Exchange

A few techniques for leveraging Exchange to escalate privileges in an AD environment:

https://github.com/gdedrouas/Exchange-AD-Privesc

The Exchange group Exchange Windows Permissions is not listed as protected, but its members can write a DACL to the domain object, which can lead to a DCSync attack.

The Exchange group Organization Management is powerful: it has full control of the OU called “Microsoft Exchange Security Groups”, which contains the group Exchange Windows Permissions.

If an Exchange server is compromised, we can often dump all NTLM hashes (users are logging in to Outlook Web Access).

PrivExchange

This attack results from a flaw in the Exchange Server PushSubscription feature.

Any domain user can force the Exchange server to authenticate to any host via HTTP.

The Exchange service runs as SYSTEM and is over-privileged by default (WriteDacl privilege on pre-2019).
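
An audit for the WriteDacl exposure described in the Exchange and PrivExchange notes above, as an added example that is not from the original page or the linked repository: it parses the SDDL of the domain object and lists trustees outside an expected set that can rewrite the DACL or already hold the replication rights DCSync relies on. The sample SDDL, the SIDs and the expected-trustee set are constructed assumptions.

```python
import re

# SDDL right codes -> access-mask bits for directory objects
RIGHT_BITS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
              "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000, "CC": 0x1,
              "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
              "LO": 0x80, "CR": 0x100}
WRITE_DAC, GENERIC_ALL, CONTROL_ACCESS = 0x40000, 0x10000000, 0x100
# Extended rights that together allow directory replication (DCSync)
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All"}
# Assumption: SDDL aliases of trustees expected to hold these rights; tune per domain
EXPECTED = {"DA", "EA", "BA", "SY", "ED", "DD", "RO"}
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schema GUID of the user class
# Constructed sample DACL; RIDs 1121/1122/1130 are made-up group and account RIDs
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
               f"(OA;CI;WD;;{USER_CLASS};{DOM}-1121)"      # applies to the domain object
               f"(OA;CIIO;WD;;{USER_CLASS};{DOM}-1122)"    # inherit-only: children only
               f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1130)")

def parse_mask(rights):
    """The rights field is either hex (0x...) or a run of two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHT_BITS.get(code, 0)
    return mask

def risky_aces(sddl, expected=EXPECTED):
    """List (sid, right) for allow ACEs that take effect on the object itself."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = ace.split(";")[:6]
        # Split flags in pairs: a substring test would see "IO" inside "CIOI"
        if ace_type not in ("A", "OA") or "IO" in re.findall("..", flags) or sid in expected:
            continue
        mask = parse_mask(rights)
        if mask & (WRITE_DAC | GENERIC_ALL):
            findings.append((sid, "WriteDacl"))
        if mask & CONTROL_ACCESS and (not obj_guid or obj_guid.lower() in REPL_GUIDS):
            findings.append((sid, REPL_GUIDS.get(obj_guid.lower(), "all extended rights")))
    return findings

if __name__ == "__main__":
    for sid, right in risky_aces(SAMPLE_SDDL):
        print(f"{right:32} {sid}")
```

With the ActiveDirectory PowerShell module loaded, the real string can be read with `(Get-Acl "AD:\<domain DN>").Sddl` and passed to `risky_aces`.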

Printer Bug