Wed, Oct 20, 2021

Tracking Exchange Online PowerShell Access Into Microsoft 365 Environments

Most users are familiar with Microsoft Exchange Online only as an application for accessing their email inboxes. However, by default, all users also have access to a system called Exchange Online PowerShell. This feature, designed primarily to assist IT administrators, allows a user to programmatically perform actions on a Microsoft 365 (M365) tenant. The specific actions a user can perform depend entirely on the user’s assigned roles.

Throughout the course of conducting M365 business email compromise investigations, Kroll has observed successful logon events that indicate some threat actors are leveraging Exchange Online PowerShell to aid in and/or automate interactions with compromised mailboxes and user accounts.

Identifying Exchange Online PowerShell Authentication Events

Kroll has identified the following indicators as likely evidence of an Exchange Online PowerShell logon attempt:

  • Azure sign-in log entries with an “App Display Name” of Microsoft Exchange Online Remote PowerShell
  • Unified Audit Log entries with user agent strings mentioning:
    • Microsoft WinRM Client
    • Microsoft.Exchange.PowerShell
  • Unified Audit Log entries with user agent strings attributable to Internet Explorer 11

The newer Exchange Online PowerShell V2 module, which Microsoft recommends be used for Exchange Online connections, results in user agent strings that do not mention PowerShell or WinRM. Rather, the recorded user agent strings represent Internet Explorer 11. Entries mentioning WinRM are likely generated by older PowerShell modules that might rely on basic authentication.
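The indicators above, applied to exported log data, as an added example (this is not Kroll's code or tooling). The records are constructed samples; the field names follow the Unified Audit Log AuditData JSON and the Azure AD sign-in export, and the correlation on user plus source IP is an assumption about how an analyst would tie a sign-in to the actions that followed it.

```powershell
# Added example (not from the Kroll post). Constructed sample records stand in for real exports.
# Live data instead of the samples:
#   (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000).AuditData | ConvertFrom-Json

function Get-ExoPowerShellIndicator {
    # Returns a label when the user agent matches one of the listed indicators, otherwise $null.
    # The IE11 signature also comes from real browsers, so those hits need the Azure AD
    # sign-in (App Display Name) to corroborate them.
    param([AllowEmptyString()][string]$UserAgent)
    switch -Regex ($UserAgent) {
        'Microsoft WinRM Client'          { return 'Legacy EXO PowerShell (WinRM; may be basic auth)' }
        'Microsoft\.Exchange\.PowerShell' { return 'Exchange PowerShell client' }
        'Trident/7\.0.*rv:11\.0'          { return 'IE11 user agent (consistent with EXO PowerShell V2)' }
    }
    return $null
}

# Constructed Unified Audit Log records (AuditData fields).
$ualRecords = @(
    [pscustomobject]@{ CreationTime='2021-10-18T02:14:07'; UserId='alice@contoso.example'; Operation='New-InboxRule'; ClientIP='203.0.113.10'; UserAgent='Microsoft WinRM Client' }
    [pscustomobject]@{ CreationTime='2021-10-18T02:15:31'; UserId='alice@contoso.example'; Operation='Set-Mailbox';   ClientIP='203.0.113.10'; UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko' }
    [pscustomobject]@{ CreationTime='2021-10-18T08:02:44'; UserId='bob@contoso.example';   Operation='MailItemsAccessed'; ClientIP='198.51.100.7'; UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/94.0 Safari/537.36' }
)

# Constructed Azure AD sign-in records.
$signIns = @(
    [pscustomobject]@{ CreatedDateTime='2021-10-18T02:13:55'; UserPrincipalName='alice@contoso.example'; AppDisplayName='Microsoft Exchange Online Remote PowerShell'; IPAddress='203.0.113.10'; Status='Success' }
    [pscustomobject]@{ CreatedDateTime='2021-10-18T08:01:12'; UserPrincipalName='bob@contoso.example';   AppDisplayName='Office 365 Exchange Online';                   IPAddress='198.51.100.7'; Status='Success' }
)

# Unified Audit Log hits, each tagged with the indicator that matched.
$ualHits = $ualRecords | ForEach-Object {
    $label = Get-ExoPowerShellIndicator -UserAgent $_.UserAgent
    if ($label) { $_ | Add-Member -NotePropertyName Indicator -NotePropertyValue $label -PassThru }
}

# Azure AD sign-ins to the Remote PowerShell application.
$signInHits = $signIns | Where-Object { $_.AppDisplayName -eq 'Microsoft Exchange Online Remote PowerShell' }

# Correlate each PowerShell sign-in with the audited actions from the same user and source IP.
foreach ($s in $signInHits) {
    $actions = $ualHits | Where-Object { $_.UserId -eq $s.UserPrincipalName -and $_.ClientIP -eq $s.IPAddress }
    [pscustomobject]@{ User = $s.UserPrincipalName; SignIn = $s.CreatedDateTime; SourceIP = $s.IPAddress; Actions = ($actions.Operation -join ', ') }
}
$ualHits | Format-Table CreationTime, UserId, Operation, ClientIP, Indicator -AutoSize
```

With the sample data only alice's sign-in is reported, with New-InboxRule and Set-Mailbox as the correlated actions; bob's browser-based OWA access is not flagged.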

Risks of Successful Threat Actor Authentications

Threat actors may leverage Exchange Online PowerShell to rapidly deploy malicious inbox rules and configure forwarding SMTP addresses. While the potential impact of an Exchange Online PowerShell sign-in by a compromised, non-privileged user account is limited to that user’s mailbox, compromised users with certain additional roles may pose a risk to all users on the tenant.

A user with default permissions would be able to perform the following common threat actor actions after logging in using PowerShell:

  • Create/modify/delete own inbox rules (Figures 1 and 2)
  • Create/modify/delete own forwarding SMTP address
  • Send email as the user via the OWA API

Figure 1: Example of malicious inbox rule that redirects emails containing certain keywords to the junk folder


Figure 2: Resulting malicious rule in user mailbox

A user with elevated permissions could perform some—or all of—the following actions, depending on their assigned role(s):

  • Create/modify/delete inbox rules for any user in the tenant
  • Create/modify/delete forwarding SMTP address for any user in the tenant (Figure 3)
  • Create and delete users
  • Disable logging sources and/or limit the retention period for certain logs
  • Reset user passwords
  • Create and export compliance search results for any content in the tenant

Figure 3: Example of a malicious forwarding rule that sends a copy of all inbound emails to another inbox for all mailboxes for which the compromised user has access

Note that some of the expanded capabilities listed above may require PowerShell modules other than those that provide access to Exchange Online. As of this writing, Kroll has determined that a user cannot export the results of a compliance search unless they hold the “Export” role, which is included by default in the “eDiscovery Manager” role group. Accordingly, Kroll identified no risk that a threat actor could exfiltrate a user’s mailbox content following an Exchange Online PowerShell connection if the compromised user is non-privileged.

Two Ways to Proactively Mitigate the Risk

As most users have no business need for Exchange Online PowerShell, IT administrators might simply consider disabling the feature for all users except those who require it for administration purposes (see here for how to disable Exchange Online PowerShell).

When multifactor authentication (MFA) is enabled for all authentication methods, threat actors will be forced to provide an MFA token to access Exchange Online PowerShell.

  • Note that if you have disabled basic authentication via an authentication policy, PowerShell is a category separate from SMTP, Outlook and other services and needs to be independently disabled.
  • If basic authentication is disabled for mail access protocols but left enabled for PowerShell, a threat actor would still be able to take actions on a compromised user’s account without needing to provide an MFA token.
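Both mitigations above as Exchange Online cmdlets, added here as an example that is not from the Kroll post and not the linked Microsoft procedure. It assumes an existing Connect-ExchangeOnline session; the administrator list and the policy name 'Block Basic Auth' are hypothetical, constructed values.

```powershell
# Added example (not from the Kroll post). Assumes an active Connect-ExchangeOnline session.
# $adminUpns is a constructed, hypothetical list of the accounts that legitimately need
# Exchange Online PowerShell; 'Block Basic Auth' is a hypothetical existing policy name.
$adminUpns = @('exoadmin@contoso.example', 'breakglass@contoso.example')

# 1. Disable remote PowerShell for every mailbox user who is not on the administrator list.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and ($_.UserPrincipalName -notin $adminUpns) } |
    ForEach-Object { Set-User -Identity $_.UserPrincipalName -RemotePowerShellEnabled $false }

# Verify: only the listed administrators should still be enabled.
Get-User -ResultSize Unlimited | Where-Object RemotePowerShellEnabled | Select-Object UserPrincipalName

# 2. Authentication policy. PowerShell has its own basic-auth flag, separate from the mail
#    protocols, so review every per-protocol flag rather than assuming one setting covers all.
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthPowershell, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthOutlookService

# Weak state (the bullet above): a policy that blocks basic auth for mail protocols but was
# created with the PowerShell exception switched on, so password-only PowerShell logons still work.
# New-AuthenticationPolicy -Name 'Block Basic Auth' -AllowBasicAuthPowershell

# Corrected state: clear the PowerShell exception on the existing policy ...
Set-AuthenticationPolicy -Identity 'Block Basic Auth' -AllowBasicAuthPowershell:$false

# ... and make it the tenant default so users without an explicit assignment inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
```

Authentication policy changes are applied asynchronously, so re-run the Get-AuthenticationPolicy check after the change and confirm that logons with the WinRM user agent stop appearing in the Unified Audit Log.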

Conclusion

In the short term, organizations can protect themselves from Exchange Online PowerShell abuse by enforcing MFA for employees and restricting user permissions according to a least-privilege policy. However, this is just one example of how threat actors turn legitimate software tools and features to malicious purposes. Combined with malware and threat actor tactics that grow more sophisticated every day, such cyber challenges must be addressed as early as possible.
