{
	"id": "c54fb71b-77a1-4a1a-a616-56a83c33d2a9",
	"created_at": "2026-04-06T00:17:25.053943Z",
	"updated_at": "2026-04-10T03:21:53.097998Z",
	"deleted_at": null,
	"sha1_hash": "da22b3d4c37e54ab7bca7728221729e791e1a6cb",
	"title": "Attacking Exchange with MailSniper - Black Hills Information Security, Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123472,
	"plain_text": "Attacking Exchange with MailSniper - Black Hills Information\r\nSecurity, Inc.\r\nBy BHIS\r\nPublished: 2016-10-03 · Archived: 2026-04-05 14:50:35 UTC\r\n3 Oct 2016\r\n, Beau Bullock, External/Internal, Red Team Beau Bullock, FindPeople, Get-GlobalAddressList, Invoke-PasswordSprayOWA, InvokePasswordSprayEWS, MailSniper, OWA, updates\r\nBeau Bullock //\r\nI’ve added in a few modules to MailSniper that will assist in remote attacks against organizations that are hosting\r\nan externally facing Exchange server (OWA or EWS). Specifically, the modules are Get-GlobalAddressList,\r\nInvoke-PasswordSprayOWA, and Invoke-PasswordSprayEWS.\r\nGet-GlobalAddressList\r\nVery often on external penetration tests we perform a reconnaissance phase that might yield us some email\r\naddresses or usernames of an organization. If we can successfully find valid credentials for any one of them, and\r\nthe organization has an Outlook Web Access or Exchange Web Services portal it is possible to download the entire\r\nGlobal Address List from the Exchange server. So, from one valid credential we can now have access to all email\r\naddresses for every employee of an organization.\r\nIn trying to improve on the method Carrie Roberts wrote about in her blog post regarding gathering the Global\r\nAddress List from OWA manually I’ve automated this task into MailSniper.  Brian Fehrman found something very\r\ninteresting in OWA. There is a function called FindPeople that will allow you to pull back the entire GAL with a\r\nsingle request. Unfortunately, this function is only implemented in Exchange version 2013. 
In testing, Get-GlobalAddressList using the FindPeople function was able to pull 4282 email addresses from a remote\r\nOWA portal in 10 seconds.\r\nThe OWA “FindPeople” method requires PowerShell version 3 or higher.\r\nFor cases where the Exchange version is less than 2013, Get-GlobalAddressList falls back to enumerating the GAL\r\nfrom Exchange Web Services. This method can take a bit longer due to the fact that EWS will only let you search\r\n100 results at a time. To get around this restriction I basically search AA through ZZ then sort/uniq the results.\r\nTo use it, import the module into a PowerShell version 3 session then run something like this:\r\nGet-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\\username -Password Fall2016 -OutFile global-address-list.txt\r\nIf Exchange version is 2013 it should look something like this:\r\nAfter obtaining the full email list you can then feed that back into password spraying attacks where you will likely\r\ngain more valid credentials.\r\nSpeaking of password spraying…\r\nInvoke-PasswordSprayOWA \u0026 Invoke-PasswordSprayEWS\r\nI added two modules to MailSniper for password spraying Outlook Web Access and Exchange Web Services.\r\nPassword spraying is an attack where, instead of trying to brute force many password attempts for a single user\r\naccount, we try one password across many user accounts. This helps avoid account lockout and will still result in\r\nus obtaining valid credentials as users still pick passwords like “Fall2016”. Both of the functions are multi-threaded. 
Just pass the -Threads option and specify a number of threads (15 seems to be a pretty good starting\r\npoint).\r\nBoth functions have a similar structure but one thing to note is that Invoke-PasswordSprayOWA requires\r\nPowerShell version 3 or higher.\r\nTo use Invoke-PasswordSprayOWA, import the module into a PowerShell version 3 session then run something\r\nlike this:\r\nInvoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt\r\nTo use Invoke-PasswordSprayEWS, import the module into a PowerShell session then run something like this:\r\nInvoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\\userlist.txt -Password Fall2016 -Threads 15 -OutFile ews-sprayed-creds.txt\r\nYou should start to see credentials populate in the terminal as MailSniper finds valid creds:\r\nIn testing I’ve noticed the EWS password spraying method is significantly faster. Both Invoke-PasswordSprayOWA and Burp Intruder with 15 threads took about 1 hour and 45 minutes to complete\r\nspraying 10,000 users. Spraying that same list of users against EWS took only 9 minutes and 28 seconds.\r\nFor more information about MailSniper check out this blog post.\r\nSource: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/"
	],
	"report_names": [
		"attacking-exchange-with-mailsniper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da22b3d4c37e54ab7bca7728221729e791e1a6cb.pdf",
		"text": "https://archive.orkl.eu/da22b3d4c37e54ab7bca7728221729e791e1a6cb.txt",
		"img": "https://archive.orkl.eu/da22b3d4c37e54ab7bca7728221729e791e1a6cb.jpg"
	}
}