{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/email-collection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Exchange"],"_cs_severities":["medium"],"_cs_tags":["email-collection","powershell","exchange"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can target user email to collect sensitive information from mailboxes, including login credentials, intellectual property, financial data, and personal information. The \u003ccode\u003eNew-MailBoxExportRequest\u003c/code\u003e cmdlet allows exporting mailboxes to .pst files. This cmdlet is available in on-premises Exchange. Attackers may assign the \u0026quot;Mailbox Import Export\u0026quot; privilege to accounts to perform exports and collect contents in preparation for exfiltration. This allows attackers to bypass traditional security measures focused on network traffic by collecting data directly on the Exchange server. Defenders should monitor PowerShell command lines for \u003ccode\u003eMailboxExportRequest\u003c/code\u003e and related parameters, especially in environments with on-premises Exchange deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a Windows host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises an account with Exchange Management Shell access or sufficient privileges to assign the \u0026quot;Mailbox Import Export\u0026quot; privilege.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to assign the \u0026quot;Mailbox Import Export\u0026quot; privilege to a compromised account if it doesn't already have the necessary permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet in PowerShell to initiate the export of a target mailbox to a .pst file. The command specifies the mailbox to export and the file path for the resulting .pst file.\u003c/li\u003e\n\u003cli\u003eThe Exchange server processes the export request, extracting the contents of the mailbox and writing them to the specified .pst file.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the .pst file on the Exchange server.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or archive the .pst file using tools like \u003ccode\u003e7zip.exe\u003c/code\u003e or \u003ccode\u003erar.exe\u003c/code\u003e to reduce its size for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the .pst file to an external location using tools like \u003ccode\u003escp.exe\u003c/code\u003e, \u003ccode\u003epscp.exe\u003c/code\u003e, or \u003ccode\u003eftp.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to the unauthorized disclosure of sensitive information contained within the exported mailboxes. This can include confidential business documents, financial records, personally identifiable information (PII), and other proprietary data. A successful attack exposes the organization to data breaches, compliance violations, reputational damage, and potential financial losses. The number of affected mailboxes and the sensitivity of the data contained within them will determine the overall impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for PowerShell processes (\u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003epowershell_ise.exe\u003c/code\u003e) executing with command lines containing \u003ccode\u003eMailboxExportRequest\u003c/code\u003e or \u003ccode\u003e*-Mailbox*-ContentFilter*\u003c/code\u003e using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eInvestigate and audit the assignment of the \u0026quot;Mailbox Import Export\u0026quot; privilege within the Exchange environment to identify any unauthorized or suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command line arguments for PowerShell processes.\u003c/li\u003e\n\u003cli\u003eReview the references provided to understand the context and potential indicators related to this activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T14:22:00Z","date_published":"2024-10-26T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-10-exchange-mailbox-export/","summary":"Adversaries may use the `New-MailboxExportRequest` PowerShell cmdlet to export mailboxes to PST files for sensitive data collection.","title":"Exchange Mailbox Export via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-10-exchange-mailbox-export/"}],"language":"en","title":"CraftedSignal Threat Feed - Email-Collection","version":"https://jsonfeed.org/version/1.1"}