
EWS Cracker

  ____|  \ \        /    ___|        ___|                         |    
  __|     \ \  \   /   \___ \       |        __|    _` |    __|   |  / 
  |        \ \  \ /          |      |       |      (   |   (        <  
 _____|     \_/\_/     _____/      \____|  _|     \__,_|  \___|  _|\_\ 

What's EWS?

EWS stands for Exchange Web Services. This is a SOAP-based protocol used for free/busy scheduling and leveraged by third-party clients. It allows a user to read email, send email, and test credentials.

Unfortunately, EWS only supports Basic Authentication. If you have multi-factor authentication through a third-party provider, such as Ping, Duo or Okta, EWS can be used to bypass MFA. It can also be used to bypass MDM solutions.

This was documented by the fine folks at Black Hills InfoSec as well as by Duo over a year ago.

Microsoft's official response is to use Microsoft-provided MFA, which produces an application-specific password. This leaves an enormous number of O365 customers in a difficult state. Most customers seem unaware of this issue or choose to ignore it.

Other fun facts about EWS:

  • Logging is not 100%. It may log failed attempts in your audit logs, or it may not.
  • It helpfully provides user enumeration: if a user doesn't exist, a different error is returned.

Update as of July 2018

Microsoft now supports conditional access with legacy auth flows.

Turn on Modern Authentication:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

This will break legacy clients, but it's a must. Make sure you also watch out for POP3, ActiveSync and other methods of brute forcing your O365 environment.


You'll need the Python and Kerberos development libraries.

For example, on a Debian-based distro:

sudo apt-get install python-dev
sudo apt-get install libkrb5-dev

Then install the requirements:

pip install -r requirements.txt

Single user test mode

--mode single --username jsmith --domain --password mypassword

Colon-delimited username:password tester

--mode creds --file user-passwords.txt --domain

Spray a single password against a list of user accounts

python --mode spray --filename users.txt --domain --password Winter2018!
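The two "fun facts" above (failed EWS attempts are only sometimes logged, and non-existent users get a different error) and the spray mode just shown translate directly into what a defender should look for: one source failing against many distinct accounts in a short window, and one source collecting many "user does not exist" responses. The detector below is an added example for this README, not part of the ews-crack project. Its log format (timestamp, source IP, username, outcome) and the sample lines are constructed for the example; a real Exchange or O365 audit export has its own schema and must be mapped to this shape first, and, as the README notes, a spray that Exchange never logged cannot be detected from logs at all.

```python
"""Detect password-spray and user-enumeration patterns in auth logs.

Added example, not ews-crack project code. Log format is constructed:
one event per line, "<ISO timestamp> <source ip> <username> <outcome>",
where outcome is one of success, bad_password or user_not_found.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # attempts closer than this count as one burst
SPRAY_MIN_USERS = 5             # distinct accounts failing from one source
ENUM_MIN_UNKNOWN = 3            # "user does not exist" replies from one source


def parse_events(text):
    """Parse the constructed log format into sorted (time, src, user, outcome)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return sorted(events)


def max_distinct_failing_users(events, window=WINDOW):
    """Largest number of distinct accounts that failed from one source inside
    any sliding window. Both bad_password and user_not_found count, because a
    spray is fed a user list and does not know which accounts exist."""
    failures = [(t, u) for t, _, u, o in events if o != "success"]
    best, j = 0, 0
    for i, (start, _) in enumerate(failures):
        while j < len(failures) and failures[j][0] - start <= window:
            j += 1
        best = max(best, len({u for _, u in failures[i:j]}))
    return best


def analyse(text, window=WINDOW, spray_min=SPRAY_MIN_USERS,
            enum_min=ENUM_MIN_UNKNOWN):
    """Return {source_ip: finding} for sources showing spray or enumeration.

    A spray finding also lists accounts that authenticated successfully from
    the same source after its first failure: those are the likely hits."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        distinct = max_distinct_failing_users(evs, window)
        unknown = sum(1 for e in evs if e[3] == "user_not_found")
        first_fail = next((e[0] for e in evs if e[3] != "success"), None)
        later_success = sorted({e[2] for e in evs
                                if e[3] == "success" and first_fail is not None
                                and e[0] >= first_fail})
        finding = {}
        if distinct >= spray_min:
            finding["spray"] = {"distinct_failed_users": distinct,
                                "success_after_spray": later_success}
        if unknown >= enum_min:
            finding["enumeration"] = {"unknown_user_responses": unknown}
        if finding:
            findings[src] = finding
    return findings


# Constructed sample: one source sprays eight accounts (three of them
# non-existent) and lands on one; a second source is just a user retyping.
SAMPLE_LOG = """
2018-07-10T09:00:01 203.0.113.7 jsmith bad_password
2018-07-10T09:00:02 203.0.113.7 mjones bad_password
2018-07-10T09:00:03 203.0.113.7 akumar bad_password
2018-07-10T09:00:04 203.0.113.7 nobody1 user_not_found
2018-07-10T09:00:05 203.0.113.7 nobody2 user_not_found
2018-07-10T09:00:06 203.0.113.7 nobody3 user_not_found
2018-07-10T09:00:07 203.0.113.7 lwhite bad_password
2018-07-10T09:00:08 203.0.113.7 pgreen bad_password
2018-07-10T09:00:09 203.0.113.7 rblack success
2018-07-10T09:30:00 198.51.100.4 jsmith bad_password
2018-07-10T09:30:05 198.51.100.4 jsmith bad_password
2018-07-10T09:30:10 198.51.100.4 jsmith success
"""

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)
```

Only 203.0.113.7 is reported: eight distinct accounts failed within seconds, three of them with the "user not found" response, and rblack then authenticated from the same address. The per-user retry from 198.51.100.4 stays below every threshold. Tune WINDOW and the thresholds to your tenant's normal failure rate, and apply the same logic to POP3, IMAP and ActiveSync logs, since those endpoints accept the same Basic Auth sprays.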
