Name:O365 Elevated Mailbox Permission Assigned id:2246c142-a678-45f8-8546-aaed7e0efd30 version:4 date:2024-09-30 author:Patrick Bareiss, Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk. Data_source:
search:`o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`
how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives:FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed. References: -https://attack.mitre.org/techniques/T1098/002/ -https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission -https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019 drilldown_searches: name:'View the detection results for - "$dest_user$"' search:'%original_detection_search% | search dest_user = "$dest_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Collection Techniques' asset_type:O365 Tenant confidence:70 impact:60 message:Elevated mailbox permissions were assigned on $dest_user$ mitre_attack_id: - 'T1098' - 'T1098.002' observable: name:'dest_user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Workload' - 'Operation' - 'AccessRights' - 'user' - 'src_user' - 'dest_user' risk_score:42 security_domain:audit
