Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal: Create a new EXO policy to check for users and groups that hold the ApplicationImpersonation role #1419

Open
1 task
tkol2022 opened this issue Nov 12, 2024 · 1 comment
Labels
baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality
Milestone

Comments

@tkol2022
Copy link
Collaborator

💡 Summary

This is a new EXO policy proposal.

The proposal is to add a policy that checks for users and groups that hold the ApplicationImpersonation role in Exchange Online. According to Mandiant, any user or member of a group with this role "can use impersonation to act as and access the mailbox of any other user in the tenant." This is associated with a high amount of risk and we have evidence that its exploitation is used in the wild. See articles below for context, including how to code a policy check with example code from Mandiant.

https://github.com/mandiant/Mandiant-Azure-AD-Investigator/tree/master#application-impersonation-get-mandiantapplicationimpersonationholders
Source code: https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L899

O365 Application Impersonation section of this article: https://www.crowdstrike.com/en-us/blog/observations-from-the-stellarparticle-campaign/

Motivation and context

It is always good to enhance Scuba with policies that check for high risk configurations.

Implementation notes

Microsoft announced the retirement of RBAC Application Impersonation in Exchange Online however this will only be completed by February 2025. I emailed Microsoft to confirm that once this retirement takes effect, the policy proposal associated with this issue will become OBE, but I wanted to log it here for historical reasons.

  • In March of 2025, perform a hands-on check of Exchange Online to confirm that Application Impersonation is no longer available. If that is the case, then close out this issue.
@tkol2022 tkol2022 added baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality labels Nov 12, 2024
@schrolla schrolla added this to the Backlog milestone Nov 25, 2024
@schrolla
Copy link
Collaborator

Re-prioritize post March 2025 in order to verify that setting has been deprecated fully.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality
Projects
None yet
Development

No branches or pull requests

2 participants