Silent org-wide mailbox reads: Exchange ApplicationImpersonation abuse
An over-privileged app with org-wide mailbox impersonation reads any mailbox quietly. No user is phished and no password reset stops it, because it authenticates as an app.
In Microsoft 365, an app can be granted the power to read any mailbox in the org. When that power is abused, mail is collected without phishing a single user, and user-centric monitoring stays quiet.
How the attack works
A service principal holds broad mailbox-impersonation rights: either the legacy ApplicationImpersonation RBAC role (the EWS path) or an application permission that covers every mailbox, such as EWS full_access_as_app or Microsoft Graph Mail.Read / Mail.ReadWrite. With that grant it reads executive and finance mailboxes over EWS or Graph without involving any user. The unified audit log does record a MailItemsAccessed event for each target mailbox, but the event carries the application's AppId and ClientAppId rather than an interactive user sign-in, and the bulk harvesting of messages and attachments shows up only as one app fanning out across dozens of mailboxes. This is Account Manipulation: Additional Email Delegate Permissions, T1098.002, and Email Collection: Remote Email Collection, T1114.002.
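The fan-out pattern just described is the one thing the audit log does give you, so here is an added hunting example (not code from the page or from the range scenario) that groups MailItemsAccessed records by ClientAppId and reports any app touching more than a threshold of distinct mailboxes. The sample records are constructed to mimic the AuditData JSON of real events; the app ids, UPNs, client strings and timestamps are invented, and the threshold is an assumption to tune per tenant.

```powershell
# Added example, not code from the original page. Hunts MailItemsAccessed records for an
# application that fans out across many mailboxes. The JSON below is CONSTRUCTED to mimic
# the AuditData payload of real events; ids, UPNs and times are made up.
# To run against real data (after Connect-ExchangeOnline), replace the here-string with:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -Operations MailItemsAccessed -ResultSize 5000 |
#       Select-Object -ExpandProperty AuditData | ConvertFrom-Json
$auditData = @'
[
 {"CreationTime":"2024-03-01T09:01:12","Operation":"MailItemsAccessed","MailboxOwnerUPN":"cfo@contoso.example",
  "ClientAppId":"aaaaaaaa-1111-2222-3333-444444444444","ClientInfoString":"Client=REST;Client=RESTSystem;;",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]},
 {"CreationTime":"2024-03-01T09:01:40","Operation":"MailItemsAccessed","MailboxOwnerUPN":"controller@contoso.example",
  "ClientAppId":"aaaaaaaa-1111-2222-3333-444444444444","ClientInfoString":"Client=REST;Client=RESTSystem;;",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]},
 {"CreationTime":"2024-03-01T09:02:05","Operation":"MailItemsAccessed","MailboxOwnerUPN":"ceo@contoso.example",
  "ClientAppId":"aaaaaaaa-1111-2222-3333-444444444444","ClientInfoString":"Client=REST;Client=RESTSystem;;",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]},
 {"CreationTime":"2024-03-01T09:03:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"cfo@contoso.example",
  "ClientAppId":"bbbbbbbb-5555-6666-7777-888888888888","ClientInfoString":"Client=MSExchangeRPC",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
]
'@ | ConvertFrom-Json

function Find-AppMailboxFanout {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # Assumption: a legitimate connector rarely reads this many distinct mailboxes in one window.
        [int] $MinMailboxes = 5
    )
    $Records |
        Where-Object { $_.Operation -eq 'MailItemsAccessed' -and $_.ClientAppId } |
        Group-Object -Property ClientAppId |
        ForEach-Object {
            $mailboxes = @($_.Group.MailboxOwnerUPN | Sort-Object -Unique)
            $times     = @($_.Group.CreationTime | Sort-Object)
            # Sync-type reads pull whole folders; they are the usual shape of bulk harvesting.
            $syncReads = @($_.Group | Where-Object {
                ($_.OperationProperties | Where-Object Name -eq 'MailAccessType').Value -eq 'Sync'
            }).Count
            [pscustomobject]@{
                ClientAppId = $_.Name
                Mailboxes   = $mailboxes.Count
                Events      = $_.Count
                SyncReads   = $syncReads
                Clients     = (@($_.Group.ClientInfoString | Sort-Object -Unique) -join ' | ')
                FirstSeen   = $times[0]
                LastSeen    = $times[-1]
                Targets     = ($mailboxes -join ', ')
            }
        } |
        Where-Object { $_.Mailboxes -ge $MinMailboxes } |
        Sort-Object -Property Mailboxes -Descending
}

# The sample is small, so the threshold is lowered to 3: the REST app is reported, Outlook is not.
Find-AppMailboxFanout -Records $auditData -MinMailboxes 3 | Format-List
```

The report lists the app id, the distinct mailboxes it touched, how many of the reads were Sync-type, and the first and last timestamps, which is enough to decide whether the app is a known connector or an unexplained grant worth revoking. Outlook and other user-driven clients also carry a ClientAppId, so the discriminator is the fan-out across mailboxes, not the presence of an app id.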
Why it works
The reads run under the application's own token, obtained with its client secret or certificate, so there is no interactive sign-in, no MFA prompt and no risky-sign-in signal, and the targeted users see nothing. An ApplicationImpersonation assignment covers every mailbox in the organization unless it is constrained with a management scope, and an application permission such as Mail.Read likewise covers every mailbox unless an Application Access Policy restricts it. Many apps quietly hold one or the other, so the access is over-privileged and unconstrained by default.
How to fix it
Resetting the targeted users' passwords or revoking their sessions does nothing, because the application never used their credentials. Contain the app directly: remove the ApplicationImpersonation assignment or the full-access / Mail.* application grant, disable the service principal and rotate or remove its credentials so it can obtain no new tokens (client-credential flows issue no refresh token, so an access token already in hand lapses at its normal expiry, typically an hour or so), and apply an Application Access Policy that bounds which mailboxes the sanctioned apps can reach. Note that Application Access Policies govern Microsoft Graph mail, calendar and contacts application permissions only; an EWS app is scoped through Exchange's RBAC for Applications instead. For the class fix, inventory every app and role member with org-wide mailbox impersonation or full access, retire the deprecated ApplicationImpersonation role per Microsoft's current guidance, and bind each remaining app to least-privilege scopes.
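The containment and class fix above, as an added PowerShell walkthrough that is not part of the original page or the range scenario. It assumes Exchange Online PowerShell (Connect-ExchangeOnline) and the Microsoft Graph PowerShell SDK (Connect-MgGraph with Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All) are already connected; the app ids, group, scope name, UPNs and the name match for the impersonation assignee are placeholders, and the Exchange role name used for the RBAC-for-Applications rebind is the one Microsoft publishes for EWS, stated here from memory rather than from the page.

```powershell
# Added example, not code from the original page. Placeholders throughout.
$suspectAppId  = 'aaaaaaaa-1111-2222-3333-444444444444'       # ClientAppId flagged in the audit log
$sanctionedApp = 'bbbbbbbb-5555-6666-7777-888888888888'       # legitimate mail connector that must keep working
$allowedGroup  = 'FinanceMailScope@contoso.example'            # mail-enabled security group: mailboxes it may touch

# 1. Inventory. An empty CustomRecipientWriteScope means the assignment is org-wide.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName, CustomRecipientWriteScope

# 2. Contain the suspect service principal. Disabling it blocks new token issuance; the app never
#    held a refresh token (client-credential flow), so any live access token dies at its expiry.
$sp = Get-MgServicePrincipal -Filter "appId eq '$suspectAppId'"
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
foreach ($cred in $sp.PasswordCredentials) {                   # drop its secrets as well
    Remove-MgServicePrincipalPassword -ServicePrincipalId $sp.Id -KeyId $cred.KeyId
}

# 3. Strip the mailbox-wide application permissions (app roles) it was granted on
#    Office 365 Exchange Online and Microsoft Graph. Role names are resolved from the
#    resource's AppRoles so no role GUIDs need to be hard-coded.
$mailRoles = 'full_access_as_app', 'Mail.Read', 'Mail.ReadWrite', 'Mail.ReadBasic.All'
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignment = $_
    $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $roleName   = ($resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId).Value
    if ($roleName -in $mailRoles) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $assignment.Id
        "Removed $roleName on $($resource.DisplayName)"
    }
}

# 4. Remove the legacy impersonation assignment tied to it (assumption: matched by assignee name).
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { $_.RoleAssigneeName -like '*mail-sync-svc*' } |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Class fix for a Graph-based connector: bound it to one group of mailboxes.
#    Application Access Policies cover Graph mail/calendar/contacts app permissions only.
New-ApplicationAccessPolicy -AppId $sanctionedApp -PolicyScopeGroupId $allowedGroup `
    -AccessRight RestrictAccess -Description 'Finance connector: finance mailboxes only'
Test-ApplicationAccessPolicy -Identity 'cfo@contoso.example' -AppId $sanctionedApp        # AccessCheckResult: Denied
Test-ApplicationAccessPolicy -Identity 'ap-clerk@contoso.example' -AppId $sanctionedApp   # Granted (group member)

# 6. Class fix for an EWS-based connector: replace ApplicationImpersonation with RBAC for
#    Applications, i.e. a management scope plus a role assigned to the service principal itself.
$ewsSp = Get-MgServicePrincipal -Filter "appId eq '$sanctionedApp'"
New-ManagementScope -Name 'FinanceMailboxes' -RecipientRestrictionFilter "Department -eq 'Finance'"
New-ServicePrincipal -AppId $sanctionedApp -ObjectId $ewsSp.Id -DisplayName 'Finance connector'
New-ManagementRoleAssignment -App $ewsSp.Id -Role 'Application EWS.AccessAsApp' `
    -CustomResourceScope 'FinanceMailboxes'
Test-ServicePrincipalAuthorization -Identity $ewsSp.Id -Resource 'cfo@contoso.example'   # expect no access
```

Step 2 is the part that a user-centric playbook misses: the victims' passwords and sessions are irrelevant, and the thing to disable is the service principal. Steps 5 and 6 are deliberately separate because the two mechanisms do not overlap; an Application Access Policy leaves an EWS grant untouched, and a management scope on an Exchange role does nothing for a Graph Mail.Read grant.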
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse spotting app-context mailbox reads, revoking the grant and tokens, and scoping apps with Application Access Policies.