Offensive Security Tool: o365sprayer

Reading Time: 2 Minutes

Description

o365sprayer by securebinary, is a tool used to enumerate and spray passwords for Office 365 accounts on both Managed and Federated AD (Active Directory) services. It has the ability to distinguish managed O365 and Federated Microsoft Office 365 accounts for a target domain.

It can help during security assessments by testing Microsoft Office 365 environments for security vulnerabilities or misconfigurations.

Features

Here are some of the abilities you can do:

• Enumerates emails for valid O365 accounts
• Sprays passwords to check for valid credentials
• Provide custom delay between each request
• Provide number of attempts which triggers account lockout
• Provide cool down time for account lockout
• Provide maximum number of account lockouts to tolerate while spraying

The fact that you can customize the attack vectors such as the custom delay and so on, allows you to evade a lot of policies that are set when it’s performing the fuzzing and brute-forcing part which are designed to trigger account lockouts, bypassing them.

Installation

O365 Sprayer was built using go1.18.4. Make sure you use the latest version of Go to install successfully. Run the following command to install the latest version:

go install -v github.com/securebinary/o365sprayer@latest

Usage

This will display help for the CLI tool. Here are all the required arguments it supports.

Clone the repo from here: GitHub Link