By Matt Durrin   /   Jul 6th, 2018

RIP Office365 Magic Unicorn Tool


As of this morning, Microsoft appears to have killed access to the “Activities” API, first publicized by Anonymous and used as the basis for the Office365 “Magic Unicorn Tool.” This is based on results from the Office 365 environment in LMG Security’s test laboratory.

Yesterday, our team received word that all V1 token access had stopped working, which we were pretty quickly able to confirm as true. This was a disappointing turn of events, but all was not yet lost. Bearer tokens from the Microsoft developer sandbox were still usable and the API was still returning data, until this morning.

We went to pull down a fresh set of test data this morning for some further development of our parsing utility, but instead of a file filled with inbox activities we were presented with the dreaded “403: Forbidden” error, and anyone who has worked in web development knows exactly what that means – the Activities API endpoint was no longer accessible.

Below is a screenshot of the PowerShell output using both a sandbox-generated and an application-generated token. The application-generated token is returned as too weak for use, and the sandbox token returns a 403 error.

And here is the output from the developer sandbox, which is just a more detailed version of the output from our PowerShell testing:

LMG’s search team will continue to test against this and other APIs in our lab, and we will update if there is anything new to add. If you have any further information, contact us @LMGsecurity on Twitter or drop us a line via email.


About the Author

Matt Durrin

Matt Durrin is the Director of Training and Response for LMG Security, a Black Hat instructor, and the co-author of the upcoming book, “Ransomware and Cyber Extortion”. A seasoned forensics professional, Matt specializes in incident response, ransomware cases, cryptojacking, and banking trojans. He regularly conducts cybersecurity webinars and seminars for hundreds of attendees in all sectors, including banking, retail, health care, government and more. Matt holds a Bachelor’s Degree in Computer Science from the University of Montana and previously worked as a “blue team” field technician/system administrator for over 10 years. His malware research has been featured on NBC Nightly News.