.

This functionality is automated in the following script:

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler

e-mail: msantand at isc dot sans dot org

1 comment(s)
ISC Stormcast For Friday, December 27th 2019
Diary Archives