Business Email Compromise

MailSniper:

Groups with full rights in Exchange:

  • Organization Management

  • Exchange Organization Administrators

By default, the “Domain Admins” group does not have “full access” rights to mailboxes on Exchange.

BUT the “Domain Admins” group can grant this access to any account, so you can always resort to adding your own user to one of those groups with a DA account.

From a workstation on the domain, the following command can be run as a domain admin to add a user to the “Exchange Organization Administrators” group:

net groups "Exchange Organization Administrators" <username-of-your-user> /DOMAIN /ADD
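Because membership in these two groups is equivalent to full mailbox access, defenders should know who is in them and be alerted when a domain admin adds someone. The following PowerShell is an added example, not part of the original notes or of MailSniper: it audits the members of both groups against an allowlist and then looks for the "member added" security events on a domain controller. It assumes the ActiveDirectory RSAT module is installed and that the $Approved list is a hypothetical allowlist you maintain yourself.

```powershell
# Added example (not from the original notes or from MailSniper).
# Assumptions: run as a user who can read AD group membership, on a host with the
# RSAT ActiveDirectory module; the event query needs the Security log of a domain controller.
Import-Module ActiveDirectory

$FullRightsGroups = @(
    'Organization Management',
    'Exchange Organization Administrators'
)

# Hypothetical allowlist of accounts that are expected to hold full Exchange rights.
$Approved = @('exchadmin01', 'exchadmin02')

foreach ($group in $FullRightsGroups) {
    # The legacy group may not exist on newer Exchange versions; skip it cleanly.
    $g = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
    if (-not $g) { Write-Warning "Group not found: $group"; continue }

    # -Recursive expands nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        [pscustomobject]@{
            Group  = $group
            Member = $m.SamAccountName
            Status = if ($Approved -contains $m.SamAccountName) { 'approved' } else { 'UNEXPECTED' }
        }
    }
}

# Detection: 4728 (global group) and 4756 (universal group) are logged on the DC
# whenever a member is added. Data fields: [0] MemberName, [2] TargetUserName (group),
# [6] SubjectUserName (who made the change).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4756; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -in $FullRightsGroups } |
    Select-Object TimeCreated, Id,
        @{ n = 'Group';  e = { $_.Properties[2].Value } },
        @{ n = 'Member'; e = { $_.Properties[0].Value } },
        @{ n = 'By';     e = { $_.Properties[6].Value } }
```

Any row marked UNEXPECTED, or any 4728/4756 event naming one of these groups outside a change window, is worth a ticket: a domain admin quietly joining these groups is exactly the path the notes above describe.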

ApplicationImpersonation

Users with the “ApplicationImpersonation” role have the ability to access other users' mailboxes.

The “ApplicationImpersonation” role is a Microsoft Exchange server role that, when granted to a user, allows them to impersonate other users when accessing mailboxes. This role can be granted in the Exchange Management Shell with the following command:

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:username-of-impersonation-user
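An ApplicationImpersonation assignment with no write scope lets the assignee read any mailbox in the organization, so it deserves the same review as group membership. The following PowerShell is an added example, not part of the original notes: run in the Exchange Management Shell on-premises, it lists every ApplicationImpersonation assignment with its scope, flags assignees that are not on a hypothetical $Approved list, and pulls the admin audit log entries that created such assignments.

```powershell
# Added example (not from the original notes). Run in the Exchange Management Shell
# of an on-premises Exchange server. $Approved is a hypothetical allowlist of service
# accounts (backup, migration) that legitimately need impersonation.
$Approved = @('svc-backup')

$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation

foreach ($a in $assignments) {
    # No custom recipient write scope means the assignee can impersonate every mailbox.
    $scope = if ($a.CustomRecipientWriteScope) { $a.CustomRecipientWriteScope } else { 'ALL RECIPIENTS' }
    [pscustomobject]@{
        Assignment = $a.Name
        Assignee   = $a.RoleAssigneeName
        Type       = $a.RoleAssigneeType
        Scope      = $scope
        Status     = if ($Approved -contains $a.RoleAssigneeName) { 'approved' } else { 'UNEXPECTED' }
    }
}

# Who created impersonation assignments in the last 30 days (admin audit logging is
# on by default in on-premises Exchange 2010 and later).
Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Where-Object {
        $_.CmdletParameters | Where-Object { $_.Name -eq 'Role' -and $_.Value -like '*ApplicationImpersonation*' }
    } |
    Select-Object RunDate, Caller, ObjectModified, Succeeded

# Mitigation for an unexpected assignment: remove it, or re-create it with a
# management scope limited to the mailboxes the service account actually needs.
# Remove-ManagementRoleAssignment -Identity '<assignment-name>' -Confirm:$false
```

The second query is the detection counterpart of the command in the notes: the same New-ManagementRoleAssignment call that grants impersonation is recorded with its caller, so a scheduled run of this script surfaces it even when the assignee name looks innocuous.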
