<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Email-Collection - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/email-collection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 26 Oct 2024 14:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/email-collection/feed.xml" rel="self" type="application/rss+xml"/><item><title>Exchange Mailbox Export via PowerShell</title><link>https://feed.craftedsignal.io/briefs/2024-10-exchange-mailbox-export/</link><pubDate>Sat, 26 Oct 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-exchange-mailbox-export/</guid><description>Adversaries may use the `New-MailboxExportRequest` PowerShell cmdlet to export mailboxes to PST files for sensitive data collection.</description><content:encoded><![CDATA[<p>Attackers can target user email to collect sensitive information from mailboxes, including login credentials, intellectual property, financial data, and personal information. The <code>New-MailBoxExportRequest</code> cmdlet allows exporting mailboxes to .pst files. This cmdlet is available in on-premises Exchange. Attackers may assign the &quot;Mailbox Import Export&quot; privilege to accounts to perform exports and collect contents in preparation for exfiltration. This allows attackers to bypass traditional security measures focused on network traffic by collecting data directly on the Exchange server. Defenders should monitor PowerShell command lines for <code>MailboxExportRequest</code> and related parameters, especially in environments with on-premises Exchange deployments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to a Windows host within the target environment.</li>
<li>The attacker compromises an account with Exchange Management Shell access or sufficient privileges to assign the &quot;Mailbox Import Export&quot; privilege.</li>
<li>The attacker uses PowerShell to assign the &quot;Mailbox Import Export&quot; privilege to a compromised account if it doesn't already have the necessary permissions.</li>
<li>The attacker uses the <code>New-MailboxExportRequest</code> cmdlet in PowerShell to initiate the export of a target mailbox to a .pst file. The command specifies the mailbox to export and the file path for the resulting .pst file.</li>
<li>The Exchange server processes the export request, extracting the contents of the mailbox and writing them to the specified .pst file.</li>
<li>The attacker accesses the .pst file on the Exchange server.</li>
<li>The attacker may compress or archive the .pst file using tools like <code>7zip.exe</code> or <code>rar.exe</code> to reduce its size for exfiltration.</li>
<li>The attacker exfiltrates the .pst file to an external location using tools like <code>scp.exe</code>, <code>pscp.exe</code>, or <code>ftp.exe</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this attack can lead to the unauthorized disclosure of sensitive information contained within the exported mailboxes. This can include confidential business documents, financial records, personally identifiable information (PII), and other proprietary data. A successful attack exposes the organization to data breaches, compliance violations, reputational damage, and potential financial losses. The number of affected mailboxes and the sensitivity of the data contained within them will determine the overall impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for PowerShell processes (<code>powershell.exe</code>, <code>pwsh.exe</code>, <code>powershell_ise.exe</code>) executing with command lines containing <code>MailboxExportRequest</code> or <code>*-Mailbox*-ContentFilter*</code> using the Sigma rule provided below.</li>
<li>Investigate and audit the assignment of the &quot;Mailbox Import Export&quot; privilege within the Exchange environment to identify any unauthorized or suspicious activity.</li>
<li>Enable Sysmon process creation logging to capture detailed command line arguments for PowerShell processes.</li>
<li>Review the references provided to understand the context and potential indicators related to this activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>email-collection</category><category>powershell</category><category>exchange</category></item></channel></rss>