CTD-000026

Regular Microsoft Entra user with Exchange Online PowerShell enabled

Informational
Entra ID Exchange Online
Collection Defense Evasion Initial Access
v59

Signature Identity

CTD-000026
Threat ID
59
Version
IOE
Indicator Type

Threat Description

A regular Microsoft Entra user account with Exchange Online PowerShell enabled poses a threat to your environment. Access to Exchange Online PowerShell doesn’t give users extra administrative powers in your organization, however, threat actors may use Exchange Online PowerShell to access the mailbox or modify inbox rules or configure forwarding SMTP addresses. Also, a compromised user mailbox with Exchange Online PowerShell enabled can be used to initiate a mass phishing attack by sending emails to other users in the tenant. Disabling Exchange Online PowerShell for users, who don’t need it to perform administrative tasks, reduces the possible impact if such an account is compromised.

MITRE ATT&CK: Attack Tactics

Collection Defense Evasion Initial Access

D3FEND: Defend Tactics

User Account Permissions

Remediation

To disable Exchange Online PowerShell for selected user:

  1. Connect to Exchange Online PowerShell using Connect-ExchangeOnline cmdlet.
  2. Run Set-User -Identity {User's identity} -RemotePowerShellEnabled $false.

Frequently Asked Questions

What does Regular Microsoft Entra user with Exchange Online PowerShell enabled mean?

Regular Microsoft Entra user with Exchange Online PowerShell enabled means a non-administrative Microsoft Entra user account has been granted permission to use Exchange Online PowerShell, allowing scripted or remote interaction with Exchange Online.

This configuration does not grant elevated administrative control by itself. However, the presence of this configuration increases exposure if the user account is compromised or misused due to expanded remote automation access.

An attacker can use a compromised account with Exchange Online PowerShell enabled to execute commands that access mailboxes, modify inbox rules, configure forwarding SMTP addresses, or initiate mass phishing attacks by sending emails to other users in the tenant. This expanded capability supports later attacker activity, such as reconnaissance and persistence.

Cayosoft Guardian continuously monitors permissions and settings of regular user accounts for those that have been granted permission to use Exchange Online PowerShell, enabling detection of this configuration.

Cayosoft Guardian alerts administrators to review and limit unnecessary Exchange Online PowerShell access for regular users, reducing the actions available to an attacker if a user account is compromised by limiting remote command access.

Stop AD Threats As They Happen

Cayosoft Protector provides continuous monitoring and real-time alerts across your entire Microsoft Identity stack

Classification
Systems
Entra ID Exchange Online
Themes
Account protection
Attack Tactics
Collection Defense Evasion Initial Access
Defend Tactics
User Account Permissions
Indicator Types
IOE
Related Threats
CTD-000139
Kerberos Constrained Delegation: krbtgt Risks
Critical
CTD-000122
Active Directory Schema Update Permission Risks
Critical