Attackers use a variety of techniques to infiltrate corporate networks, but one tried and true way is to find out who works for a company and then target phishing attacks at those employees. Famed hacker Kevin Mitnick reportedly used a paperback edition of a who's who of Washington business owners to gather information on local businesses, but these days we all have access to a much better database that exposes far more information: LinkedIn. The social network is often the starting place for determining who is a good target in an organization, as well as a source of usernames and email addresses.

From LinkedIn scraping to Office 365 attacks

As noted in the OSINT Framework, there are several tools attackers use to scrape information from LinkedIn. Scraping tools such as LinkedInt, ScrapeIn, and Inspy allow an attacker to enumerate email addresses for a domain. Once the attacker has the email addresses of targeted users, there are a number of techniques that can be used to infiltrate a network. One tool that specifically targets Office 365, office365userenum, lets an attacker step through a list of possible usernames and observe the response to each.
Given that usernames often match the email address, a would-be attacker can first harvest email addresses from social sites and then use them to check for valid user accounts. Once the attacker finds valid usernames, he has a list of confirmed users who can be targeted in further attacks. The tool sends a request to the ActiveSync service, which responds with status codes that reveal whether or not the username exists. The attacker can then try to compromise the account directly by brute-forcing the user's password, or use the email address/username pairs in phishing attacks aimed at known valid users. The office365userenum tool also shows the attacker which users have multifactor authentication enabled and which do not, helping identify the weak links in the organization. Shared mailboxes that are used for automated processes, and so are less likely to be monitored by users, often lack strong passwords or multifactor authentication, and are a frequent target of brute-force attacks aimed at guessing a password and gaining access to the network.

Preventing Office 365 attacks

Microsoft has deemed this user enumeration sequence not a vulnerability but a feature of the ActiveSync service. Thus, there is no way to stop the service from responding.
However, you can set up alerts so that you'll know if a user has several failed logins in a short timeframe, a sign that attackers are surveying your network.

Phishing attacks are so often used as a means to attack Office 365 accounts that consultants who control other customers' accounts have become a key target. Starting August 1st, Microsoft will mandate that partners and consultants who manage other customers' accounts have multifactor authentication enabled. If you work with a consultant who assists you with your Office 365 implementation, ensure that they are aware of these mandates and are doing all they can to avoid being the entry point into your network. Ensure that they have disabled basic authentication as well.

If you happen to be attending the upcoming Black Hat security conference in Las Vegas, be sure to check out the talk by Mark Morowczynski, principal program manager at Microsoft, and Trimarc CTO Sean Metcalf, titled "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)," which will explore some of the most common attacks against the Microsoft cloud, including password spraying, which has become so prevalent that even US-CERT has flagged it as a problem. Microsoft has a detailed blog post on actions you can take to protect against password spraying, and there are other posts on the web with further steps, but it boils down to mandating multifactor authentication, changing your password policy, and educating users to avoid weak, easily guessed passwords.

Your users are indeed your weakest links. Take the time to review how your firm might be a juicy target for attack. Don't forget to sign up for the IDG Tech Talk YouTube channel, where you can see more videos of my Windows security tips.
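The two alerts recommended above, a burst of failed logins against one account and the many-users-few-attempts shape of a password spray, can be expressed as a small detection script. The example below is added here and is not code from the article, Microsoft, or any tool it names; the comma-separated sign-in records it reads are a constructed, simplified format, not the real Azure AD sign-in log schema, and the thresholds are illustrative values to tune for your own tenant.

```python
"""Flag failed-login bursts per user and password-spray sources per IP.

Assumptions (not from the article): the input is a constructed CSV-style
log of timestamp,user,source_ip,result lines; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: alice is hammered from one address
# (burst), while a second address tries six different users once each
# (spray). The last two lines are benign noise.
SAMPLE_LOG = """\
2019-07-20T08:00:01Z,alice@example.com,203.0.113.10,Failure
2019-07-20T08:00:05Z,alice@example.com,203.0.113.10,Failure
2019-07-20T08:00:09Z,alice@example.com,203.0.113.10,Failure
2019-07-20T08:00:14Z,alice@example.com,203.0.113.10,Failure
2019-07-20T08:00:20Z,alice@example.com,203.0.113.10,Failure
2019-07-20T08:05:00Z,bob@example.com,198.51.100.7,Failure
2019-07-20T08:05:02Z,carol@example.com,198.51.100.7,Failure
2019-07-20T08:05:04Z,dave@example.com,198.51.100.7,Failure
2019-07-20T08:05:06Z,erin@example.com,198.51.100.7,Failure
2019-07-20T08:05:08Z,frank@example.com,198.51.100.7,Failure
2019-07-20T08:05:10Z,grace@example.com,198.51.100.7,Failure
2019-07-20T09:00:00Z,bob@example.com,192.0.2.50,Success
2019-07-20T09:30:00Z,carol@example.com,192.0.2.51,Failure
"""


def parse_log(text):
    """Parse the constructed log format into a time-sorted list of events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),   # normalise so Alice@ and alice@ match
            "ip": ip,
            "failed": result == "Failure",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside any `window`.

    This is the per-account alert the article recommends: one account,
    many failures in a short time.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["failed"]:
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def password_spray_sources(events, min_users=5, window=timedelta(minutes=30)):
    """Source IPs whose failures touch at least `min_users` distinct accounts
    inside any `window`, mapped to the largest such user count.

    Password spraying stays under per-account lockout thresholds, so the
    per-user burst check above misses it; grouping by source IP and counting
    distinct targets catches the shape instead.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["failed"]:
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("password-spray sources:", password_spray_sources(evs))
```

Run against the sample, the burst detector reports only alice's account and the spray detector reports only 198.51.100.7, while carol's two scattered failures and bob's successful login stay quiet. In production the same two functions would be fed from your tenant's sign-in export rather than the inline string, and the source-IP grouping is where a spray becomes visible even though no single account ever crosses the lockout threshold.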
I'll be at The Experts Conference in Charleston, South Carolina, August 27th and 28th, talking about Office 365 and the Windows update crisis. Hope to see you there!