
MailSniper: Weaponizing Exchange Web Services for Email Reconnaissance



Hook

A single PowerShell command can grant you read access to every email in your organization—not through a vulnerability, but through a legitimate Exchange administration feature that most security teams forget to monitor.

Context

Enterprise email systems contain the crown jewels of organizational intelligence: credentials in plaintext, network diagrams, merger discussions, and privileged access pathways. Yet traditional penetration testing workflows stop at credential acquisition, leaving this data source unexplored. Before MailSniper, red teamers needed custom scripts cobbling together Exchange Web Services API calls, manually navigating PowerShell remoting sessions, and reinventing search logic for each engagement.

MailSniper emerged from Black Hills Information Security as a purpose-built reconnaissance framework that weaponizes Microsoft Exchange’s administrative features. The tool exploits a fundamental tension in Exchange architecture: the ApplicationImpersonation role exists to enable legitimate administrative tasks like compliance auditing and backup solutions, but once granted, it provides carte blanche access to read any mailbox in the organization. By automating the role assignment, mailbox enumeration, and content searching workflow, MailSniper transforms what was previously a multi-day manual process into a scripted operation that runs while you grab coffee.

Technical Insight

[System architecture diagram (auto-generated). Components shown: penetration tester; PowerShell remoting session; Exchange Management Shell; Exchange RBAC engine (assign role, grant ApplicationImpersonation, impersonation rights); Exchange Web Services API; Active Directory (enumerate email addresses); user mailboxes (retrieve emails as any user, email content); search engine (regex/term matching); CSV output file. Modes: admin, Invoke-GlobalMailSearch; non-admin, Invoke-SelfSearch.]

MailSniper’s architecture leverages two distinct operational modes, each exploiting different layers of Exchange’s trust model. The Invoke-GlobalMailSearch function operates as an administrator, using PowerShell remoting to connect to the Exchange server and grant ApplicationImpersonation rights to a specified user account. This is the nuclear option—once that role is assigned, the impersonation account can read emails as if they were any other user in the organization, bypassing mailbox delegation permissions entirely.

Here’s the workflow for organization-wide searching:

Invoke-GlobalMailSearch -ImpersonationAccount current-username `
  -ExchHostname Exch01 `
  -OutputCsv global-email-search.csv `
  -Terms "*vpn*","*2fa*","*backup*" `
  -MailsPerUser 200 `
  -Folder all

This command connects to the Exchange server at ‘Exch01’, prompts for administrative credentials (you need membership in ‘Exchange Organization Administrators’ or ‘Organization Management’), and then performs several key operations. First, it establishes a PowerShell remoting session with the Exchange server. Second, it grants ApplicationImpersonation to ‘current-username’ using native Exchange role-based access control. Third, it enumerates all email addresses in the Active Directory domain. Finally, it connects to Exchange Web Services as the impersonation account and iterates through each mailbox, pulling the most recent 200 emails from all folders and searching subjects and bodies for VPN credentials, 2FA bypass methods, or backup server intel.

The beauty—and danger—of this approach is that it appears to use Microsoft’s official EWS Managed API, meaning the traffic likely looks similar to legitimate email clients like Outlook. The tool doesn’t exploit vulnerabilities; it automates administrative workflows that are supposed to exist.

For non-administrative scenarios, Invoke-SelfSearch operates with a lighter footprint:

Invoke-SelfSearch -Mailbox current-user@domain.com `
  -MailsPerUser 500 `
  -Regex "\b[A-Z]{2,}\s*[:\-]\s*.{6,20}\b" `
  -CheckAttachments `
  -DownloadDir ./loot

This mode uses the current user’s existing mailbox access—no privilege escalation required. It autodiscovers the Exchange server from the email address, connects via EWS, and searches the user’s own inbox. The regex pattern here hunts for lines that look like credential dumps (uppercase labels followed by colons or dashes and 6-20 characters). The -CheckAttachments flag is where things get spicy: MailSniper will parse .pdf, .doc, .xls, .ps1, .bat, .htm, .msg, and .txt files embedded in emails, searching their contents for matching terms. Attachments can be exfiltrated to the specified directory for offline analysis.

The tool includes operational modules that extend beyond email searching. Password spraying functions enable attacks against Outlook Web Access endpoints, helping you acquire that initial foothold. Get-GlobalAddressList connects to Outlook Web Access and utilizes the ‘FindPeople’ method (available in Exchange 2013 and up) to gather the organization’s GAL via EWS or OWA, providing a user enumeration list. Invoke-OpenInboxFinder identifies mailboxes with overly permissive delegation settings where non-owners have read access—these represent lateral movement opportunities.

Authentication flexibility is a critical design choice. MailSniper supports legacy username/password authentication, but the Invoke-GlobalO365MailSearch variant adds support for Primary Refresh Token (PRT) and access token-based authentication for modern Office 365 environments where legacy auth may be disabled.

Gotcha

MailSniper’s most significant limitation is its prerequisite: you need credentials before you can search emails. The tool doesn’t provide initial access—it’s a post-exploitation reconnaissance framework. If you haven’t compromised an Exchange admin account (for global searches) or at least a standard user account (for self-searches), MailSniper sits useless in your toolkit. This isn’t a remote exploit; it’s an automation layer over legitimate administrative functions.

The second limitation is observability. While MailSniper uses official APIs that blend with normal Exchange traffic, heavy email searching may generate substantial audit logs on the Exchange server. An administrator running Invoke-GlobalMailSearch across thousands of mailboxes will create EWS requests at volume, potentially triggering alerts in mature security operations centers. The ApplicationImpersonation role assignment itself is likely logged in Exchange’s admin audit logs—defenders who monitor role changes may spot the attack during its setup phase. PowerShell remoting sessions, EWS authentication events, and unusual API request patterns all leave forensic artifacts that could be detected in monitored environments.
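As an added defender-side example (not code from the original article or from the MailSniper project), the script below audits, from an Exchange Management Shell, the three setup artifacts this section names: who holds ApplicationImpersonation, the admin audit log entries that granted it, and inboxes that non-owners can open. It assumes on-premises Exchange with admin audit logging left at its default (enabled) and a shell with Organization Management rights; $LookbackDays and the output layout are my choices.

```powershell
# Added example, not part of MailSniper: audit the Exchange setup artifacts that
# the section above says defenders can watch for. Run in an Exchange Management
# Shell (assumption: on-premises Exchange, admin audit logging left at its
# default of enabled, and Organization Management rights).
param([int]$LookbackDays = 30)   # assumption: review window for audit entries

# 1. Who can impersonate today. Each holder can read any mailbox over EWS, so
#    every row should map to a known backup, compliance or journaling account.
Write-Host "== ApplicationImpersonation holders =="
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, WhenCreated |
    Format-Table -AutoSize

# 2. Recent grants. The setup step of Invoke-GlobalMailSearch is a
#    New-ManagementRoleAssignment call; the admin audit log records the
#    caller, the parameters passed and whether it succeeded.
Write-Host "== ApplicationImpersonation grants in the last $LookbackDays days =="
Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment `
                     -StartDate (Get-Date).AddDays(-$LookbackDays) |
    Where-Object {
        $_.CmdletParameters | Where-Object {
            $_.Name -eq 'Role' -and $_.Value -like '*ApplicationImpersonation*'
        }
    } |
    ForEach-Object {
        [pscustomobject]@{
            RunDate   = $_.RunDate
            Caller    = $_.Caller    # admin account that performed the grant
            GrantedTo = ($_.CmdletParameters | Where-Object Name -eq 'User').Value
            Succeeded = $_.Succeeded
        }
    } | Format-Table -AutoSize

# 3. Inboxes readable by non-owners (the condition Invoke-OpenInboxFinder
#    looks for): a Default or Anonymous entry on \Inbox with rights beyond None.
Write-Host "== Inboxes open to non-owners =="
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Inbox" `
                                -ErrorAction SilentlyContinue
} |
    Where-Object {
        "$($_.User)" -in @('Default', 'Anonymous') -and
        ($_.AccessRights -join ',') -ne 'None'
    } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize
```

Section 2 only covers grants made through the cmdlet; a role assigned via an admin's own impersonation account that already held the role leaves no new entry there, which is why section 1 lists current holders as well.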

Finally, the tool is Exchange-exclusive. If your target uses Google Workspace, Zimbra, or any non-Microsoft email platform, MailSniper provides zero value. It’s tightly coupled to Exchange Web Services APIs and PowerShell remoting against Exchange servers—architectural dependencies that lock it into the Microsoft ecosystem. Additionally, in modern Windows environments, PowerShell-based offensive tools may face increased scrutiny from endpoint detection and response solutions.

Verdict

Use MailSniper if you’ve already compromised credentials in a Windows environment running on-premises Exchange or hybrid Office 365 deployments and need to map the organization’s structure, discover privilege escalation paths through email intelligence, or locate sensitive data like credentials, financial documents, or merger intel. It excels in red team engagements where you’re simulating insider threats or advanced persistent threat actors who prioritize low-and-slow reconnaissance over smash-and-grab tactics. The tool’s modular design makes it ideal for engagements where you need password spraying, GAL enumeration, and email content searching in one framework. Skip MailSniper if you lack initial credentials, your target uses non-Microsoft email platforms, you’re operating in environments with mature security monitoring where PowerShell activity and Exchange API usage are actively hunted, or you need a tool that provides initial access rather than post-exploitation reconnaissance. Also skip if your engagement timeline requires maximum stealth—MailSniper’s volume of API requests may make it challenging to maintain undetected long-term access.
