Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal: Create a new EXO policy to check for users with Default or Anonymous mailbox folder permissions #1420

Open
1 task
tkol2022 opened this issue Nov 12, 2024 · 1 comment
Labels
baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality
Milestone

Comments

@tkol2022
Copy link
Collaborator

💡 Summary

This is a new EXO policy proposal.

The proposal is to add a policy that checks for users in Exchange Online that have Default or Anonymous permissions set on their mailboxes. When the permission named Default is set, it allows widespread access to a victim user's mailbox by either any member of the organization. When the Anonymous permission is set, it allows access by any external user. Therefore these permissions are associated with a high amount of risk and we have evidence that they are exploited in the wild. See articles below for context, including how to code a policy check with example code from Mandiant.

https://github.com/mandiant/Mandiant-Azure-AD-Investigator/tree/master#mailbox-folder-permissions-get-mandiantmailboxfolderpermissions
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L922

Motivation and context

It is always good to enhance Scuba with policies that check for high risk configurations.

Implementation notes

We received an update directly from Microsoft that the feature to setup default or anonymous permissions may be disabled in the future, however it is not clear that the updates Microsoft is making will disable the ability for an adversary to setup these dangerous permissions on a victim mailbox so this requires some testing. The change from Microsoft is characterized as "Updates to the Microsoft 365 Cloud Policy service setting Turn off sharing recommendation in the Microsoft 365 admin center will disable the ability for users to share or edit folder permissions with individual users in Microsoft Outlook on the web and new Microsoft Outlook for Window desktops." The way this change is characterized it seems like a change to the GUI but it is not clear how this affects the ability to perform the configuration via the back-end API. Also Microsoft said that the update will not be fully rolled out until late December 2024 so we should not test if the feature is still available just yet.

  • In February of 2025, perform a hands-on check of Exchange Online to confirm that these permissions are no longer available. If that is the case, then close out this issue. Use the code below to set the permission Default for a specific user and then test from another user's account in Outlook to see if you can access the shared mailbox.

Set-MailboxFolderPermission -Identity [email protected]:\Inbox -User Default -AccessRights ReadItems

Image

@tkol2022 tkol2022 added baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality labels Nov 12, 2024
@schrolla schrolla added this to the Backlog milestone Nov 25, 2024
@schrolla
Copy link
Collaborator

Blocked until service changes are in place after February 2025.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality
Projects
None yet
Development

No branches or pull requests

2 participants