Scrape Office365 GAL Using Burp Suite

 

An important part of post-exploitation for Office365 email accounts is scraping the Global Address List (GAL) to discover new attack targets. One way to do this is to use Burp Suite's logging feature and then parse the log file. This method can sometimes be preferable to MailSniper when bypassing MFA through the phone call MFA option. Here are instructions for using this methodology.

1. In Burp Suite, go to Proxy > Intercept > Open Browser
2. Use the resulting browser to log into the Office365 email account
3. Click on the People icon or use the following URL: https://outlook.office.com/people/
4. Now turn on logging: Project options > Misc > Logging > Proxy > Responses (choose a filename)
5. Click on the directory you want to scrape (All Users, Default Global Address List, etc.)
6. Scroll through all the entries with page-down, so that every entry passes through the proxy and ends up in the log
7. Parse the log file for email addresses. Example:

grep -oE '[[:alnum:]+._-]+@[[:alnum:]._-]+' proxy-log.txt | sort -f | uniq -i > scrape.txt

Don't forget to remove email addresses which are out of scope, if needed:

grep -i '[@.]example\.com$' scrape.txt > in-scope.txt
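
The extraction and the scope check can also be done in one pass, so that out-of-scope addresses never reach the output file. The following is an added example, not part of the original post; the function name filter_in_scope, the scope file (one in-scope domain per line, # for comments) and the sample data are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# filter_in_scope LOG SCOPE
# Prints the unique, lower-cased addresses found in LOG whose domain is
# listed in SCOPE. (Hypothetical helper, not from the original post.)
filter_in_scope() {
    log=$1 scope=$2
    # -a: treat the log as text even if logged responses contain binary bytes.
    # The domain part must contain at least one dot, so a bare "@" or
    # "user@host" fragment is not reported as an address.
    grep -aoE '[[:alnum:]_+.-]+@[[:alnum:]-]+(\.[[:alnum:]-]+)+' "$log" |
        tr '[:upper:]' '[:lower:]' |
        sort -u |
        awk -v scope="$scope" '
            BEGIN {
                # Load the scope list, ignoring blanks, comments and CRLF.
                while ((getline d < scope) > 0) {
                    sub(/\r$/, "", d); d = tolower(d)
                    if (d != "" && d !~ /^#/) ok[d] = 1
                }
            }
            {
                dom = substr($0, index($0, "@") + 1)
                # Exact domain match only: subdomains must be listed
                # explicitly in the scope file to be kept.
                if (dom in ok) print
            }'
}

# Constructed sample data (not real addresses and not a real Burp log).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '{"EmailAddress":"Alice@Example.com"},{"EmailAddress":"alice@example.com"}' \
        '{"EmailAddress":"bob@partner.example.net"} <img src="logo@2x.png">' \
        > "$tmp/proxy-log.txt"
    printf '%s\n' '# engagement scope' 'example.com' > "$tmp/scope.txt"
    filter_in_scope "$tmp/proxy-log.txt" "$tmp/scope.txt"
    rm -rf "$tmp"
}
demo
```

In the sample, the partner-domain address and the image filename that merely looks like an address are both dropped, and the two case variants collapse to one entry.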

