O365 Exchange Suspicious Mailbox Right Delegation

Elastic Stack Serverless Security

Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

Rule type: query

Rule indices:

• filebeat-*
• logs-o365*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

• Domain: Cloud
• Data Source: Microsoft 365
• Use Case: Configuration Audit
• Tactic: Persistence
• Resources: Investigation Guide

Version: 207

Rule authors:

• Elastic
• Austin Songer

Rule license: Elastic License v2

Triage and analysis

[TBC: QUOTE]
Investigating O365 Exchange Suspicious Mailbox Right Delegation

Microsoft 365 Exchange allows users to delegate mailbox access, enabling collaboration by granting permissions like FullAccess, SendAs, or SendOnBehalf. However, adversaries can exploit this by assigning these rights to compromised accounts, facilitating unauthorized access and message manipulation. The detection rule identifies successful permission assignments, excluding system accounts, to flag potential misuse and maintain security integrity.

Possible investigation steps

• Review the event logs to identify the user account that was granted mailbox permissions, focusing on the user.id field to determine if the account is legitimate or potentially compromised.
• Examine the o365.audit.Parameters.AccessRights field to confirm the specific permissions granted (FullAccess, SendAs, or SendOnBehalf) and assess the potential impact of these permissions.
• Investigate the history of the user account that was granted permissions, including recent login activity and any unusual behavior, to identify signs of compromise.
• Check for any recent changes or anomalies in the mailbox that received the permissions, such as unexpected email forwarding rules or unusual email activity.
• Correlate the event with other security alerts or logs to identify any related suspicious activities or patterns that might indicate a broader security incident.

False positive analysis

• Delegation for administrative purposes: Regular delegation of mailbox rights for administrative tasks can trigger alerts. To manage this, create exceptions for known administrative accounts that frequently require such permissions.
• Shared mailbox access: Organizations often use shared mailboxes for collaborative purposes. Identify and exclude these shared mailboxes from the rule to prevent false positives.
• Temporary project-based access: Temporary access granted for specific projects can be mistaken for suspicious activity. Implement a process to document and whitelist these temporary permissions.
• Automated system processes: Some automated processes may require mailbox access rights. Review and exclude these processes from the rule to avoid unnecessary alerts.
• Frequent delegation by specific roles: Certain roles, like executive assistants, may regularly delegate mailbox access. Identify these roles and adjust the rule to accommodate their typical behavior.

Response and remediation

• Immediately revoke the delegated permissions identified in the alert to prevent further unauthorized access to the mailbox.
• Conduct a thorough review of the affected mailbox and any associated accounts to identify any unauthorized changes or suspicious activities, such as unexpected email forwarding rules or message deletions.
• Reset the passwords for the compromised account and any other accounts that may have been affected to prevent further unauthorized access.
• Notify the affected user(s) and relevant stakeholders about the incident, providing guidance on recognizing phishing attempts and securing their accounts.
• Escalate the incident to the security operations team for further investigation and to determine if additional accounts or systems have been compromised.
• Implement additional monitoring on the affected accounts and mailboxes to detect any further suspicious activities or attempts to re-establish unauthorized access.
• Review and update access control policies and permissions settings to ensure that only necessary permissions are granted and that they are regularly audited.

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Persistence
  • ID: TA0003
  • Reference URL: https://attack.mitre.org/tactics/TA0003/

• Technique:

  • Name: Account Manipulation
  • ID: T1098
  • Reference URL: https://attack.mitre.org/techniques/T1098/

• Sub-technique:

  • Name: Additional Email Delegate Permissions
  • ID: T1098.002
  • Reference URL: https://attack.mitre.org/techniques/T1098/002/