S0413 MailSniper
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. [1]
Item | Value |
---|---|
ID | S0413 |
Associated Names | |
Type | TOOL |
Version | 1.1 |
Created | 05 October 2019 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.003 | Email Account | MailSniper can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddressList cmdlet. [2] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.003 | Password Spraying | MailSniper can be used for password spraying against Exchange and Office 365. [1] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.002 | Remote Email Collection | MailSniper can be used for searching through email in Exchange and Office 365 environments. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0077 | Leafminer | [3] |
References
1. Bullock, B. (2018, November 20). MailSniper. Retrieved October 4, 2019.
2. Bullock, B. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019.
3. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.