# Password Spraying O365

## Overview

The majority of companies use **Office 365** and **Outlook** with their **Active Directory** set up. If you find valid credentials for either of these there is a high chance that those credentials will also work with something like a VPN because all of the accounts are managed through **Active Directory.**

A great tool for password spraying **O365** is [TREVORspray](https://github.com/blacklanternsecurity/TREVORspray). Again, tools come and go so this isn't the only option.

## TREVORspray

Spray using a valid emails list and a single password and a delay of 15 seconds to avoid detection

```bash
trevorspray -u valid_emails.txt -p 'Welcome123' --delay 15
```

Doing the same thing except using AWS machines as a proxy and SSH

```bash
trevorspray -u valid_emails.txt -p 'Welcome123' --delay 5 --no-current-ip --ssh ubuntu@100.25.38.206 -k adot8.pem 
```

<figure><img src="/files/oJkia4uj58bzIpcf3fIe" alt=""><figcaption><p>From TCM Course</p></figcaption></figure>

Sometimes you may get this warning instead of a **SUCCESS** notification. This warning can be a successful login as well. Verify using the actual **O365** login panel.

<figure><img src="/files/vorM1TvcnRLRtORKPvl8" alt=""><figcaption><p>From TCM Course</p></figcaption></figure>

{% hint style="danger" %}
Identify the lockout policy before spraying so you don't lock everyone out of their accounts
{% endhint %}

{% hint style="success" %}
If a company has 5 passwords attempts as their policy, you can try 4 passwords and wait an hour until the next round
{% endhint %}

Once we get a foothold into an account digging through **Outlook, Onedrive, OneNote, Sharepoint and Teams**&#x20;

Don't spray against a VPN login portal because they have good detection systems in place.&#x20;

## AWS Proxy Setup

We can setup a free **AWS Cloud** account and create **Ubuntu machines** using the **EC2** service and the **Free Tier Eligible** option for everythin&#x67;**.**

Use the default credentials and create a new key pair.

To spin up more you can go to your **Instances Console -> Actions -> Image and Templates -> Launch more like this.** Tie it to the same key pair and launch that sucker.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pnpt.adot8.com/external-pentest-playbook/attacking-login-portals/password-spraying-o365.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.