O365 Mailbox Audit Logging Bypass

Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/01/13"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic"]
description = """
Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified
mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some
authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a
large number of mailbox audit log entries and may not be of interest to your organization. Because of this,
administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged.
Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
the account.
"""
false_positives = ["Legitimate allowlisting of noisy accounts"]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Mailbox Audit Logging Bypass"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://twitter.com/misconfig/status/1476144066807140355"]
risk_score = 47
rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
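As an added example (not code from the Elastic rule or the o365 integration), the query's four conditions evaluated in Python over constructed ECS-shaped audit events, plus a triage step that separates a bypass being switched on from one being switched off. The o365.audit.Parameters layout, the Identity and AuditBypassEnabled parameter names and all sample values are assumptions.

```python
import json

# Constructed sample documents in the ECS shape the o365 integration emits.
# Only the event.* values come from the rule; the rest is assumed for illustration.
SAMPLE_EVENTS = [
    {"event": {"dataset": "o365.audit", "provider": "Exchange",
               "action": "Set-MailboxAuditBypassAssociation", "outcome": "success"},
     "user": {"name": "admin@example.com"},
     "o365": {"audit": {"Parameters": {"Identity": "svc-backup", "AuditBypassEnabled": "True"}}}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange",
               "action": "Set-MailboxAuditBypassAssociation", "outcome": "success"},
     "user": {"name": "admin@example.com"},
     "o365": {"audit": {"Parameters": {"Identity": "svc-old", "AuditBypassEnabled": "False"}}}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange",      # failed attempt: rule ignores it
               "action": "Set-MailboxAuditBypassAssociation", "outcome": "failure"},
     "user": {"name": "helpdesk@example.com"}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange",      # unrelated cmdlet
               "action": "Set-Mailbox", "outcome": "success"},
     "user": {"name": "admin@example.com"}},
]

def get(doc, path):
    """Walk a dotted ECS path such as 'event.action'; None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def matches_rule(doc):
    """The rule's KQL query, evaluated against one event document."""
    return (get(doc, "event.dataset") == "o365.audit"
            and get(doc, "event.provider") == "Exchange"
            and get(doc, "event.action") == "Set-MailboxAuditBypassAssociation"
            and get(doc, "event.outcome") == "success")

def triage(events):
    """Run the rule over a batch; a bypass being enabled is the evasion case,
    while disabling one is usually cleanup and can be closed faster."""
    hits = []
    for doc in events:
        if not matches_rule(doc):
            continue
        params = get(doc, "o365.audit.Parameters") or {}   # assumed field layout
        enabled = str(params.get("AuditBypassEnabled", "")).lower() == "true"
        hits.append({"actor": get(doc, "user.name"), "target": params.get("Identity"),
                     "bypass_enabled": enabled, "priority": "high" if enabled else "low"})
    return hits

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```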

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://twitter.com/misconfig/status/1476144066807140355