Hi @Bertrand, After account takeover I was able to send malicious emails to all the employees of the organization as SMTP was configured with the application. After some more research I was able to exploit SMTP Relay through which as an admin I could send phishing emails to thousands of employees of the same organization acting as a legitimate admin user.