Business Email Compromise

LogoBusiness-Email-Compromise-Guide/PwC-Business_Email_Compromise-Guide.pdf at main ¡ PwC-IR/Business-Email-Compromise-GuideGitHub
Redirecting

MailSniper:

Groups with full rights in Exchange:

  • Organization Management

  • Exchange Organization Administrators

By default, the “Domain Admins” group does not have “full access” rights to mailboxes on Exchange.

BUT, the “Domain Admins” group has the ability to grant this access to any account. You can always resort to adding your own user to the group with a DA

From a workstation on the domain the following command can be run as a domain admin to add a user to the “Exchange Organization Administrators” group:

net groups “Exchange Organization Administrators” <username-of-your-user> /DOMAIN /ADD

ApplicationImpersonation

Users with the “ApplicationImpersonation” role have the ability to access other user's mailboxes.

The “ApplicationImpersonation” role is a Microsoft Exchange server role that, when granted to a user, allows them to impersonate other users when accessing mailboxes. This role can be granted at the Exchange Management Shell with the following command:

New-ManagementRoleAssignment -Name:impersonationAssignmentName 
-Role:ApplicationImpersonation -User:username-of-impersonation-user
LogoIntroducing MailSniper: A Tool For Searching Every User’s Email for Sensitive Data - Black Hills Information SecurityBlack Hills Information Security

Security portals

LogoMicrosoft security portals and admin centersMicrosoftLearn
LogoPhishing investigationMicrosoftLearn
LogoGitHub - randomaccess3/Awesome-BEC: Repository of attack and defensive information for Business Email Compromise investigationsGitHub
LogoCrowdStrike Services Identifies Microsoft 365 Logging InconsistenciesCrowdStrike.com
LogoSecure email recommended policiesMicrosoftLearn
LogoMicrosoft 365 Admin portal abused to send sextortion emailsBleepingComputer

PreviousTokensNextHardening

Last updated