Full Report
Something I have found myself doing more and more often is using Exchange Web Services (EWS) to bypass 2FA. I do this so that I can look through mail for accounts I have compromised. The 2FA bypass is due to a common misconfiguration which can leave EWS unprotected, and has been known about for ages, mostly from the Black Hills post in 2016. However, most of the tooling appears to be written in PowerShell, and being the lazy person I am, I prefer not to start up a Windows VM when I want to see if I can access a person's email. Hence I started just using a small script around the amazing exchangelib where I would just retrieve the top 10 emails using the example provided in the help documentation. I was doing this often enough that I decided to make a more useful tool.
Analysis Summary
# Tool/Technique: thumbscr-ews
## Overview
`thumbscr-ews` is a Python-based tool developed to interact with Microsoft Exchange Web Services (EWS). Its primary purpose is to automate post-compromise activities, specifically bypassing Multi-Factor Authentication (MFA) by exploiting known misconfigurations in EWS exposure to access and exfiltrate mailbox data from compromised accounts. The tool leverages the `exchangelib` Python library.
## Technical Details
- Type: Tool
- Platform: Windows, Linux, macOS (Any platform supporting Python and `exchangelib`)
- Capabilities: Retrieving emails, searching mail content, querying the Global Address List (GAL), checking delegated access permissions, browsing mailbox folder structure, and downloading attachments.
- First Seen: November 2020 (Date of article publication)
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Indirectly, by accessing credentials/data within mail)
- T1114 - Email Collection
- T1114.001 - Email Data
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Implied, as data is retrieved by the attacker)
- **Tactic related to Initial Access/Persistence (via EWS Misconfiguration):** This bypass relies on accessing services that should be protected by MFA.
- T1550 - Use Alternate Authentication Material
- T1550.001 - Pass the Hash (Not directly relevant, but exploitation of MFA failure relates to insecure authentication mechanisms)
## Functionality
### Core Capabilities
- **Email Retrieval:** Listing and retrieving the top emails from folders (e.g., Inbox), including subject, sender, and timestamp.
- **Email Searching:** Filtering emails based on specific content within the subject, body, or sender using EWS query strings (e.g., `Body:Password`).
- **Global Address List (GAL) Querying:** Leveraging the EWS `ResolveNames` method to search for users in the GAL, implemented by iterating specific search strings (e.g., 'aa' to 'zz').
- **Delegation Check:** Ability to test explicitly for delegated access permissions on mailboxes.
- **Attachment Downloading:** Downloading attachments associated with specific emails identified via Mail ID.
### Advanced Features
- **Browse File Structure:** Enumerating the entire file structure of a target mailbox, printing raw objects found within specific folders, which allows viewing non-email items supported by `exchangelib`.
- **Delegate Access Application:** Adding a delegate flag to most commands to allow reading mail belonging to other users if delegated permissions exist.
- **Inspiration:** Functionality was heavily inspired by the PowerShell tool MailSniper.
## Indicators of Compromise
- File Hashes: N/A (No specific hash provided for the tool itself)
- File Names: `thumbscr-ews` (Tool name)
- Registry Keys: N/A
- Network Indicators: Utilizes standard Exchange Web Services (EWS) connections for communication with the target Exchange environment. (No C2 domain/IP specified as it targets legitimate EWS endpoints).
- Behavioral Indicators: High volume of EWS API calls (e.g., `ResolveNames`, folder content retrieval) originating from an atypical client/script.
## Associated Threat Actors
- The article describes the tool being created and used by an independent researcher/actor for personal use in exploiting observed misconfigurations. No named APT group is associated in the text.
## Detection Methods
- **Signature-based detection:** Detection signatures could target the Python script itself, or the `exchangelib` dependency it imports for EWS interaction, since neither is present in normal OWA or Outlook client usage.
- **Behavioral detection:** Monitoring for scripted or automated EWS interaction, specifically iterative calls to `ResolveNames` using sequential search strings. Anomalous EWS traffic volume can be an indicator.
- **YARA rules if available:** Not provided in the text.
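The behavioral indicator above (iterative `ResolveNames` calls with sequential search strings from one client) can be turned into a concrete detection. The following is an added example, not code from the original post or from the `thumbscr-ews` project; it assumes a simplified, constructed per-request log format (timestamp, client IP, mailbox, SOAP operation, argument, User-Agent) and a hypothetical list of known client User-Agent prefixes, both of which would need adapting to real Exchange or IIS logs.

```python
"""Flag scripted EWS GAL enumeration: bursts of ResolveNames calls with
sequential two-letter search strings from a single client.

Added example (not part of the original post or the thumbscr-ews tool).
The log format is constructed for illustration: one line per EWS request
with timestamp, client IP, mailbox, SOAP operation, its argument and the
User-Agent. Real Exchange/IIS logs differ, so adapt parse_line() first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 26 scripted ResolveNames calls ('aa'..'az') from one
# client within half a minute, plus ordinary traffic from a real Outlook user.
SAMPLE_LOG_LINES = [
    f"2020-11-10T09:00:{i:02d}Z 203.0.113.5 alice@corp.example ResolveNames a{chr(97 + i)} python-script/1.0"
    for i in range(26)
] + [
    "2020-11-10T09:05:00Z 198.51.100.7 bob@corp.example ResolveNames john.smith Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0)",
    "2020-11-10T09:20:00Z 198.51.100.7 bob@corp.example GetItem item-id-0001 Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0)",
    "2020-11-10T09:40:00Z 198.51.100.7 bob@corp.example ResolveNames jane.doe Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0)",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<op>\S+) (?P<arg>\S+) (?P<ua>.+)$")

# Assumption: User-Agent prefixes of the mail clients normally seen in this estate.
KNOWN_CLIENT_PREFIXES = ("Microsoft Office", "Outlook", "MacOutlook")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def sequential_fraction(args):
    """Share of adjacent (sorted) arguments that are consecutive two-letter
    strings, e.g. 'aa','ab','ac' -> 1.0. Real names such as 'john.smith'
    are not two-letter strings and therefore count as gaps."""
    codes = sorted(
        (ord(s[0]) - 97) * 26 + (ord(s[1]) - 97)
        for s in args
        if len(s) == 2 and s.isascii() and s.isalpha() and s.islower()
    )
    if len(args) < 2 or len(codes) < 2:
        return 0.0
    consecutive = sum(1 for x, y in zip(codes, codes[1:]) if y - x == 1)
    return consecutive / (len(args) - 1)


def detect_gal_enumeration(lines, window=timedelta(seconds=60), threshold=20, min_sequential=0.8):
    """Return one alert per (client IP, mailbox) whose ResolveNames calls form a
    burst of at least `threshold` requests inside `window` with mostly
    sequential two-letter search strings."""
    events = [r for r in map(parse_line, lines) if r and r["op"] == "ResolveNames"]
    by_source = defaultdict(list)
    for r in events:
        by_source[(r["ip"], r["user"])].append(r)

    alerts = []
    for (ip, user), recs in by_source.items():
        recs.sort(key=lambda r: r["ts"])
        best = None  # largest qualifying burst for this source
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the burst fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < threshold:
                continue
            if sequential_fraction([r["arg"] for r in burst]) < min_sequential:
                continue
            if best is None or len(burst) > len(best):
                best = burst
        if best:
            alerts.append({
                "ip": ip,
                "user": user,
                "calls": len(best),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
                "unknown_client": not best[-1]["ua"].startswith(KNOWN_CLIENT_PREFIXES),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_gal_enumeration(SAMPLE_LOG_LINES):
        print(alert)
```

The sequential-string check is what separates this from a plain rate rule: a help-desk user resolving many real names in a minute produces a high count but a near-zero `sequential_fraction`, while an `'aa'` to `'zz'` sweep scores close to 1.0 even at modest request rates. The `unknown_client` flag is a secondary signal only; scripted clients can set any User-Agent, so it should raise severity rather than gate the alert.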
## Mitigation Strategies
- **Preventing EWS Misconfiguration Exploitation:** Ensure EWS endpoints are correctly secured and subject to the same Multi-Factor Authentication (MFA) controls as the Outlook Web Access (OWA) portal.
- **Principle of Least Privilege:** Review and restrict delegated access permissions on mailboxes where possible.
- **EWS Hardening:** Ensure Exchange server configurations strictly enforce proper authentication requirements for EWS access across the board.
## Related Tools/Techniques
- **MailSniper:** The tool that served as primary inspiration for feature set implementation.
- **PyMailSniper:** A similar project also leveraging Python for EWS interaction, noted by the author.
- **SprayingToolkit:** Mentioned as a potentially superior tool for horizontal brute-forcing, suggesting a common use case for attackers in MFA bypass scenarios.
- **Black Hills Post (2016):** Referenced as the source publicizing the EWS misconfiguration vulnerability enabling MFA bypass.