{
	"id": "e439fad1-df49-4bac-9b08-0a053f28ccbd",
	"created_at": "2026-04-06T00:10:59.584621Z",
	"updated_at": "2026-04-10T03:21:22.016698Z",
	"deleted_at": null,
	"sha1_hash": "fb3c543cb5f738df8587ca498fd1eebae7b052c3",
	"title": "GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63810,
	"plain_text": "GitHub - dafthack/MailSniper: MailSniper is a penetration testing\r\ntool for searching through email in a Microsoft Exchange\r\nenvironment for specific terms (passwords, insider intel, network\r\narchitecture information, etc.). It can be used as a non-administrative user to search their own email, or by an\r\nadministrator to search the mailboxes of every user in a domain.\r\nBy L1ghtn1ng\r\nArchived: 2026-04-05 23:51:46 UTC\r\nMailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for\r\nspecific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every\r\nuser in a domain.\r\nMailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the\r\nGlobal Address List (GAL) from OWA and EWS and checking mailbox permissions for every Exchange user at\r\nan organization.\r\nFor more information about the primary MailSniper functionality check out blog post.\r\nFor more information about additional MailSniper modules check out:\r\nGAL \u0026 Password Spraying\r\nInvoke-OpenInboxFinder\r\nDownload the MailSniper Field Manual to quickly reference various MailSniper functions.\r\nQuick Start Guide\r\nThere are two main functions in MailSniper. These two functions are Invoke-GlobalMailSearch and Invoke-SelfSearch.\r\nInvoke-GlobalMailSearch is a module that will connect to a Microsoft Exchange server and grant the\r\n\"ApplicationImpersonation\" role to a specified user. Having the \"ApplicationImpersonation\" role allows that user\r\nto search through all other domain user's mailboxes. After this role has been granted, the Invoke-GlobalMailSearch function creates a list of all mailboxes in the Exchange database. 
It then connects to Exchange\r\nWeb Services (EWS) using the impersonation role to gather a number of emails from each mailbox and ultimately\r\nsearches through them for specific terms. By default, the script searches for\r\n\"*password*\",\"*creds*\",\"*credentials*\"\r\nTo search all mailboxes in a domain:\r\nInvoke-GlobalMailSearch -ImpersonationAccount current-username -ExchHostname Exch01 -OutputCsv global\r\nThis command will connect to the Exchange server located at 'Exch01' and prompt for administrative credentials\r\n(i.e. member of \"Exchange Organization Administrators\" or \"Organization Management\" group). Once\r\nadministrative credentials have been entered, a PowerShell remoting session is set up with the Exchange server\r\nwhere the ApplicationImpersonation role is then granted to the \"current-username\" user. A list of all email\r\naddresses in the domain is then gathered, followed by a connection to EWS as \"current-username\" where by\r\ndefault, 100 of the latest emails from each mailbox will be searched through for the terms\r\n\"*pass*\",\"*creds*\",\"*credentials*\" and output to a CSV file called global-email-search.csv.\r\nInvoke-SelfSearch is a module that will connect to a Microsoft Exchange server using EWS to gather a number\r\nof emails from the current user's mailbox. It then searches through them for specific terms. 
This could potentially\r\nassist in privilege escalation after obtaining a user's credentials or assist in locating sensitive data as a non-admin\r\nuser.\r\nTo search the current user's mailbox:\r\nInvoke-SelfSearch -Mailbox current-user@domain.com\r\nThis command will connect to the Exchange server autodiscovered from the email address entered using EWS\r\nwhere by default, 100 of the latest emails from the \"Mailbox\" will be searched through for the terms\r\n\"*pass*\",\"*creds*\",\"*credentials*\".\r\nInvoke-GlobalO365MailSearch is the same as Invoke-GlobalMailSearch, with support for single sign-on (SSO) based\r\nauthentication to O365.\r\nInvoke-GlobalMailSearch Options\r\nImpersonationAccount - This user will be granted the ApplicationImpersonation role on the Exchange server.\r\nExchHostname - The hostname of the Exchange server to connect to (If $AutoDiscoverEmail is specified th\r\nAutoDiscoverEmail - A valid email address that will be used to autodiscover where the Exchange server is loc\r\nMailsPerUser - The total number of emails returned from each mailbox.\r\nTerms - Specific search terms used to search through each email subject and body. By default, th\r\nOutputCsv - Outputs the results of the search to a CSV file.\r\nExchangeVersion - Specify the version of Exchange server to connect to. By default the script tries Exchan\r\nAdminUserName - The username of an Exchange administrator (i.e. member of the \"Exchange Organization Admi\r\nAdminPassword - The password to the Exchange administrator (i.e. member of the \"Exchange Organization Adm\r\nEmailList - A text file listing email addresses to search (one per line).\r\nFolder - A specific folder within each mailbox to search. By default, the script only searches th\r\nRegex - Use a regular expression when performing searches. 
This will override the -Terms flag.\r\nCheckAttachments - Attempts to search through the contents of email attachments in addition to the default\r\nDownloadDir - Download files to a specific location.\r\nInvoke-SelfSearch Options\r\nExchHostname - The hostname of the Exchange server to connect to (If $Mailbox is specified the server\r\nMailbox - Email address of the current user the PowerShell process is running as.\r\nMailsPerUser - Number of emails to return.\r\nTerms - Specific search terms used to search through each email subject and body. By default, th\r\nOutputCsv - Outputs the results of the search to a CSV file.\r\nExchangeVersion - Specify the version of Exchange server to connect to (default Exchange2010).\r\nRemote - A new credential box will pop up for accessing a remote EWS service from the internet.\r\nFolder - A specific folder within each mailbox to search. By default, the script only searches th\r\nRegex - Use a regular expression when performing searches. This will override the -Terms flag.\r\nCheckAttachments - Attempts to search through the contents of email attachments in addition to the default\r\nDownloadDir - Download files to a specific location.\r\nOtherUserMailbox - Use this flag when attempting to read emails from a different user's mailbox\r\nUsePrt - Uses the current user's PRT to authenticate.\r\nAccessToken - Use provided OAuth access token to authenticate.\r\nInvoke-GlobalO365MailSearch Options\r\nUsePrtImperonsationAccount - Uses the current user's PRT to authenticate ImpersonationAccount.\r\nAccessTokenImpersonationAccount - Use provided OAuth access token to authenticate ImpersonationAccount.\r\nUsePrtAdminAccount - Uses the current user's PRT to authenticate AdminAccount.\r\nAccessTokenAdminAccount - Use provided OAuth access token to authenticate ImpersonationAccount.\r\nAdditional MailSniper Modules\r\nGet-GlobalAddressList will attempt to connect to an Outlook Web Access (OWA) portal and utilize the\r\n\"FindPeople\" 
method (only available in Exchange2013 and up) of gathering email addresses from the GAL. If this\r\ndoes not succeed the script will attempt to connect to EWS and attempt to gather the GAL.\r\nGet-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\\username -Password Spring2021 -O\r\nGet-MailboxFolders will connect to a Microsoft Exchange server using EWS and gather a list of folders from the\r\ncurrent user's mailbox.\r\nGet-MailboxFolders -Mailbox current-user@domain.com\r\nInvoke-PasswordSprayOWA will attempt to connect to an OWA portal and perform a password spraying attack\r\nusing a userlist and a single password.\r\nInvoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\\userlist.txt -Password Spring2021 -\r\nInvoke-PasswordSprayEWS will attempt to connect to an EWS portal and perform a password spraying attack\r\nusing a userlist and a single password.\r\nInvoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\\userlist.txt -Password Spring2021 -\r\nInvoke-PasswordSprayGmail This module will first attempt to connect to a Gmail Authentication portal and\r\nperform a password spraying attack using a userlist and a single password.\r\nInvoke-PasswordSprayGmail -UserList .\\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-spra\r\nInvoke-DomainHarvestOWA will attempt to connect to an OWA portal and determine a valid domain name for\r\nlogging into the portal from the WWW-Authenticate header returned in a web response from the server or based\r\noff of small timing differences in login attempts.\r\nInvoke-DomainHarvestOWA -ExchHostname mail.domain.com\r\nInvoke-UsernameHarvestOWA will attempt to connect to an OWA portal and harvest valid usernames based off\r\nof small timing differences in login attempts.\r\nInvoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\\userlist.txt -Threads 1 -OutFile\r\nInvoke-UsernameHarvestGmail is a module that will 
attempt to enumerate Google Apps user accounts and\r\npotentially identify user accounts that opt-out of implemented 2FA solutions.\r\nInvoke-UsernameHarvestGmail -Account\r\nInvoke-UsernameHarvestGmail -UserFile .\\emails.txt\r\nInvoke-UsernameHarvestGmail -UserFile .\\emails.txt -ProxyHosts 10.0.0.5:8080,10.0.0.6:8080,10.0.0.10\r\nInvoke-UsernameHarvestGmail -UserFile .\\emails.txt -Detailed\r\nGet-Content emails.txt | % { Invoke-UsernameHarvestGmail $_ }\r\nInvoke-OpenInboxFinder will attempt to determine if the current user has access to the Inbox of each email\r\naddress in a list of addresses.\r\nInvoke-OpenInboxFinder -EmailList email-list.txt\r\nGet-ADUsernameFromEWS will attempt to determine the Active Directory username for a single email address\r\nor a list of addresses. Use the Get-GlobalAddressList module to harvest a full list of email addresses to use with\r\nGet-ADUsernameFromEWS.\r\nGet-ADUsernameFromEWS -EmailList email-list.txt\r\nSend-EWSEmail will attempt to connect to EWS and send an email.\r\nSend-EWSEmail --ExchHostname substrate.office.com -Recipient $targetEmail -Subject \"Foo\" -EmailBody\r\nSource: https://github.com/dafthack/MailSniper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/dafthack/MailSniper"
	],
	"report_names": [
		"MailSniper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb3c543cb5f738df8587ca498fd1eebae7b052c3.pdf",
		"text": "https://archive.orkl.eu/fb3c543cb5f738df8587ca498fd1eebae7b052c3.txt",
		"img": "https://archive.orkl.eu/fb3c543cb5f738df8587ca498fd1eebae7b052c3.jpg"
	}
}