Skip to content
Threat Feed
critical threat

O365 ApplicationImpersonation Role Assigned

Detection of the ApplicationImpersonation role being assigned in Office 365, potentially leading to unauthorized mailbox access and impersonation.

The ApplicationImpersonation role in Office 365 grants extensive privileges, allowing a user or application to impersonate any other user within the organization. Assignment of this role is a sensitive event that requires careful monitoring. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. Attackers, such as the NOBELIUM group, can abuse this role to gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user. The source detection logic leverages the Office 365 Management Activity API to monitor Azure Active Directory audit logs.

Attack Chain

  1. Initial Access: An attacker gains initial access to an account with sufficient privileges to modify Office 365 roles.
  2. Privilege Escalation: The attacker attempts to assign the ApplicationImpersonation role to a compromised user account or a newly created service principal. This can be achieved via PowerShell or the Azure AD portal.
  3. Role Assignment: The "New-ManagementRoleAssignment" operation is executed within the Office 365 environment, assigning the ApplicationImpersonation role.
  4. Persistence: The attacker leverages the newly assigned ApplicationImpersonation role to maintain persistent access to the target organization's mailboxes.
  5. Data Access: The attacker uses the ApplicationImpersonation role to access and exfiltrate sensitive data from mailboxes.
  6. Lateral Movement: With access to user mailboxes, the attacker gathers information to facilitate lateral movement within the organization.
  7. Covering Tracks: The attacker may attempt to disable logging or remove audit trails to conceal their activities.

Impact

Successful exploitation can lead to complete compromise of sensitive email data, intellectual property theft, and potential business email compromise (BEC) attacks. An attacker with the ApplicationImpersonation role can read, modify, and delete emails from any user's mailbox, leading to significant data breaches and reputational damage.

Recommendation

  • Deploy the Sigma rule O365 ApplicationImpersonation Role Assigned to your SIEM and tune for your environment.
  • Review existing ApplicationImpersonation role assignments to identify and revoke any unauthorized or suspicious grants.
  • Monitor O365 management activity logs for unusual "New-ManagementRoleAssignment" events.
  • Investigate any alerts triggered by the detection logic, focusing on the target_user and user fields in the logs.
  • Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.
  • Regularly audit Azure AD roles and permissions to ensure least privilege.

Detection coverage 2

O365 ApplicationImpersonation Role Assigned

critical

Detects the assignment of the ApplicationImpersonation role in Office 365.

sigma tactics: credential_access, persistence techniques: T1098.002 sources: o365, o365

O365 ApplicationImpersonation Role Assigned to Application

high

Detects the assignment of ApplicationImpersonation role to an application in O365.

sigma tactics: credential_access, persistence techniques: T1098.002 sources: o365, o365

Detection queries are available on the platform. Get full rules →