O365 Mailbox Audit Logging Bypass

Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/01/13"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified
mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some
authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a
large number of mailbox audit log entries and may not be of interest to your organization. Because of this,
administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged.
Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
the account.
"""
false_positives = ["Legitimate allowlisting of noisy accounts"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Mailbox Audit Logging Bypass"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://twitter.com/misconfig/status/1476144066807140355"]
risk_score = 47
rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
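To make the rule's logic concrete, the following is an added example (not part of the Elastic rule or the o365 integration) that replays the four KQL terms of the query above, plus the 30-minute `from` lookback and the `event.ingested` timestamp override, over constructed audit events. The `user.name`, `@timestamp` and `event.ingested` fields are standard ECS names assumed here; the sample events are constructed and not real telemetry. One difference from the real rule: KQL term queries match analyzed values, whereas this script compares values exactly.

```python
"""Replay the O365 Mailbox Audit Logging Bypass rule over constructed events.

Field names are taken from the rule's KQL query plus standard ECS fields
(user.name, @timestamp, event.ingested). The events below are constructed
samples for illustration, not real Microsoft 365 telemetry.
"""
from datetime import datetime, timedelta, timezone

# The four terms of the rule's query; KQL `and` means all must hold.
RULE_CONDITIONS = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.action": "Set-MailboxAuditBypassAssociation",
    "event.outcome": "success",
}
LOOKBACK = timedelta(minutes=30)  # mirrors from = "now-30m"


def get_field(event: dict, dotted: str):
    """Resolve an ECS dotted path against flattened or nested documents."""
    if dotted in event:  # flattened form: {"event.action": "..."}
        return event[dotted]
    node = event
    for part in dotted.split("."):  # nested form: {"event": {"action": "..."}}
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: dict) -> bool:
    """True when every term of the rule's query matches (exact comparison)."""
    return all(get_field(event, k) == v for k, v in RULE_CONDITIONS.items())


def in_window(event: dict, now: datetime) -> bool:
    """Apply the 30-minute lookback on event.ingested (timestamp_override),
    falling back to @timestamp when the ingest time is absent."""
    ts = get_field(event, "event.ingested") or get_field(event, "@timestamp")
    if ts is None:
        return False
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return now - LOOKBACK <= when <= now


def find_bypass_associations(events, now: datetime):
    """Return (user, timestamp) for each event the rule would alert on."""
    hits = []
    for ev in events:
        if in_window(ev, now) and matches_rule(ev):
            hits.append((get_field(ev, "user.name"), get_field(ev, "@timestamp")))
    return hits


# Constructed "current time" for the lookback window.
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # nested ECS document: bypass association set successfully -> alert
        "@timestamp": "2024-05-21T11:50:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Set-MailboxAuditBypassAssociation",
                  "outcome": "success"},
        "user": {"name": "admin@example.com"},
    },
    {   # flattened keys: same cmdlet, but the call failed -> no alert
        "@timestamp": "2024-05-21T11:52:00Z",
        "event.dataset": "o365.audit", "event.provider": "Exchange",
        "event.action": "Set-MailboxAuditBypassAssociation",
        "event.outcome": "failure",
        "user.name": "svc-backup@example.com",
    },
    {   # a different Exchange cmdlet -> no alert
        "@timestamp": "2024-05-21T11:55:00Z",
        "event.dataset": "o365.audit", "event.provider": "Exchange",
        "event.action": "Set-Mailbox", "event.outcome": "success",
        "user.name": "helpdesk@example.com",
    },
    {   # would match, but lies outside the 30-minute window -> skipped this run
        "@timestamp": "2024-05-21T10:00:00Z",
        "event.dataset": "o365.audit", "event.provider": "Exchange",
        "event.action": "Set-MailboxAuditBypassAssociation",
        "event.outcome": "success",
        "user.name": "old-admin@example.com",
    },
]

if __name__ == "__main__":
    for user, ts in find_bypass_associations(SAMPLE_EVENTS, NOW):
        print(f"ALERT: mailbox audit bypass association set by {user} at {ts}")
```

Running the script prints one alert, for the first sample event. The failed call is excluded by `event.outcome`, the unrelated cmdlet by `event.action`, and the older event by the lookback; in a scheduled Elastic rule the last case is covered by an earlier run rather than lost.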

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
