LoFP / mailbox folder permissions may be configured for legitimate purposes; filter as needed.

Techniques

Sample rules

O365 Mailbox Folder Read Permission Granted

Description

This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations, Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity data. These operations indicate modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents.

Detection logic

`o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" OR Operation="Add-MailboxFolderPermission") 
| eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false") 
| search isReadRole="true" 
| rename UserId as user 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_mailbox_folder_read_permission_granted_filter`

O365 Mailbox Folder Read Permission Assigned

Description

This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders.

Detection logic

`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) object!=Calendar object!=Contacts object!=PersonMetadata 
| eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") 
| search isReadRole="true" 
| rename UserId as user  
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_mailbox_folder_read_permission_assigned_filter`
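Both rules above replayed over constructed sample events, as an added example that is not Splunk's own code: the anchored role regex of the first rule, the object exclusions and unanchored ReadAny match of the second (applied as a filter, as its description intends), and a stats-style aggregation by the same fields. Field names follow the SPL; all event values are constructed.

```python
import re

# Constructed sample O365 Management Activity events (not real telemetry).
SAMPLE_EVENTS = [
    {"Workload": "Exchange", "Operation": "Add-MailboxFolderPermission", "UserId": "admin@example.test",
     "Identity": "alice:\\Inbox", "AccessRights": "Reviewer", "_time": 1700000000},
    {"Workload": "Exchange", "Operation": "Set-MailboxFolderPermission", "UserId": "admin@example.test",
     "Identity": "alice:\\Inbox", "AccessRights": "Contributor", "_time": 1700000100},  # no read right
    {"Workload": "Exchange", "Operation": "Add-MailboxFolderPermission", "UserId": "admin@example.test",
     "Identity": "alice:\\Inbox", "AccessRights": "Reviewer", "_time": 1700000200},
    {"Workload": "Exchange", "Operation": "AddFolderPermissions", "UserId": "bob@example.test",
     "object": "Inbox", "Item.ParentFolder.MemberUpn": "mallory@example.test",
     "Item.ParentFolder.MemberRights": "ReadAny, Visible", "_time": 1700000300},
    {"Workload": "Exchange", "Operation": "ModifyFolderPermissions", "UserId": "bob@example.test",
     "object": "Calendar", "Item.ParentFolder.MemberUpn": "carol@example.test",
     "Item.ParentFolder.MemberRights": "ReadAny, Visible", "_time": 1700000400},  # excluded object
]

READ_ROLE = re.compile(r"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$")
CMDLET_OPS = {"Set-MailboxFolderPermission", "Add-MailboxFolderPermission"}
FOLDER_OPS = {"ModifyFolderPermissions", "AddFolderPermissions"}
EXCLUDED_OBJECTS = {"Calendar", "Contacts", "PersonMetadata"}

def _stats(events, by):
    """Mimic `stats count earliest(_time) latest(_time) by <fields>`; returns {key tuple: row}."""
    rows = {}
    for e in events:
        key = tuple(e.get(f) for f in by)
        row = rows.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return rows

def read_permission_granted(events):
    """Rule 1: cmdlet grants whose AccessRights is exactly one read-capable role (anchored regex)."""
    hits = [e for e in events
            if e.get("Workload") == "Exchange" and e.get("Operation") in CMDLET_OPS
            and READ_ROLE.match(str(e.get("AccessRights", "")))]
    return _stats(hits, ("Operation", "UserId", "Identity", "AccessRights"))

def read_permission_assigned(events):
    """Rule 2: folder-permission events on core folders whose MemberRights contain ReadAny."""
    hits = [e for e in events
            if e.get("Workload") == "Exchange" and e.get("Operation") in FOLDER_OPS
            and e.get("object") not in EXCLUDED_OBJECTS
            and "ReadAny" in str(e.get("Item.ParentFolder.MemberRights", ""))]
    return _stats(hits, ("Operation", "UserId", "object",
                         "Item.ParentFolder.MemberUpn", "Item.ParentFolder.MemberRights"))
```

The Contributor grant and the Calendar event drop out, and the two Reviewer grants collapse into one row with count 2, which is what the stats clause does in Splunk.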