
T1114.002

Title | Tags
administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. filter as needed.
compliance content search exports may be executed for legitimate purposes; filter as needed.
compliance content searches may be executed for legitimate purposes; filter as needed.
legitimate applications may access multiple mailboxes via an api. you can filter by the clientappid or the clientipaddress fields.
oauth applications may access mailboxes for legitimate purposes; you can use the clientappid to add trusted applications to an allow list.
the false-positive rate will vary based on how you set the deviation_threshold and data_samples values. our recommendation is to adjust these values based on your network traffic to and from your email servers.
there are legitimate scenarios in which an application registration requires mailbox read access. filter as needed.
while there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. investigate and filter as needed.