In December, our client, a medium-sized organization with over 1,000 employees and roughly 200 externally routable IPv4 addresses, asked the LIFARS Pen Testing Team to perform an external black box penetration test of its network as part of a due diligence exercise. The client understands the risks it faces every day and the importance of meeting compliance standards, which is why it requested this assessment.
The intent of the assessment was to identify weaknesses in the company's internet-facing infrastructure and to detail how those weaknesses could impact the organization.
The team used Outlook Web Application (OWA) and Office 365 (O365) as the main targets for user enumeration and password spraying. The emphasis was on the weak integration of security measures between OWA and O365, that is, on gaps where a control enforced by one service is not enforced by the other. The testing was performed black box, as an unauthenticated user against both OWA and O365, and was conducted in a manner that simulated a malicious actor engaged in a targeted attack against the company's external, internet-facing network. The effort assessed the actual state of the systems examined; the client provided no documentation beforehand.