Tracking Exchange Online Powershell Access Into Microsoft 365 Environments Cyber

or to bookmark this page

Click here to bookmark this page

Click here to remove bookmark

Tracking Exchange Online Powershell Access Into Microsoft 365 Environments

  • Devon Ackerman is an Associate Managing Director
    Devon Ackerman DevonAckerman
  • Jonathan Holtmann Jonathan Holtmann
  • Scott Downie Scott Downie
  • Jamie Vendel Jamie Vendel

Tracking Exchange Online Powershell Access Into Microsoft 365 Environments

Most users are familiar with Microsoft Exchange Online only as an application for accessing their email inboxes. However, by default, all users also have access to a system called Exchange Online PowerShell. This feature, designed primarily to assist IT administrators, allows a user to programmatically perform actions on a Microsoft 365 (M365) tenant. The specific actions a user can perform depend entirely on the user’s assigned roles.

Throughout the course of conducting M365 business email compromise investigations, Kroll has observed successful logon events that indicate some threat actors are leveraging Exchange Online PowerShell to aid in and/or automate interactions with compromised mailboxes and user accounts.

Identifying Exchange Online PowerShell Authentication Events

Kroll has identified the following indicators as likely evidence of an Exchange Online PowerShell logon attempt:

  • Azure sign-in log entries with an “App Display Name” of Microsoft Exchange Online Remote PowerShell
  • Unified Audit Log entries with user agent strings mentioning:
    • Microsoft WinRM Client
    • Microsoft.Exchange.PowerShell
  • Unified Audit Log entries with user agent strings attributable to Internet Explorer 11

The newer Exchange Online PowerShell V2 module, which Microsoft recommends be used for Exchange Online connections, results in user agent strings that do not mention PowerShell or WinRM. Rather, the recorded user agent strings represent Internet Explorer 11. Entries mentioning WinRM are likely generated by older PowerShell modules that might rely on basic authentication.

Risks of Successful Threat Actor Authentications

Threat actors may leverage Exchange Online PowerShell to rapidly deploy malicious inbox rules and configure forwarding SMTP addresses. While the potential impact of an Exchange Online PowerShell sign-in by a compromised, non-privileged user account is limited to that user’s mailbox, compromised users with certain additional roles may pose a risk to all users on the tenant.

A user with default permissions would be able to perform the following common threat actor actions after logging in using PowerShell:

  • Create/modify/delete own inbox rules (Figures 1 and 2)
  • Create/modify/delete own forwarding SMTP address
  • Send email as the user via the OWA API

Tracking Exchange Online Powershell Access Into Microsoft 365 Environments

Figure 1: Example of malicious inbox rule that redirects emails containing certain keywords to the junk folder


Tracking Exchange Online Powershell Access Into Microsoft 365 Environments

Figure 2: Resulting malicious rule in user mailbox

A user with elevated permissions could perform some—or all of—the following actions, depending on their assigned role(s):

  • Create/modify/delete inbox rules for any user in the tenant
  • Create/modify/delete forwarding SMTP address for any user in the tenant (Figure 3)
  • Create and delete users
  • Disable logging sources and/or limit the retention period for certain logs
  • Reset user passwords
  • Create and export compliance search results for any content in the tenant

Tracking Exchange Online Powershell Access Into Microsoft 365 Environments

Figure 3: Example of a malicious forwarding rule that sends a copy of all inbound emails to another inbox for all mailboxes for which the compromised user has access

Note that some of the expanded capabilities listed above may require PowerShell modules other than those that provide access to Exchange Online. As of this writing, Kroll has determined that it is not possible for a user to export the result of a compliance search unless they have the “Export” role, which is included by default in the “eDiscovery Manager” role group. Accordingly, due to this requirement, Kroll identified no risk that a threat actor could exfiltrate a user’s mailbox content following an Exchange Online PowerShell connection if the user is non-privileged.

Two Ways to Proactively Mitigate the Risk

As most users do not have a business need for Exchange Online PowerShell, IT administrators might simply consider disabling the feature for all users except those that require it for administration purposes (see here for how to disable Exchange Online PowerShell).

When multifactor authentication (MFA) is enabled for all authentication methods, threat actors will be forced to provide an MFA token to access Exchange Online PowerShell.

  • Note that if you have disabled basic authentication via an authentication policy, PowerShell is a category separate from SMTP, Outlook and other services and needs to be independently disabled.
  • If basic authentication is disabled for mail access protocols but left enabled for PowerShell, a threat actor would still be able to take actions on a compromised user’s account without needing to provide an MFA token.


In the short term, organizations can protect themselves from Exchange Online PowerShell exploitation by requiring employees to enable MFA and restricting user permissions according to a least-privilege policy. However, this is just one example of how threat actors exploit legitimate software tools and features for malicious purposes. Combined with malware and threat actor tactics that grow more sophisticated every day, cyber challenges are crucial to address as early as possible.

Tracking Exchange Online Powershell Access Into Microsoft 365 Environments 2021-10-20T00:00:00.0000000 /en/insights/publications/cyber/tracking-exchange-online-powershell-access /-/media/kroll/images/publications/featured-images/tracking-exchange-online-powershell-access.jpg publication {E39587AD-8F0B-4FE2-865F-969BC5501096} {809E3BA6-ABC7-4C3B-AB97-D7E5B9A66B24} {7A48DD95-1A63-4784-842F-A2BE81EAFE13} {3A077BFC-C74A-40AF-A14C-13BCF6E3873E} {042F6B91-DC71-4D5F-BB23-BFA7E05A37CE}

Other Areas We Can Help

Cyber Risk

Cyber Risk

Global, end-to-end cyber risk solutions.

Cyber Risk
Kroll Nominated in Two Categories at the Advisen Cyber Risk Awards

Computer Forensics

Expert computer forensic assistance at any stage of a digital investigation or litigation.

Computer Forensics
Incident Response and Litigation Support

24x7 Incident Response

Compliant notifications, reputation-saving remediation, and litigation support.

24x7 Incident Response
Anti-Bribery & Corruption Benchmarking Report – 2020

Data Collection and Preservation

Collection and preservation of all electronic evidence including email servers, networks, and more.

Data Collection and Preservation


Episode 17

Global Supply Chain Theft Threatens Supply Chain Security: How Corporations Can Prepare and Protect

Episode 17

Are Your Disclosures and Compliance Programs SEC Compliant?


Regulatory Internal Audit Case Studies