Defense Evasion via Exchange DLP Policy Removal
Attackers may remove or modify Exchange Data Loss Prevention (DLP) policies in Microsoft 365 to evade detection and exfiltrate sensitive data without triggering alerts.
Attackers with sufficient privileges within a Microsoft 365 environment may target Exchange Data Loss Prevention (DLP) policies to facilitate data exfiltration or other malicious activities. By removing or modifying these policies, attackers can disable controls that would otherwise prevent sensitive information from leaving the organization. This tactic allows adversaries to operate with less risk of detection, potentially leading to significant data breaches. The scope of this attack depends on the extent of the attacker's access and the breadth of the compromised policies.
Attack Chain
- Initial Access: The attacker gains initial access to a Microsoft 365 account with administrative privileges, potentially through phishing, credential stuffing, or other methods.
- Privilege Escalation: If the initial account lacks sufficient privileges, the attacker attempts to escalate privileges within the Microsoft 365 environment.
- Discovery: The attacker uses PowerShell cmdlets like
Get-DlpPolicyto identify existing DLP policies within the Exchange environment. - Defense Evasion: The attacker uses PowerShell cmdlets like
Remove-DlpPolicyorSet-DlpPolicyto remove or modify existing DLP policies. For example, they might disable a policy that prevents the transmission of sensitive financial data. - Data Exfiltration: With DLP policies disabled or weakened, the attacker exfiltrates sensitive data via email, file sharing, or other allowed channels.
- Cover Tracks: The attacker may attempt to delete audit logs or modify other settings to conceal their activity. This might involve disabling auditing for specific mailboxes or DLP policies.
Impact
Successful removal or modification of DLP policies can lead to significant data breaches. Sensitive information, such as financial records, customer data, or intellectual property, can be exfiltrated without detection. The number of affected individuals and the financial impact can vary greatly depending on the scope of the attack and the type of data compromised. Organizations in highly regulated sectors, such as finance and healthcare, may face significant fines and reputational damage.
Detection coverage 2
Detect DLP Policy Removal via PowerShell
highDetects the removal of Data Loss Prevention (DLP) policies in Microsoft 365 Exchange via PowerShell commands.
Detect DLP Policy Modification via PowerShell
mediumDetects the modification of Data Loss Prevention (DLP) policies in Microsoft 365 Exchange via PowerShell commands.
Detection queries are available on the platform. Get full rules →