LoFP / mailbox folder permissions may be configured for legitimate purposes, filter as needed.

Techniques

Sample rules

O365 Mailbox Folder Read Permission Granted

Description

The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the o365_management_activity data source for the Set-MailboxFolderPermission and Add-MailboxFolderPermission operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.

Detection logic

`o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" OR Operation="Add-MailboxFolderPermission")
| eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false")
| search isReadRole="true" 
| rename UserId as user 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_mailbox_folder_read_permission_granted_filter`

O365 Mailbox Folder Read Permission Assigned

Description

The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the o365_management_activity data source, specifically monitoring the ModifyFolderPermissions and AddFolderPermissions operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.

Detection logic

`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) object!=Calendar object!=Contacts object!=PersonMetadata
| eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false")
| search isReadRole="true"
| rename UserId as user  
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_mailbox_folder_read_permission_assigned_filter`
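The two SPL searches above can be exercised offline to check what they will and will not match. The following Python is an added example written for this page, not Splunk's own code: it re-implements both detections (the exact-match read-role regex of "Read Permission Granted" and the ReadAny test with the Calendar/Contacts/PersonMetadata exclusion of "Read Permission Assigned") over a handful of constructed Office 365 management-activity events, and stands in for the `_filter` macros with an allowlist of granting users, which is where the "filter as needed" tuning for legitimate delegation belongs. The nested `Item.ParentFolder.*` layout and every value in the sample events are assumptions made for the example.

```python
import re

# Read-capable folder roles, mirroring the regex in the "Granted" rule.
READ_ROLE_RE = re.compile(r"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$")
PERMISSION_OPS = {"Set-MailboxFolderPermission", "Add-MailboxFolderPermission"}
FOLDER_OPS = {"ModifyFolderPermissions", "AddFolderPermissions"}
EXCLUDED_OBJECTS = {"Calendar", "Contacts", "PersonMetadata"}

# Constructed sample events (not real tenant data). Nested dicts stand in for the
# dotted Splunk field names such as Item.ParentFolder.MemberRights.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "Workload": "Exchange", "Operation": "Add-MailboxFolderPermission",
     "UserId": "admin@example.test", "Identity": "alice@example.test:\\Inbox", "AccessRights": "Reviewer"},
    {"_time": 1700000060, "Workload": "Exchange", "Operation": "Set-MailboxFolderPermission",
     "UserId": "admin@example.test", "Identity": "alice@example.test:\\Inbox", "AccessRights": "Reviewer"},
    # AvailabilityOnly is not a read role: must not fire.
    {"_time": 1700000120, "Workload": "Exchange", "Operation": "Add-MailboxFolderPermission",
     "UserId": "alice@example.test", "Identity": "alice@example.test:\\Calendar", "AccessRights": "AvailabilityOnly"},
    # Wrong workload: must not fire even though the role would match.
    {"_time": 1700000180, "Workload": "SharePoint", "Operation": "Add-MailboxFolderPermission",
     "UserId": "x@example.test", "Identity": "y", "AccessRights": "Owner"},
    {"_time": 1700000240, "Workload": "Exchange", "Operation": "ModifyFolderPermissions",
     "UserId": "bob@example.test", "object": "Inbox",
     "Item": {"ParentFolder": {"MemberUpn": "mallory@example.test", "MemberRights": "ReadAny, Visible"}}},
    # Calendar is excluded by the "Assigned" rule.
    {"_time": 1700000300, "Workload": "Exchange", "Operation": "AddFolderPermissions",
     "UserId": "bob@example.test", "object": "Calendar",
     "Item": {"ParentFolder": {"MemberUpn": "carol@example.test", "MemberRights": "ReadAny, Visible"}}},
    # Visible without ReadAny: no read access granted.
    {"_time": 1700000360, "Workload": "Exchange", "Operation": "AddFolderPermissions",
     "UserId": "bob@example.test", "object": "Inbox",
     "Item": {"ParentFolder": {"MemberUpn": "dave@example.test", "MemberRights": "Visible"}}},
]


def field(event, dotted):
    """Resolve a dotted Splunk-style field name against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_read_role(access_rights):
    """'Granted' rule: AccessRights must be exactly one of the read-capable roles."""
    return bool(access_rights) and READ_ROLE_RE.match(str(access_rights)) is not None


def aggregate(rows, key_fields):
    """Equivalent of `stats count earliest(_time) as firstTime latest(_time) as lastTime by ...`."""
    out = {}
    for ev in rows:
        key = tuple(field(ev, f) for f in key_fields)
        agg = out.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    return out


def read_permission_granted(events, allowlist=frozenset()):
    """'O365 Mailbox Folder Read Permission Granted'. `allowlist` plays the role of the
    `_filter` macro: UserIds known to grant folder permissions for legitimate reasons."""
    rows = [ev for ev in events
            if ev.get("Workload") == "Exchange" and ev.get("Operation") in PERMISSION_OPS
            and is_read_role(ev.get("AccessRights")) and ev.get("UserId") not in allowlist]
    return aggregate(rows, ["Operation", "UserId", "Identity", "AccessRights"])


def read_permission_assigned(events, allowlist=frozenset()):
    """'O365 Mailbox Folder Read Permission Assigned', keeping only ReadAny member rights."""
    rows = [ev for ev in events
            if ev.get("Workload") == "Exchange" and ev.get("Operation") in FOLDER_OPS
            and ev.get("object") not in EXCLUDED_OBJECTS
            and "ReadAny" in str(field(ev, "Item.ParentFolder.MemberRights") or "")
            and ev.get("UserId") not in allowlist]
    return aggregate(rows, ["Operation", "UserId", "object",
                            "Item.ParentFolder.MemberUpn", "Item.ParentFolder.MemberRights"])


if __name__ == "__main__":
    for name, fn in (("granted", read_permission_granted), ("assigned", read_permission_assigned)):
        for key, agg in fn(SAMPLE_EVENTS).items():
            print(name, key, agg)
```

Running the script reports two "granted" rows (one per operation, both by the same granting user) and one "assigned" row; the Calendar event, the Visible-only event and the non-Exchange event are dropped. Note that the "Granted" regex is anchored, so an AccessRights value carrying several roles would need to be split before matching, while the "Assigned" test is a substring match on MemberRights and tolerates comma-separated lists.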