delegation by first-party applications that require mailbox access.

Techniques

T1098

Sample rules

Suspicious Mailbox Permission Delegation in Exchange Online

source: elastic
technicques:
- T1098

Description

Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

Detection logic

event.dataset: "o365.audit" and
event.provider: "Exchange" and
event.outcome: "success" and
not o365.audit.UserType : (3 or 4) and
(
    (event.action: "Add-MailboxPermission" and o365.audit.Parameters.AccessRights: "FullAccess") or
    (event.action: "Add-RecipientPermission" and o365.audit.Parameters.AccessRights: "SendAs") or
    (event.action: "Set-Mailbox" and o365.audit.Parameters.GrantSendOnBehalfTo: *)
) and
not user.id:(
    "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or
    "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" or
    "NT AUTHORITY\SYSTEM (w3wp)"
    )