Skip to content
Threat Feed
medium threat exploited

Exchange PowerShell Used to Add New ActiveSync Allowed Device

An adversary may use the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially gaining persistent access to a user's email and sensitive information.

Attackers are increasingly targeting Exchange servers to gain access to sensitive email data. This activity involves the use of PowerShell to modify mailbox settings, specifically to add new ActiveSync allowed devices. The addition of rogue devices allows the attacker to maintain persistent access, bypassing typical authentication controls. This technique has been observed in intrusions following initial compromise via vulnerabilities like the SolarWinds supply chain attack. This can lead to long-term access to sensitive information, facilitating data exfiltration or further exploitation within the compromised organization. Defenders must monitor PowerShell activity related to Exchange management and validate any changes to ActiveSync configurations.

Attack Chain

  1. Initial access is gained to a compromised host, potentially through exploitation of a vulnerability or stolen credentials.
  2. The attacker uses PowerShell to interact with the Exchange Management Shell (EMS).
  3. The Set-CASMailbox cmdlet is invoked with the ActiveSyncAllowedDeviceIDs parameter.
  4. A new, unauthorized device ID is added to the list of allowed devices for a target mailbox.
  5. The attacker uses the newly authorized device to synchronize with the target mailbox via the ActiveSync protocol.
  6. Email data, including sensitive information, is accessed and potentially exfiltrated from the mailbox.
  7. The attacker maintains persistent access to the mailbox through the authorized device, even if the user changes their password.

Impact

Successful execution of this attack allows adversaries to maintain persistent access to targeted mailboxes, enabling the collection of sensitive information. This can lead to financial losses, reputational damage, and exposure of confidential data. The number of victims can vary depending on the scope of the attacker's objectives. The technique has been observed in attacks targeting organizations across various sectors. If successful, attackers can exfiltrate sensitive data, compromise internal communications, and potentially gain further access to the organization's network.

Recommendation

  • Monitor process execution for PowerShell commands containing Set-CASMailbox and ActiveSyncAllowedDeviceIDs to detect suspicious activity (see Sigma rule "Detect Suspicious ActiveSync Mailbox Modification via PowerShell").
  • Enable Sysmon process creation logging with command line arguments to capture PowerShell activity (reference Sigma rule logsource).
  • Review Exchange audit logs for modifications to ActiveSyncAllowedDeviceIDs attribute to identify unauthorized device additions.
  • Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise (reference: MITRE ATT&CK T1114).
  • Regularly audit ActiveSync device configurations for unauthorized devices (reference: description).

Detection coverage 2

Detect Suspicious ActiveSync Mailbox Modification via PowerShell

medium

Detects the use of PowerShell to modify ActiveSync settings for a mailbox, specifically adding a new allowed device.

sigma tactics: execution, persistence techniques: T1059.001, T1098.002 sources: process_creation, windows

Detect Suspicious ActiveSync Mailbox Modification - Alternate PowerShell

medium

Detects the use of pwsh.exe to modify ActiveSync settings for a mailbox, specifically adding a new allowed device.

sigma tactics: execution, persistence techniques: T1059.001, T1098.002 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →