Find The CEO’s Email — in a cloud world

Péter Gombos
Feb 14, 2019 · 3 min read

You’ve hacked it all, gotten domain admin, shelled every box that you can think of and ticked off all the objectives. But there’s a single one remaining: access to the CEO’s mailbox. Easy, you just jump to the CEO’s computer and get his password. Or crack the NT-hash you got from dcsyncing all the users. Alas, the CEO seems like the only person in the company that actually listened to the password security training. And his computer isn’t live on the network just now. And the company has taken the plunge headfirst into the cloud, so the mailboxes are hosted on office.com. Which means you can’t just read emails on the exchange server. What to do?

Enter the wonderful world of mailbox delegation! This feature is really for people who needs to have an assistant going through their email. But as it doesn’t notify the CEO when it’s set up, we can use it for our purposes. To set a delegation, you have to have privileges in Azure Active Directory, either Global Administrator or Exchange Administrator. To find members of this group, log in to portal.azure.com as any domain user. Go to “Azure Active Directory” in the left hand menu, “Roles and administrators” and click on “Global administrators”.

Image for post
Image for post
List of all global administrators in the domain

The next step is to get the password of one of these users. This might be easier than getting the CEO’s password. Best practices is to have separate O365 admins, but best practices aren’t always followed. It’s not uncommon to see Domain Admins also set as the Global Admin. So get the password in usual ways, 2019 is also the year of mimikatz!

With the Global admin password, log into admin.microsoft.com. On the first page, shown below, there’s a search field where you can find whatever user you’re targeting.

Image for post
Image for post
The admin page for Office 365

Click on the desired user from the search field, and scroll down until you see “Mail Settings”. Expand this, and choose “Edit Exchange Properties”. under “More settings”

Image for post
Image for post
Mail settings for the CEO

On the page newly opened, choose “mailbox delegation” from the menu. Under “Full access”, click the plus and search up a user you want to log in as and click save. There’s nothing that indicates to this user that they’ve been added, so you can use whatever account you want.

Image for post
Image for post

After this, open the mailbox of the user you added as a delegate through outlook.office.com. Open the account pane by clicking the user’s picture in the right top corner.

Image for post
Image for post

Click “Open another mailbox…” here.

Image for post
Image for post

A popup shows up, where you can enter the CEO’s name. It even autocompletes for you, which is very helpful. Click open, and voila! Full access to the CEO’s email without knowing their password.

Image for post
Image for post
That final objective for your report.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store