{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-exchange/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft Exchange"],"_cs_severities":["medium"],"_cs_tags":["o365","dlp","defense_evasion","data_exfiltration"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers with sufficient privileges within a Microsoft 365 environment may target Exchange Data Loss Prevention (DLP) policies to facilitate data exfiltration or other malicious activities. By removing or modifying these policies, attackers can disable controls that would otherwise prevent sensitive information from leaving the organization. This tactic allows adversaries to operate with less risk of detection, potentially leading to significant data breaches. The scope of this attack depends on the extent of the attacker's access and the breadth of the compromised policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a Microsoft 365 account with administrative privileges, potentially through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e If the initial account lacks sufficient privileges, the attacker attempts to escalate privileges within the Microsoft 365 environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses PowerShell cmdlets like \u003ccode\u003eGet-DlpPolicy\u003c/code\u003e to identify existing DLP policies within the Exchange environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker uses PowerShell cmdlets like \u003ccode\u003eRemove-DlpPolicy\u003c/code\u003e or \u003ccode\u003eSet-DlpPolicy\u003c/code\u003e to remove or modify existing DLP policies. For example, they might disable a policy that prevents the transmission of sensitive financial data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e With DLP policies disabled or weakened, the attacker exfiltrates sensitive data via email, file sharing, or other allowed channels.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCover Tracks:\u003c/strong\u003e The attacker may attempt to delete audit logs or modify other settings to conceal their activity. This might involve disabling auditing for specific mailboxes or DLP policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal or modification of DLP policies can lead to significant data breaches. Sensitive information, such as financial records, customer data, or intellectual property, can be exfiltrated without detection. The number of affected individuals and the financial impact can vary greatly depending on the scope of the attack and the type of data compromised. Organizations in highly regulated sectors, such as finance and healthcare, may face significant fines and reputational damage.\u003c/p\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-o365-defense-evasion/","summary":"Attackers may remove or modify Exchange Data Loss Prevention (DLP) policies in Microsoft 365 to evade detection and exfiltrate sensitive data without triggering alerts.","title":"Defense Evasion via Exchange DLP Policy Removal","url":"https://feed.craftedsignal.io/briefs/2024-01-09-o365-defense-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Exchange","version":"https://jsonfeed.org/version/1.1"}