Exchange mailbox folder permission modification

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Email Delegate Permissions (T1098.002)

Severity

Informational

Description

A user modified permissions to an Exchange mailbox folder.

Attacker's Goals

An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Investigate the IP address associated with the activity.
  • Follow further actions done by the account.
  • Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).
  • Check for abnormal Azure AD non-interactive logins by the user.
  • Monitor for changes that may indicate excessively broad permissions.

Variations

Exchange mailbox folder permission modification for a default user

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Email Delegate Permissions (T1098.002)

Severity

Low

Description

A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user.

Attacker's Goals

An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Investigate the IP address associated with the activity.
  • Follow further actions done by the account.
  • Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).
  • Check for abnormal Azure AD non-interactive logins by the user.
  • Monitor for changes that may indicate excessively broad permissions.