First-of-its-kind recon module trawls cloud infrastructure rather than using DNS queries

O365 Squatting: Open source tool finds malicious cloud hosted domains before they are used in phishing campaigns

An open source Python tool used for finding potential phishing websites enables network defenders to identify risky domains before attacks start, Black Hat Europe attendees heard this week.

O365 Squatting generates typosquatting permutations based on a domain entered by the user and cross-references them against Office 365 infrastructure.

Security professionals can then monitor the domain variations that exist for signs of malicious activity.

“This tool helps blue teams to have a list of potential domains that could be used to attack your company by using social engineering techniques,” the tool’s developers, Juan Francisco Bolivar and José Miguel Gómez-Casero, told The Daily Swig ahead of their Arsenal session at Black Hat’s virtual European edition.

Guilty until proven innocent

O365 Squatting is unusual in alerting users to domains that are yet to engage in malicious activity.

Maltiverse, by contrast, does not, as the pair of security researchers demonstrated on Wednesday (December 9).

Other comparable tools are also not cloud-optimized. They only directly search for raw domains that are hosted somewhere, the researchers told The Daily Swig, citing examples like,, and

RELATED SnitchDNS framework offers automation and network monitoring features to pen testers

And they tend to “rely on standard DNS queries that don’t respond correctly for domains hosted in the cloud”, they added.

“Our tool searches directly in the Microsoft Cloud for potential domains that are prone to be used against your organization.

“O365 Squatting is not asking third-party databases or registrars, it is asking directly to Microsoft Cloud if those domains exist, so every discovered domain by our tool is already registered and ready to be used.”


When someone registers for Microsoft O365, the service automatically creates an email address at the domain and a website containing their user ID.

Consequently, scammers can credibly impersonate Microsoft domains.

These domains appear on Whois as registered by Microsoft Corporation and bypass spam filters, firewalls, and the Sender Policy Framework (SPF).

Read more of the latest hacking news

O365 Squatting generates typosquatting variations based on omission, bitsquatting, or using homoglyphs for instance.

The resulting domains that are found to be in use are then exported in a blue team’s preferred format for further analysis and monitoring with other security tools.

The entire process is automated: generation of domain permutations, creating requests to send to Microsoft, retrieving information, and generating an output.

Red teams and bug hunters could also use the tool to check whether a domain is registered with O365 in order to launch domain takeover attacks.

In the pipeline

Bolivar and Gómez-Casero believe the choices of output format – JSON, CEF, or CSV – should accommodate the needs of most blue teams, although more formats are on the way.

They intend to publish the tool on Docker Hub to help infosec pros who deploy tools using containers, further finesse the detection process, and replicate its functionality for use within Amazon AWS, Google Cloud, and Ali Baba Cloud.

Bolívar said the pair had alerted Microsoft to the tool’s findings and intend to add functionality that automatically cross-references typosquatting domains against public databases of abusive domains.

RECOMMENDED XSS for PDFs – New injection technique offers rich pickings for security researchers