MAAD-AF Mailbox Forwarding

This module lets an attacker set up mail forwarding rules on an Exchange Online mailbox so that its email is forwarded to an external, adversary-controlled mailbox. Forwarding rules let the attacker keep access to organizational information even if the account access is discovered.

Module Overview - DRAFT

NOTE TO ENABLEMENT TEAM: We may need to find a more sustainable example to use for lab users and adjust the verbiage below accordingly.

  1. From the main Attack Arsenal menu, enter 7 for Setup Mailbox Forwarding for Continuous Exfiltration. Read through the MITRE information, and press <Enter> to continue.

  2. Follow the on-screen prompts in MAAD-AF and set up the following mail forwarding rule:

    • Mailbox: Michael Scott

    • Forwarding Destination: your_vectra_email

  3. MAAD-AF will prompt the user to undo the actions just performed. Select No for the purposes of this exercise.

Validation

Enter the full email address for the mailbox that mail forwarding was configured on.
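
For the defender's side of this exercise, the following added example (not part of MAAD-AF or the original lab guide) scans Exchange admin audit records for forwarding to addresses outside the organization's own domains. The page does not say whether the module sets mailbox-level forwarding or an inbox rule, so the example watches both as an assumption; the sample records, mailbox names and domains are constructed.

```python
import json

# Constructed records shaped like Exchange admin entries in the Microsoft 365
# unified audit log; every name, address and timestamp is made up.
SAMPLE_LOG = """
{"CreationTime":"2024-05-01T10:02:11","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"mailbox-a","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@external.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-05-01T10:05:40","Operation":"New-InboxRule","UserId":"user-b@contoso.example","ObjectId":"mailbox-b","Parameters":[{"Name":"ForwardTo","Value":"user-c@contoso.example"}]}
{"CreationTime":"2024-05-01T10:09:03","Operation":"Set-InboxRule","UserId":"user-d@contoso.example","ObjectId":"mailbox-d","Parameters":[{"Name":"RedirectTo","Value":"user-c@contoso.example;Archive@Other.Example"}]}
{"CreationTime":"2024-05-01T10:15:27","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"mailbox-a","Parameters":[{"Name":"ForwardingSmtpAddress","Value":""}]}
"""

# Operations and parameters that can send a mailbox's mail elsewhere.
RULE_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
FORWARD_PARAMS = {
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-InboxRule": RULE_PARAMS,
    "Set-InboxRule": RULE_PARAMS,
}

def external_targets(value, internal_domains):
    """Return addresses in a parameter value whose domain is not internal."""
    hits = []
    for item in value.split(";"):
        addr = item.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        # Empty values (forwarding cleared) and bare directory names are skipped.
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            hits.append(addr)
    return hits

def find_external_forwarding(log_text, internal_domains):
    """Return one finding per external destination set by a watched operation."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        watched = FORWARD_PARAMS.get(rec.get("Operation"), set())
        for param in rec.get("Parameters", []):
            if param.get("Name") not in watched:
                continue
            for addr in external_targets(param.get("Value", ""), internal):
                findings.append({"time": rec.get("CreationTime"), "actor": rec.get("UserId"),
                                 "mailbox": rec.get("ObjectId"), "operation": rec["Operation"],
                                 "destination": addr})
    return findings

if __name__ == "__main__":
    print(*find_external_forwarding(SAMPLE_LOG, {"contoso.example"}), sep="\n")
```

A `ForwardingAddress` value that names a directory recipient without a domain is not resolved here and would need a separate recipient lookup.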