Business Email Compromise
MailSniper:
Groups with full rights in Exchange:
Organization Management
Exchange Organization Administrators
By default, the “Domain Admins” group does not have “full access” rights to mailboxes on Exchange.
However, the “Domain Admins” group has the ability to grant this access to any account. With a Domain Admin (DA) account, you can always resort to adding your own user to the group.
From a workstation on the domain the following command can be run as a domain admin to add a user to the “Exchange Organization Administrators” group:
ApplicationImpersonation
Users with the “ApplicationImpersonation” role have the ability to access other users' mailboxes.
The “ApplicationImpersonation” role is a Microsoft Exchange server role that, when granted to a user, allows them to impersonate other users when accessing mailboxes. This role can be granted in the Exchange Management Shell with the following command:
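For defenders, the access paths described in this section can be audited from the Exchange Management Shell. The script below is an added example, not part of the original notes: it lists members of “Organization Management”, effective holders of “ApplicationImpersonation”, and explicit FullAccess grants, and marks each against an allowlist. The `$Approved` entries are placeholder names, and on-premises Exchange (2010 or later) is assumed.

```powershell
# Added audit example. Run in the Exchange Management Shell (on-premises)
# with an account allowed to read role assignments and mailbox permissions.

# Assumption: accounts approved to hold these rights (placeholder names).
$Approved = @('svc-approved-placeholder', 'admin-approved-placeholder')
$findings = @()

# 1. Members of the role group with full rights in Exchange.
Get-RoleGroupMember -Identity 'Organization Management' | ForEach-Object {
    $findings += [pscustomobject]@{
        Path    = 'RoleGroup: Organization Management'
        Account = $_.Name
        Target  = 'Organization'
    }
}

# 2. Effective holders of ApplicationImpersonation, including via groups.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    ForEach-Object {
        $scope = if ($_.CustomRecipientWriteScope) { $_.CustomRecipientWriteScope }
                 else { 'All mailboxes' }
        $findings += [pscustomobject]@{
            Path    = "Role: ApplicationImpersonation ($($_.RoleAssigneeName))"
            Account = $_.EffectiveUserName
            Target  = $scope
        }
    }

# 3. Explicit (non-inherited) FullAccess grants on individual mailboxes.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        $_.AccessRights -like '*FullAccess*' -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } | ForEach-Object {
        $findings += [pscustomobject]@{
            Path    = 'MailboxPermission: FullAccess'
            Account = $_.User.ToString()
            Target  = $_.Identity.ToString()
        }
    }

# Mark each finding against the allowlist (DOMAIN\ prefix stripped first).
# Matching is by name only, so review unapproved rows by hand.
$findings |
    Select-Object Path, Account, Target,
        @{ n = 'Approved'; e = { $Approved -contains ($_.Account -replace '^.*\\') } } |
    Sort-Object Approved, Path | Format-Table -AutoSize
```

Rows with `Approved` set to `False` sort first; comparing successive runs shows newly added group members or role assignments.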
Security portals
Microsoft Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with Microsoft Defender XDR
Microsoft Defender Security Center | Monitor and respond to threat activity on your endpoints using capabilities provided with Microsoft Defender for Endpoint. NOTE: Most tenants should now be redirected to the Microsoft Defender portal at security.microsoft.com.
Office 365 Security & Compliance Center | Manage Exchange Online Protection and Microsoft Defender for Office 365 to protect your email and collaboration services, and ensure compliance to various data-handling regulations. NOTE: Most tenants using the security sections of the Office 365 Security & Compliance Center should now be redirected to the Microsoft Defender portal at security.microsoft.com.
Defender for Cloud portal | Use Microsoft Defender for Cloud to strengthen the security posture of your data centers and your hybrid workloads in the cloud
Microsoft Defender for Identity portal | Identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions using Active Directory signals with Microsoft Defender for Identity
Defender for Cloud Apps portal | Use Microsoft Defender for Cloud Apps to get rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats on cloud services
Microsoft Security Intelligence portal | Get security intelligence updates for Microsoft Defender for Endpoint, submit samples, and explore the threat encyclopedia
Portals for other workloads
Microsoft Entra admin center | Access and administer the Microsoft Entra family to protect your business with decentralized identity, identity protection, governance, and more, in a multi-cloud environment
Azure portal | View and manage all your Azure resources
Microsoft Entra admin center | View and manage Microsoft Entra ID
Microsoft Purview compliance portal | Manage data handling policies and ensure compliance with regulations
Microsoft 365 admin center | Configure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365 services
Microsoft Intune admin center | Use Microsoft Intune to manage and secure devices. Can also combine Intune and Configuration Manager capabilities.
Microsoft Intune portal | Use Microsoft Intune to deploy device policies and monitor devices for compliance