A ’black box’ review of Microsoft’s Outlook Wep App(OWA) revealed several vulnerabilities. This includes a time based authentication attack that allows attackers to validate realms and usernames existing in Active Directory. We will discuss how these vulnerabilities can be leveraged during a pentest.