Suspicious Mailbox Permission Delegation in Exchange Online
- source: elastic
- techniques:
  - T1098
Description
Identifies the assignment of rights to access content from another mailbox (FullAccess, SendAs, or send-on-behalf delegation). An adversary may use a compromised account to send messages to other accounts in the target organization's network while creating inbox rules, so that those messages evade spam and phishing detection mechanisms.
Detection logic
event.dataset: "o365.audit" and
event.provider: "Exchange" and
event.outcome: "success" and
not o365.audit.UserType : (3 or 4) and
(
(event.action: "Add-MailboxPermission" and o365.audit.Parameters.AccessRights: "FullAccess") or
(event.action: "Add-RecipientPermission" and o365.audit.Parameters.AccessRights: "SendAs") or
(event.action: "Set-Mailbox" and o365.audit.Parameters.GrantSendOnBehalfTo: *)
) and
not user.id:(
"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or
"NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" or
"NT AUTHORITY\SYSTEM (w3wp)"
)
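To check how the clauses above combine, the following Python evaluates the same logic over a handful of constructed o365.audit events (flattened ECS field names). This is an added example, not Elastic's rule code; the `id` field, the `_ev` helper and the sample identities are assumptions made for the demonstration.

```python
# Evaluate the rule above against constructed o365.audit events (example code, not the Elastic rule).
# Service identities the rule excludes, copied from its `not user.id:(...)` clause.
EXCLUDED_USER_IDS = {
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
    "NT AUTHORITY\\SYSTEM (w3wp)",
}

def matches_rule(event: dict) -> bool:
    """True when a flattened event satisfies every clause of the KQL query."""
    if (event.get("event.dataset"), event.get("event.provider"),
            event.get("event.outcome")) != ("o365.audit", "Exchange", "success"):
        return False
    # `not o365.audit.UserType : (3 or 4)`; str() covers integer or keyword mappings.
    if str(event.get("o365.audit.UserType")) in ("3", "4"):
        return False
    action = event.get("event.action")
    rights = event.get("o365.audit.Parameters.AccessRights")
    delegated = (
        (action == "Add-MailboxPermission" and rights == "FullAccess")
        or (action == "Add-RecipientPermission" and rights == "SendAs")
        # KQL `field: *` is an existence check, so any non-null value matches.
        or (action == "Set-Mailbox"
            and event.get("o365.audit.Parameters.GrantSendOnBehalfTo") is not None)
    )
    return delegated and event.get("user.id") not in EXCLUDED_USER_IDS

def _ev(eid, action, user, **extra) -> dict:
    """Constructed event with the rule's preconditions satisfied by default (assumed helper)."""
    base = {"id": eid, "event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.outcome": "success", "o365.audit.UserType": 0,
            "event.action": action, "user.id": user}
    return {**base, **extra}

SAMPLE_EVENTS = [  # constructed sample data, not real audit records
    _ev("e1", "Add-MailboxPermission", "alice@example.com",
        **{"o365.audit.Parameters.AccessRights": "FullAccess"}),
    _ev("e2", "Add-MailboxPermission", "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
        **{"o365.audit.Parameters.AccessRights": "FullAccess"}),   # excluded service identity
    _ev("e3", "Set-Mailbox", "svc@example.com", **{"o365.audit.UserType": 4,
        "o365.audit.Parameters.GrantSendOnBehalfTo": "bob@example.com"}),  # UserType 4 excluded
    _ev("e4", "Add-RecipientPermission", "alice@example.com",
        **{"o365.audit.Parameters.AccessRights": "SendAs", "event.outcome": "failure"}),
    _ev("e5", "Set-Mailbox", "admin@example.com",
        **{"o365.audit.Parameters.GrantSendOnBehalfTo": "bob@example.com"}),
]

def alerting_event_ids(events=SAMPLE_EVENTS) -> list:
    """IDs of events that would fire the rule: ["e1", "e5"] for the sample set."""
    return [e["id"] for e in events if matches_rule(e)]
```

Only the human-initiated FullAccess grant (e1) and the send-on-behalf change (e5) alert; the service-host delegation, the UserType 4 actor and the failed cmdlet are all dropped by the rule's exclusions.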