O365 Exchange Suspicious Mailbox Right Delegation
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/17"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic", "Austin Songer"]
9description = """
10Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
11to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
12evade spam/phishing detection mechanisms.
13"""
14false_positives = ["Assignment of rights to a service account."]
15index = ["filebeat-*", "logs-o365*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "O365 Exchange Suspicious Mailbox Right Delegation"
19note = """## Setup
20
21The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
22risk_score = 21
23rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
24severity = "low"
25tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
26timestamp_override = "event.ingested"
27type = "query"
28
29query = '''
30event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
31o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
32not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1098"
40name = "Account Manipulation"
41reference = "https://attack.mitre.org/techniques/T1098/"
42[[rule.threat.technique.subtechnique]]
43id = "T1098.002"
44name = "Additional Email Delegate Permissions"
45reference = "https://attack.mitre.org/techniques/T1098/002/"
46
47
48
49[rule.threat.tactic]
50id = "TA0003"
51name = "Persistence"
52reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- Microsoft 365 Teams Custom Application Interaction Allowed
- Microsoft 365 Teams External Access Enabled
- Microsoft 365 Teams Guest Access Enabled
- Azure Automation Runbook Created or Modified
- Azure Automation Webhook Created