Using Responder on Mac Os to MITM Outlook Office 365 credentials

Adam Toscher
2 min readApr 22, 2019

In this article we’ll discuss how to get clear text credentials from Outlook 2016 using Responder on Mac OS High Sierra. From password spraying SSO endpoints, to abusing Azure programs and Office applications — Office 365 and Microsoft Communication products are often the target of credential theft.

As shown below by @_dirk-jan ; there are new attack vectors that can leverage both old and new insecurities within the Microsoft, Azure and Office 365 environments and products.

As Mac OS, iOS and Microsoft platforms collide in the cloud space, I think we’ll see more, cross platform abuse, and sophisticated exploits that can target multiple Operating Systems — Payloads that can target internal, hybrid and office solutions. New techniques tools and procedures, will be necessary given the necessity of most infrastructure’s relying on cloud and hybrid environments spread across a fragmented, non homogeneous client landscape that includes more Mac OS, and Android.

Responder and Mac OS?

I thought I’d share something basic I’ve been experimenting with recently. In this example, the user has to click through some warning prompts.

Ever been on a plane and forget to turn off Outlook? Many captive portals, proxies, and atypical internet connections can produce the same prompt

This is arguably common place in some environments and inconvenient, but not necessarily perceived as nefarious activity by end users.

If the user accepts the warning, and types their password — at the end you’re left with working credentials that can be used to gain a foothold within Office365. After restarting the application, Outlook works as intended.



Adam Toscher

Adam is a offensive security engineer and red team operator with over 20 years of experience in IT