One Day Sec

How can an attacker enumerate all mailbox users in an Exchange organization using this vulnerability?

Once the attacker has impersonated a valid mailbox user via the SSRF and SID technique, they can call the EWS FindPeople operation against the GlobalAddressList, which contains the email addresses of every mailbox user in the Exchange organization. The attacker then only needs to traverse the result pages and deduplicate the entries. The article references open-sourced scripts for the implementation, and notes that default system mailboxes (e.g., `SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}`) can serve as the impersonated user because they exist in every Exchange environment.
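From the defender's side, the behaviour described above leaves two usable signals: FindPeople requests authenticated as a system mailbox (no human works from one) and a single client issuing FindPeople in bulk. The script below is an added detection example, not code from the article or its referenced scripts; the five-column CSV layout and the sample lines are constructed for illustration and are not Exchange's real EWS log schema, so the column mapping must be adapted to your own logs.

```python
"""Flag GAL enumeration via EWS FindPeople in (assumed-format) EWS logs."""
import csv
import io
from collections import Counter

# Assumed simplified layout: timestamp,client_ip,authenticated_user,soap_action,http_status
FIELDS = ["timestamp", "client_ip", "authenticated_user", "soap_action", "http_status"]

# Constructed sample log lines; the SystemMailbox name is the one cited in the answer.
SAMPLE_LOG = """\
2021-03-03T10:00:01Z,10.0.0.5,alice@example.org,GetItem,200
2021-03-03T10:00:02Z,203.0.113.7,SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},FindPeople,200
2021-03-03T10:00:03Z,203.0.113.7,SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},FindPeople,200
2021-03-03T10:00:04Z,203.0.113.7,SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},FindPeople,200
2021-03-03T10:00:05Z,10.0.0.6,bob@example.org,FindPeople,200
"""


def parse_log(text):
    """Return one dict per log line, using the assumed column layout."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def find_gal_enumeration(records, threshold=3):
    """Return two findings sets:
    - system_mailbox_findpeople: (client_ip, user) pairs where a SystemMailbox
      identity issued FindPeople (always suspicious, the identity is not a person);
    - findpeople_volume: client IPs that issued FindPeople at least `threshold`
      times, i.e. bulk traversal of the address list.
    """
    per_ip = Counter()
    system_hits = set()
    for r in records:
        if r["soap_action"] != "FindPeople":
            continue
        per_ip[r["client_ip"]] += 1
        if r["authenticated_user"].startswith("SystemMailbox{"):
            system_hits.add((r["client_ip"], r["authenticated_user"]))
    return {
        "system_mailbox_findpeople": sorted(system_hits),
        "findpeople_volume": {ip: n for ip, n in per_ip.items() if n >= threshold},
    }


if __name__ == "__main__":
    for kind, hits in find_gal_enumeration(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

The threshold is a placeholder; tune it against the normal FindPeople rate of your own clients (Outlook address-book lookups are per-keystroke, so legitimate users do produce bursts).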
