What's different about the Exchange flaw compared to others is that it gets you immediately to a winning condition. There's no tricking employees or exploiting finicky desktops or pivoting around the network. You click a button and you have root at the very top of their network.
Exchange on-prem (likely) sees your password when you sign in from your phone. Every employee's password. It has permissions to AD with its own implicit unmonitored service accounts, basically 1 step to Domain Admin. It's often unmonitored for assumed performance reasons.

3:13 AM · Mar 10, 2021

Even if the only server you had access to was Exchange, you could ransom the company literally with just that. It's their email system. You wouldn't even need to do anything else.
Replying to @SwiftOnSecurity
You're scaring the children.
Replying to @SwiftOnSecurity
Don’t forget the computer accounts for all the Exchange servers are probably in the Administrators group in AD because people use DCs for DAG witness.
Replying to @SwiftOnSecurity
“Assumed performance reasons” meaning, basically, “Microsoft swore they wouldn’t support you if anything was running in the box except Exchange”. Until Sybari came along anyway..