Showing posts with the label Exchange OnPrem

Auditing Inbox rules (and looking for hidden rules) with EWS in OnPrem Exchange

After the events of the last weeks around the latest zero-day vulnerabilities in Exchange, and once you've finished cleaning up any back doors that may have been left on servers, it's a good idea to review some other lesser-known but established ways bad actors may hide persistent access within Mailboxes. One of these is Inbox Rules (but Mail Flow rules could also be used), and a more advanced method is the hidden Inbox rule exploit that was first talked about here ( https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/ ), which I covered in https://gsexdev.blogspot.com/2019/05/audting-inbox-rules-with-ews-and-graph.html and somebody else covered in https://mgreen27.github.io/posts/2019/06/09/O365HiddenRules.html . There are a number of tools and techniques for detecting these types of rule, but they are all focused more toward Office365, as that was where this exploit was mostly being employed at the time. In my post at the time I mo...

Modifying your EWS WSDL Proxy Code for Modern Authentication

This is a follow-on from my last post on Modifying your EWS Managed API code to use Hybrid Modern Authentication against OnPrem Mailboxes. If instead of the EWS Managed API you are using EWS Proxy Code (generated from the EWS WSDL) and you want to migrate it to Modern Authentication for Office365 and/or Hybrid, here's a method you can use with the MSAL authentication library. Unlike the EWS Managed API, the WSDL-generated proxy classes, and specifically the ExchangeServiceBinding class, don't have any provision to use Token Credentials. One way of implementing this in .NET is to take advantage of polymorphism: create a new class that is derived from the ExchangeServiceBinding class and then override the method GetWebResponse from this class (which is actually derived from the SoapHttpClientProtocol class which contains the actual method we are going to override https://docs.microsoft.com/en-us/dotnet/api/system.web.services.protocols.soap...

Modifying your EWS Managed API code to use Hybrid Modern Authentication against OnPrem Mailboxes

In this post I'm going to look at what you need to do in your EWS Managed API code to support using Hybrid Modern Authentication where previously you've been using Basic or Integrated Authentication (both of which are susceptible to password spray attacks). If you don't know what Hybrid Modern Authentication is, put simply it brings to Exchange OnPrem email clients the security benefits of Modern Authentication offered by Azure AD to Office365 tenants. If you're already using OAuth to connect to Office365 you have most of the work already done, but you will still need logic to ensure you have the correct Audience set in your token when that code is used against an OnPrem Mailbox. Prerequisites: You need to be using Hybrid Exchange, or more specifically Hybrid Office 365 tenant is configured in full hybrid configuration using Exchange Classic Hybrid Topology mode, ref https://docs.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-hybr...

Automating opening a Search-Mailbox result in Excel using EWS

While the Search-Mailbox cmdlet is now deprecated in Exchange Online, OnPrem it's still used a fair bit, and it does still have some use in the cloud for specific tasks. I've been using it this week a fair bit for various testing tasks, and one pain I found when doing a lot of repeated searches in logging mode is having to go in each time, open the results message in the discovery search mailbox, download the attachment with the log file, unzip it and open it in Excel. So I came up with a way of automating this in PowerShell, which turned out to be pretty simple but effective. First off, the only information you need to get the Results Message gets returned in the Target Folder property of the Search results. The TargetFolder value tells you what folder in the discovery Search mailbox the results are stored in and the DateTime value that will be in the subject of the Results Message. So in EWS you can use FindFolder to Find that Folder (using a Split on "\" wh...

Doing Mailbox Change discovery with an EWS PowerShell Script

Mailbox Change discovery is the process of looking at any folders or items that are new or have been modified recently in a Mailbox. It's useful in a number of different ways including (but not limited to):
- Looking at what objects a third party Addin is creating or modifying in your mailbox
- Helping to work out which FAI (Folder Associated Item) is being modified when changes are made to the configuration in Outlook or Outlook on the Web (this can be useful if you then want to automate those changes in your own scripts)
- Fixing client issues caused by corrupt or bad items (e.g. if you've ever used MFCMAPI to delete an Item that's causing a particular client function not to work correctly)
- Getting an understanding of how the backend scaffolding of new features works in Outlook on the Web (e.g. looking at what the substrate is doing in Office365)

If you have ever looked recently at the Non_IPM Root folder of any Office365 Mailbox you can see by the large number of folders that are...
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.