<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft Exchange - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/microsoft-exchange/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/microsoft-exchange/feed.xml" rel="self" type="application/rss+xml"/><item><title>Defense Evasion via Exchange DLP Policy Removal</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-o365-defense-evasion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-o365-defense-evasion/</guid><description>Attackers may remove or modify Exchange Data Loss Prevention (DLP) policies in Microsoft 365 to evade detection and exfiltrate sensitive data without triggering alerts.</description><content:encoded><![CDATA[<p>Attackers with sufficient privileges within a Microsoft 365 environment may target Exchange Data Loss Prevention (DLP) policies to facilitate data exfiltration or other malicious activities. By removing or modifying these policies, attackers can disable controls that would otherwise prevent sensitive information from leaving the organization. This tactic allows adversaries to operate with less risk of detection, potentially leading to significant data breaches. The scope of this attack depends on the extent of the attacker's access and the breadth of the compromised policies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to a Microsoft 365 account with administrative privileges, potentially through phishing, credential stuffing, or other methods.</li>
<li><strong>Privilege Escalation:</strong> If the initial account lacks sufficient privileges, the attacker attempts to escalate privileges within the Microsoft 365 environment.</li>
<li><strong>Discovery:</strong> The attacker uses PowerShell cmdlets like <code>Get-DlpPolicy</code> to identify existing DLP policies within the Exchange environment.</li>
<li><strong>Defense Evasion:</strong> The attacker uses PowerShell cmdlets like <code>Remove-DlpPolicy</code> or <code>Set-DlpPolicy</code> to remove or modify existing DLP policies. For example, they might disable a policy that prevents the transmission of sensitive financial data.</li>
<li><strong>Data Exfiltration:</strong> With DLP policies disabled or weakened, the attacker exfiltrates sensitive data via email, file sharing, or other allowed channels.</li>
<li><strong>Cover Tracks:</strong> The attacker may attempt to delete audit logs or modify other settings to conceal their activity. This might involve disabling auditing for specific mailboxes or DLP policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful removal or modification of DLP policies can lead to significant data breaches. Sensitive information, such as financial records, customer data, or intellectual property, can be exfiltrated without detection. The number of affected individuals and the financial impact can vary greatly depending on the scope of the attack and the type of data compromised. Organizations in highly regulated sectors, such as finance and healthcare, may face significant fines and reputational damage.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>o365</category><category>dlp</category><category>defense_evasion</category><category>data_exfiltration</category></item></channel></rss>