<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mailbox-Permissions - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/mailbox-permissions/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/mailbox-permissions/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Elevated Mailbox Permission Assignment</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-mailbox-permissions/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-mailbox-permissions/</guid><description>Detection of elevated mailbox permissions (FullAccess, ChangePermission, ChangeOwner) being assigned in Office 365, potentially leading to unauthorized access, data exfiltration, or privilege escalation.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk of unauthorized mailbox permission assignments within Office 365 environments. The primary focus is on detecting the <code>Add-MailboxPermission</code> operation with elevated access rights such as <code>FullAccess</code>, <code>ChangePermission</code>, or <code>ChangeOwner</code>. These permissions, if maliciously granted, can provide attackers with the ability to read sensitive emails, modify mailbox settings, and potentially escalate privileges within the organization. The detection strategy centers on analyzing Office 365 management activity logs. Successfully exploiting this attack vector may give external threat actors or malicious insiders persistent access to sensitive data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a compromised account or uses stolen credentials with sufficient privileges to modify mailbox permissions.</li>
<li>The attacker leverages PowerShell or the Exchange Management Shell to execute the <code>Add-MailboxPermission</code> cmdlet.</li>
<li>The attacker assigns elevated permissions (e.g., <code>FullAccess</code>, <code>ChangePermission</code>, <code>ChangeOwner</code>) to a target mailbox.</li>
<li>The attacker may hide their activity by modifying audit settings or deleting relevant logs, if possible.</li>
<li>The attacker accesses the target mailbox using the newly assigned permissions.</li>
<li>The attacker exfiltrates sensitive data from the mailbox, including emails, contacts, and calendar entries.</li>
<li>The attacker may use the compromised mailbox to send phishing emails or further compromise other accounts within the organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of elevated mailbox permission assignments can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain access to confidential business communications, intellectual property, and sensitive customer data. The number of affected mailboxes and the extent of the damage depend on the scope of the unauthorized permission assignments. The targets are organizations that rely heavily on Microsoft Office 365 for communication and collaboration. If successful, attackers can maintain persistent access to mailboxes and escalate privileges within the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>O365 Elevated Mailbox Permission Assigned</code> to your SIEM to detect the assignment of FullAccess, ChangePermission, or ChangeOwner permissions (Rule: <code>O365 Elevated Mailbox Permission Assigned</code>).</li>
<li>Review and audit existing mailbox permissions regularly to identify and remove any unauthorized or excessive privileges.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts to prevent credential compromise.</li>
<li>Monitor Office 365 management activity logs for suspicious PowerShell activity related to mailbox permission changes (Log Source: <code>o365_management_activity</code>).</li>
<li>Investigate any alerts generated by the Sigma rule and correlate them with other security events to determine the scope and impact of the attack.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>o365</category><category>mailbox-permissions</category><category>privilege-escalation</category></item></channel></rss>