Do you have sensitive data in your Exchange mailbox? What would happen if your mailbox was accessed with malicious intent?
The first step to mitigating your risk is to know if an unauthorized person has accessed your mailbox. You don’t need to know what the burglar is trying to steal to know they’re in your house. The next question, however, is not who, but what.
In my previous blog post about monitoring non-owner mailbox access in Microsoft Exchange (Microsoft Exchange, Non-Owner Mailbox Logon: Auditing the Insider Threat) we discussed how Exchange is far more than just a mechanism to send and receive emails. Exchange mailboxes are essentially long-term storage repositories of data generated by virtually all users. Such a scenario becomes more and more prevalent as storage costs go down and mailbox size limits go up.
We also discussed how auditing changes to mailbox permissions and mailbox logons is critical to track nefarious activity from a “who committed the act?” perspective. However, this time, we’re going to cover what happens once access has been gained to a mailbox.
…every business has them. These can be mailboxes belonging to C-level employees, the Finance Director, the Human Resources Manager, R&D scientists, etc. They all contain business-sensitive, financial, or personally identifiable data. Alarmingly, improper and unauthorized access to these VIP mailboxes has the potential to bring an entire business into disrepute.
Interestingly, it’s quite common for these VIP mailboxes to have a delegate, such as a personal assistant, who creates and manages content in the mailbox like incoming calendar requests and day-to-day emails. Therefore, even though you would consider these mailboxes ‘high risk’, they are often among the least secure due to the larger number of different people who legitimately access and interact with them.
A VIP mailbox is one of the most at-risk datasets in your environment and is arguably the most susceptible to an Insider Threat.
It’s a simple, yet effective recipe for disaster: Take two pinches of sensitive data and one pinch of access. Mix with a half measure of intent or substitute with a half measure of compromised account.
Et voilà! All the ingredients for a perfectly cooked data breach.
Now that we understand the ingredients, let’s run through some activities typical of a malicious actor seeking unauthorized access to a VIP mailbox.
The attacker targets the VIP’s mailbox, because he assumes it has a treasure trove of sensitive or valuable information, and he’d typically be right. After successfully compromising the VIP’s or their delegate’s account through spear-phishing, the attacker logs on with proper credentials to the VIP’s mailbox through Outlook Web Access (OWA). The attacker then browses through the mailbox, reading messages, opening attachments and forwarding emails to external email addresses. It’s that simple.
As if the breach itself didn’t do your organization enough financial and reputational damage, the news also brings to light your failure to comply with various industry and federal regulations.
Imagine having to have this conversation:
So Ms. Compliance Officer, I see that Mr. Perpetrator accessed a mailbox he shouldn’t have.
That is correct, Mr. Auditor.
Can you tell me what Mr. Perpetrator did in that mailbox?
Enabling real-time, operation-level auditing of your sensitive Exchange mailboxes not only alerts you to serious breach scenarios in time to do something about them, but also avoids this compliance nightmare. Protecting Exchange should be at the very top of your list.
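As an added illustration (not code from the original post or from any STEALTHbits product), the PowerShell below summarizes non-owner operations per actor from mailbox audit records, which is the data needed to answer the auditor's question above. The records are constructed samples using property names from Exchange's native `Search-MailboxAuditLog -ShowDetails` output; the function names and the `ExpectedDelegate` allow-list are hypothetical.

```powershell
# Constructed sample records, shaped like the objects returned on-premises by:
#   Search-MailboxAuditLog -Identity <mailbox> -LogonTypes Delegate,Admin -ShowDetails
# Mailbox auditing must already be enabled: Set-Mailbox -Identity <mailbox> -AuditEnabled $true
function New-SampleRecord($When, $Type, $User, $Op, $Folder, $Client) {
    [pscustomobject]@{ LastAccessed = [datetime]$When; LogonType = $Type; LogonUserDisplayName = $User
                       Operation = $Op; FolderPathName = $Folder; ClientInfoString = $Client }
}
$records = @(
    New-SampleRecord '2024-03-04T09:12:00' 'Delegate' 'Pat Assistant'  'FolderBind' '\Calendar'    'Client=MSExchangeRPC'
    New-SampleRecord '2024-03-04T09:15:00' 'Delegate' 'Pat Assistant'  'Update'     '\Calendar'    'Client=MSExchangeRPC'
    New-SampleRecord '2024-03-05T02:41:00' 'Delegate' 'Sam Contractor' 'FolderBind' '\Inbox'       'Client=OWA;Action=ViaProxy'
    New-SampleRecord '2024-03-05T02:44:00' 'Delegate' 'Sam Contractor' 'FolderBind' '\Inbox\Board' 'Client=OWA;Action=ViaProxy'
    New-SampleRecord '2024-03-05T02:52:00' 'Delegate' 'Sam Contractor' 'SendAs'     '\Sent Items'  'Client=OWA;Action=ViaProxy'
)

function Get-NonOwnerActivitySummary {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecord,
        [string[]] $ExpectedDelegate = @()   # hypothetical allow-list of known delegates
    )
    $AuditRecord |
        Where-Object { $_.LogonType -ne 'Owner' } |
        Group-Object LogonUserDisplayName |
        ForEach-Object {
            $g = $_
            # "What did they do": count each audited operation for this actor
            $ops = $g.Group | Group-Object Operation |
                ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count } | Sort-Object
            $times = $g.Group | Sort-Object LastAccessed | Select-Object -ExpandProperty LastAccessed
            [pscustomobject]@{
                Actor       = $g.Name
                Expected    = $ExpectedDelegate -contains $g.Name
                UsedOwa     = [bool]($g.Group | Where-Object { $_.ClientInfoString -like 'Client=OWA*' })
                SentAsOwner = [bool]($g.Group | Where-Object { $_.Operation -in 'SendAs', 'SendOnBehalf' })
                Operations  = $ops -join ', '
                Folders     = ($g.Group.FolderPathName | Sort-Object -Unique) -join '; '
                FirstSeen   = $times | Select-Object -First 1
                LastSeen    = $times | Select-Object -Last 1
            }
        } | Sort-Object Expected, Actor   # unexpected actors sort first
}

Get-NonOwnerActivitySummary -AuditRecord $records -ExpectedDelegate 'Pat Assistant' | Format-List
```

An allow-listed delegate whose account has been compromised still shows `Expected = True`, so the `UsedOwa`, `SentAsOwner`, `Operations` and time columns need review for every actor, not only the unexpected ones.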
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is the lead Pre-Sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience working in virtually all technical support and consulting roles across both public and private sectors in the UK, EMEA and globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.