O365 Exchange Suspicious Mailbox Right Delegation

Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

Elastic rule

[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
evade spam/phishing detection mechanisms.
"""
false_positives = ["Assignment of rights to a service account."]
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Exchange Suspicious Mailbox Right Delegation"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.002"
name = "Additional Email Delegate Permissions"
reference = "https://attack.mitre.org/techniques/T1098/002/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
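As an added example (not part of the Elastic rule or its repository), the following Python re-implements the clauses of the KQL query above and runs them over constructed o365.audit events, so you can see which records alert and which the rights filter and the `user.id` exclusion drop. The nested event shape follows the ECS field paths named in the query; the mailbox and account names in the sample events are assumptions, not real audit data.

```python
"""Offline re-implementation of the rule's query logic (added example).

The Elastic rule is evaluated by Kibana; this module mirrors its clauses in
plain Python so the matching behaviour can be inspected against constructed
o365.audit records. Field paths follow those used in the KQL query.
"""

# Exclusion from the query: the Exchange service host's own SYSTEM actions
EXCLUDED_USER_ID = r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
# Rights the query treats as suspicious delegation
SUSPICIOUS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def get_field(event, dotted_path):
    """Walk a dotted ECS path (e.g. 'o365.audit.Parameters.AccessRights')
    through nested dicts; return None when any segment is missing."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches_rule(event):
    """Return True when the event satisfies every clause of the rule query."""
    if get_field(event, "event.dataset") != "o365.audit":
        return False
    if get_field(event, "event.provider") != "Exchange":
        return False
    if get_field(event, "event.action") != "Add-MailboxPermission":
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    # KQL field:(a or b) matches any value of a multi-valued field, so accept
    # either a single string or a list of rights here.
    rights = get_field(event, "o365.audit.Parameters.AccessRights")
    if isinstance(rights, str):
        rights = [rights]
    if not rights or not SUSPICIOUS_RIGHTS.intersection(rights):
        return False
    if get_field(event, "user.id") == EXCLUDED_USER_ID:
        return False
    return True


def describe(event):
    """Triage summary for an alerting event: who delegated what, on which mailbox."""
    return "{actor} granted {rights} on {mailbox} to {delegate}".format(
        actor=get_field(event, "user.id"),
        rights=get_field(event, "o365.audit.Parameters.AccessRights"),
        mailbox=get_field(event, "o365.audit.Parameters.Identity"),
        delegate=get_field(event, "o365.audit.Parameters.User"),
    )


def _make_event(actor, mailbox, delegate, rights, outcome="success"):
    """Build a constructed o365.audit record in the shape the query expects."""
    return {
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Add-MailboxPermission", "outcome": outcome},
        "o365": {"audit": {"Parameters": {"Identity": mailbox,
                                          "User": delegate,
                                          "AccessRights": rights}}},
        "user": {"id": actor},
    }


# Constructed sample records (hypothetical tenant names, not real logs)
SAMPLE_EVENTS = [
    # admin delegates FullAccess on an executive mailbox -> should alert
    _make_event("admin@example.com", "ceo@example.com",
                "contractor@example.com", "FullAccess"),
    # identical cmdlet run by the Exchange service host -> excluded by user.id
    _make_event(EXCLUDED_USER_ID, "shared@example.com",
                "helpdesk@example.com", "FullAccess"),
    # ReadPermission only -> not in the suspicious rights set
    _make_event("admin@example.com", "ceo@example.com",
                "auditor@example.com", "ReadPermission"),
    # SendAs attempted but the cmdlet failed -> outcome is not success
    _make_event("admin@example.com", "ceo@example.com",
                "contractor@example.com", "SendAs", outcome="failure"),
]


def alerting_events(events):
    """Return only the records the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", describe(hit))
```

Running the module prints one alert for the first sample record; the other three are dropped by the exclusion, the rights filter and the outcome check respectively. The `_make_event` helper is only there to keep the constructed samples short; real records come from the Office 365 integration named in the Setup note.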

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
