LoFP / delegation by first-party applications that require mailbox access.

Techniques

Sample rules

Suspicious Mailbox Permission Delegation in Exchange Online

Description

Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the target organization's network while creating inbox rules, so that those messages evade spam/phishing detection mechanisms.

Detection logic

event.dataset: "o365.audit" and
event.provider: "Exchange" and
event.outcome: "success" and
not o365.audit.UserType : (3 or 4) and
(
    (event.action: "Add-MailboxPermission" and o365.audit.Parameters.AccessRights: "FullAccess") or
    (event.action: "Add-RecipientPermission" and o365.audit.Parameters.AccessRights: "SendAs") or
    (event.action: "Set-Mailbox" and o365.audit.Parameters.GrantSendOnBehalfTo: *)
) and
not user.id:(
    "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or
    "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" or
    "NT AUTHORITY\SYSTEM (w3wp)"
)
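As an added example, not part of this LoFP page or of the Elastic rule itself, the detection logic above expressed in Python and run over constructed o365 audit events flattened to the dotted field names the rule references (sample user names, mailboxes and parameter values are made up), including the UserType and Exchange service-identity exclusions that account for the first-party delegation false positive this page describes:

```python
# Added example: the rule's logic as plain Python over constructed
# (not real) o365 audit events, using the ECS-style dotted keys the
# rule references. All sample identities and values are made up.

# Exchange service identities the rule excludes: first-party components
# that legitimately delegate mailbox access and would otherwise alert.
SYSTEM_IDS = {
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
    "NT AUTHORITY\\SYSTEM (w3wp)",
}


def _has(ev: dict, key: str, value: str) -> bool:
    """KQL-style match: field equals value, or is a list containing it
    (AccessRights is multi-valued in real audit records)."""
    v = ev.get(key)
    return v == value or (isinstance(v, list) and value in v)


def matches_rule(ev: dict) -> bool:
    """True when an event satisfies the delegation rule above."""
    if ev.get("event.dataset") != "o365.audit" or ev.get("event.provider") != "Exchange":
        return False
    # Failed attempts and DcAdmin/System actors (UserType 3 or 4) are filtered out.
    if ev.get("event.outcome") != "success" or ev.get("o365.audit.UserType") in (3, 4):
        return False
    action = ev.get("event.action")
    delegation = (
        (action == "Add-MailboxPermission" and _has(ev, "o365.audit.Parameters.AccessRights", "FullAccess"))
        or (action == "Add-RecipientPermission" and _has(ev, "o365.audit.Parameters.AccessRights", "SendAs"))
        or (action == "Set-Mailbox" and bool(ev.get("o365.audit.Parameters.GrantSendOnBehalfTo")))
    )
    return delegation and ev.get("user.id") not in SYSTEM_IDS


def _event(action: str, user: str, utype: int = 2, **params) -> dict:
    """Constructed successful Exchange audit event with flattened Parameters."""
    ev = {"event.dataset": "o365.audit", "event.provider": "Exchange",
          "event.outcome": "success", "event.action": action,
          "user.id": user, "o365.audit.UserType": utype}
    ev.update({f"o365.audit.Parameters.{k}": v for k, v in params.items()})
    return ev


SAMPLE_EVENTS = [
    _event("Add-MailboxPermission", "admin@example.com", AccessRights=["FullAccess"]),        # alerts
    _event("Add-MailboxPermission", "NT AUTHORITY\\SYSTEM (w3wp)", AccessRights="FullAccess"),  # excluded id
    _event("Add-RecipientPermission", "svc@example.com", utype=4, AccessRights="SendAs"),      # system UserType
    _event("Add-MailboxPermission", "admin@example.com", AccessRights="ReadPermission"),        # not FullAccess
    _event("Set-Mailbox", "admin@example.com", GrantSendOnBehalfTo="assistant@example.com"),   # alerts
    _event("Set-Mailbox", "admin@example.com", AuditEnabled="True"),                          # no delegation
]


def flag_events(events: list) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))  # [0, 4]
```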