AWS WorkMail mailbox exported
Description
AlphaSOC detected an AWS WorkMail mailbox export operation, involving actions such as PutBucketPolicy, PutBucketAcl, and StartMailboxExportJob. This activity may indicate an adversary’s attempt to exfiltrate mailbox content to unauthorized cloud storage under their control, potentially as part of a broader attack targeting sensitive data stored in email communications.
Impact
Unauthorized mailbox exports can lead to data breaches, exposing confidential communications, attachments, and other sensitive information. This could result in intellectual property theft, blackmail, compromise of personal information, or provide threat actors with valuable insights for further attacks.
Severity
| Severity | Condition |
|---|---|
| Low | AWS WorkMail mailbox exported |
| High | AWS WorkMail mailbox exported to a bucket that was made public |
Investigation and Remediation
Investigate the exported content and review AWS CloudTrail logs to identify the AWS IAM user or role responsible for the export. Examine their recent activities and determine whether the action was authorized. If unauthorized, rotate the affected credentials and assess the extent of potential damage.
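As an added illustration of the detection logic behind the severity table and of the CloudTrail-based triage described above (this is example code written for this page, not AlphaSOC's detection engine), the script below replays a batch of CloudTrail records, collects the buckets that a PutBucketPolicy or PutBucketAcl call opened to everyone, and emits one alert per StartMailboxExportJob, rated High when the export target is one of those buckets and Low otherwise, attributing each alert to the IAM principal in userIdentity. The sample records are constructed, and the requestParameters field names (bucketName, bucketPolicy, x-amz-acl, AccessControlPolicy, s3BucketName) are assumptions about the CloudTrail record shape rather than values taken from the page.

```python
"""Triage helper for the WorkMail mailbox-export signal (added example, not vendor code)."""
import json
from dataclasses import dataclass

# Canned ACLs and the grantee URI that make a bucket world-readable.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


@dataclass
class Alert:
    severity: str    # "Low" or "High", per the severity table
    actor: str       # IAM principal ARN taken from userIdentity
    bucket: str      # export destination (assumed key: s3BucketName)
    event_time: str


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public(policy) -> bool:
    """Does a bucket policy contain an Allow statement for everyone?"""
    if isinstance(policy, str):          # tolerate the policy arriving as JSON text
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be un-listed
        stmts = [stmts]
    return any(s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))
               for s in stmts)


def acl_grants_public(params: dict) -> bool:
    """Does a PutBucketAcl request use a public canned ACL or an AllUsers grant?"""
    canned = params.get("x-amz-acl", [])
    if isinstance(canned, str):
        canned = [canned]
    if any(a in PUBLIC_CANNED_ACLS for a in canned):
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS_URI for g in grants)


def buckets_made_public(events: list) -> set:
    """Names of buckets that a PutBucketPolicy/PutBucketAcl call opened to everyone."""
    public = set()
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        name = ev.get("eventName")
        if name == "PutBucketPolicy" and policy_grants_public(params.get("bucketPolicy") or {}):
            public.add(params.get("bucketName"))
        elif name == "PutBucketAcl" and acl_grants_public(params):
            public.add(params.get("bucketName"))
    return public


def detect_mailbox_exports(events: list) -> list:
    """One Alert per StartMailboxExportJob; High if its target bucket was made public.
    The batch is scanned for public-bucket changes first, so it does not matter
    whether the bucket was opened before or after the export was started."""
    public = buckets_made_public(events)
    alerts = []
    for ev in events:
        if (ev.get("eventSource") != "workmail.amazonaws.com"
                or ev.get("eventName") != "StartMailboxExportJob"):
            continue
        params = ev.get("requestParameters") or {}
        bucket = params.get("s3BucketName", "<unknown>")
        actor = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        alerts.append(Alert("High" if bucket in public else "Low",
                            actor, bucket, ev.get("eventTime", "")))
    return alerts


# Constructed sample records (not real logs): a user opens a bucket to the world and
# exports a mailbox into it; a migration role exports into a bucket that stays private.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "staging-exports", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::staging-exports/*"}]}}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "StartMailboxExportJob",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"organizationId": "m-EXAMPLE", "entityId": "user-EXAMPLE",
                           "s3BucketName": "staging-exports", "s3Prefix": "mail/"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "StartMailboxExportJob",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/migration-role/session"},
     "requestParameters": {"organizationId": "m-EXAMPLE", "entityId": "user-EXAMPLE2",
                           "s3BucketName": "mail-archive", "s3Prefix": "2024/"}},
]

if __name__ == "__main__":
    for a in detect_mailbox_exports(SAMPLE_EVENTS):
        print(f"{a.severity:4} {a.event_time} {a.actor} -> s3://{a.bucket}")
```

Running it on the constructed batch yields a High alert for alice's export into the bucket she had just made public and a Low alert for the migration role's export into a private bucket; the actor ARN on each alert is the starting point for the CloudTrail review of that principal's other recent activity. In a real deployment the batch would be a time window of CloudTrail records for the account, and the PutBucketPolicy/PutBucketAcl checks would be complemented by the bucket's Block Public Access settings, which this example does not read.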
Known False Positives
- Migration activities where mailboxes are being moved to a different system or service by authorized administrators
- Authorized third-party tools or services that interact with WorkMail and require mailbox exports