pushsecurity / saas-attacks

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown

Home Page: https://pushsecurity.com/blog/saas-attack-techniques/


Expensify example for ghost logins

jukelennings opened this issue · comments

While exploring this, it's clear there are a bunch of other applicable techniques for Expensify, so I'm just going to hijack this issue to keep track of a bunch of them:

  • Ghost logins
  • Passwordless logins
  • Account ambushing
  • Username enumeration

There are a couple more I'm still trying to validate but will add once I've figured them out.

Tagging the following on to this now too:

  • SAML enumeration

SAMLjacking I am leaving off due to the requirement for domain validation and inability to invite external users. Technically, it's possible to SAMLjack and I have confirmed and tested but it's not much use when you can only do it with email addresses for a domain you have admin control over.

Retrospectively removing account ambushing as it seems none of the persistence methods actually work fully end-to-end in an account ambushing scenario:

  • Co-pilot features do not appear until a validated email is present
  • Secondary logins become primary automatically when validating, which then causes a problem when the target user tries to log in (it alerts them to the second email and requests validation by that)
  • Unvalidated secondary logins remain secondary but then require action by the target user once they have logged in