Additional Email Delegate Permissions

Information

• Name: Additional Email Delegate Permissions

• ID: T1098.002

• Tactics: TA0003, TA0004

• Technique: T1098

Introduction

The sub-technique Additional Email Delegate Permissions (T1098.002) falls under the MITRE ATT&CK framework's Account Manipulation technique (T1098). Attackers leveraging this sub-technique assign additional delegate permissions to email accounts, enabling unauthorized access, persistence, and stealthy monitoring of email communications. Delegation permissions allow attackers to read, send, and manage emails on behalf of the compromised users, facilitating internal reconnaissance, lateral movement, and data exfiltration activities without raising immediate suspicion.

Deep Dive Into Technique

Attackers exploiting Additional Email Delegate Permissions typically target email systems such as Microsoft Exchange and Office 365. Email delegation permissions allow one mailbox user to grant another user or account the ability to read, send, and manage email messages on their behalf. Attackers may abuse this functionality by:

• Modifying mailbox permissions using administrative credentials or compromised user accounts with sufficient privileges.

• Leveraging PowerShell cmdlets, Exchange Management Shell, or Exchange Web Services (EWS) API to assign mailbox delegation rights silently.

• Assigning delegate permissions such as "Full Access," "Send As," or "Send on Behalf" to an attacker-controlled account or compromised internal account.

Technical execution methods include:

• PowerShell Commands:

  • Add-MailboxPermission -Identity victim@example.com -User attacker@example.com -AccessRights FullAccess -InheritanceType All

  • Add-RecipientPermission victim@example.com -Trustee attacker@example.com -AccessRights SendAs

• Exchange Web Services (EWS) APIs:

  • Attackers may interact directly with EWS endpoints to manipulate permissions programmatically and silently.

• Graph API (Office 365 environments):

  • Attackers may leverage Microsoft Graph API endpoints to silently adjust mailbox permissions if they have sufficient privileges.

Real-world procedures commonly involve:

• Compromising administrator-level accounts or accounts with sufficient Exchange privileges.

• Stealthily assigning delegate permissions to attacker-controlled accounts or compromised internal accounts for persistent email access.

• Monitoring internal communications, exfiltrating sensitive data, or conducting internal phishing campaigns using delegated permissions.

When this Technique is Usually Used

Additional Email Delegate Permissions are typically employed by attackers during the following attack stages and scenarios:

• Persistence:

  • Attackers establish persistent access to sensitive email communications by silently assigning delegate permissions, even after initial access vectors are mitigated.

• Collection and Reconnaissance:

  • Attackers monitor email communications to gather intelligence, sensitive data, credentials, or internal organizational information.

• Credential Access and Lateral Movement:

  • Attackers leverage delegated permissions to send internal phishing emails, spread malicious content, or escalate privileges internally.

• Exfiltration:

  • Attackers silently forward emails or use delegated access to extract sensitive information outside the organization without raising alarms.

• Internal Phishing and Social Engineering:

  • Attackers use delegate permissions to impersonate legitimate users, sending emails from trusted internal accounts to deceive users.

How this Technique is Usually Detected

Detection of Additional Email Delegate Permissions involves monitoring and auditing mailbox permissions and changes closely. Methods and tools include:

• Exchange Audit Logging:

  • Regularly review mailbox permission changes logged by Exchange or Office 365 audit logs for suspicious or unauthorized delegate permissions.

• PowerShell Logging and Monitoring:

  • Monitor PowerShell command execution logs for suspicious mailbox permission cmdlets (Add-MailboxPermission, Add-RecipientPermission) executed by unusual accounts or at unusual times.

• Microsoft 365 Defender and Security Center Alerts:

  • Utilize built-in alerts and anomaly detection that flag unusual mailbox permission assignments or delegate permission changes.

• SIEM Solutions and Log Aggregation Tools:

  • Aggregate and correlate Exchange logs, PowerShell logs, and API access logs to detect suspicious permission changes.

• Indicators of Compromise (IoCs):

  • Sudden appearance of unknown delegate permissions on sensitive mailboxes.

  • Unexpected mailbox permission modifications initiated by non-administrative or rarely-used administrative accounts.

  • Unusual login or mailbox access patterns from unknown or suspicious IP addresses or devices.

Why it is Important to Detect This Technique

Detecting Additional Email Delegate Permissions early is critical due to the potential severe impacts on organizational security, privacy, and operational integrity:

• Data Theft and Exfiltration:

  • Attackers gain persistent, covert access to sensitive internal communications, intellectual property, financial data, and personally identifiable information (PII).

• Internal Reconnaissance and Privilege Escalation:

  • Attackers leverage email delegate permissions to gather intelligence, escalate privileges, and prepare for lateral movement across the network.

• Business Email Compromise (BEC) and Fraud:

  • Attackers impersonate legitimate internal users, conducting fraudulent transactions, unauthorized wire transfers, or business disruptions.

• Reputational Damage and Regulatory Compliance:

  • Unauthorized email access can lead to data breaches, regulatory fines, loss of customer trust, and significant reputational damage.

• Difficulty of Detection Post-Compromise:

  • Delegate permissions are subtle and may evade detection if not monitored closely, allowing attackers prolonged access and increasing the difficulty of remediation.

Early detection and response significantly reduce these risks, limiting attacker dwell time, minimizing potential damage, and ensuring rapid containment and remediation.

Examples

Real-world examples of attacks involving Additional Email Delegate Permissions include:

• APT29 (Cozy Bear) and SolarWinds Incident:

  • Attackers leveraged compromised administrator accounts to silently assign delegate permissions in Microsoft 365 environments, enabling persistent access to sensitive email communications. Attackers monitored internal communications for months, harvesting sensitive data and intelligence.

  • Tools used included PowerShell scripts and Exchange Web Services (EWS) APIs to silently configure delegate permissions.

  • Impact included prolonged espionage, sensitive data exfiltration, and significant operational disruption.

• Business Email Compromise (BEC) Incidents:

  • Attackers compromised executive-level accounts, silently assigned delegate permissions to attacker-controlled internal accounts, and monitored email communications for financial transactions and sensitive business information.

  • Attackers used delegate permissions to impersonate executives, sending fraudulent payment instructions, resulting in significant financial losses.

  • Impact included financial theft, reputational damage, and regulatory scrutiny.

• Internal Phishing Campaigns:

  • Attackers assigned delegate permissions to compromised internal accounts, enabling them to send phishing emails from trusted internal accounts, significantly increasing the effectiveness of social engineering attacks.

  • Attackers used delegated email access to distribute malware, ransomware, or credential-stealing phishing emails internally.

  • Impact included widespread credential theft, malware infections, operational disruptions, and costly remediation efforts.

These examples highlight the effectiveness, stealth, and potential severe impacts of Additional Email Delegate Permissions, underscoring the importance of proactive monitoring, detection, and response.