Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Account Manipulation: Additional Email Delegate Permissions (T1098.002) |
| Severity | Informational |
Description
A user modified permissions to an Exchange mailbox folder.
Attacker's Goals
An attacker may add permissions to a mailbox folder to establish persistence. For instance, an attacker may assign permissions to the Default or Anonymous user. This allows them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.
Investigative actions
- Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
- Investigate the IP address associated with the activity.
- Review subsequent actions performed by the account.
- Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).
- Check for abnormal Azure AD non-interactive logins by the user.
- Monitor for changes that may indicate excessively broad permissions.
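
To support the last investigative action, the following added example (not part of the original detector documentation or the vendor's logic) scans exported audit records for folder permission changes that grant rights to the Default or Anonymous user, the case described under Attacker's Goals. The record layout, the sample records and the set of rights treated as low risk are assumptions.

```python
import json

# Constructed sample records, not real tenant data. The layout (an "Operation"
# plus a "Parameters" list of Name/Value pairs) is an assumption modelled on
# cmdlet-style Exchange audit records; map the field names to your own export.
SAMPLE_LOG = r"""
{"UserId":"alice@example.com","ClientIP":"203.0.113.10","Operation":"Set-MailboxFolderPermission","Parameters":[{"Name":"Identity","Value":"alice@example.com:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"UserId":"bob@example.com","ClientIP":"198.51.100.7","Operation":"Add-MailboxFolderPermission","Parameters":[{"Name":"Identity","Value":"bob@example.com:\\Calendar"},{"Name":"User","Value":"carol@example.com"},{"Name":"AccessRights","Value":"Editor"}]}
{"UserId":"dave@example.com","ClientIP":"203.0.113.44","Operation":"Add-MailboxFolderPermission","Parameters":[{"Name":"Identity","Value":"dave@example.com:\\Inbox"},{"Name":"User","Value":"Anonymous"},{"Name":"AccessRights","Value":"ReadItems, FolderVisible"}]}
{"UserId":"erin@example.com","ClientIP":"198.51.100.9","Operation":"Set-MailboxFolderPermission","Parameters":[{"Name":"Identity","Value":"erin@example.com:\\Calendar"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"AvailabilityOnly"}]}
{"UserId":"erin@example.com","ClientIP":"198.51.100.9","Operation":"New-InboxRule","Parameters":[]}
this line is truncated {"UserId":
"""

WATCHED_OPS = {"add-mailboxfolderpermission", "set-mailboxfolderpermission"}
BROAD_PRINCIPALS = {"default", "anonymous"}
# Assumption: free/busy-only calendar rights are treated as low risk here.
LOW_RISK_RIGHTS = {"none", "availabilityonly", "limiteddetails"}


def broad_folder_grants(log_text):
    """Return permission changes that give Default/Anonymous more than low-risk rights."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed export line
        if not isinstance(rec, dict):
            continue
        if str(rec.get("Operation", "")).lower() not in WATCHED_OPS:
            continue
        params = {str(p.get("Name", "")).lower(): str(p.get("Value", ""))
                  for p in rec.get("Parameters", []) if isinstance(p, dict)}
        principal = params.get("user", "").strip().lower()
        rights = {r.strip().lower() for r in params.get("accessrights", "").split(",")}
        risky = sorted(rights - LOW_RISK_RIGHTS - {""})
        if principal in BROAD_PRINCIPALS and risky:
            findings.append({"actor": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "folder": params.get("identity"),
                             "granted_to": principal, "rights": risky})
    return findings


if __name__ == "__main__":
    for hit in broad_folder_grants(SAMPLE_LOG):
        print(hit)
```

Grants to a named delegate, such as the second sample record, are not flagged by this check and still need the account-level review listed above.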