• United States



Contributing Writer

How attackers identify your organization’s weakest links

Jul 31, 20194 mins
PhishingSecuritySocial Engineering

Understanding the techniques and tools attackers use in targeted phishing attacks.

business intelligence crowd binary virtual world
Credit: Getty Images

Attackers use a variety of techniques to infiltrate corporate networks, but one tried and true way it to find out who works for a company and then target phishing attacks to those employees.

Famed hacker Kevin Mitnick reportedly used a paperback edition of the who’s who in Washington business owners to gain more information on local businesses, but these days we all have access to a much better database that exposes much more information: LinkedIn. The social network is often the starting place for determining who is a good target in an organization as well as a source for usernames and email addresses. 

From LinkedIn scraping to Office 365 attacks

As noted in the OSINTframework, there are several tools used by attackers to scrape information from LinkedIn.  Scraping tools such as LinkedInt, ScrapeIn, and Inspy allow the attacker to enumerate email addresses from domains. 

Once the attacker has the email addresses of targeted users, there are a number of techniques attackers can use to infiltrate a network. 

One tool that specifically targets Office 365, office365userenum allows an attacker to  go through a list of possible usernames and then observes the response. Given that many usernames start with the email address, the would-be attacker can first determine email addresses from social locations, and then use those emails to see if there are valid user accounts.  Once the attacker finds valid usernames, he can enumerate a list of valid users who can then be targeted for more attacks.   The tool sends a command to the activesync service, which then responds back with codes that attackers can use to determine if the username exists or not.

The attackers can then directly attempt to brute force compromise the account by guessing the user’s password, or they can use the email address/username pairs in phishing attacks targeting known valid users.  The office365userenum tool exposes to the attacker which users have multifactor authentication enabled and which do not to better identify the weak links in the organization.  Shared mailboxes that are used for processes, and are less likely to be monitored by users, often do not have strong passwords  or have multifactor authentication, are often a weak link targeted for brute force attacks to guess passwords and gain access to the network.

Preventing Office 365 attacks

Microsoft has deemed that this user enumeration attack sequence is not a vulnerability but rather a feature of the activesync service.  Thus, there is no way to disable this service from responding. However, you can set alerts set so that you’ll know if a user has several failed logins in a short timeframe, a sign that attackers are surveying your network. 

Phishing attacks are so often used as a means to attack Office 365 accounts that consultants that control other customer accounts have been a key target in attacks.  Starting August 1st, Microsoft will mandate that partners and consultants that manage other customers’ accounts have multifactor authentication enabled.  If you work with a consultant who assists you in your Office 365 implementation, ensure that they are aware of these mandates and are doing all that they can to avoid being the entry way into your networks.  Ensure that they have disabled basic authentication as well.

If you happen to be attending the upcoming Black Hat Security conference in Las Vegas, be sure to check out the talk by Mark Morowczynski, principal program manager at Microsoft, and Trimarc CTO Sean Metcalf titled “Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD),” which will explore some of the most common attacks against the Microsoft cloud, including password spraying attacks, which have become so prevalent that even US Cert has identified it as a problem. 

Microsoft has a full detailed blog post about actions that can be taken to help protect you from password spraying techniques and there are other posts on the web with actions you can take, but it boils down to mandating multifactor authentication and changing your password policy and user education to avoid weak passwords that are easily guessed. 

Your users are indeed your weakest links. Take the time to review how your firm might be a juicy target for attack. 

Don’t forget to sign up for the IDG Tech Talk YouTube channel where you can see more videos of my Windows security tips.  I’ll be at The Experts Conference in Charleston South Carolina August 27th and 28th talking about Office 365 and the Windows update crisis.  Hope to see you there!

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author