Auditing Inbox guidelines with EWS and the Graph API in Powershell

Auditing Inbox guidelines with EWS and the Graph API in Powershell

There was plenty of info of late from safety researchers and Microsoft themselves about Inbox guidelines getting used to compromise workstations and to be used in additional pervasive safety breaches. One of many extra attention-grabbing one is is https://blogs.technet.microsoft.com/workplace365safety/defending-against-rules-and-forms-injection/
Which has a fairly good EWS script https://github.com/OfficeDev/O365-InvestigationTooling/blob/grasp/Get-AllTenantRulesAndForms.ps1 for enumerating Guidelines, particularly they’re searching for a Consumer facet rule exploit so this script is enumerating all of the Prolonged Rule Objects within the FAI assortment of the Inbox. In Alternate you possibly can have Server facet guidelines which run whatever the connection state of any shopper or Consumer solely guidelines which solely run when the shopper is linked for extra info see https://assist.workplace.com/en-us/article/server-side-vs-client-only-rules-e1847992-8aa1-4158-8e24-ad043decf1eb
So what the above script does is particularly goal searching for a shopper facet rule exploit. Nevertheless it can return each for Server and Consumer facet prolonged rule object.
Alternate itself has two several types of guidelines Commonplace Guidelines and Prolonged guidelines, the later was an answer to the early Rule dimension challenge that plagued Alternate in early variations. 
One other attention-grabbing exploit for guidelines that launched by the next researchers https://weblog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
The exploit talked about within the above is about making a Server facet rule hidden so it will not seem whenever you attempt to enumerate it with the EXO cmdlet Get-InboxRule (or it additionally will not seem in Outlook or OWA) or truly any of EWS or Microsoft Graph Rule operations.  To know why this is able to happen for those who change the worth of the  PidTagRuleMessageProvider property on a  Rule object requires a bit of understanding or the Rule Protocol which is documented in https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxorule/70ac9436-501e-43e2-9163-20d2b546b886 .  
however principally the worth of this property is supposed to find out who owns and who can edit, delete the rule and so forth and shoppers ought to honour this worth and never contact guidelines that they do not personal and so forth. So Outlook not displaying you guidelines the place the worth is not set to “RuleOrganizer” is its manner of honouring the protocol and I am guessing Get-InboxRule (additionally the EWS GetRule operations) is doing simular. The Rule protocol and storage is utilized in different features just like the JunkEmail Rule and Out Off Workplace in Alternate so these Guidelines additionally do not present up when utilizing any of those API’s or cmdlets which is one other instance of this protocol in motion. Utilizing the script from https://github.com/OfficeDev/O365-InvestigationTooling/blob/grasp/Get-AllTenantRulesAndForms.ps1 it’s also possible to observe this exploit by together with the PidTagRuleMessageProvider worth in the results of the audit, I’ve created a fork of this script to exhibit the straightforward modification mandatory https://github.com/gscales/O365-InvestigationTooling/blob/grasp/Get-AllTenantRulesAndForms.ps1 . In case your conscious of the Hawk device this additionally has some protection for this https://www.powershellgallery.com/packages/HAWK/1.5.0/Content material/Userpercent5CGet-HawkUserHiddenRule.ps1 however this misses the mark at little in that it’ll discover clean or null entries however this may be simply defeated by simply setting your individual customized worth. 

In terms of enumerating Guidelines your first port of name could be utilizing the Get-InboxRule cmdlet in case your trying to do that vai one of many API you would use Redemption to do it through MAPI, for EWS you’ll use the InboxRule operation eg 


The Graph API additionally has the comply with operation for returning guidelines https://docs.microsoft.com/en-us/graph/api/mailfolder-list-messagerules?view=graph-rest-1.0 

Right here a easy ADAL script that dumps the Inbox guidelines of a consumer


Each of the examples I posted simply output the foundations again to the pipeline in powershell so that you would wish so as to add additional logic to check for the actual forms of rule that you simply wished to audit. For instance with the Graph instance to indicate solely forwarding rule use

Get-InboxRules -MailboxName [email protected] | The place-Object {$_.actions.redirectTo}

From a permissions perspective the EWS instance will work both delegate permission assinged to the mailbox utilizing Add-MailboxPermissions or with EWS Impersoantion.

With the Graph API the grant required to run this script is MailboxSettings.Learn or MailboxSettings.ReadWrite these grants are solely scoped to the present mailbox (no shared mailbox scope) which suggests for delegate entry you possibly can solely use this towards the present customers mailbox. Even if in case you have delegated rights to a different mailbox this operation will fail is you attempt to run it towards that mailbox. There’s nevertheless an utility permission for MailboxSettings utilizing this you would create an appOnly token that might be used to entry ever mailbox in your Tenant eg see https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread or you would use my Exch-Relaxation Module which might do that additionally https://github.com/gscales/Exch-Relaxation/blob/grasp/CertificateAuthentication.md and there’s a cmdlet within the module Get-Exr-InboxRules which can return the foundations the identical because the ADAL instance posted above.
One attention-grabbing factor is Workplace365 will now notify you when a brand new forwarding rule is created in OWA or through the Exo cmdlets eg
The safety console will then provide the particulars on the forwarding addresses that has been used. That is definitely a great mitigation nevertheless it would not work for those who create Guidelines through Outlook and also you additionally want be following up on these alerts. Different mitigations like ensuring your watching your Alternate audit logs https://docs.microsoft.com/en-us/workplace365/securitycompliance/enable-mailbox-auditing which is the best manner of selecting up on all of the rule replace exercise. Additionally keeping track of the Message Monitoring logs to see adjustments within the Visitors patterns and huge volumes of electronic mail going to a sure deal with and forwarding deal with experiences if in case you have entry below your subscription. As its been for the reason that Melissa virus Messaging safety is an space the place you want a steady construct of scripts and practices to maintain up with rising menace surroundings. 
As credential leakage improves with MFA and trendy auth using Automation like Inbox Guidelines, Move and Bot’s will change into a extra favoured assault vector. Eg if an entry token turns into compromised and the attacker has entry to the mailbox for much less the 60 minutes these are the vectors they’re going to use to extend their persistance.  
Tags:

Related Posts

Leave a Reply