Proposal: Create a new EXO policy to check for users with Default or Anonymous mailbox folder permissions

[tkol2022]

💡 Summary

This is a new EXO policy proposal.

The proposal is to add a policy that checks for users in Exchange Online that have Default or Anonymous permissions set on their mailboxes. When the permission named Default is set, it allows widespread access to a victim user's mailbox by either any member of the organization. When the Anonymous permission is set, it allows access by any external user. Therefore these permissions are associated with a high amount of risk and we have evidence that they are exploited in the wild. See articles below for context, including how to code a policy check with example code from Mandiant.

https://github.com/mandiant/Mandiant-Azure-AD-Investigator/tree/master#mailbox-folder-permissions-get-mandiantmailboxfolderpermissions
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L922

Motivation and context

It is always good to enhance Scuba with policies that check for high risk configurations.

Implementation notes

We received an update directly from Microsoft that the feature to setup default or anonymous permissions may be disabled in the future, however it is not clear that the updates Microsoft is making will disable the ability for an adversary to setup these dangerous permissions on a victim mailbox so this requires some testing. The change from Microsoft is characterized as "Updates to the Microsoft 365 Cloud Policy service setting Turn off sharing recommendation in the Microsoft 365 admin center will disable the ability for users to share or edit folder permissions with individual users in Microsoft Outlook on the web and new Microsoft Outlook for Window desktops." The way this change is characterized it seems like a change to the GUI but it is not clear how this affects the ability to perform the configuration via the back-end API. Also Microsoft said that the update will not be fully rolled out until late December 2024 so we should not test if the feature is still available just yet.

• In February of 2025, perform a hands-on check of Exchange Online to confirm that these permissions are no longer available. If that is the case, then close out this issue. Use the code below to set the permission Default for a specific user and then test from another user's account in Outlook to see if you can access the shared mailbox.

Set-MailboxFolderPermission -Identity [email protected]:\Inbox -User Default -AccessRights ReadItems