{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mailbox-permissions/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Exchange"],"_cs_severities":["high"],"_cs_tags":["o365","mailbox-permissions","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of unauthorized mailbox permission assignments within Office 365 environments. The primary focus is on detecting the \u003ccode\u003eAdd-MailboxPermission\u003c/code\u003e operation with elevated access rights such as \u003ccode\u003eFullAccess\u003c/code\u003e, \u003ccode\u003eChangePermission\u003c/code\u003e, or \u003ccode\u003eChangeOwner\u003c/code\u003e. These permissions, if maliciously granted, can provide attackers with the ability to read sensitive emails, modify mailbox settings, and potentially escalate privileges within the organization. The detection strategy centers on analyzing Office 365 management activity logs. Successfully exploiting this attack vector may give external threat actors or malicious insiders persistent access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised account or uses stolen credentials with sufficient privileges to modify mailbox permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell or the Exchange Management Shell to execute the \u003ccode\u003eAdd-MailboxPermission\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns elevated permissions (e.g., \u003ccode\u003eFullAccess\u003c/code\u003e, \u003ccode\u003eChangePermission\u003c/code\u003e, \u003ccode\u003eChangeOwner\u003c/code\u003e) to a target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker may hide their activity by modifying audit settings or deleting relevant logs, if possible.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the target mailbox using the newly assigned permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the mailbox, including emails, contacts, and calendar entries.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised mailbox to send phishing emails or further compromise other accounts within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of elevated mailbox permission assignments can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain access to confidential business communications, intellectual property, and sensitive customer data. The number of affected mailboxes and the extent of the damage depend on the scope of the unauthorized permission assignments. The targets are organizations that rely heavily on Microsoft Office 365 for communication and collaboration. If successful, attackers can maintain persistent access to mailboxes and escalate privileges within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Elevated Mailbox Permission Assigned\u003c/code\u003e to your SIEM to detect the assignment of FullAccess, ChangePermission, or ChangeOwner permissions (Rule: \u003ccode\u003eO365 Elevated Mailbox Permission Assigned\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and audit existing mailbox permissions regularly to identify and remove any unauthorized or excessive privileges.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to prevent credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor Office 365 management activity logs for suspicious PowerShell activity related to mailbox permission changes (Log Source: \u003ccode\u003eo365_management_activity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and correlate them with other security events to determine the scope and impact of the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-mailbox-permissions/","summary":"Detection of elevated mailbox permissions (FullAccess, ChangePermission, ChangeOwner) being assigned in Office 365, potentially leading to unauthorized access, data exfiltration, or privilege escalation.","title":"O365 Elevated Mailbox Permission Assignment","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-mailbox-permissions/"}],"language":"en","title":"CraftedSignal Threat Feed - Mailbox-Permissions","version":"https://jsonfeed.org/version/1.1"}