O365 Exchange Suspicious Mailbox Right Delegation

Last updated 3 days ago on 2025-04-01

Created 4 years ago on 2021-05-17

About

Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

Tags

Domain: CloudData Source: Microsoft 365Use Case: Configuration AuditTactic: PersistenceLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

False Positive Examples

Assignment of rights to a service account.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-o365*
Related Integrations: o365(opens in a new tab or window)
Query

event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"

Install detection rules in Elastic Security

Detect O365 Exchange Suspicious Mailbox Right Delegation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).