Skip to content
Threat Feed
medium advisory

Exchange Mailbox Export via PowerShell

Adversaries may use the `New-MailboxExportRequest` PowerShell cmdlet to export mailboxes to PST files for sensitive data collection.

Attackers can target user email to collect sensitive information from mailboxes, including login credentials, intellectual property, financial data, and personal information. The New-MailBoxExportRequest cmdlet allows exporting mailboxes to .pst files. This cmdlet is available in on-premises Exchange. Attackers may assign the "Mailbox Import Export" privilege to accounts to perform exports and collect contents in preparation for exfiltration. This allows attackers to bypass traditional security measures focused on network traffic by collecting data directly on the Exchange server. Defenders should monitor PowerShell command lines for MailboxExportRequest and related parameters, especially in environments with on-premises Exchange deployments.

Attack Chain

  1. An attacker gains access to a Windows host within the target environment.
  2. The attacker compromises an account with Exchange Management Shell access or sufficient privileges to assign the "Mailbox Import Export" privilege.
  3. The attacker uses PowerShell to assign the "Mailbox Import Export" privilege to a compromised account if it doesn't already have the necessary permissions.
  4. The attacker uses the New-MailboxExportRequest cmdlet in PowerShell to initiate the export of a target mailbox to a .pst file. The command specifies the mailbox to export and the file path for the resulting .pst file.
  5. The Exchange server processes the export request, extracting the contents of the mailbox and writing them to the specified .pst file.
  6. The attacker accesses the .pst file on the Exchange server.
  7. The attacker may compress or archive the .pst file using tools like 7zip.exe or rar.exe to reduce its size for exfiltration.
  8. The attacker exfiltrates the .pst file to an external location using tools like scp.exe, pscp.exe, or ftp.exe.

Impact

Successful execution of this attack can lead to the unauthorized disclosure of sensitive information contained within the exported mailboxes. This can include confidential business documents, financial records, personally identifiable information (PII), and other proprietary data. A successful attack exposes the organization to data breaches, compliance violations, reputational damage, and potential financial losses. The number of affected mailboxes and the sensitivity of the data contained within them will determine the overall impact.

Recommendation

  • Monitor process creation events for PowerShell processes (powershell.exe, pwsh.exe, powershell_ise.exe) executing with command lines containing MailboxExportRequest or *-Mailbox*-ContentFilter* using the Sigma rule provided below.
  • Investigate and audit the assignment of the "Mailbox Import Export" privilege within the Exchange environment to identify any unauthorized or suspicious activity.
  • Enable Sysmon process creation logging to capture detailed command line arguments for PowerShell processes.
  • Review the references provided to understand the context and potential indicators related to this activity.

Detection coverage 2

Detect Exchange Mailbox Export via PowerShell CommandLine

medium

Detects the use of the New-MailboxExportRequest cmdlet in PowerShell to export mailboxes.

sigma tactics: collection, execution techniques: T1059.001, T1114 sources: process_creation, windows

Detect Exchange Mailbox Export via PowerShell Process Name

medium

Detects the use of the New-MailboxExportRequest cmdlet by checking the process name and commandline

sigma tactics: collection, execution techniques: T1059.001, T1114 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →