GitHub - Raikia/UhOh365: A script that can see if an email address is valid in O...
source link: https://github.com/Raikia/UhOh365
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
UhOh365
A script that can see if an email address is valid in Office365. This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.
Microsoft does not consider "email enumeration" a vulnerability, so this is taking advantage of a "feature". There are a couple other public Office365 email validation scripts out there, but they all (that I have seen) require at least 1 login attempt per user account. That is detectable and can be found as a light bruteforce attempt (1 "common" password across multiple accounts).
This script allows for email validation with zero login attempts and only uses Microsoft's built-in Autodiscover API so it is invisible to the person/company who owns the email address. Furthermore, this API call appears to be completely unthrottled and I was able to validate over 2,000 email addresses within 1 minute in my testing.
Usage
The script is actually really basic and easy to use. You make a file of the emails you want to see are valid or not and pass it as an argument to the script:
Usage: UhOh365.py [-h] [-v] [-t THREADS] [-o OUTPUT] file
positional arguments:
file Input file containing one email per line
optional arguments:
-h, --help show this help message and exit
-v, --verbose Display each result as valid/invalid. By default only displays valid
-t THREADS, --threads THREADS
Number of threads to run with. Default is 20
-o OUTPUT, --output OUTPUT
Output file for valid emails only
Explanation
This is actually a very easy thing to do. It turns out the /autodiscover/autodiscover.json/v1.0/{EMAIL}?Protocol=Autodiscoverv1
API endpoint returns different status codes for if an email exists in o365 or not. 200 status code means it exists, a 302 means it doesn't exist.
Notice this request takes zero authentication or identifying parameters and it does not cause a login attempt on the target account.
Author
Chris King
@raikiasec
Recommend
-
26
sift.email - check if an email address really exist - NEXT
-
35
author Dave Taht <[email protected]> 20...
-
16
Using Mailgun for a Free Custom Domain Email Address Updated on February 18, 2020 · Published on December 7, 20181,507 words · ~8 minutes to read Warning! This...
-
6
Why your company should have a single email address (guest post) Jul 4, 2011 My second (ever) guest post has been published today by Jaso...
-
6
Marketing 101- How to Actually Get Someone's Email Address Aug 4, 2002 Marketing 101: How to Actually Get Someone's Email Address Last updated: 8/7/2002; 8:50:48 AM
-
11
Tini - A tiny but valid init for containers Tini is the simplest init you could think of. All Tini does is spawn a single child (Tini is meant to be run in a container), and wait for it to exit all th...
-
1
Here is a Python script that does wake on lan (if your MAC address is01-23-45-67-89-0a Instantly share code, notes, and snippets.
-
8
In this article, we will discuss three different ways to check if a string is a valid IP Address in Python. Table of Contents Check If a String is a valid IP Address using Regex In Python, the regex mo...
-
8
Files Permalink Latest commit message Commit time
-
2
Python program to check if email address is valid or notSkip to content Python program to...
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK