Scared Mailbox – The Risks with Shared Mailbox

A Shared Mailbox has been available since the early days of Exchange Server, and the same is true for Exchange Online. Organizations primarily use a shared mailbox for users who have left or, when collaboration is needed, as an inbox for multiple users. Because a shared mailbox allows multiple users to access the same mailbox, it has security gaps. One of them is the “hidden object” in Azure AD.

This post describes a specific security risk with Shared Mailboxes in Exchange Online, how it can be attacked, and how to block sign-in, with a few tips and commands.

What is Shared Mailbox

A shared mailbox is a type of user mailbox. To access a shared mailbox, users must first be granted Send As or Full Access permissions to the mailbox. Once that’s done, users sign into their mailboxes and access the shared mailbox by adding it to their Outlook profile. In Exchange 2003 and earlier, shared mailboxes were just regular mailboxes to which an administrator could grant delegate access. More on Microsoft Learn.

Note: There are a few ways to access a shared mailbox – directly is one of them.

Why set up a shared mailbox?

  • Provides a generic email address that customers can use to inquire about your company.
  • Allows departments that provide centralized services to employees to respond to employee questions.
  • Allows multiple users to monitor and reply to emails sent to an email address.

The General Risks

Exchange Online, the cloud-based email service from Microsoft, offers shared mailboxes as a feature for its customers.  However, shared mailboxes also pose security risks that must be addressed and mitigated.

One of the leading security risks with Exchange Online shared mailboxes is that accessing one does not require its own password or license; instead, users who have been granted permission to the shared mailbox use their own credentials. If a user’s account is compromised, the attacker can access the shared mailbox and its contents.

Additionally, a shared mailbox has its own object in Azure AD that can be managed like a standard user; for example, you can reset the password of this object.

Another security risk with a shared mailbox is that it does not have an audit log or activity report by default.  This makes it challenging to track who accessed the shared mailbox, when they did so, and what actions they performed.  Without an audit log or activity report, it is hard to detect unauthorized or malicious activity on the shared mailbox.

To reduce these security risks with Exchange Online shared mailbox, there are some best practices that administrators and users should follow:

  • Assign permissions to access the shared mailbox only to those who need it and review them regularly.
  • Block direct sign-in, or block sign-in with Azure AD Conditional Access.
  • Enforce MFA for all users who can access the shared mailbox.
  • Enable audit logging or activity reporting for the shared mailbox and monitor it regularly.
  • Use encryption and DLP policies to protect the sensitive data in the shared mailbox.

By following these best practices, you can improve the security of your Exchange Online shared mailbox and prevent potential data breaches or cyberattacks.

Security Risks with Shared Mailbox

Exchange Online shared mailboxes are a convenient feature that allows multiple users to access and manage a common email account.  However, they also pose some security risks that must be mitigated.  Here are the security risks with Exchange Online shared mailboxes and some best practices to avoid them.

Unauthorized access

One of the leading security risks with Exchange Online shared mailboxes is unauthorized access by users who are not supposed to have access to the shared mailbox or its contents.  This can happen for various reasons, such as:

  • Inadequate permissions management: If the permissions for the shared mailbox are not correctly configured and updated, users may gain or retain access to the shared mailbox even when they are not authorized or no longer need it.
  • Compromised credentials: If a user’s credentials are compromised by phishing, malware, or other means, an attacker may use them to access the shared mailbox and its contents.
  • Insider threats: A malicious or disgruntled user may abuse their access to the shared mailbox and leak, delete, or tamper with its contents.

To prevent unauthorized access, some best practices are:

  • Use role-based access control (RBAC) to assign permissions for the shared mailbox based on the principle of least privilege.  Only grant access to users who need it for their work and revoke it when they no longer do.
  • Enable multi-factor authentication (MFA) for all users with access to the shared mailbox.  This adds an extra layer of security by requiring a second factor of verification besides the password.
  • Monitor and audit the activity logs of the shared mailbox regularly.  This can help detect any suspicious or anomalous behavior so that appropriate action can be taken.

Data loss

Another security risk with Exchange Online shared mailboxes is data loss due to accidental or intentional deletion of emails or attachments.  This can result in losing important information, violating compliance requirements, or affecting business continuity.  The possible causes of data loss are:

  • Human error: A user may accidentally delete an email or attachment from the shared mailbox without realizing its importance or impact.
  • Malware infection: Malware may infect a user’s device and delete or encrypt emails or attachments from the shared mailbox as part of its payload.
  • Ransomware attack: Ransomware may lock down the shared mailbox and demand payment for restoring access to its contents.

To prevent data loss, some best practices are:

  • Enable retention policies for the shared mailbox that specify how long emails and attachments should be kept before they are deleted or archived.  This can help preserve essential data and comply with legal obligations.
  • Enable backup and recovery solutions for the shared mailbox to restore deleted or corrupted emails and attachments from a previous point in time.  This can help recover data in any disaster scenario.
  • Enable anti-malware and anti-ransomware protection for all devices that access the shared mailbox.  This can help prevent infection by malicious software that may harm data.

Data breach

A third security risk with Exchange Online shared mailboxes is a data breach due to the exposure of sensitive or confidential information to unauthorized parties.  This can lead to reputational damage, legal liability, regulatory fines, or competitive disadvantage.  The possible scenarios of a data breach are:

  • Email spoofing: An attacker may impersonate a legitimate sender from the shared mailbox and send fraudulent emails to recipients inside or outside the organization.  The recipients may be tricked into revealing sensitive information, clicking on malicious links, or downloading harmful attachments.
  • Email forwarding: A user may forward an email from

The Hidden Object

It is not really a hidden object; rather, it is mostly unknown, unmaintained and unmonitored.

Traditionally, when creating a shared mailbox on an on-premises Exchange server, the rule is to disable the corresponding AD account.  This is by design: because the Active Directory account has no other use, disabling it removes an avenue for attack.  Nowadays, with Exchange Online, an object appears in Azure AD after creating a shared mailbox, a room mailbox, or any other resource mailbox.

A shared mailbox in Exchange Online creates an object in Azure AD in the background, together with an arbitrary generated password. Even though the initial password is unknown to the administrator, it can easily be reset to a known password. The account can then be signed into like any normal account, whether through an API or in some other direct way.

The following images show a standard shared mailbox with the object in Azure AD.

A quick check on the object from Microsoft Entra will give the known fields, values, and information.

Recon Objects

As always, AADInternals is part of my search and discovery, and a quick enumeration provides an additional fact about the object.

Note: You can run AADInternals against a list of users and receive a result.

Can we use ChatGPT for this process? Somewhat.  ChatGPT can provide a list of potential names for shared mailboxes (like Google?).  Below are some names from ChatGPT or BingAI.

We can take those users and search for their existence.

If you want to spray the mailbox, you can run MailSniper to search through email in a Microsoft Exchange environment for specific terms (passwords, insider, network architecture information, etc.).

Blocking Sign-ins

Shared mailboxes mostly don’t need external or direct access; only delegated users need access to them.  Additionally, no one needs to reset the password of a shared mailbox or make any unusual changes to it.  The only actions needed on a shared mailbox are performed from a delegated user’s mailbox, plus permission changes for collaboration.

Note: Whether the object is hidden from the GAL doesn’t matter for this scenario.

The Microsoft 365 admin console provides a reset password button for shared mailboxes.  Microsoft addressed this in an official document.

There are many scenarios in which attackers can run a password attack against shared mailboxes to steal credentials.  Because multiple users share and use the same mailbox, identifying and detecting the attack is challenging.

TIP: Something to think about: how many environments maintain shared mailbox access and monitor them for password attacks?

I’m abusing Microsoft 365, Azure, and AWS as part of my day job. Exchange Online and its resources are part of it. A specific abuse from the field is to search for issues and gaps in cloud objects. In some scenarios, while running brute force against a shared mailbox in Exchange Online, I submit an authentication attempt against the Exchange Online component instead of relying on a timing attack, and examine the HTTP response code.

In this scenario, the response code message will do the work and tell me about a valid inbox. The same can be done with AADInternals, which can enumerate the object with the various available commands; login mode can be one of them. Once I get the response code, I test for the mailbox type. Externally, Exchange Online provides information about which objects are shared. The process continues by checking for valid shared mailbox objects.

Note: Shared mailboxes don’t have a complicated password, at least in the few security tests I made.

So, should I block sign-ins? Sure thing! Attacking shared mailboxes is 100% successful, for many reasons:

  • Enumerating and discovering the cloud cannot be detected.
  • Those objects don’t get the maintenance they should have.
  • Many environments exclude those service objects.
  • A single factor is still the primary auth method for those objects.

TIP: If you’ve got proper auditing and logging in place, such brute force will trigger the right detection and hunting rules.
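As an added example (not code from the original post), the hunt the tip above calls for: query the Azure AD sign-in logs for any authentication attempt made against the shared, room and equipment mailbox objects themselves, since delegates authenticate with their own accounts and these objects should never sign in. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an admin with the AuditLog.Read.All and Directory.Read.All scopes; the 7-day window is an assumed value.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph and
# ExchangeOnlineManagement are installed; scopes are assumptions for the query.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

# Look-back window (assumed value); sign-in log retention limits how far this can go.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Shared, room and equipment mailboxes all have a backing Azure AD user object.
$targets = Get-EXOMailbox -ResultSize Unlimited `
    -RecipientTypeDetails SharedMailbox,RoomMailbox,EquipmentMailbox

$findings = foreach ($mbx in $targets) {
    $id = $mbx.ExternalDirectoryObjectId
    # Every row returned here is an attempt to authenticate AS the mailbox object,
    # which is never expected in normal delegated use.
    Get-MgAuditLogSignIn -All -Filter "userId eq '$id' and createdDateTime ge $since" |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                Time      = $_.CreatedDateTime
                IpAddress = $_.IpAddress
                ClientApp = $_.ClientAppUsed
                App       = $_.AppDisplayName
                ErrorCode = $_.Status.ErrorCode      # 0 = success, 50126 = bad password
                Reason    = $_.Status.FailureReason
            }
        }
}

# Many failures from one IP against one or more mailbox objects is the spray pattern.
$findings | Group-Object Mailbox, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Successes'; e = { @($_.Group | Where-Object ErrorCode -eq 0).Count } } |
    Format-Table -AutoSize

# Any successful sign-in to a mailbox object is the case to escalate first.
$findings | Where-Object ErrorCode -eq 0 |
    Format-Table Mailbox, Time, IpAddress, ClientApp -AutoSize
```

Azure AD keeps sign-in logs only for a limited period (30 days with Azure AD P1/P2), so for longer hunts export them to a SIEM or Log Analytics and run the same grouping there.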

Blocking Sign-ins

You can block sign-in to the shared mailbox via the Microsoft 365 portal or Microsoft Graph PowerShell. I’m a shell person, so I shared a few commands to connect to Microsoft Graph and Exchange Online Management with specific permissions, check shared mailboxes, and block sign-in.

# Install the modules once, then connect to both services
Install-Module Microsoft.Graph
Install-Module ExchangeOnlineManagement

Connect-ExchangeOnline
# User.ReadWrite.All is required to change AccountEnabled on the mailbox objects
Connect-MgGraph -Scopes "User.ReadWrite.All"

Then, you can block credential sign-ins for a single mailbox:

# Resolve the mailbox to its Azure AD object ID, then disable the account
$UID = (Get-EXOMailbox "Test1").ExternalDirectoryObjectId
Update-MgUser -UserId $UID -AccountEnabled:$false

Then, you can get the current sign-in state of all shared mailboxes:

# -ResultSize Unlimited avoids the default 1000-item cap; Select-Object shows AccountEnabled, which the default view hides
Get-EXOMailbox -RecipientTypeDetails "SharedMailbox" -ResultSize Unlimited | ForEach-Object {Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property DisplayName,AccountEnabled | Select-Object DisplayName,AccountEnabled}

Once that works, you can disable the Azure AD accounts of all shared mailboxes:

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox" -ResultSize Unlimited | ForEach-Object {Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false}

Note: You can do the same for the RoomMailbox and EquipmentMailbox recipient types as well.
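As an added example (not the script from the original post or the linked repository), the commands above combined into one report-then-block pass over shared, room and equipment mailboxes, which re-reads each object afterwards to verify the change actually took. It assumes the Exchange Online and Graph connections above are already established; the $Apply switch is an assumption added for a dry run.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline and
# Connect-MgGraph -Scopes "User.ReadWrite.All" have already been run.
$Apply = $false   # assumed switch: $false = report only, $true = disable sign-in

# All three recipient types carry a backing Azure AD object that can sign in.
$types = 'SharedMailbox','RoomMailbox','EquipmentMailbox'
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails $types

$report = foreach ($mbx in $mailboxes) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                       -Property Id,DisplayName,AccountEnabled

    if ($user.AccountEnabled -and $Apply) {
        # AccountEnabled:$false blocks credential sign-in for the object itself;
        # delegates keep Full Access / Send As because they use their own accounts.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        # Re-read rather than trust the call: verify the change is visible.
        $user = Get-MgUser -UserId $user.Id -Property Id,AccountEnabled
    }

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        Type           = $mbx.RecipientTypeDetails
        AccountEnabled = $user.AccountEnabled
    }
}

$report | Sort-Object AccountEnabled -Descending | Format-Table -AutoSize

# Anything still enabled after an -Apply run needs a second look (e.g. a
# directory-synced object that must be disabled on-premises instead).
$stillEnabled = @($report | Where-Object AccountEnabled).Count
Write-Host "$(@($report).Count) mailbox objects checked, $stillEnabled still allow sign-in."
```

Run it once with $Apply = $false to review the list, then again with $true; mailbox objects synced from on-premises AD will not change through Graph and show up in the "still allow sign-in" count.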

Microsoft-365-IT-Security/Block-Sign-in-Shared-Mailbox.ps1 at main · eshlomo1/Microsoft-365-IT-Security (github.com)
