Description

This is a simple Python script used to validate email accounts that belong to Office 365 tenants. This script takes either a single email address or a list of email addresses as input, sends a request to Office 365 without a password, and looksfor the the "IfExistsResult" parameter to be set to 0 for a valid account. Invalid accounts will return a 1.

Requirements

  • List of users
  • Domain

How to Use

1. Download the tool into your computer

  • git clone https://github.com/LMGsec/o365creeper.git

2. Display the help menu

  • python2.7 o365creeper.py -h

-e EMAIL, --email EMAIL

  • Single email address to validate.

-f FILE, --file FILE

  • List of email addresses to validate, one per line.

-o OUTPUT, --output OUTPUT

  • Output valid email addresses to the specified file.

Exploitation

1. testing a sing user

  • python2.7 o365creeper.py -e ceo@adpentesteracademy.onmicrosoft.com

VALID

INVALID

2. Enumerate using a file containing different emails

  • python2.7 o365creeper.py -f emails.txt

References

https://github.com/LMGsec/o365creeper