Office 365 User Enumeration Reloaded

Submitted by quentin on Tue, 02/18/2020 - 14:01

During a recent engagement, we tried to enumerate email accounts by abusing a previously reported user enumeration issue affecting Office 365, but found that it no longer works.

In the past, sending authentication requests to ActiveSync with the Basic HTTP authentication mechanism would return a different status code depending on whether the user existed: a 404 meant the user did not exist, a 401 meant the user existed. We don't know exactly when Microsoft released that specific update, but it now returns a 401 whether the user exists or not.

We therefore had to find another way. By looking at the HTTP responses from ActiveSync, we identified that they still leak information about the user's existence: whenever the HTTP response header X-MailboxGuid is set, the user exists.

We packed everything into a Python 3 script that reads usernames from a text file and outputs each user and its validity as CSV. You can find it at https://github.com/gremwell/o365enum. It also includes a user enumeration technique based on the Office.com login page.
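From the defender's side, the enumeration described above shows up as one source trying many distinct usernames against the ActiveSync endpoint in a short time, all answered with 401. The following is an added detection example, not code from this post or from the o365enum project; it assumes a constructed, hypothetical log format (timestamp, client IP, attempted username, request path, HTTP status) and flags sources that exceed a distinct-username threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not real Office 365 output):
# "<ISO timestamp> <client_ip> <username> <path> <status>"
SAMPLE_LOG = """\
2020-02-18T13:00:01Z 203.0.113.7 alice@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:02Z 203.0.113.7 bob@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:02Z 203.0.113.7 carol@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:03Z 203.0.113.7 dave@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:04Z 203.0.113.7 erin@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:05Z 203.0.113.7 frank@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:09Z 198.51.100.4 alice@example.com /Microsoft-Server-ActiveSync 401
2020-02-18T13:00:40Z 198.51.100.4 alice@example.com /Microsoft-Server-ActiveSync 200
2020-02-18T13:01:10Z 192.0.2.9 bob@example.com /owa/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m.group(2), "user": m.group(3).lower(),
            "path": m.group(4), "status": int(m.group(5))}

def detect_enumeration(log_text, window_seconds=60, min_distinct_users=5):
    """Return {client_ip: sorted usernames} for sources that sent rejected (401)
    ActiveSync requests for at least min_distinct_users distinct accounts
    within any window of window_seconds."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["status"] == 401 and e["path"].startswith("/Microsoft-Server-ActiveSync")]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start forward
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = sorted(set(flagged.get(ip, ())) | users)
    return flagged
```

Because the service now answers 401 for existing and non-existing accounts alike, the status code alone cannot distinguish probing from mistyped passwords; the distinct-username count per source is what separates enumeration from a single user's failed logins.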
