Proposal: Create a new EXO policy to check for users with Default or Anonymous mailbox folder permissions #1420
Labels
baseline-document
Issues relating to the text in the baseline documents themselves
enhancement
This issue or pull request will add new or improve existing functionality
Milestone
💡 Summary
This is a new EXO policy proposal.
The proposal is to add a policy that checks for users in Exchange Online that have Default or Anonymous permissions set on their mailboxes. When the permission named Default is set, it allows widespread access to a victim user's mailbox by either any member of the organization. When the Anonymous permission is set, it allows access by any external user. Therefore these permissions are associated with a high amount of risk and we have evidence that they are exploited in the wild. See articles below for context, including how to code a policy check with example code from Mandiant.
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/tree/master#mailbox-folder-permissions-get-mandiantmailboxfolderpermissions
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L922
Motivation and context
It is always good to enhance Scuba with policies that check for high risk configurations.
Implementation notes
We received an update directly from Microsoft that the feature to setup default or anonymous permissions may be disabled in the future, however it is not clear that the updates Microsoft is making will disable the ability for an adversary to setup these dangerous permissions on a victim mailbox so this requires some testing. The change from Microsoft is characterized as "Updates to the Microsoft 365 Cloud Policy service setting Turn off sharing recommendation in the Microsoft 365 admin center will disable the ability for users to share or edit folder permissions with individual users in Microsoft Outlook on the web and new Microsoft Outlook for Window desktops." The way this change is characterized it seems like a change to the GUI but it is not clear how this affects the ability to perform the configuration via the back-end API. Also Microsoft said that the update will not be fully rolled out until late December 2024 so we should not test if the feature is still available just yet.
Set-MailboxFolderPermission -Identity [email protected]:\Inbox -User Default -AccessRights ReadItems
The text was updated successfully, but these errors were encountered: