maxheadroom | 6 years ago

>Not sure what the angle is?

Maybe a new version of the directory harvest attack[0]?

For example, if someone has an email address (or list of email addresses) from somewhere else, one can easily tell if you (or they) have a Facebook account by simply requesting a password reset against it (them). If there's no throttling on password reset requests, one could process a large list rather quickly.

[0] - https://docs.microsoft.com/en-us/exchange/recipient-filterin...
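The mitigation implied in the comment above (a reset endpoint that neither confirms nor denies that an address is registered, and that throttles repeated requests) sketched as an added example. This is not code from the thread or from Facebook; the class and function names (`ResetService`, `handle_reset_request`), the account list and the limits are all constructed for illustration.

```python
"""Added example (not from the thread): a password-reset handler that gives
the caller no signal about whether an address has an account, and throttles
requests per client so a list of addresses cannot be checked in bulk.
ResetService / handle_reset_request are hypothetical names."""
import time
from collections import defaultdict, deque

# Constructed sample account store; the handler must not reveal its contents.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# One fixed message for every outcome, whether or not the address exists.
GENERIC_RESPONSE = "If that address is registered, a reset link has been sent."


class ResetService:
    def __init__(self, max_requests=5, window_seconds=3600):
        self.max_requests = max_requests
        self.window = window_seconds
        # Sliding window of request timestamps per client key (e.g. source IP).
        self._hits = defaultdict(deque)
        # Addresses a mail was actually dispatched for (kept for the example).
        self.sent = []
        # Throttle events, the signal an operator would alert on.
        self.throttled = []

    def _allowed(self, client, now):
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def handle_reset_request(self, client, email, now=None):
        """Return (status, body). The body never depends on account existence;
        the status depends only on the client's request rate."""
        now = time.monotonic() if now is None else now
        if not self._allowed(client, now):
            self.throttled.append((client, email, now))
            return 429, GENERIC_RESPONSE
        # In a real service the send would be queued asynchronously so that
        # the response time is the same for known and unknown addresses.
        if email.lower() in KNOWN_ACCOUNTS:
            self.sent.append(email.lower())
        return 200, GENERIC_RESPONSE


if __name__ == "__main__":
    svc = ResetService(max_requests=3, window_seconds=60)
    for t, addr in enumerate(["alice@example.com", "nobody@example.com",
                              "carol@example.com", "bob@example.com"]):
        print(addr, svc.handle_reset_request("10.0.0.1", addr, now=t))
    print("throttled:", svc.throttled)
```

The two properties worth checking are that a registered and an unregistered address produce byte-identical responses, and that the fourth request inside the window is refused regardless of which address it names; the `throttled` list is what a monitoring pipeline would watch for the bulk pattern the comment describes.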

callumprentice | 6 years ago

Oh - that sounds entirely likely. I'd be surprised if Facebook allowed unthrottled password resets, but the bad people are so clever these days, who knows. Thanks for the insight.