Msmailprobe – Office 365 And Exchange Enumeration

AVvXsEgoZDvj0NOmVaQ5TdYZbC3WFoUf 5ShW2imdIHfTr2O74ATloW9T7zrUdoR0 Da1ypV7AYi0eAzdOB30z9zvHwJIN4 umMYbZd2JQbqdeGa1uGVh8HUKfY DRmI4pg9hcPGRWYiIRl82y0phZ17q4CwO8j1ZxklANibPRrQeacSJ9gr0h6bD Tr5wXvwA=w640 h360

Office 365 and Exchange Enumeration

It is widely known that OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks. This tool leverages all known, and even some lesser-known services exposed by default Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.

Getting Started

If you want to download and compile the simple, non-dependant code, you must first install GoLang! I will let the incredible documentation, and other online resources help you with this task.

You may also download the compiled release here.


List examples of commands for this applications, but simply running the binary with the examples command:

./msmailprobe examples

You can also get more specific help by running the binary with the arguments you are interested in:

./msmailprobe identify
./msmailprobe userenum
./msmailprobe userenum --onprem
./msmailprobe userenum --o365


Identify Command

  • Used for gathering information about a host that may be pointed towards an Exchange or o365 tied domain
  • Queries for specific DNS records related to Office 365 integration
  • Attempts to extract internal domain name for onprem instance of Exchange
  • Identifies services vulnerable to time-based user enumeration for onprem Exchange
  • Lists password-sprayable services exposed for onprem Exchange host
Flag to use:
-t to specify target host

./msmailprobe identify -t

Userenum (o365) Command

  • Error-based user enumeration for Office 365 integrated email addresses
Flags to use:
-E for email list OR -e for single email address
-o [optional]to specify an out file for valid emails identified
--threads [optional] for setting amount of requests to be made concurrently

./msmailprobe userenum --o365 -E emailList.txt -o validemails.txt --threads 25
./msmailprobe userenum --o365 -e

Userenum (onprem) Command

  • Time-based user enumeration against multiple onprem Exchange services
Flags to use:
-t to specify target host
-U for user list OR -u for single username
-o [optional]to specify an out file for valid users identified
--threads [optional] for setting amount of requests to be made concurrently

./msmailprobe userenum --onprem -t -U userList.txt -o validusers.txt --threads 25
./msmailprobe userenum --onprem -t -u admin


  • poptartFor a truck load of golang assistance, poking of Exchange services, and help testing timing of responses
  • jlaroseParsing decimal data within NTLMSSP authentication reponse for internal domain name
  • Vincent YuiOffice 365 check python script
  • grimhackerDiscovery/disclosure of error-based user enumeration within Office 365 blog post
  • Nate PowerDiscovery and disclosure of OWA time-based user enumeration


This project is licensed under the MIT License – see the file for details

click here to read full Article

Read More on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *