O365 Elevated Mailbox Permission Assignment
Detection of elevated mailbox permissions (FullAccess, ChangePermission, ChangeOwner) being assigned in Office 365, potentially leading to unauthorized access, data exfiltration, or privilege escalation.
This threat brief addresses the risk of unauthorized mailbox permission assignments within Office 365 environments. The primary focus is on detecting the Add-MailboxPermission operation with elevated access rights such as FullAccess, ChangePermission, or ChangeOwner. These permissions, if maliciously granted, can provide attackers with the ability to read sensitive emails, modify mailbox settings, and potentially escalate privileges within the organization. The detection strategy centers on analyzing Office 365 management activity logs. Successfully exploiting this attack vector may give external threat actors or malicious insiders persistent access to sensitive data.
Attack Chain
- An attacker gains initial access to a compromised account or uses stolen credentials with sufficient privileges to modify mailbox permissions.
- The attacker leverages PowerShell or the Exchange Management Shell to execute the
Add-MailboxPermissioncmdlet. - The attacker assigns elevated permissions (e.g.,
FullAccess,ChangePermission,ChangeOwner) to a target mailbox. - The attacker may hide their activity by modifying audit settings or deleting relevant logs, if possible.
- The attacker accesses the target mailbox using the newly assigned permissions.
- The attacker exfiltrates sensitive data from the mailbox, including emails, contacts, and calendar entries.
- The attacker may use the compromised mailbox to send phishing emails or further compromise other accounts within the organization.
Impact
Successful exploitation of elevated mailbox permission assignments can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain access to confidential business communications, intellectual property, and sensitive customer data. The number of affected mailboxes and the extent of the damage depend on the scope of the unauthorized permission assignments. The targets are organizations that rely heavily on Microsoft Office 365 for communication and collaboration. If successful, attackers can maintain persistent access to mailboxes and escalate privileges within the environment.
Recommendation
- Deploy the Sigma rule
O365 Elevated Mailbox Permission Assignedto your SIEM to detect the assignment of FullAccess, ChangePermission, or ChangeOwner permissions (Rule:O365 Elevated Mailbox Permission Assigned). - Review and audit existing mailbox permissions regularly to identify and remove any unauthorized or excessive privileges.
- Implement multi-factor authentication (MFA) for all user accounts to prevent credential compromise.
- Monitor Office 365 management activity logs for suspicious PowerShell activity related to mailbox permission changes (Log Source:
o365_management_activity). - Investigate any alerts generated by the Sigma rule and correlate them with other security events to determine the scope and impact of the attack.
Detection coverage 2
O365 Elevated Mailbox Permission Assigned
highDetects the assignment of elevated mailbox permissions (FullAccess, ChangePermission, ChangeOwner) via the Add-MailboxPermission operation in Office 365.
O365 Suspicious Add-MailboxPermission by Non-Admin
mediumDetects Add-MailboxPermission operations performed by users who are not typically administrators, indicating potential abuse.
Detection queries are available on the platform. Get full rules →