By Matt Durrin   /   Jul 6th, 2018

RIP Office365 Magic Unicorn Tool


As of this morning, Microsoft appears to have killed access to the “Activities” API, first publicized by Anonymous and used as the basis for the Office365 “Magic Unicorn Tool.” This is based on results from the Office 365 environment in LMG Security’s test laboratory.

Yesterday, our team received word that all V1 token access had stopped working, which we were pretty quickly able to confirm as true. This was a disappointing turn of events, but all was not yet lost. Bearer tokens from the Microsoft developer sandbox were still usable and the API was still returning data– until this morning.

We went to pull down a fresh set of test data this morning for some further development of our parsing utility, but instead of a file filled with inbox activities we were presented with the dreaded “403: Forbidden” error, and anyone who has worked in web development knows exactly what that means – the Activities API endpoint was no longer accessible.

Below is a screenshot of the Powershell output using both a sandbox generated and application generated tokens. The application generated token is returned as too weak for use, and the sandbox token returns a 403 error.

And here is the output from the developer sandbox, which is just a more detailed version of the output from our Powershell testing:

LMG’s search team will continue to test against this and other APIs in our lab, and we will update if there is anything new to add.  If you have any further information, contact us @LMGsecurity on Twitter or drop us a line via email.


About the Author

Matt Durrin

Matt Durrin is the Director of Training and Research at LMG Security and a Senior Consultant with the organization. He is an instructor at the international Black Hat USA conference, where he has taught classes on ransomware and data breaches. Matt has conducted cybersecurity seminars, tabletop exercises and classes for thousands of attendees in all sectors, including banking, retail, healthcare, government, and more. He is also the co-author of a new book, Ransomware and Cyber Extortion: Response and PreventionA seasoned cybersecurity and IT professional, Matt specializes in ransomware response and research, as well as deployment of proactive cybersecurity solutions. Matt holds a bachelor’s degree in computer science from the University of Montana, and his malware research has been featured on NBC Nightly News.