|
| 1 | +[metadata] |
| 2 | +creation_date = "2021/05/17" |
| 3 | +integration = ["o365"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/05/07" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic", "Austin Songer"] |
| 9 | +description = """ |
| 10 | +Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account |
| 11 | +to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can |
| 12 | +evade spam/phishing detection mechanisms. |
| 13 | +""" |
| 14 | +false_positives = [ |
| 15 | + "Assignment of rights to a service account.", |
| 16 | + "Delegation by first-party applications that require mailbox access." |
| 17 | +] |
| 18 | +index = ["filebeat-*", "logs-o365.audit-*"] |
| 19 | +language = "kuery" |
| 20 | +license = "Elastic License v2" |
| 21 | +name = "Suspicious Mailbox Permission Delegation in Exchange Online" |
| 22 | +note = """## Triage and Analysis |
| 23 | +
|
| 24 | +### Investigating Suspicious Mailbox Permission Delegation in Exchange Online |
| 25 | +
|
| 26 | +This rule detects the delegation of mailbox permissions in Microsoft 365 Exchange. This behavior may indicate that an adversary is attempting to gain access to another user's mailbox or send messages on behalf of that user. |
| 27 | +
|
| 28 | +### Possible Investigation Steps |
| 29 | +- `user.id` and `o365.audit.Parameters.Identity`: Determine which account was delegated access and which account performed the delegation. Review both for unusual activity. |
| 30 | +- `event.action`: Indicates the type of permission granted. Review which delegation action was taken. |
| 31 | +- `o365.audit.Parameters.AccessRights` or `GrantSendOnBehalfTo`: Confirm the exact permission granted. |
| 32 | +- `@timestamp` and `event.ingested`: Review the timing of the delegation and whether it aligns with user activity or known business events. |
| 33 | +- `source.ip` and `source.geo`: Validate that the source IP and location are expected for the admin or account performing the action. |
| 34 | +- `user_agent.original`: If present, review to identify any automation, script, or unexpected interface used to assign the permissions. |
| 35 | +
|
| 36 | +#### FullAccess (`Add-MailboxPermission`) |
| 37 | +- `o365.audit.Parameters.Identity`: The mailbox being accessed. |
| 38 | +- `o365.audit.Parameters.User`: The user granted FullAccess. |
| 39 | +- Review for subsequent mailbox logins or message rules created by the grantee. |
| 40 | +
|
| 41 | +#### SendAs (`Add-RecipientPermission`) |
| 42 | +- `o365.audit.Parameters.Identity`: The account the grantee is allowed to impersonate. |
| 43 | +- `o365.audit.Parameters.Trustee`: The user who was granted the ability to send as the identity. |
| 44 | +- Search for recent messages sent "as" the identity and validate whether the activity was legitimate. |
| 45 | +
|
| 46 | +#### SendOnBehalf (`Set-Mailbox`) |
| 47 | +- `o365.audit.Parameters.GrantSendOnBehalfTo`: The user allowed to send on behalf of the mailbox owner. |
| 48 | +- Check for outbound emails or meeting requests with "on behalf of" headers. |
| 49 | +
|
| 50 | +### False Positive Analysis |
| 51 | +
|
| 52 | +- Delegation to Assistants: Executive or admin assistants often receive FullAccess or SendOnBehalf permissions. |
| 53 | +- Shared Mailboxes: Teams or departments may share access to mailboxes for operational efficiency. |
| 54 | +- Automated Admin Actions: System or service accounts may perform these actions as part of onboarding or automation. |
| 55 | +- Project-Based Access: Temporary access granted for short-term collaboration. |
| 56 | +- Maintain an allowlist of known delegation relationships. |
| 57 | +
|
| 58 | +### Response and Remediation |
| 59 | +
|
| 60 | +If the delegation is determined to be unauthorized or suspicious: |
| 61 | +
|
| 62 | +- Revoke the delegated permissions immediately to prevent further access. |
| 63 | +- Reset credentials for the impacted accounts if compromise is suspected. |
| 64 | +- Review mailbox rules and sent items to detect abuse. |
| 65 | +- Alert impacted users and advise on suspicious activity to watch for. |
| 66 | +- Audit audit logs around the delegation for additional attacker actions (e.g., MFA disablement, mailbox rule creation, login from foreign IPs). |
| 67 | +- Review conditional access, role-based access control, and app permissions to reduce the attack surface. |
| 68 | +- Harden delegation policies by requiring approvals, limiting delegation to specific groups, or implementing Just-in-Time (JIT) access for mailboxes. |
| 69 | +""" |
| 70 | +references = [ |
| 71 | + "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide" |
| 72 | +] |
| 73 | +risk_score = 21 |
| 74 | +rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc" |
| 75 | +severity = "low" |
| 76 | +tags = [ |
| 77 | + "Domain: Cloud", |
| 78 | + "Domain: SaaS", |
| 79 | + "Data Source: Microsoft 365", |
| 80 | + "Data Source: Microsoft Exchange", |
| 81 | + "Data Source: Microsoft 365 Audit Logs", |
| 82 | + "Use Case: Configuration Audit", |
| 83 | + "Tactic: Persistence", |
| 84 | + "Resources: Investigation Guide" |
| 85 | +] |
| 86 | +timestamp_override = "event.ingested" |
| 87 | +type = "new_terms" |
| 88 | + |
| 89 | +query = ''' |
| 90 | +event.dataset: "o365.audit" and |
| 91 | +event.provider: "Exchange" and |
| 92 | +event.outcome: "success" and |
| 93 | +not o365.audit.UserType : (3 or 4) and |
| 94 | +( |
| 95 | + (event.action: "Add-MailboxPermission" and o365.audit.Parameters.AccessRights: "FullAccess") or |
| 96 | + (event.action: "Add-RecipientPermission" and o365.audit.Parameters.AccessRights: "SendAs") or |
| 97 | + (event.action: "Set-Mailbox" and o365.audit.Parameters.GrantSendOnBehalfTo: *) |
| 98 | +) and |
| 99 | +not user.id:( |
| 100 | + "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or |
| 101 | + "NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)" or |
| 102 | + "NT AUTHORITY\SYSTEM (w3wp)" |
| 103 | + ) |
| 104 | +''' |
| 105 | + |
| 106 | +[rule.investigation_fields] |
| 107 | +field_names = [ |
| 108 | + "@timestamp", |
| 109 | + "o365.audit.ObjectId", |
| 110 | + "o365.audit.Parameters.Identity", |
| 111 | + "user.id", |
| 112 | + "source.ip", |
| 113 | + "user_agent.original", |
| 114 | + "event.action", |
| 115 | +] |
| 116 | + |
| 117 | +[[rule.threat]] |
| 118 | +framework = "MITRE ATT&CK" |
| 119 | +[[rule.threat.technique]] |
| 120 | +id = "T1098" |
| 121 | +name = "Account Manipulation" |
| 122 | +reference = "https://attack.mitre.org/techniques/T1098/" |
| 123 | +[[rule.threat.technique.subtechnique]] |
| 124 | +id = "T1098.002" |
| 125 | +name = "Additional Email Delegate Permissions" |
| 126 | +reference = "https://attack.mitre.org/techniques/T1098/002/" |
| 127 | + |
| 128 | + |
| 129 | + |
| 130 | +[rule.threat.tactic] |
| 131 | +id = "TA0003" |
| 132 | +name = "Persistence" |
| 133 | +reference = "https://attack.mitre.org/tactics/TA0003/" |
| 134 | + |
| 135 | +[rule.new_terms] |
| 136 | +field = "new_terms_fields" |
| 137 | +value = ["o365.audit.UserId"] |
| 138 | +[[rule.new_terms.history_window_start]] |
| 139 | +field = "history_window_start" |
| 140 | +value = "now-14d" |
0 commit comments