- High risk Exchange operations which range from allowing the exfiltration of data, the creation of backdoor rules, execution of VBS scripts, or forwarding and collecting sensitive information.
Possible Root Causes
- An attacker is manipulating Exchange to gain access to a specific set of data or to enable continued attack progression.
- In some cases, these operations may be authorized activities for a small set of highly privileged users who perform them so infrequently that they are outside what the detection model considers normal.
- Authorized configurations in cases of a permanent employee separation or temporary leave of absence may involve activities that would otherwise compromise mailbox integrity.
- Sensitive data and content may be contained within Exchange which may be useful or desirable to an adversary.
- Compromising Exchange may allow an attacker to continue their attack progression.
Steps to Verify
- Verify whether these changes to the configurations are intentional and have been made with appropriate compensating safeguards.