Microsoft Exchange 2013 and later are vulnerable to a privilege escalation attack that lets anyone with a mailbox obtain domain administrator rights, at potentially 90% of organisations running Active Directory and Exchange, according to the security researcher who disclosed it. The attack relies on the extensive Active Directory privileges that Exchange is granted by default, which is why the researcher argues it cannot be closed by a conventional patch: the rights themselves have to be cut down.
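The practical question for an administrator is whether Exchange's own security groups hold rights on the domain object that would let them rewrite the domain's permissions. The following PowerShell is an added example written for this page, not code from the article or from the researcher; it assumes a domain-joined machine with the ActiveDirectory RSAT module and read access to the domain naming context, and it simply lists the principals that are allowed WriteDacl, WriteOwner or GenericAll on the domain root.

```powershell
# Added example (not from the article): enumerate ACEs on the domain object that
# grant rights capable of rewriting the domain's own DACL. In a default Exchange
# "shared permissions" deployment, Exchange security groups typically appear here.
# Assumption: ActiveDirectory module available, caller can read the domain ACL.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# Rights that allow a principal to change who controls the domain object.
$dangerous = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$risky = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $dangerous) -ne 0
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference

# Flag anything that looks like an Exchange group so it stands out from the
# expected Domain Admins / Enterprise Admins / SYSTEM entries.
foreach ($ace in $risky) {
    $tag = if ($ace.IdentityReference -match 'Exchange') { 'CHECK' } else { '     ' }
    '{0} {1,-45} {2,-25} inherited={3}' -f $tag, $ace.IdentityReference,
        $ace.ActiveDirectoryRights, $ace.IsInherited
}
```

Entries tagged CHECK are the ones to review against Microsoft's guidance for the Exchange permissions model in use; an Exchange group holding WriteDacl on the domain root is exactly the kind of default right the article describes, and removing it is a change to test in a non-production forest first, since Exchange setup and some management tasks depend on the permissions it expects.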
Microsoft Exchange (2013 and more recent) vulnerable to 'PrivExchange' zero-day: https://t.co/gmIFAnK8gV (by ZDNet's @campuscodi)
— Mary Jo Foley (@maryjofoley) January 29, 2019
Patrick Hunter, Sales Engineering Director at One Identity:
“Never rely on default permissions. Remain sceptical and always test implementations with the minimum set of rights in your test/dev environment. Would you install a security firewall or camera and leave the default password? These accounts should be treated the same way. Always implement a strong authentication programme using some form of multifactor authentication to verify a person is who they say they are. Of course, you can never be sure you have covered all bases, so some form of analytics is going to go a long way to trap unwanted actions from intruders. You should also check to see if the operations being executed are in keeping with the day-to-day work and alert on those that aren’t.”