
Introduction:
Microsoft Exchange’s delegation and mailbox permission model is notoriously complex, often leading to unintended privilege escalation paths in enterprise environments. ExchangeHound, a new community tool integrated with SpecterOps’ BloodHound OpenGraph ecosystem, transforms how security teams visualize and attack these permission relationships. This article delivers a hands-on guide to deploying ExchangeHound against Exchange On-Premise, extracting hidden ACL-based attacks, and hardening your mail infrastructure.
Learning Objectives:
- Deploy and execute ExchangeHound to enumerate mailbox permissions and delegation chains in Exchange On-Premise.
- Integrate collected data into BloodHound OpenGraph for advanced lateral movement and privilege escalation analysis.
- Apply hardening measures and detection rules to mitigate Exchange-based attack vectors.
You Should Know:
1. ExchangeHound Installation and Prerequisites
ExchangeHound is a Python-based collector that queries Exchange Web Services (EWS) and PowerShell remoting. It requires a domain-joined Windows machine with Exchange management tools or remote WinRM access.
Step‑by‑step guide:
- Clone the repository: `git clone https://github.com/your-repo/ExchangeHound.git` (placeholder: the actual repository is linked from the LinkedIn post at https://lnkd.in/dgYwuPui; use the expanded direct URL. This article assumes a `https://github.com/specterops/ExchangeHound`-style location.)
- Install dependencies: `pip install -r requirements.txt` (includes `pywinrm`, `exchangelib`, `dnspython`).
- Authenticate using a domain account with at least the `View-Only Recipients` and `View-Only Configuration` roles.
- Run the collector: `python exchangehound.py -u DOMAIN\user -p password -dc dc.domain.local -exchange exchange.domain.local`
Explanation: The tool connects to EWS to list all mailboxes, then queries `Get-MailboxPermission` and `Get-MailboxFolderPermission` via remote PowerShell to extract every delegation (FullAccess, SendAs, SendOnBehalf). Results are written as JSON nodes and edges compatible with BloodHound OpenGraph.
2. Ingesting Data into BloodHound OpenGraph
BloodHound OpenGraph extends the classic AD graph to include Exchange and Azure objects. ExchangeHound’s output must be imported using the OpenGraph custom data loader.
Step‑by‑step guide:
- Launch BloodHound OpenGraph (community edition or enterprise). Ensure the `openbloodhound` service is running.
- Convert the ExchangeHound JSON to BloodHound’s ZIP format using the provided `exchangehound_to_bh.py` script: `python exchangehound_to_bh.py -i exchangehound_output.json -o bloodhound_import.zip`
- In BloodHound UI, click “Upload Data” and select the ZIP file.
- Run the pre-built Cypher query: `MATCH p=(u:User)-[r:HasFullAccess]->(m:Mailbox) RETURN p` to visualize all users with full access to mailboxes.
- Advanced query: Find paths from low-privilege users to high-value mailboxes (e.g., executives, helpdesk) via delegated permissions.
This reveals hidden lateral movement vectors – an attacker who compromises a user with `SendAs` on a privileged mailbox can impersonate that person.
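To make the path query concrete without a BloodHound instance, here is an added example (my own code, not ExchangeHound's or SpecterOps' code) that builds a delegation graph from constructed `Get-MailboxPermission`-style rows plus an AD group-membership map, then searches for paths from a principal to a mailbox through nested group membership, which is what the Cypher query above visualizes. The `{"nodes": [...], "edges": [...]}` layout and the `HasSendAs`/`HasSendOnBehalf` edge names are assumptions for this example, not the OpenGraph import schema.

```python
import json

# Constructed sample data (not ExchangeHound output): rows shaped like a
# Get-MailboxPermission export, plus an AD group-membership map.
MAILBOX_PERMISSIONS = [
    {"Identity": "cfo", "User": "NT AUTHORITY\\SELF", "AccessRights": "FullAccess"},
    {"Identity": "cfo", "User": "CORP\\helpdesk-admins", "AccessRights": "FullAccess"},
    {"Identity": "ceo", "User": "CORP\\exec-assistants", "AccessRights": "SendAs"},
    {"Identity": "shared-billing", "User": "CORP\\jdoe",
     "AccessRights": "FullAccess, DeleteItem"},
]
GROUP_MEMBERS = {
    "CORP\\helpdesk-admins": ["CORP\\tier1-helpdesk", "CORP\\asmith"],
    "CORP\\tier1-helpdesk": ["CORP\\jdoe"],
    "CORP\\exec-assistants": ["CORP\\mlee"],
}

# HasFullAccess matches the Cypher query above; the other two names are
# assumed for this example.
EDGE_KIND = {"FullAccess": "HasFullAccess", "SendAs": "HasSendAs",
             "SendOnBehalf": "HasSendOnBehalf"}


def build_graph(permissions, group_members):
    """Turn permission rows and group membership into a node/edge dict.
    The layout is an assumption for this example, not OpenGraph's schema."""
    nodes, edges = {}, []
    for group, members in group_members.items():
        nodes[group] = "Group"
        for member in members:
            nodes.setdefault(member, "User")
            edges.append({"start": member, "end": group, "kind": "MemberOf"})
    for row in permissions:
        principal = row["User"]
        if principal.upper().startswith("NT AUTHORITY\\"):
            continue  # SELF and other built-in principals are not delegations
        mailbox = "mailbox:" + row["Identity"]
        nodes[mailbox] = "Mailbox"
        nodes.setdefault(principal, "User")
        for right in row["AccessRights"].split(","):
            kind = EDGE_KIND.get(right.strip())
            if kind:  # rights such as DeleteItem are not delegation edges
                edges.append({"start": principal, "end": mailbox, "kind": kind})
    return {"nodes": [{"id": n, "kinds": [k]} for n, k in nodes.items()],
            "edges": edges}


def find_paths(graph, start, mailbox):
    """Depth-first search for every simple path from `start` to the mailbox,
    following MemberOf and delegation edges (the path form of the Cypher query)."""
    target = "mailbox:" + mailbox
    adjacency = {}
    for edge in graph["edges"]:
        adjacency.setdefault(edge["start"], []).append(edge)
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        for edge in adjacency.get(node, []):
            if edge["end"] not in seen:
                walk(edge["end"], path + [(node, edge["kind"], edge["end"])],
                     seen | {edge["end"]})

    walk(start, [], {start})
    return paths


def reachable_mailboxes(graph, start):
    """Mailboxes a principal can reach directly or through nested groups."""
    names = {n["id"][len("mailbox:"):] for n in graph["nodes"]
             if n["kinds"] == ["Mailbox"]}
    return sorted(m for m in names if find_paths(graph, start, m))


if __name__ == "__main__":
    graph = build_graph(MAILBOX_PERMISSIONS, GROUP_MEMBERS)
    print(json.dumps(graph, indent=2))
    for hop in find_paths(graph, "CORP\\jdoe", "cfo")[0]:
        print(" -> ".join(hop))
```

Run as a script it dumps the graph and prints the three-hop chain `jdoe -> tier1-helpdesk -> helpdesk-admins -> mailbox:cfo`; the point is that a user with no direct entry in the mailbox ACL still reaches the CFO mailbox through nested groups, which a flat `Get-MailboxPermission` listing does not show.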
3. Manual Enumeration of Exchange Permissions (Windows & Linux)
When ExchangeHound is not available, security engineers can manually enumerate delegation using native PowerShell and Python-EWS.
Windows PowerShell (Exchange Management Shell):
```powershell
# List all mailbox permissions (FullAccess, SendAs)
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {$_.User -like "*" -and $_.AccessRights -match "FullAccess|SendAs"} | fl Identity,User,AccessRights
# Get folder-level permissions (e.g., Calendar, Inbox)
Get-MailboxFolderPermission -Identity "user:\Calendar" | ft FolderName,User,AccessRights
```
Linux using the `exchangelib` Python library:
```python
from exchangelib import Credentials, Account, Configuration

# Raw string: a plain 'domain\user' literal is a unicode-escape error in Python
creds = Credentials(r'domain\user', 'password')
config = Configuration(server='exchange.domain.local', credentials=creds)
account = Account('[email protected]', config=config, autodiscover=False)

# walk() yields every folder below the root; permission_set holds the folder DACL
for folder in account.root.walk():
    if folder.permission_set is None:
        continue
    for perm in folder.permission_set.permissions:
        # distinguished_user covers the Default/Anonymous entries, which have no SMTP address
        user = perm.user_id.primary_smtp_address or perm.user_id.distinguished_user
        print(f"{folder.name}: {user} -> {perm.permission_level}")
```
These commands help auditors verify findings from automated tools and confirm misconfigurations.
4. Exploiting Exchange Delegation for Lateral Movement
An attacker who gains `SendAs` on a manager’s mailbox can send phishing emails that appear legitimate, bypassing SPF/DKIM if the Exchange server is trusted. `FullAccess` allows reading sensitive emails, resetting tasks, or triggering mail flow rules.
Step‑by‑step attack simulation:
- Enumerate all users with `SendAs` on `[email protected]` using ExchangeHound or PowerShell.
- From an attacker-controlled machine (assuming compromised user `jdoe` with SendAs), use `Send-MailMessage` via Exchange Web Services:
```powershell
$cred = Get-Credential domain\jdoe
Send-MailMessage -From "[email protected]" -To "[email protected]" -Subject "Urgent" -Body "Click link" -SmtpServer exchange.domain.local -Credential $cred
```
- If successful, the email originates from Exchange’s internal IP, reducing spam flagging.
- For FullAccess, use `New-Object -ComObject Outlook.Application` or `OpenOtherUser.Mailbox` in PowerShell to read contents without changing the password.
Mitigation: Disable `SendAs` for non-executives, implement mailbox auditing, and monitor `SendAs` event IDs 4488 (SendAs usage) and 4489 (SendOnBehalf).
5. Cloud Hardening for Exchange Hybrid & Office 365
In hybrid environments, on-premise Exchange permissions can sync to Azure AD and Exchange Online, creating cross-premise attack paths. ExchangeHound can be extended with Microsoft Graph API to cover cloud.
Step‑by‑step cloud enumeration:
- Install the `Microsoft.Graph` module: `Install-Module Microsoft.Graph -Scope CurrentUser`
- Authenticate to Graph: `Connect-MgGraph -Scopes "Mail.Read", "Mail.Send", "User.Read.All"`
- List mailbox permissions for Exchange Online users:
```powershell
Get-MgUser -All | ForEach-Object {
    $userId = $_.Id
    Get-MgUserMailboxPermission -UserId $userId | Where-Object {$_.AccessRights -ne "None"}
}
```
- Use BloodHound’s AzureHound to combine on-prem ExchangeHound data with cloud permissions, revealing paths like “compromised on-prem user → Azure AD sync account → Exchange Online full delegation.”
Hardening: Restrict `SendAs` and `FullAccess` to only necessary groups; enforce Conditional Access requiring MFA for mailbox access from non-corporate IPs; monitor `MailboxPermissionsChanged` audit logs.
6. Detection Engineering for Exchange Delegation Abuse
Detection engineers should create Sigma rules and KQL queries to identify misuse of Exchange permissions.
Step‑by‑step detection setup:
- Enable Exchange admin audit logging: `Set-AdminAuditLogConfig -AdminAuditLogEnabled $true`
- Windows Event IDs to monitor (on the Exchange server):
  - 4624 (successful logon) followed by 4662 (operation on Exchange object)
  - 512 (New-MailboxPermission changes)
- Sample KQL for Microsoft Sentinel:
```kql
AuditLogs
| where OperationName == "Set-Mailbox" or OperationName == "Add-MailboxPermission"
| extend ModifiedProps = parse_json(TargetProperties)
| mv-expand ModifiedProps
| where ModifiedProps.Name == "GrantSendOnBehalfTo" or ModifiedProps.Name == "FullAccess"
| project TimeGenerated, UserId, OperationName, TargetObject, ModifiedProps.NewValue
```
- Sigma rule for `SendAs` usage (Event ID 4488):
```yaml
title: Suspicious SendAs Usage
status: experimental
logsource:
  product: exchange
  service: mail
detection:
  selection:
    EventID: 4488
    User: '*'
  condition: selection
```
Alerts on every `SendAs` action – tune for legitimate helpdesk scenarios.
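The two rules above are easier to tune when you can run them over sample data. This added example (my own code, not from the article's tooling) implements the KQL and the Sigma selection in Python over constructed audit records: the first function expands `TargetProperties` exactly as the `mv-expand` does and keeps only `FullAccess` / `GrantSendOnBehalfTo` changes; the second matches EventID 4488 and applies the helpdesk allow-list tuning the text recommends. The record shapes, and the `Mailbox` field on the 4488 events, are assumptions for this example.

```python
import json

# Constructed sample events (not real logs). The first three are shaped like the
# AuditLogs rows the KQL targets (TargetProperties is a JSON string, as
# parse_json expects); the rest are Windows-style events carrying an EventID.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserId": "CORP\\exadmin",
     "OperationName": "Add-MailboxPermission", "TargetObject": "cfo",
     "TargetProperties": json.dumps([{"Name": "User", "NewValue": "CORP\\jdoe"},
                                     {"Name": "FullAccess", "NewValue": "True"}])},
    {"TimeGenerated": "2024-05-01T08:05:00Z", "UserId": "CORP\\exadmin",
     "OperationName": "Set-Mailbox", "TargetObject": "ceo",
     "TargetProperties": json.dumps([{"Name": "GrantSendOnBehalfTo",
                                      "NewValue": "CORP\\mlee"}])},
    {"TimeGenerated": "2024-05-01T08:10:00Z", "UserId": "CORP\\exadmin",
     "OperationName": "Set-Mailbox", "TargetObject": "cfo",
     "TargetProperties": json.dumps([{"Name": "HiddenFromAddressListsEnabled",
                                      "NewValue": "False"}])},
    # "Mailbox" is an assumed field name for the constructed 4488 events
    {"TimeGenerated": "2024-05-01T09:00:00Z", "EventID": 4488,
     "User": "CORP\\helpdesk-svc", "Mailbox": "cfo"},
    {"TimeGenerated": "2024-05-01T09:30:00Z", "EventID": 4488,
     "User": "CORP\\jdoe", "Mailbox": "ceo"},
    {"TimeGenerated": "2024-05-01T09:31:00Z", "EventID": 4624, "User": "CORP\\jdoe"},
]

WATCHED_OPERATIONS = {"Set-Mailbox", "Add-MailboxPermission"}
WATCHED_PROPERTIES = {"GrantSendOnBehalfTo", "FullAccess"}


def permission_grant_alerts(events):
    """Python equivalent of the KQL: filter by OperationName, expand the
    TargetProperties array, keep only delegation-related property changes."""
    alerts = []
    for ev in events:
        if ev.get("OperationName") not in WATCHED_OPERATIONS:
            continue
        for prop in json.loads(ev.get("TargetProperties", "[]")):
            if prop.get("Name") in WATCHED_PROPERTIES:
                alerts.append({
                    "TimeGenerated": ev["TimeGenerated"],
                    "UserId": ev["UserId"],
                    "OperationName": ev["OperationName"],
                    "TargetObject": ev["TargetObject"],
                    "Property": prop["Name"],
                    "NewValue": prop.get("NewValue"),
                })
    return alerts


def sendas_alerts(events, allowed_senders=frozenset()):
    """Sigma selection (EventID 4488, any User) with the tuning the text
    suggests: an allow-list of accounts whose SendAs use is expected."""
    return [ev for ev in events
            if ev.get("EventID") == 4488 and ev.get("User") not in allowed_senders]


if __name__ == "__main__":
    for alert in permission_grant_alerts(SAMPLE_EVENTS):
        print("GRANT ", alert)
    for alert in sendas_alerts(SAMPLE_EVENTS, {"CORP\\helpdesk-svc"}):
        print("SENDAS", alert)
```

On the sample data the grant rule fires twice (the FullAccess grant on `cfo` and the SendOnBehalf grant on `ceo`) and ignores the unrelated `Set-Mailbox` change; the SendAs rule fires on every 4488 until the helpdesk service account is allow-listed, after which only `jdoe` remains.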
7. Mitigating Exchange Permission Escalation Paths
After discovering risky delegations via ExchangeHound, implement these hardening steps in order of priority.
Step‑by‑step mitigation:
- Run the following and export the result to CSV:
```powershell
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {$_.AccessRights -match "SendAs" -and $_.User -notlike "NT AUTHORITY\*"}
```
- For each delegate that should not have SendAs, remove it: `Remove-MailboxPermission -Identity "targetmbx" -User "delegate" -AccessRights SendAs`
- Apply the principle of least privilege: replace "FullAccess" with the "Reviewer" role where possible.
- Create a PowerShell audit script that runs daily and emails deviations to the security team:
```powershell
$baseline = Import-Csv "allowed_delegations.csv"
$current = Get-MailboxPermission -Identity "ceo" | Where-Object User -notlike "NT AUTHORITY\*"
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property User,AccessRights
if ($diff) {
    Send-MailMessage -To "[email protected]" -Subject "Delegation drift detected" -Body ($diff | Out-String) ...
}
```
- Implement JIT (Just-In-Time) delegation using PIM for Exchange roles.
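The daily drift check above is worth having in a form you can test offline. This added example (my own code, not part of the article) reads an approved baseline and a current `Get-MailboxPermission | Export-Csv`-style snapshot, both constructed here, normalises multi-valued `AccessRights`, drops `NT AUTHORITY\*` entries, computes the same added/removed split that `Compare-Object` produces, and emits the matching `Remove-MailboxPermission` lines for each unapproved delegation. The column names follow the PowerShell output above; the set of tracked rights is my choice for the example.

```python
import csv
import io

# Rights worth tracking; other rights in an export (DeleteItem, ...) are ignored.
TRACKED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Constructed sample data, not a real export: the approved baseline and a
# "current" snapshot shaped like Get-MailboxPermission | Export-Csv output.
BASELINE_CSV = """Identity,User,AccessRights
cfo,CORP\\exec-assistants,FullAccess
ceo,CORP\\exec-assistants,SendAs
shared-billing,CORP\\asmith,FullAccess
"""
CURRENT_CSV = """Identity,User,AccessRights
cfo,NT AUTHORITY\\SELF,FullAccess
cfo,CORP\\exec-assistants,"FullAccess, DeleteItem"
cfo,CORP\\jdoe,FullAccess
ceo,CORP\\exec-assistants,SendAs
ceo,CORP\\contractor-old,SendAs
"""


def load_delegations(csv_text):
    """Parse an export into a set of (mailbox, delegate, right) triples,
    splitting multi-valued AccessRights and dropping NT AUTHORITY entries
    (the -notlike filter from the PowerShell above)."""
    triples = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["User"].upper().startswith("NT AUTHORITY\\"):
            continue
        for right in row["AccessRights"].split(","):
            right = right.strip()
            if right in TRACKED_RIGHTS:
                triples.add((row["Identity"], row["User"], right))
    return triples


def diff_delegations(baseline, current):
    """Equivalent of Compare-Object: rights present now but not approved
    ('added') and approved rights that have disappeared ('removed')."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}


def remediation_commands(added):
    """Build the Remove-MailboxPermission line for each unapproved delegation,
    mirroring the removal command in the mitigation steps above."""
    return [f'Remove-MailboxPermission -Identity "{mbx}" -User "{user}" '
            f'-AccessRights {right}'
            for mbx, user, right in added]


def drift_report(baseline_csv, current_csv):
    """Human-readable body for the notification mail; 'no drift' when clean."""
    drift = diff_delegations(load_delegations(baseline_csv),
                             load_delegations(current_csv))
    lines = [f"ADDED   {m} <- {u} ({r})" for m, u, r in drift["added"]]
    lines += [f"REMOVED {m} <- {u} ({r})" for m, u, r in drift["removed"]]
    return "\n".join(lines) if lines else "no drift"


if __name__ == "__main__":
    print(drift_report(BASELINE_CSV, CURRENT_CSV))
    drift = diff_delegations(load_delegations(BASELINE_CSV),
                             load_delegations(CURRENT_CSV))
    print("\n".join(remediation_commands(drift["added"])))
```

On the sample data the report flags two unapproved grants (`jdoe` with FullAccess on `cfo`, a stale contractor with SendAs on `ceo`) and one approved delegation that has vanished, which is worth knowing too, since a silently removed approval usually means someone changed the ACL outside the process. Tracking removals as well as additions is the reason for keeping both halves of the `Compare-Object` result.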
What Undercode Say:
- Key Takeaway 1: ExchangeHound closes a critical visibility gap in BloodHound OpenGraph, turning complex mailbox ACLs into actionable attack paths.
- Key Takeaway 2: Manual enumeration via PowerShell and Python remains essential for validation, but automation at scale is non-negotiable for modern AD+Exchange defense.
- Analysis: The tool’s focus on on-premise Exchange is strategic – many large enterprises still run hybrid or fully on-prem mail due to compliance. Attackers have long abused SendAs/FullAccess for Business Email Compromise without touching credentials. By integrating into BloodHound, defenders can finally see these “object-level” privileges alongside AD group memberships, exposing chains like “User with Write to OU → adds self to Exchange Recipient Management → grants SendAs on CFO.” Expect SpecterOps to release similar connectors for SharePoint and Teams.
Prediction:
Within 12 months, Exchange delegation attacks will be formally incorporated into MITRE ATT&CK under “T1114: Email Collection” and “T1098: Account Manipulation” with sub-techniques. Security vendors will rush to add Exchange permission analytics to their EDR and SIEM capabilities, while red teams will automate ExchangeHound in Cobalt Strike for rapid lateral movement. Organizations that fail to audit mailbox permissions will suffer BEC incidents traced back to overlooked `SendAs` rights granted years ago to long-departed contractors. The shift toward graph-based permission analysis will eventually force Microsoft to deprecate legacy Exchange permission inheritance in favor of Azure RBAC-like controls.
Reported By: Https: – Hackers Feeds