Business Email Compromise

Business-Email-Compromise-Guide/PwC-Business_Email_Compromise-Guide.pdf at main · PwC-IR/Business-Email-Compromise-GuideGitHub

Redirecting

MailSniper:

Groups with full rights in Exchange:

• Organization Management

• Exchange Organization Administrators

By default, the “Domain Admins” group does not have “full access” rights to mailboxes on Exchange.

BUT, the “Domain Admins” group has the ability to grant this access to any account. You can always resort to adding your own user to the group with a DA

From a workstation on the domain the following command can be run as a domain admin to add a user to the “Exchange Organization Administrators” group:

net groups “Exchange Organization Administrators” <username-of-your-user> /DOMAIN /ADD

ApplicationImpersonation

Users with the “ApplicationImpersonation” role have the ability to access other user's mailboxes.

The “ApplicationImpersonation” role is a Microsoft Exchange server role that, when granted to a user, allows them to impersonate other users when accessing mailboxes. This role can be granted at the Exchange Management Shell with the following command:

New-ManagementRoleAssignment -Name:impersonationAssignmentName 
-Role:ApplicationImpersonation -User:username-of-impersonation-user

Introducing MailSniper: A Tool For Searching Every User’s Email for Sensitive Data - Black Hills Information SecurityBlack Hills Information Security

Security portals

Microsoft security portals and admin centersMicrosoftLearn

Phishing investigationMicrosoftLearn

GitHub - randomaccess3/Awesome-BEC: Repository of attack and defensive information for Business Email Compromise investigationsGitHub

CrowdStrike Services Identifies Microsoft 365 Logging InconsistenciesCrowdStrike.com

Secure email recommended policiesMicrosoftLearn

Microsoft 365 Admin portal abused to send sextortion emailsBleepingComputer