- Home
- Techniques
- Enterprise
- Account Manipulation
- Exchange Email Delegate Permissions
Account Manipulation: Exchange Email Delegate Permissions
Other sub-techniques of Account Manipulation (4)
ID | Name |
---|---|
T1098.001 | Additional Cloud Credentials |
T1098.002 | Exchange Email Delegate Permissions |
T1098.003 | Add Office 365 Global Administrator Role |
T1098.004 | SSH Authorized Keys |
Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission
PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.[1][2][3]
This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.[4]
Procedure Examples
Name | Description |
---|---|
Magic Hound |
Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[2] |
UNC2452 |
UNC2452 added their own devices as allowed IDs for active sync using |
Mitigations
Mitigation | Description |
---|---|
Multi-factor Authentication |
Use multi-factor authentication for user and privileged accounts. |
Privileged Account Management |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Detection
Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
A larger than normal volume of emails sent from an account and similar phishing emails sent from real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.
References
- Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.