____| \ \ / ___| ___| |
__| \ \ \ / \___ \ | __| _` | __| | /
| \ \ \ / | | | ( | ( <
_____| \_/\_/ _____/ \____| _| \__,_| \___| _|\_\
EWS stands for Exchange Web Services. This is a SOAP based protocol used for free/busy scheduling, and leveraged by third party clients. It allows a user to read email, send email, test credentials.
Unfortunately, EWS only supports Basic Authentication. If you have multi-factor authentication through a third party provider, such as Ping, Duo or Okta, EWS can be used to bypass MFA. It can also be used to bypass MDM solutions.
This was documented by the fine folks at Black Hills InfoSec as well as by Duo over a year ago.
Microsoft's official response is to use Microsoft provided MFA, which produce an application specific password. This leaves an enourmous amount of O365 customers in a difficult state. Most customers seem unaware of this issue or choose to ignore it.
Other fun facts about EWS:
- Logging is not 100%. It may log failed attempts in your audit logs, it may not.
- It helpfully provides user enumeration. If a user doesn't exist, a different error is returned.
ews-crack.py --mode single --username jsmith --domain contoso.com --password mypassword
ews-crack.py --mode creds --file user-passwords.txt --domain contoso.com
python ews-crack.py --mode spray --filename users.txt --domain contoso.com --password Winter2018!