MailSniper
MailSniper is a tool used in Microsoft Exchange and Office 365 environments for email discovery and credential attacks. The content describes it as a penetration testing tool that can automate searches of Exchange server mailboxes for specific keywords, including terms related to passwords, insider intelligence, and network architecture information. It is also explicitly noted as capable of password spraying against Exchange and Office 365. The tool is associated with remote email collection activity, and the content states that Leafminer used MailSniper to search Exchange server mailboxes for keywords. High-confidence behaviors mentioned include automated keyword-based mailbox searching and password spraying targeting Exchange and Office 365 accounts.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 techniqueThe content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Credential Access
1 technique“Agrius engaged in password spraying via SMB in victim environments… APT28 has used a brute-force/password-spray tooling… has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks… performed password-spray attacks against public facing services… APT29 has conducted brute force password spray attacks… APT33 has used password spraying… Chimera has used multiple password spraying attacks… Ember Bear has conducted password spraying against Outlook Web Access (OWA)… HAFNIUM has gained initial access through password spray attacks… HEXANE has used password spraying… Leafminer used… Total SMB BruteForcer to perform internal password spraying… MailSniper can be used for password spraying against Exchange and Office 365… Silent Librarian… password spraying attacks…”
Collection
2 techniquesMailsniper Invoke functions ... T1114.001 Data Exfiltration
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
MailSniper is a tool for searching Microsoft Exchange mailboxes for sensitive information, such as credentials or internal data, aiding in privilege escalation and data exfiltration.
Tooling used to target Microsoft Exchange/Office 365, including password spraying capabilities.
A tool used to automate email collection/search activities (e.g., keyword searches) against Exchange/Office 365 environments as part of remote email collection.
Tool used to search and enumerate email in Microsoft Exchange/Office 365 environments, including keyword searching across mailboxes.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.