ExchangeHound: BloodHound OpenGraph Collector for Microsoft Exchange + Video

Listen to this Post

Featured Image

Introduction:

Microsoft Exchange on-premises environments often become security blind spots in Active Directory attack path analysis, leaving organizations vulnerable to mailbox abuse and privilege escalation. ExchangeHound, a new defensive BloodHound OpenGraph collector, maps mailbox delegation, folder permissions, and Exchange RBAC relationships into BloodHound, enabling blue teams to identify and mitigate Exchange-specific attack paths.

Learning Objectives:

  • Understand how ExchangeHound extends BloodHound OpenGraph to visualize Microsoft Exchange abuse paths.
  • Learn to deploy and run ExchangeHound to collect mailbox permissions and delegation relationships.
  • Use Cypher queries in BloodHound to identify high-risk Exchange permissions and privilege chains.

You Should Know:

1. What is ExchangeHound and Why It Matters

ExchangeHound is a defensive OpenGraph collector built for blue teams, detection engineers, and Active Directory/Exchange defenders. It maps high-value Exchange relationships such as FullAccess, SendAs, SendOnBehalf, folder permissions, public folder ACLs, transport rules, and Exchange RBAC assignments into a graph queryable in BloodHound. Exchange permissions are frequently missed during AD-focused attack path analysis and security reviews. For defenders, this creates blind spots around mailbox abuse, impersonation risk, and privilege drift. ExchangeHoud helps defenders surface cross-OU and cross-team mailbox delegation, privileged mailbox exposure (including Tier Zero users), AD-to-mailbox abuse chains, and Kerberoastable delegates with mailbox rights.

Step-by-step guide to install and run ExchangeHound:

First, ensure you have BloodHound CE v8+ (tested on v9) with OpenGraph support, SharpHound AD data already ingested, and an Exchange account with rights to read mailbox and permission metadata.

Installation:

 Clone the repository
git clone https://github.com/FilipPwn/ExchangeHound.git
cd ExchangeHound

Ensure Exchange Management Shell is loaded
 For remote Exchange session, specify -Server parameter

Running ExchangeHound from an Exchange Management Shell session:

 Pilot run (recommended first execution)
.\ExchangeHound.ps1 -ResultSize 100 -SkipSendOnBehalf -OutputPath .\exchangehound_pilot.json

Remote Exchange session
.\ExchangeHound.ps1 -Server ex01.contoso.com

Collect all optional modules (enables all optional collectors)
.\ExchangeHound.ps1 -CollectAll

What this does:

The `-CollectAll` parameter enables all optional collectors, including `-IncludeInherited` and -IncludeDefaultFolderPrincipals. The script will:
– Connect to Exchange and AD via PowerShell
– Enumerate mailboxes and their permission entries
– Resolve SIDs to AD principals
– Generate a JSON payload compatible with BloodHound OpenGraph
– Output the file to the specified path

Sample run output:

PS C:\Users\Administrator\Desktop\ExchangeHound> .\ExchangeHound.ps1 -CollectAll
+-+
| ExchangeHound v1.0 |
| BloodHound OpenGraph Collector for Exchange |
| https://github.com/filippwn/ExchangeHound |
+-+
[+] Connected to Exchange server
[+] Enumerating mailboxes...
[+] Processing FullAccess permissions...
[+] Output written to exchangehound_export.json

2. Understanding ExchangeHound’s Data Model

ExchangeHound extends BloodHound with Exchange-specific nodes and relationships, enabling mailbox abuse analysis as part of the same identity graph. The model includes objects such as ExchangeMailbox, ExchangeMailboxFolder, ExchangePublicFolder, ExchangeTransportRule, and ExchangeRbacRole, connected by edges like HasFullAccess, HasSendAs, HasSendOnBehalf, HasFolderAccess, HasCalendarAccess, and HasPublicFolderAccess. At the center of the model is the `ExchangeMailbox` node, linked back to identity through `OwnsMailbox` (owner mapping) and to delegation principals through mailbox permission edges.

Step-by-step guide to query ExchangeHound data in BloodHound:

After ingesting the ExchangeHound JSON export into BloodHound, use these Cypher queries to analyze Exchange relationships.

Query 1: Map user mailbox ownership and permissions

MATCH p=(u:User)-[:OwnsMailbox|HasFullAccess|HasSendAs|HasSendOnBehalf]->(mb:ExchangeMailbox)
WHERE u.samaccountname = 'GraceTurner'
RETURN p

This query maps user GraceTurner to mailboxes she owns or has delegate access to, showing both explicit permissions and ownership.

Query 2: Find all non-owner full access to Tier Zero user mailboxes

MATCH (u:User {tierzero: true})-[:OwnsMailbox]->(mb:ExchangeMailbox)
MATCH (attacker:User)-[:HasFullAccess]->(mb)
WHERE attacker <> u
RETURN attacker.name, u.name, mb.name

This identifies any user with FullAccess to a Tier Zero user’s mailbox, a high-risk privilege chain.

Query 3: Detect SendAs permissions across organizational units

MATCH (u:User)-[:HasSendAs]->(mb:ExchangeMailbox)
WHERE u.ou <> mb.owner_ou
RETURN u.samaccountname, mb.name, mb.owner_samaccountname

Cross-OU SendAs permissions can indicate privilege escalation paths.

3. Exchange Permission Abuse Paths (T1098.002)

Adversaries may grant additional permission levels, such as `ReadPermission` or FullAccess, to maintain persistent access to an adversary-controlled email account. The MITRE ATT&CK technique T1098.002 (Additional Email Delegate Permissions) specifically addresses Exchange email delegate permissions abuse. ExchangeHound helps defenders detect this technique by modeling mailbox permissions as graph relationships, enabling detection of unusual delegation patterns.

Step-by-step guide to detecting T1098.002 with ExchangeHound:

Detection via PowerShell auditing:

 Audit mailbox permission changes in Exchange
Get-AdminAuditLog -Cmdlets Add-MailboxPermission, Remove-MailboxPermission -StartDate (Get-Date).AddDays(-30) | 
Select-Object CmdletName, ObjectModified, ParameterName, Caller, RunDate

Monitor for new mailbox delegations
Get-MailboxPermission -Identity "[email protected]" | 
Where-Object {$<em>.AccessRights -like "FullAccess" -and $</em>.User -notlike "NT AUTHORITY\"}

Detection using ExchangeHound in BloodHound:

// Find all mailbox delegations added in the last 30 days
MATCH (u:User)-[r:HasFullAccess|HasSendAs|HasSendOnBehalf]->(mb:ExchangeMailbox)
WHERE r.created_date > datetime({epochmillis: timestamp() - 2592000000})
RETURN u.name, type(r), mb.name, r.created_date

Mitigation steps:

  • Restrict who can delegate mailbox permissions using Exchange RBAC
  • Monitor for `Add-MailboxPermission` and `Add-ADPermission` cmdlet usage
  • Implement regular reviews of mailbox delegations using ExchangeHound
  • Use tiering to protect Tier Zero user mailboxes from delegation

4. Integration with BloodHound OpenGraph Ecosystem

BloodHound OpenGraph enables researchers to quickly ingest new data sets and light up new attack paths across their environment. The OpenGraph extension library includes community contributions for AWS, GitHub, Jamf, and now ExchangeHound.

Step-by-step guide to ingesting ExchangeHound data into BloodHound:

Prerequisites:

  • BloodHound CE v8+ with OpenGraph support
  • SharpHound AD data already ingested
  • ExchangeHound JSON export

Ingestion process:

1. Navigate to BloodHound CE web interface

2. Go to “Upload Data” section

3. Select “OpenGraph Data” upload option

4. Upload the ExchangeHound JSON export file

  1. BloodHound will validate and ingest the nodes and edges

Verification queries after ingestion:

// Check if ExchangeMailbox nodes were ingested
MATCH (n:ExchangeMailbox) RETURN COUNT(n)

// Verify Exchange relationship types
MATCH ()-[r:HasFullAccess|HasSendAs|HasSendOnBehalf]->() RETURN type(r), COUNT(r)

Expected output:

The graph will now show ExchangeMailbox nodes connected to User nodes via ownership and delegation edges, enabling path-based analysis of Exchange permissions.

5. Advanced Use Cases and Automation

ExchangeHound supports multiple use cases including continuous posture reviews, delegated access audits, incident scoping, and remediation validation after hardening changes.

Step-by-step guide to automating ExchangeHound collection:

Create a scheduled task on Windows Server:

 Create scheduled task action
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\scripts\ExchangeHound.ps1 -CollectAll -OutputPath C:\exports\exchangehound_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"

Create trigger (daily at 2 AM)
$Trigger = New-ScheduledTaskTrigger -Daily -At 02:00AM

Register scheduled task
Register-ScheduledTask -TaskName "ExchangeHound_Collector" -Action $Action -Trigger $Trigger -RunLevel Highest

Use with SIEM for alerting:

 Example Python script to parse ExchangeHound output and send to SIEM
import json
import sys

def process_exchangehound_export(file_path):
with open(file_path, 'r') as f:
data = json.load(f)

Extract high-risk relationships
for node in data.get('nodes', []):
if node.get('label') == 'ExchangeMailbox':
 Check for privileged mailboxes
if node.get('properties', {}).get('is_privileged', False):
 Send alert to SIEM
print(f"ALERT: Privileged mailbox {node.get('name')}")

Extract cross-OU delegations
for edge in data.get('edges', []):
if edge.get('label') in ['HasFullAccess', 'HasSendAs']:
 Check source and target OUs
source_ou = edge.get('properties', {}).get('source_ou')
target_ou = edge.get('properties', {}).get('target_ou')
if source_ou and target_ou and source_ou != target_ou:
print(f"ALERT: Cross-OU delegation from {source_ou} to {target_ou}")

if <strong>name</strong> == "<strong>main</strong>":
process_exchangehound_export(sys.argv[bash])

6. Remediation and Hardening

ExchangeHound helps identify excessive permissions that should be removed to reduce attack surface.

Step-by-step guide to remediation using ExchangeHound findings:

Identify and remove FullAccess permissions for non-owners:

 Get all mailboxes with FullAccess from non-owners
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
$mailbox = $<em>.Identity
Get-MailboxPermission -Identity $mailbox | Where-Object {
$</em>.AccessRights -contains "FullAccess" -and 
$<em>.User -notlike "NT AUTHORITY\" -and
$</em>.User -notlike "$($mailbox)\"
} | ForEach-Object {
Remove-MailboxPermission -Identity $mailbox -User $_.User -AccessRights FullAccess -Confirm:$false
}
}

Remove SendAs permissions for cross-OU delegations:

 Remove SendAs permissions where grantee and grantor are in different OUs
$crossOUDelgations = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
$mailbox = $<em>.Identity
$mailboxOU = (Get-ADUser (Get-Mailbox $mailbox).SamAccountName).DistinguishedName.Split(',')[bash].Split('=')[bash]
Get-ADPermission -Identity $mailbox | Where-Object {
$</em>.ExtendedRights -contains "Send-As" -and 
$<em>.User -ne "NT AUTHORITY\SELF" -and
(Get-ADUser $</em>.User -ErrorAction SilentlyContinue).DistinguishedName.Split(',')[bash].Split('=')[bash] -ne $mailboxOU
} | ForEach-Object {
Remove-ADPermission -Identity $mailbox -User $_.User -ExtendedRights "Send-As" -Confirm:$false
}
}

Harden Exchange RBAC:

  • Limit membership in high-privileged role groups (Organization Management, Recipient Management)
  • Use management role assignment policies to delegate specific permissions
  • Regularly audit RBAC assignments with ExchangeHound

What Undercode Say:

  • ExchangeHound bridges a critical gap in BloodHound’s AD-focused attack path analysis by bringing Exchange mailbox permissions into the graph.
  • Organizations can now detect and mitigate Exchange-specific abuse paths such as cross-OU delegations, Tier Zero mailbox exposure, and Kerberoastable delegates.
  • Regular collection and analysis using ExchangeHound should become a standard part of continuous identity posture reviews.

Prediction:

As BloodHound OpenGraph gains adoption, we expect to see a growing ecosystem of community collectors targeting other identity systems like Oracle Identity Manager, SAP Identity Management, and custom IAM solutions. ExchangeHound represents the first step toward comprehensive identity attack path management beyond Active Directory, setting a precedent for how security teams will analyze identity risk across their entire technology stack.

▶️ Related Video (94% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky