Suspicious Mailbox Permission Delegation in Exchange Online
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.
Elastic rule
[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
updated_date = "2025/05/07"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
evade spam/phishing detection mechanisms.
"""
false_positives = [
    "Assignment of rights to a service account.",
    "Delegation by first-party applications that require mailbox access."
]
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Mailbox Permission Delegation in Exchange Online"
note = """## Triage and Analysis

### Investigating Suspicious Mailbox Permission Delegation in Exchange Online

This rule detects the delegation of mailbox permissions in Microsoft 365 Exchange. This behavior may indicate that an adversary is attempting to gain access to another user's mailbox or send messages on behalf of that user.

### Possible Investigation Steps
- `user.id` and `o365.audit.Parameters.Identity`: Determine which account was delegated access and which account performed the delegation. Review both for unusual activity.
- `event.action`: Indicates the type of permission granted. Review which delegation action was taken.
- `o365.audit.Parameters.AccessRights` or `GrantSendOnBehalfTo`: Confirm the exact permission granted.
- `@timestamp` and `event.ingested`: Review the timing of the delegation and whether it aligns with user activity or known business events.
- `source.ip` and `source.geo`: Validate that the source IP and location are expected for the admin or account performing the action.
- `user_agent.original`: If present, review to identify any automation, script, or unexpected interface used to assign the permissions.

#### FullAccess (`Add-MailboxPermission`)
- `o365.audit.Parameters.Identity`: The mailbox being accessed.
- `o365.audit.Parameters.User`: The user granted FullAccess.
- Review for subsequent mailbox logins or message rules created by the grantee.

#### SendAs (`Add-RecipientPermission`)
- `o365.audit.Parameters.Identity`: The account the grantee is allowed to impersonate.
- `o365.audit.Parameters.Trustee`: The user who was granted the ability to send as the identity.
- Search for recent messages sent "as" the identity and validate whether the activity was legitimate.

#### SendOnBehalf (`Set-Mailbox`)
- `o365.audit.Parameters.GrantSendOnBehalfTo`: The user allowed to send on behalf of the mailbox owner.
- Check for outbound emails or meeting requests with "on behalf of" headers.

### False Positive Analysis

- Delegation to Assistants: Executive or admin assistants often receive FullAccess or SendOnBehalf permissions.
- Shared Mailboxes: Teams or departments may share access to mailboxes for operational efficiency.
- Automated Admin Actions: System or service accounts may perform these actions as part of onboarding or automation.
- Project-Based Access: Temporary access granted for short-term collaboration.
- Maintain an allowlist of known delegation relationships.

### Response and Remediation

If the delegation is determined to be unauthorized or suspicious:

- Revoke the delegated permissions immediately to prevent further access.
- Reset credentials for the impacted accounts if compromise is suspected.
- Review mailbox rules and sent items to detect abuse.
- Alert impacted users and advise on suspicious activity to watch for.
- Review audit logs around the delegation for additional attacker actions (e.g., MFA disablement, mailbox rule creation, login from foreign IPs).
- Review conditional access, role-based access control, and app permissions to reduce the attack surface.
- Harden delegation policies by requiring approvals, limiting delegation to specific groups, or implementing Just-in-Time (JIT) access for mailboxes.
"""
references = [
    "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide"
]
risk_score = 21
rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft Exchange",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Configuration Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "o365.audit" and
event.provider: "Exchange" and
event.outcome: "success" and
not o365.audit.UserType : (3 or 4) and
(
    (event.action: "Add-MailboxPermission" and o365.audit.Parameters.AccessRights: "FullAccess") or
    (event.action: "Add-RecipientPermission" and o365.audit.Parameters.AccessRights: "SendAs") or
    (event.action: "Set-Mailbox" and o365.audit.Parameters.GrantSendOnBehalfTo: *)
) and
not user.id:(
    "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or
    "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" or
    "NT AUTHORITY\SYSTEM (w3wp)"
    )
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "o365.audit.ObjectId",
    "o365.audit.Parameters.Identity",
    "user.id",
    "source.ip",
    "user_agent.original",
    "event.action",
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.002"
name = "Additional Email Delegate Permissions"
reference = "https://attack.mitre.org/techniques/T1098/002/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
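As an added example (not Elastic's rule code), the following Python re-implements the rule's query clause and approximates its new_terms behaviour (an alert fires only when the o365.audit.UserId actor produced no matching delegation event in the prior 14 days), then runs it over constructed sample audit events; the example.com addresses and the make_event helper are assumptions.

```python
from datetime import datetime, timedelta
SYSTEM_IDS = {  # user.id values the rule excludes: Exchange's own service principals
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
    "NT AUTHORITY\\SYSTEM (w3wp)",
}
HISTORY_WINDOW = timedelta(days=14)  # rule.new_terms history_window_start = "now-14d"

def matches_query(ev):
    """Mirror the rule's KQL: successful Exchange delegation by a non-system, non-app actor."""
    if (ev.get("event.dataset") != "o365.audit" or ev.get("event.provider") != "Exchange"
            or ev.get("event.outcome") != "success" or ev.get("o365.audit.UserType") in (3, 4)
            or ev.get("user.id") in SYSTEM_IDS):
        return False
    action, params = ev.get("event.action"), ev.get("o365.audit.Parameters", {})
    if action == "Set-Mailbox":
        return params.get("GrantSendOnBehalfTo") is not None  # KQL `field: *` means field exists
    wanted = {"Add-MailboxPermission": "FullAccess", "Add-RecipientPermission": "SendAs"}
    return action in wanted and params.get("AccessRights") == wanted[action]

def new_terms_alerts(events):
    """Approximate new_terms on o365.audit.UserId: alert only if the actor had no matching event in the prior 14 days."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        uid, ts = ev["o365.audit.UserId"], ev["@timestamp"]
        if uid not in last_seen or ts - last_seen[uid] > HISTORY_WINDOW:
            alerts.append((uid, ev["event.action"], ev["o365.audit.Parameters"].get("Identity")))
        last_seen[uid] = ts  # every match extends the actor's history, alerted or not
    return alerts

def make_event(ts, action, params, user_id="helpdesk@example.com", user_type=2):
    """Build a flattened audit event with the fields the rule references (constructed, not real data)."""
    return {"@timestamp": ts, "event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.outcome": "success", "event.action": action, "o365.audit.UserType": user_type,
            "o365.audit.UserId": user_id, "user.id": user_id, "o365.audit.Parameters": params}

T0 = datetime(2025, 5, 7, 9, 0)
SAMPLE_EVENTS = [  # constructed sample data, not a real tenant's audit log
    make_event(T0, "Add-MailboxPermission", {"Identity": "ceo@example.com", "User": "x@example.com", "AccessRights": "FullAccess"}),
    make_event(T0 + timedelta(hours=1), "Add-MailboxPermission", {"Identity": "ceo@example.com", "AccessRights": "ReadPermission"}),  # not FullAccess
    make_event(T0 + timedelta(days=1), "Add-RecipientPermission", {"Identity": "cfo@example.com", "Trustee": "x@example.com", "AccessRights": "SendAs"}),  # same actor, 1 day later: not new
    make_event(T0 + timedelta(days=2), "Set-Mailbox", {"Identity": "ceo@example.com", "GrantSendOnBehalfTo": "x@example.com"}, user_id="NT AUTHORITY\\SYSTEM (w3wp)"),  # excluded actor
    make_event(T0 + timedelta(days=3), "Set-Mailbox", {"Identity": "ops@example.com", "GrantSendOnBehalfTo": "y@example.com"}, user_type=4),  # UserType 4 excluded
    make_event(T0 + timedelta(days=20), "Add-MailboxPermission", {"Identity": "hr@example.com", "User": "z@example.com", "AccessRights": "FullAccess"}),  # 19 days since last match: new again
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields two alerts, both for the helpdesk actor: the first FullAccess grant and the one 19 days later; the SendAs grant in between is suppressed because the actor was already seen within the window.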