This post was written by @nyxgeek
Microsoft recently fixed a beloved user enumeration vulnerability in Office 365 that I routinely used to gain valid credentials for the last couple of years (https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/).
Microsoft still hasn’t changed its official stance on user-enumeration-as-a-bug (they say it’s NOT a problem), and the company opted to fix this latest example quietly without any announcement. One day in mid-November 2019, the user-enumeration “feature” just stopped working.
There are some other options for doing user enumeration via Office 365, but in my experience, these have proven unreliable. While they may work at first, after repeated attempts, false positives show up.
Update: When I originally tested UhOh365, it suffered from a problem with false positives. Microsoft has since discovered a fix for the issue. I ran a 100,000-line user list through it and it worked great, with a 98% positive-identification rate of the 700~ valid accounts. Since it has the most complete coverage, the most reliable method is currently via UhOh365 (https://github.com/Raikia/UhOh365). While the OneDrive user enumeration trick won’t be your go-to for user-enumeration, it’s worth keeping in your back pocket, in case Microsoft ever devises a fix for the UhOh365 method.
What I describe below is a simple, largely passive method of performing user enumeration via OneDrive. There is a caveat—the user must have logged into OneDrive. While this may lead to some loss of coverage, there should be no false positives. Until a better method comes along, this is a solid method to validate usernames.
While using Office 365, I noticed that the OneDrive feature used a subdomain based off the Office 365 Tenant name, and a URL path that is distinct and predictable.
For example, let’s examine the OneDrive URL for a user with the email address of [email protected]
Breaking this down, we can see that it is made with the following variables. Note that any periods in the username or domain are replaced with underscores (_).
https:// + TENANT NAME + -my.sharepoint.com/personal/+ USERNAME + DOMAIN + /_layouts/15/onedrive.aspx
Using a simple Python script, or even a Bash script, it’s trivial to test for valid paths. If the user exists, it will return a 403 response code. If the user does not exist OR if they have never logged into OneDrive, then it will return a 404.
I have posted a script called onedrive_user_enum.py on
GitHub, available here:
Usage is as follows:
python onedrive_enum.py -d acmecomputercompany.com -U user_list.txt
If the domain name and Tenant ID are different, you can specify the tenant ID via the “-t” flag. Usernames should be sans domain, with only the first portion of the email address.
Below is an example of the output of the tool:
Obviously, the results will vary depending on how many users at the organization have accessed OneDrive. However, it is a reliable method of user enumeration, and should keep you off of the radar of defenders.