Running your first Simulated Office 365 Attack: Brute Force Password (Dictionary Attack)

In the last post, we looked at executing your first simulated attack by using the “Spear Fishing” attach that harvests credentials from a custom Office 365 login page.

https://www.helloitsliam.com/2018/05/14/running-your-first-simulated-office-365-attack-spear-phishing/

For this post we will look at running a “Brute Force Password (Dictionary Attack)” as the simulated attack. Once again to start this, access the “Security and Compliance” center with your Office 365 Tenant, then expand “Threat Management” and choose “Attack simulator”.

From the options, choose the attack “Brute Force Password” and press the “Launch Attack” button to begin the wizard.

Name the new campaign as “Brute Force Password Attack” and then press “Next”.

Select the target users, by choosing specific user accounts or groups.

Once you have selected the users or groups, press “Next” then set the password properties as needed.

Either a single password can be entered, which can be useful for checking single passwords. A file can also be uploaded, that contains multiple passwords, allowing for iteration of the password list against the selected accounts. You can download some password files from here:

https://github.com/danielmiessler/SecLists/tree/master/Passwords

Choose any of the password lists you want to use, download them and then choose file upload to add the file you need. This attack does not send an email to the end user, it simply tries to access the account, using the list of passwords that is supplied. Once the attack is complete, the status is updated, and a “View Report” link is then available.

Clicking this link then displays the number of accounts with passwords that matched any of the values within the password file used within the attack.

You can also see a short report by clicking the “Attack Details” link, within the specific attack displayed on the “Attack Simulator” page.

This attack is really for Security and IT to get the current state of passwords across the organization, allowing either training or new policies to be defined.

Liam Cleary

I began my career as a Trainer of all things computer related. However, I very quickly realized that programming, breaking, and hacking was a lot more fun. I then spent the next few years working on core infrastructure and security services, until I found SharePoint. I am now the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. My role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. I am also an eleven-time Microsoft MVP focusing on Architecture but also cross the boundary into Development. My specialty over the past few years has been security in SharePoint and its surrounding platforms. I can also be found at user groups or conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet or building Lego robots.

You may also like...