O365 Exchange Suspicious Mailbox Right Delegation

Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

Elastic rule

[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
evade spam/phishing detection mechanisms.
"""
false_positives = ["Assignment of rights to a service account."]
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Exchange Suspicious Mailbox Right Delegation"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.002"
name = "Additional Email Delegate Permissions"
reference = "https://attack.mitre.org/techniques/T1098/002/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
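The KQL query above can be hard to reason about without data in front of you. The following Python is an added example, not Elastic's code and not part of the rule: it re-implements the same conditions (dataset, provider, action, outcome, the three suspicious access rights, and the Exchange service-host exclusion) over a handful of constructed ECS-style events, and adds an optional allowlist for the documented false positive (rights granted to a known service account). Field names follow the flattened `o365.audit.Parameters.*` layout; the `Identity` and `User` parameter fields and all sample values are assumptions made for the example.

```python
"""Toy re-implementation of the detection logic expressed by the rule query.
Added example only (not Elastic's code); events below are constructed."""

from typing import Iterable, Collection

# Rights the rule treats as suspicious when delegated on another user's mailbox.
SUSPICIOUS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Exact user.id the query excludes (Exchange's own service host). Raw string keeps the backslash.
EXCLUDED_USER_ID = r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"


def _as_list(value):
    """AccessRights may be a single string or a list in the audit record (assumption)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies every clause of the rule query."""
    if event.get("event.dataset") != "o365.audit":
        return False
    if event.get("event.provider") != "Exchange":
        return False
    if event.get("event.action") != "Add-MailboxPermission":
        return False
    if event.get("event.outcome") != "success":
        return False
    # AccessRights:(FullAccess or SendAs or SendOnBehalf) -> any overlap with the set
    rights = set(_as_list(event.get("o365.audit.Parameters.AccessRights")))
    if not rights & SUSPICIOUS_RIGHTS:
        return False
    # not user.id : "NT AUTHORITY\SYSTEM (...)" -> exclude the service host
    if event.get("user.id") == EXCLUDED_USER_ID:
        return False
    return True


def find_suspicious_delegations(events: Iterable[dict],
                                service_accounts: Collection[str] = ()) -> list:
    """Run the rule over events. `service_accounts` is an optional allowlist of
    trustee identities (the rule's documented false positive); matches whose
    Add-MailboxPermission -User parameter names one of them are suppressed."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        trustee = ev.get("o365.audit.Parameters.User")  # assumed flattened parameter name
        if trustee in service_accounts:
            continue
        hits.append(ev)
    return hits


def _event(**overrides) -> dict:
    """Build a constructed sample event with rule-matching defaults."""
    base = {
        "event.dataset": "o365.audit",
        "event.provider": "Exchange",
        "event.action": "Add-MailboxPermission",
        "event.outcome": "success",
        "user.id": "compromised.user@example.com",
        "o365.audit.Parameters.Identity": "cfo@example.com",
        "o365.audit.Parameters.User": "compromised.user@example.com",
        "o365.audit.Parameters.AccessRights": ["FullAccess"],
    }
    base.update(overrides)
    return base


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    _event(),                                                        # 1: should alert
    _event(**{"user.id": EXCLUDED_USER_ID}),                         # 2: excluded service host
    _event(**{"o365.audit.Parameters.AccessRights": ["ReadPermission"]}),  # 3: not a suspicious right
    _event(**{"event.outcome": "failure"}),                          # 4: failed attempt
    _event(**{"o365.audit.Parameters.User": "svc-mailer@example.com",
              "o365.audit.Parameters.AccessRights": "SendAs"}),      # 5: documented false positive
]


if __name__ == "__main__":
    for hit in find_suspicious_delegations(SAMPLE_EVENTS, service_accounts={"svc-mailer@example.com"}):
        print(hit["user.id"], "granted", hit["o365.audit.Parameters.AccessRights"],
              "on", hit["o365.audit.Parameters.Identity"])
```

Without an allowlist the two events that carry FullAccess and SendAs match; passing the service account's identity in `service_accounts` leaves only the first. Note that the allowlist is a triage aid, not part of the rule: the rule itself matches on the actor and the rights, not on the trustee.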

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
