Skip to content
Threat Feed
high advisory

O365 Elevated Mailbox Permission Assignment

Detection of elevated mailbox permissions (FullAccess, ChangePermission, ChangeOwner) being assigned in Office 365, potentially leading to unauthorized access, data exfiltration, or privilege escalation.

This threat brief addresses the risk of unauthorized mailbox permission assignments within Office 365 environments. The primary focus is on detecting the Add-MailboxPermission operation with elevated access rights such as FullAccess, ChangePermission, or ChangeOwner. These permissions, if maliciously granted, can provide attackers with the ability to read sensitive emails, modify mailbox settings, and potentially escalate privileges within the organization. The detection strategy centers on analyzing Office 365 management activity logs. Successfully exploiting this attack vector may give external threat actors or malicious insiders persistent access to sensitive data.

Attack Chain

  1. An attacker gains initial access to a compromised account or uses stolen credentials with sufficient privileges to modify mailbox permissions.
  2. The attacker leverages PowerShell or the Exchange Management Shell to execute the Add-MailboxPermission cmdlet.
  3. The attacker assigns elevated permissions (e.g., FullAccess, ChangePermission, ChangeOwner) to a target mailbox.
  4. The attacker may hide their activity by modifying audit settings or deleting relevant logs, if possible.
  5. The attacker accesses the target mailbox using the newly assigned permissions.
  6. The attacker exfiltrates sensitive data from the mailbox, including emails, contacts, and calendar entries.
  7. The attacker may use the compromised mailbox to send phishing emails or further compromise other accounts within the organization.

Impact

Successful exploitation of elevated mailbox permission assignments can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain access to confidential business communications, intellectual property, and sensitive customer data. The number of affected mailboxes and the extent of the damage depend on the scope of the unauthorized permission assignments. The targets are organizations that rely heavily on Microsoft Office 365 for communication and collaboration. If successful, attackers can maintain persistent access to mailboxes and escalate privileges within the environment.

Recommendation

  • Deploy the Sigma rule O365 Elevated Mailbox Permission Assigned to your SIEM to detect the assignment of FullAccess, ChangePermission, or ChangeOwner permissions (Rule: O365 Elevated Mailbox Permission Assigned).
  • Review and audit existing mailbox permissions regularly to identify and remove any unauthorized or excessive privileges.
  • Implement multi-factor authentication (MFA) for all user accounts to prevent credential compromise.
  • Monitor Office 365 management activity logs for suspicious PowerShell activity related to mailbox permission changes (Log Source: o365_management_activity).
  • Investigate any alerts generated by the Sigma rule and correlate them with other security events to determine the scope and impact of the attack.

Detection coverage 2

O365 Elevated Mailbox Permission Assigned

high

Detects the assignment of elevated mailbox permissions (FullAccess, ChangePermission, ChangeOwner) via the Add-MailboxPermission operation in Office 365.

sigma tactics: persistence techniques: T1098.002 sources: webserver, o365

O365 Suspicious Add-MailboxPermission by Non-Admin

medium

Detects Add-MailboxPermission operations performed by users who are not typically administrators, indicating potential abuse.

sigma tactics: persistence techniques: T1098.002 sources: webserver, o365

Detection queries are available on the platform. Get full rules →