Tag
medium
advisory
New ActiveSync Allowed Device Added via PowerShell
2 rules, 3 TTPs
The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.
Microsoft Defender XDR +4
exchange
activesync
powershell
persistence
medium
advisory
Exchange Mailbox Export via PowerShell
2 rules, 4 TTPs
Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.
Microsoft Defender XDR +2
collection
execution
powershell
exchange
mailbox