Tags: exchange online, persistence, for responders

The mailbox backdoor that survives a password reset: FullAccess delegates

Add-MailboxPermission grants a FullAccess delegate on executive mailboxes. Because it is tied to a delegate, not the owner credential, it survives the victim's password reset.

FullAccess delegation is a normal Exchange feature for shared mailboxes, and a near-perfect stealth backdoor, because it is tied to a delegate rather than the victim’s password.

How the attack works

After compromising an admin session, the attacker runs Add-MailboxPermission to grant a FullAccess delegate right on executive mailboxes to an account they control, then extends the same grant to more executives. The delegate opens those mailboxes and reads mail silently, with no sign-in by the owner. Crucially, when an executive later resets their password and re-enrolls MFA, the delegate keeps reading the mailbox, because the permission is independent of the victim credential. This is Account Manipulation, T1098, and Email Collection, T1114.

Why it works

FullAccess is a mailbox permission tied to the trustee, not the mailbox owner’s credential, so a victim password reset leaves it intact. Add-MailboxPermission grants are rarely reviewed and easy to hide, so the backdoor persists quietly while the executive accounts look entirely normal.

How to fix it

Resetting the executives' passwords does not touch a delegate permission. Remove the FullAccess delegate right with Remove-MailboxPermission, revoke the delegate account's sessions, and disable that account. Then audit all recent Add-MailboxPermission events tenant-wide, because these mailboxes are unlikely to be the only ones backdoored, remove every unauthorized grant, restrict who can run the cmdlet, and alert on new FullAccess delegations going forward.
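An added example of the audit step, not part of the original note: assuming an established Exchange Online PowerShell session with rights to read mailbox permissions and the unified audit log, it lists every explicit FullAccess delegate tenant-wide and reconstructs who granted what in the last 30 days. The mailbox and delegate addresses in the final step are placeholders.

```powershell
# Added example (not from the original note). Assumes Connect-ExchangeOnline has
# already been run with permission to read mailbox ACLs and the unified audit log.

# 1. Explicit (non-inherited) FullAccess grants to trustees other than the owner.
#    SELF and deny entries are filtered out so only real delegates remain.
$delegates = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*' -and
        $_.User -notlike 'S-1-5-*'
    } |
    Select-Object Identity, User, AccessRights

$delegates | Format-Table -AutoSize

# 2. Who granted what, and when: Add-MailboxPermission events from the last 30 days.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'Add-MailboxPermission' -ResultSize 5000

$grants = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json          # cmdlet parameters live in the JSON payload
    [pscustomobject]@{
        When     = $e.CreationDate
        Actor    = $d.UserId                      # the admin account that ran the cmdlet
        Mailbox  = ($d.Parameters | Where-Object Name -eq 'Identity').Value
        Trustee  = ($d.Parameters | Where-Object Name -eq 'User').Value
        Rights   = ($d.Parameters | Where-Object Name -eq 'AccessRights').Value
        ClientIP = $d.ClientIP
    }
}
$grants | Sort-Object When | Format-Table -AutoSize

# 3. Strip one confirmed unauthorized grant (placeholder addresses; fill in from the review above).
# Remove-MailboxPermission -Identity 'exec@contoso.example' -User 'delegate@contoso.example' `
#     -AccessRights FullAccess -Confirm:$false
```

Cross-check the two lists: a FullAccess delegate present in the ACL but absent from the audit window was granted earlier, so widen the date range rather than treat it as benign.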

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse spotting a delegate grant, stripping it with Remove-MailboxPermission, and scoping the full read history including material-nonpublic and privileged content.