Find The CEO’s Email — in a cloud world

You’ve hacked it all, gotten domain admin, shelled every box that you can think of and ticked off all the objectives. But there’s a single one remaining: access to the CEO’s mailbox. Easy, you just jump to the CEO’s computer and get his password. Or crack the NT-hash you got from dcsyncing all the users. Alas, the CEO seems like the only person in the company that actually listened to the password security training. And his computer isn’t live on the network just now. And the company has taken the plunge headfirst into the cloud, so the mailboxes are hosted on office.com. Which means you can’t just read emails on the exchange server. What to do?

Enter the wonderful world of mailbox delegation! This feature is really for people who needs to have an assistant going through their email. But as it doesn’t notify the CEO when it’s set up, we can use it for our purposes. To set a delegation, you have to have privileges in Azure Active Directory, either Global Administrator or Exchange Administrator. To find members of this group, log in to portal.azure.com as any domain user. Go to “Azure Active Directory” in the left hand menu, “Roles and administrators” and click on “Global administrators”.

List of all global administrators in the domain

The next step is to get the password of one of these users. This might be easier than getting the CEO’s password. Best practices is to have separate O365 admins, but best practices aren’t always followed. It’s not uncommon to see Domain Admins also set as the Global Admin. So get the password in usual ways, 2019 is also the year of mimikatz!

With the Global admin password, log into admin.microsoft.com. On the first page, shown below, there’s a search field where you can find whatever user you’re targeting.

The admin page for Office 365

Click on the desired user from the search field, and scroll down until you see “Mail Settings”. Expand this, and choose “Edit Exchange Properties”. under “More settings”

Mail settings for the CEO

On the page newly opened, choose “mailbox delegation” from the menu. Under “Full access”, click the plus and search up a user you want to log in as and click save. There’s nothing that indicates to this user that they’ve been added, so you can use whatever account you want.

After this, open the mailbox of the user you added as a delegate through outlook.office.com. Open the account pane by clicking the user’s picture in the right top corner.

Click “Open another mailbox…” here.

A popup shows up, where you can enter the CEO’s name. It even autocompletes for you, which is very helpful. Click open, and voila! Full access to the CEO’s email without knowing their password.

That final objective for your report.