cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal
1.76k stars 226 forks source link

Proposal: Create a new EXO policy to check for users with Default or Anonymous mailbox folder permissions #1420

Open tkol2022 opened 1 week ago

tkol2022 commented 1 week ago

šŸ’” Summary

This is a new EXO policy proposal.

The proposal is to add a policy that checks for users in Exchange Online that have Default or Anonymous permissions set on their mailboxes. When the permission named Default is set, it allows widespread access to a victim user's mailbox by either any member of the organization. When the Anonymous permission is set, it allows access by any external user. Therefore these permissions are associated with a high amount of risk and we have evidence that they are exploited in the wild. See articles below for context, including how to code a policy check with example code from Mandiant.

https://github.com/mandiant/Mandiant-Azure-AD-Investigator/tree/master#mailbox-folder-permissions-get-mandiantmailboxfolderpermissions https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L922

Motivation and context

It is always good to enhance Scuba with policies that check for high risk configurations.

Implementation notes

We received an update directly from Microsoft that the feature to setup default or anonymous permissions may be disabled in the future, however it is not clear that the updates Microsoft is making will disable the ability for an adversary to setup these dangerous permissions on a victim mailbox so this requires some testing. The change from Microsoft is characterized as "Updates to the Microsoft 365 Cloud Policy service setting Turn off sharing recommendation in the Microsoft 365 admin center will disable the ability for users to share or edit folder permissions with individual users in Microsoft Outlook on the web and new Microsoft Outlook for Window desktops." The way this change is characterized it seems like a change to the GUI but it is not clear how this affects the ability to perform the configuration via the back-end API. Also Microsoft said that the update will not be fully rolled out until late December 2024 so we should not test if the feature is still available just yet.

Set-MailboxFolderPermission -Identity zbaduser@TenantName.onmicrosoft.com:\Inbox -User Default -AccessRights ReadItems

Image