{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/exchange/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange Server","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exchange","activesync","powershell","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies use of the Exchange PowerShell cmdlet \u003ccode\u003eSet-CASMailbox\u003c/code\u003e to add a device ID to a mailbox\u0026rsquo;s \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e list. Attackers who already hold a user\u0026rsquo;s credentials may target that user\u0026rsquo;s email to collect sensitive information, and pre-authorizing a device ID lets their own device sync without being stopped by ActiveSync device access rules or quarantine. The rule matches PowerShell process starts whose command line contains both \u003ccode\u003eSet-CASMailbox\u003c/code\u003e and \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e. Note that the allow list governs which devices may sync, not who may authenticate: the device still needs valid credentials for the mailbox, so this technique keeps a foothold quiet rather than bypassing authentication. The original Elastic detection rule was created on 2020/12/15 and updated on 2026/05/04. 
This matters for defenders because the change is a single attribute write on the mailbox: it produces no new logon event and no quarantined-device notice, and nothing is visible to the user until the device starts syncing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an account with Exchange recipient-management permissions (enough to run \u003ccode\u003eSet-CASMailbox\u003c/code\u003e) and, separately, to credentials for the target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker runs \u003ccode\u003eSet-CASMailbox\u003c/code\u003e from PowerShell (Exchange Management Shell, remote PowerShell, or a script) against the target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a device ID of their choosing to the mailbox\u0026rsquo;s \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e list.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a mobile device or ActiveSync client to present that device ID and authenticates to the mailbox with the stolen credentials.\u003c/li\u003e\n\u003cli\u003eBecause the ID is allow-listed, the device is exempt from device access rules and quarantine and begins syncing the user\u0026rsquo;s email, calendar, and contacts.\u003c/li\u003e\n\u003cli\u003eThe attacker collects and exfiltrates sensitive data from the mailbox on an ongoing basis.\u003c/li\u003e\n\u003cli\u003eAccess continues for as long as the credentials used by the device remain valid. The allow-list entry itself survives password resets, so it readmits the device the moment the attacker regains credentials, unless an administrator removes it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive email data, including confidential communications, financial information, and personal data. This can result in data breaches, compliance violations, and reputational damage. 
The scope of the impact depends on the privileges of the compromised account and the sensitivity of the data contained in the targeted mailboxes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eActiveSyncAllowedDeviceID Added via PowerShell\u003c/code\u003e to your SIEM and tune it for your environment; expect benign hits from help-desk scripts that pre-authorize devices, and baseline those callers rather than suppressing the cmdlet.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (or Security event 4688 with command-line auditing) so the rule sees PowerShell command lines. The rule only fires when the cmdlet is passed on the command line; cmdlets typed in an interactive Exchange Management Shell session or run over remote PowerShell never appear in a process-creation event, so also enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104).\u003c/li\u003e\n\u003cli\u003eTreat the Exchange admin audit log as the authoritative record: \u003ccode\u003eSearch-AdminAuditLog -Cmdlets Set-CASMailbox -Parameters ActiveSyncAllowedDeviceIDs\u003c/code\u003e returns the caller, the mailbox modified and the value written, regardless of how the cmdlet was invoked.\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication (MFA) for all accounts, especially those holding Exchange management roles. A pre-authorized device still needs the mailbox owner\u0026rsquo;s credentials, so credential hygiene for ordinary users closes this path as well.\u003c/li\u003e\n\u003cli\u003eRegularly compare each mailbox\u0026rsquo;s \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e with the devices actually partnered with it (\u003ccode\u003eGet-MobileDevice\u003c/code\u003e) and remove entries that match no recognized device.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-activesync-device-added/","summary":"The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.","title":"New ActiveSync Allowed Device Added via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-activesync-device-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["collection","execution","powershell","exchange","mailbox"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may target user email to collect sensitive information. 
The \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet exports the contents of a primary mailbox or archive to a .pst file. It works on one mailbox per request and is available only in on-premises Exchange (not in Exchange Online). Its \u003ccode\u003e-FilePath\u003c/code\u003e argument must be a UNC path to a share that the Exchange Trusted Subsystem group can write to, so the .pst lands on a network share rather than on the attacker\u0026rsquo;s own host, and the export runs asynchronously under the Mailbox Replication service. Attackers can abuse this functionality to stage mailbox contents for exfiltration, and those contents are likely to hold sensitive and strategic data. The request is typically created from PowerShell and is hard to spot without specific monitoring, because the activity looks like routine administration. It may be one step in a larger campaign against sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an account that holds the Mailbox Import Export management role. That role is assigned to nobody by default, so an attacker with Organization Management rights usually grants it to their own account first with \u003ccode\u003eNew-ManagementRoleAssignment\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker opens an Exchange PowerShell session (Exchange Management Shell or remote PowerShell).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet to export the target mailbox to a .pst file on a share. 
The command may narrow the export with \u003ccode\u003e-ContentFilter\u003c/code\u003e (a search query) or \u003ccode\u003e-IncludeFolders\u003c/code\u003e, or target the archive with \u003ccode\u003e-IsArchive\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Mailbox Replication service processes the request and writes the .pst file to the share named in \u003ccode\u003e-FilePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the .pst file from that share.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress and archive the .pst file to reduce its size before moving it.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the .pst file to an external location under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker may run \u003ccode\u003eRemove-MailboxExportRequest\u003c/code\u003e so that the completed request no longer appears in \u003ccode\u003eGet-MailboxExportRequest\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker mines the .pst file offline for credentials, financial data, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker the full contents of the exported mailboxes. This could lead to financial loss, reputational damage, or compromise of intellectual property. Because each request targets one mailbox, a scripted series of requests can export many mailboxes, impacting a large number of users. 
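\u003c/p\u003e\n\u003cp\u003eThe checks below are an added example, not code from this brief, from the ActiveSync device brief above, from Elastic or from Microsoft. They run in the on-premises Exchange Management Shell and assume admin audit logging is enabled (the default) and that the account holds the View-Only Audit Logs and View-Only Recipients roles; the 30-day window is an arbitrary choice. One script serves both briefs: it pulls \u003ccode\u003eSet-CASMailbox\u003c/code\u003e and \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e invocations from the admin audit log (the server-side record that does not depend on the cmdlet appearing on a process command line), compares each allow-listed ActiveSync device ID with the devices the mailbox owner has actually partnered, lists export requests still in the queue with their \u003ccode\u003e-FilePath\u003c/code\u003e, and enumerates who holds the Mailbox Import Export role.\u003c/p\u003e\n

```powershell
# Added hunting script for the two Exchange briefs. It is not code from the
# briefs, from Elastic or from Microsoft. Assumptions: it runs in the
# on-premises Exchange Management Shell, admin audit logging is enabled (the
# default), the account holds View-Only Audit Logs and View-Only Recipients,
# and the 30-day window is a choice for illustration.
$since = (Get-Date).AddDays(-30)
$now   = Get-Date

# 1. Who pre-authorized an ActiveSync device, and for whose mailbox. The admin
#    audit log records cmdlets run from EMS, remote PowerShell and the EAC alike,
#    so it sees what a process command-line rule cannot.
Search-AdminAuditLog -Cmdlets Set-CASMailbox -Parameters ActiveSyncAllowedDeviceIDs -StartDate $since -EndDate $now |
    ForEach-Object {
        [pscustomobject]@{
            RunDate   = $_.RunDate
            Caller    = $_.Caller
            Mailbox   = $_.ObjectModified
            DeviceIDs = ($_.CmdletParameters | Where-Object Name -eq 'ActiveSyncAllowedDeviceIDs').Value
            Succeeded = $_.Succeeded
        }
    } | Format-Table -AutoSize

# 2. Current state: every allow-listed device ID, and whether the mailbox owner
#    has actually partnered a device with that ID. An allowed ID with no matching
#    partnership is a pre-authorization that has not been used yet, or one whose
#    partnership was removed afterwards to cover tracks.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncAllowedDeviceIDs.Count -gt 0 } |
    ForEach-Object {
        $cas   = $_
        $known = @(Get-MobileDevice -Mailbox $cas.Identity | Select-Object -ExpandProperty DeviceId)
        foreach ($id in $cas.ActiveSyncAllowedDeviceIDs) {
            [pscustomobject]@{
                Mailbox   = $cas.Identity
                AllowedID = $id
                Partnered = ($known -contains $id)
            }
        }
    } | Format-Table -AutoSize

# 3. Mailbox exports: every request created in the window, with the UNC path the
#    .pst was written to. Check the audit log and not only the request queue,
#    because Remove-MailboxExportRequest clears the queue but not this record.
Search-AdminAuditLog -Cmdlets New-MailboxExportRequest -StartDate $since -EndDate $now |
    Select-Object RunDate, Caller, ObjectModified, Succeeded,
        @{ n = 'FilePath'; e = { ($_.CmdletParameters | Where-Object Name -eq 'FilePath').Value } } |
    Format-Table -AutoSize

# Requests still in the queue, including completed ones nobody has removed yet.
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Select-Object SourceAlias, Status, PercentComplete, FilePath, QueuedTimestamp |
    Format-Table -AutoSize

# 4. Who can export at all. Mailbox Import Export is assigned to nobody by
#    default, so each effective holder should be explainable.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod |
    Format-Table -AutoSize
```

\u003cp\u003eAn allowed device ID with no matching partnership is either a pre-authorization that has not yet been used or one whose partnership was removed after the fact; both deserve a conversation with the mailbox owner. \u003ccode\u003eSearch-AdminAuditLog\u003c/code\u003e returns at most 1000 records by default (raise \u003ccode\u003e-ResultSize\u003c/code\u003e in a large estate), and every record carries the \u003ccode\u003eCaller\u003c/code\u003e, so attribution does not depend on endpoint telemetry being in place at the time.\u003c/p\u003e\n\u003cp\u003e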
The impact is significant because email often contains highly sensitive business communications and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (or Security event 4688 with command-line auditing) to capture PowerShell command lines (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule that flags \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e in PowerShell command lines, and widen it to the cmdlets that surround an export: \u003ccode\u003eNew-ManagementRoleAssignment\u003c/code\u003e granting Mailbox Import Export beforehand, and \u003ccode\u003eRemove-MailboxExportRequest\u003c/code\u003e clearing the queue afterwards.\u003c/li\u003e\n\u003cli\u003eReview who holds the Mailbox Import Export management role (\u003ccode\u003eGet-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers\u003c/code\u003e). It is assigned to nobody by default, so every holder should be explainable, and it should be granted only for the duration of a legitimate export.\u003c/li\u003e\n\u003cli\u003eCommand-line matching misses cmdlets typed interactively or run over remote PowerShell, so also enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) and search the Exchange admin audit log (\u003ccode\u003eSearch-AdminAuditLog -Cmdlets New-MailboxExportRequest\u003c/code\u003e), which records the caller, the mailbox and the \u003ccode\u003e-FilePath\u003c/code\u003e regardless of how the cmdlet was invoked.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert: confirm with \u003ccode\u003eGet-MailboxExportRequestStatistics\u003c/code\u003e which mailbox was exported and where the .pst was written, and preserve the contents of that share for forensics before anyone cleans it up.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-exchange-mailbox-export/","summary":"Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.","title":"Exchange Mailbox Export via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/"}],"language":"en","title":"CraftedSignal Threat Feed — Exchange","version":"https://jsonfeed.org/version/1.1"}