Azure sign-in log entries with an “App Display Name” of Microsoft Exchange Online Remote PowerShell.Kroll has identified the following indicators as likely evidence of an Exchange Online PowerShell logon attempt: Identifying Exchange Online PowerShell Authentication Events Throughout the course of conducting M365 business email compromise investigations, Kroll has observed successful logon events that indicate some threat actors are leveraging Exchange Online PowerShell to aid in and/or automate interactions with compromised mailboxes and user accounts. The specific actions a user can perform depend entirely on the user’s assigned roles. This feature, designed primarily to assist IT administrators, allows a user to programmatically perform actions on a Microsoft 365 (M365) tenant. ![]() However, by default, all users also have access to a system called Exchange Online PowerShell. Most users are familiar with Microsoft Exchange Online only as an application for accessing their email inboxes.
0 Comments
Leave a Reply. |