Office365 Mailbox Pivot Attacks Using Burp Suite

Office365's "Open another mailbox" option is commonly used during post-exploitation to test which other mailboxes a compromised account can pivot to. One way to automate this check is with Burp Suite, and I've documented the steps below. This method can be preferable to MailSniper when MFA has been bypassed through the phone-call MFA option. Before performing these steps, you'll probably want to scrape the GAL so that you have a list of addresses to test.


1. In Burp Suite, turn off Intercept and then choose Proxy>Intercept>Open Browser

2. Use the resulting browser to log into the source Office365 email account

3. In Burp Suite, add the following interception rule so that only the one request you need is captured: Proxy>Options>Intercept Client Requests>Add

Boolean operator: And

Match type: Any header

Match relationship: Matches

Match condition: startupdata

4. Turn on Intercept

5. In the browser: Click the user's avatar, click "Open another mailbox", type in an email address and click Open

6. In Proxy>Intercept, you should now see a POST which begins like this:

POST /owa/newvictim@example.com/startupdata.ashx?app=Mail&n=0 HTTP/2
Host: outlook.office.com

7. Send the POST request to Intruder

8. Navigate to the relevant Intruder tab and set the payload position on the email address in the request path (the "newvictim@example.com" part above)

9. Proceed to the payloads tab and provide the usernames/emails

10. Proceed to the Options tab and add the following three entries under "Grep - Match":

HTTP/2 200 OK
HTTP/2 302 Found
HTTP/2 500 Internal Server Error

11. Uncheck "Exclude HTTP Headers" under "Grep - Match" so that you can grep the headers

12. Run the attack


The HTTP 200 and 302 responses correspond to mailboxes that the compromised account has access to.
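As an added example from the detection side (not part of the original post), here is a Python heuristic that flags the pattern this procedure produces in a log of "Open another mailbox" attempts: one actor trying many distinct mailboxes within a short window with a high share of failures, which is what an Intruder run over a scraped GAL looks like from the server side. The record shape (timestamp, actor, target mailbox, outcome), the thresholds and all sample values are constructed for illustration and do not reflect the real Office 365 audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # burst length to examine (assumed threshold)
MIN_DISTINCT_TARGETS = 5            # distinct mailboxes tried inside one window
MIN_FAILURE_RATIO = 0.5             # share of failed opens; legitimate delegates rarely fail

# Constructed sample attempts as (timestamp, actor, target mailbox, outcome).
# Simplified shape for illustration only, not the real Office 365 audit log schema.
SAMPLE_EVENTS = [
    ("2022-01-23T09:58:00", "alice@example.com",   "shared-hr@example.com", "success"),
    ("2022-01-23T10:00:00", "mallory@example.com", "bob@example.com",       "failure"),
    ("2022-01-23T10:00:01", "mallory@example.com", "carol@example.com",     "failure"),
    ("2022-01-23T10:00:02", "mallory@example.com", "dave@example.com",      "success"),
    ("2022-01-23T10:00:03", "mallory@example.com", "erin@example.com",      "failure"),
    ("2022-01-23T10:00:04", "mallory@example.com", "frank@example.com",     "failure"),
    ("2022-01-23T10:00:05", "mallory@example.com", "grace@example.com",     "failure"),
    ("2022-01-23T10:00:06", "mallory@example.com", "heidi@example.com",     "success"),
    ("2022-01-23T11:30:00", "alice@example.com",   "shared-hr@example.com", "success"),
]


def find_enumerators(events, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS,
                     min_fail=MIN_FAILURE_RATIO):
    """Return {actor: (distinct_targets, failure_ratio, mailboxes_opened)} for each
    actor whose attempts inside some sliding window look like mailbox enumeration."""
    by_actor = defaultdict(list)
    for ts, actor, target, outcome in sorted(events):   # ISO timestamps sort as text
        by_actor[actor].append((datetime.fromisoformat(ts), target, outcome))

    flagged = {}
    for actor, attempts in by_actor.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the burst fits inside WINDOW
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            targets = {t for _, t, _ in burst}
            failures = sum(1 for _, _, o in burst if o != "success")
            ratio = failures / len(burst)
            if len(targets) >= min_targets and ratio >= min_fail:
                # keep the widest burst seen; the successes are the mailboxes the
                # compromised account could actually reach, which IR needs to scope
                if actor not in flagged or len(targets) > flagged[actor][0]:
                    opened = sorted({t for _, t, o in burst if o == "success"})
                    flagged[actor] = (len(targets), round(ratio, 2), opened)
    return flagged
```

The successes recorded for a flagged actor are the same set the 200/302 grep matches would reveal to the attacker, so they double as the scope of mailboxes to review during response.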


Updated 1/23/2022 with clarifications and tweaks
