services / Azure / DNS MX record set
An Azure DNS MX record set defines the mail-exchange servers that handle inbound email for the domain, and so controls the domain's public mail routing.
Write access lets an attacker reroute inbound mail to attacker-controlled servers (mail-flow hijack); delete access lets an attacker deny inbound email.
Microsoft.Network/dnszones/MX/write
Creating or replacing the MX record set redirects the domain's inbound email to attacker-controlled mail servers, hijacking mail flow and enabling interception and manipulation of communications.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog