Proposal: Create a new EXO policy to check for users and groups that hold the ApplicationImpersonation role #1419
Labels
baseline-document
Issues relating to the text in the baseline documents themselves
enhancement
This issue or pull request will add new or improve existing functionality
Milestone
💡 Summary
This is a new EXO policy proposal.
The proposal is to add a policy that checks for users and groups that hold the ApplicationImpersonation role in Exchange Online. According to Mandiant, any user or member of a group with this role "can use impersonation to act as and access the mailbox of any other user in the tenant." This is associated with a high amount of risk and we have evidence that its exploitation is used in the wild. See articles below for context, including how to code a policy check with example code from Mandiant.
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/tree/master#application-impersonation-get-mandiantapplicationimpersonationholders
Source code: https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L899
O365 Application Impersonation section of this article: https://www.crowdstrike.com/en-us/blog/observations-from-the-stellarparticle-campaign/
Motivation and context
It is always good to enhance Scuba with policies that check for high risk configurations.
Implementation notes
Microsoft announced the retirement of RBAC Application Impersonation in Exchange Online however this will only be completed by February 2025. I emailed Microsoft to confirm that once this retirement takes effect, the policy proposal associated with this issue will become OBE, but I wanted to log it here for historical reasons.
The text was updated successfully, but these errors were encountered: