MITRE ATT&CK® Tool

S0413: MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[1]

Enterprise · S0413 · Tool · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

MailSniper matters because it turns email into a high-value discovery and collection source in Microsoft Exchange environments. Even without administrative rights, a user can search their own mailbox; with Exchange administrative privileges, the same tool can search mailboxes across a domain. For leaders, the issue is not just the tool itself, but whether email stores contain passwords, internal intelligence, or network architecture details that would accelerate an incident.

Executive priority

Prioritize this as an email, identity, and incident-readiness risk. Executives should ask whether Exchange and Office Suite activity is logged well enough to prove who searched or accessed mailboxes, whether administrative mailbox access is tightly governed, and whether sensitive operational or credential material is routinely stored in email. This also supports compliance evidence around privileged access, audit logging, and data protection in email systems.

Technical view

ATT&CK maps MailSniper to Email Account discovery, Password Spraying, and Remote Email Collection on Windows and Office Suite platforms. SOC and IR teams should validate visibility into authenticated Exchange or Office Suite access, mailbox search behavior, global address list or account enumeration, failed and successful authentication patterns consistent with password spraying, and administrative mailbox access. Because no official ATT&CK detection text is provided, detections should be built from local Exchange, identity provider, and endpoint telemetry rather than assuming a known signature exists.

Likely telemetry

  • Exchange or Office Suite audit logs for mailbox access and search activity
  • Identity provider authentication logs, including failed and successful sign-ins
  • Exchange administrative activity logs and role/permission changes
  • Global address list or email account enumeration evidence where logged
  • Endpoint PowerShell or script execution telemetry on Windows systems

Detection direction

  • Baseline normal mailbox search and access patterns, especially for Exchange administrators and service accounts.
  • Correlate broad mailbox access or email searching with unusual authentication patterns, including many accounts targeted with a small password set.
  • Monitor for account or address list enumeration followed by mailbox access or collection behavior.
  • Separate legitimate eDiscovery, help desk, compliance, and administrative activity from suspicious use through approved change records and privileged access context.
  • Treat absence of ATT&CK-provided detection guidance as a coverage gap requiring environment-specific logging validation.
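As an added illustration of the correlation the bullets above describe (this is example code, not part of the Glexia analysis or the ATT&CK entry), the following Python walks constructed sign-in and mailbox-audit records, flags a source whose failures spread thinly across many accounts, and then reports which mailboxes that source accessed afterwards. The record layout is an assumption for the example; MailItemsAccessed is used as the mailbox-audit operation name.

```python
# Added example, not from the ATT&CK page or the Glexia analysis: correlate
# constructed sign-in and mailbox-audit records to flag the spray-then-collect
# shape described above. Record layout is an assumption for the example.
from collections import defaultdict

# Constructed sample telemetry: (timestamp, source IP, account, result).
SIGNIN_EVENTS = [
    (1, "10.0.0.5", "alice", "fail"), (2, "10.0.0.5", "bob", "fail"),
    (3, "10.0.0.5", "carol", "fail"), (4, "10.0.0.5", "dave", "fail"),
    (5, "10.0.0.5", "erin", "fail"), (6, "10.0.0.5", "frank", "success"),
    (7, "10.0.0.9", "alice", "fail"), (8, "10.0.0.9", "alice", "fail"),
    (9, "10.0.0.9", "alice", "success"),  # one user retrying: not a spray
]
# Constructed mailbox audit records: (timestamp, source IP, account, operation).
MAILBOX_EVENTS = [
    (20, "10.0.0.5", "frank", "MailItemsAccessed"),
    (21, "10.0.0.9", "alice", "MailItemsAccessed"),
]

def spray_sources(events, min_accounts=5, max_per_account=2):
    """Return sources whose failures spread over many accounts with few tries
    each, mapped to the timestamp of their last failed attempt."""
    failures = defaultdict(lambda: defaultdict(int))
    last_fail = {}
    for ts, src, user, result in events:
        if result == "fail":
            failures[src][user] += 1
            last_fail[src] = max(ts, last_fail.get(src, ts))
    return {
        src: last_fail[src]
        for src, per_user in failures.items()
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
    }

def spray_then_collect(signins, mailbox):
    """Map each spray source to the mailboxes it accessed after its last failed try."""
    sources = spray_sources(signins)
    hits = defaultdict(set)
    for ts, src, user, op in mailbox:
        if src in sources and op == "MailItemsAccessed" and ts > sources[src]:
            hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}

if __name__ == "__main__":
    print(spray_sources(SIGNIN_EVENTS))                        # {'10.0.0.5': 5}
    print(spray_then_collect(SIGNIN_EVENTS, MAILBOX_EVENTS))   # {'10.0.0.5': ['frank']}
```

The thresholds are placeholders; tune min_accounts and max_per_account against the baseline of normal failed sign-ins in your own identity provider logs.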

Mitigation priorities

  • Reduce sensitive credential, architecture, and insider information stored in email through policy, training, and data handling controls.
  • Limit and review Exchange administrative privileges, especially permissions that allow searching or accessing multiple mailboxes.
  • Enforce strong identity controls for Exchange and Office Suite access, including controls that reduce password spraying risk.
  • Ensure mailbox auditing, administrative auditing, and identity logging are enabled and retained for investigation needs.
  • Review incident response playbooks for email collection scenarios, including containment of compromised users and privileged Exchange accounts.

Analyst notes and limits

MailSniper is described by ATT&CK as a penetration testing tool for searching email in Microsoft Exchange environments. ATT&CK also records use by Leafminer and relationships to Email Account discovery, Password Spraying, and Remote Email Collection. The practical defensive value is validating whether the organization can detect suspicious authenticated email access and whether email content would materially help an adversary after account compromise.

The ATT&CK object provides no official detection guidance and no tactics directly on the tool object. This take is limited to the supplied description, external references, and relationships. Local Exchange architecture, Office Suite configuration, audit settings, identity provider controls, and normal administrator workflows are required to assess actual risk and detection coverage.

Official MITRE ATT&CK definition

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1114.002 | Remote Email Collection (sub-technique) | MailSniper can be used for searching through email in Exchange and Office 365 environments. (Citation: GitHub MailSniper)
Enterprise | T1110.003 | Password Spraying (sub-technique) | MailSniper can be used for password spraying against Exchange and Office 365. (Citation: GitHub MailSniper)
Enterprise | T1087.003 | Email Account (sub-technique) | MailSniper can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddressList cmdlet. (Citation: Black Hills Attacking Exchange MailSniper, 2016)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0077: Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: f1cd9dd446fce35f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | f1cd9dd446fc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] GitHub MailSniper: Bullock, B. (2018, November 20). MailSniper. Retrieved October 4, 2019.
  2. [2] mitre-attack S0413

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.