
Teams User Enumeration in 2024

We often have customers that require Red Teaming from a black-box perspective, where we are not provided with an e-mail list. A relevant username enumeration technique that can still be used in 2024 is Teams username enumeration. When relevant configurations are not in place, attackers are able to view and talk to your employees through Teams.


This post is to confirm the technique still works in 2024 and can be highly relevant in various scenarios:

  1. You have obtained a list of potential First name and Last name values from sources such as LinkedIn for the target company.

  2. You have a list of potential First name and Last name values from census research.


By utilizing this fast technique we are able to:

  1. Validate the existence of a user within an Office 365 tenant.

  2. Reveal information such as the Display Name of the user account.

    1. Sometimes data values such as the user's department may be included in the Display Name.


Technique Execution


To utilize the technique we had to create a new user account in the free, non-Office 365 version of Teams. Go to https://teams.microsoft.com and log in with a non-Office 365 account by creating a new account with outlook.com.


After logging in, the system redirects to https://teams.live.com - the non-Office 365 version of Teams.


By inserting an e-mail address into the "Search" bar, it is possible to reveal information about a potential target:

By inserting a non-existent user, we get a different response:

As such, we can automate the attack in Burp Suite to attempt a large list of users (>52000).


Example JSON output from a request:



We can see from the screenshot that various information is exposed such as the userPrincipalName which may be useful in other situations.


Conclusion

  • The Teams username enumeration technique is still relevant in 2024.

  • The interface provides a lot of interesting information that may be of use.
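The post does not name the "relevant configurations" mentioned in the introduction. The following added example (not part of the original post) assumes they are the tenant's Teams external-access settings for unmanaged (personal) Teams accounts, and audits them with the MicrosoftTeams PowerShell module; the "expected" values are this example's assumption of a hardened baseline.

```powershell
# Added example: audit the Teams external-access settings that govern contact
# from personal (teams.live.com) accounts. Requires the MicrosoftTeams module
# and a Teams administrator sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$cfg = Get-CsTenantFederationConfiguration

# Setting name -> value treated as hardened. Assumption of this example:
# the business does not need chat with unmanaged Teams accounts.
$expected = [ordered]@{
    AllowTeamsConsumer        = $false  # chat with unmanaged (personal) Teams accounts
    AllowTeamsConsumerInbound = $false  # unmanaged accounts may initiate contact
}

$findings = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Current  = $cfg.$name
        Expected = $expected[$name]
        Status   = if ($cfg.$name -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
    }
}
$findings | Format-Table -AutoSize

# Federation with other organisations is a separate exposure; report it so the
# reviewer can see whether it is open to every domain or only an allow list.
[pscustomobject]@{
    AllowFederatedUsers = $cfg.AllowFederatedUsers
    AllowedDomains      = ($cfg.AllowedDomains | Out-String).Trim()
    BlockedDomains      = ($cfg.BlockedDomains | Out-String).Trim()
} | Format-List

if ($findings.Status -contains 'REVIEW') {
    Write-Warning 'Unmanaged Teams accounts can reach this tenant. To restrict, after change approval:'
    Write-Warning 'Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false'
}
```

After changing the settings, repeat the search from a personal account as described under Technique Execution to confirm whether the lookup still returns the Display Name.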

