T1098.002 Additional Email Delegate Permissions Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1098.002 — Additional Email Delegate Permissions
// Detects mailbox permission grants, folder permission changes, and ApplicationImpersonation role assignments
// Sources: OfficeActivity (Unified Audit Log) and AuditLogs (AAD)
let SuspiciousMailboxOps = dynamic([
  "Add-MailboxPermission",
  "Add-MailboxFolderPermission",
  "Set-MailboxFolderPermission",
  "Add-RecipientPermission",
  "Set-Mailbox",
  "New-ManagementRoleAssignment"
]);
let SuspiciousAccessRights = dynamic([
  "FullAccess",
  "SendAs",
  "SendOnBehalf",
  "ApplicationImpersonation",
  "ChangePermission",
  "ChangeOwner"
]);
let SuspiciousFolderPerms = dynamic([
  "Owner",
  "PublishingEditor",
  "Editor",
  "Reviewer"
]);
// Branch 1: OfficeActivity — Exchange Admin Audit Log and Mailbox Audit
let OfficeActivityAlerts = OfficeActivity
| where TimeGenerated > ago(24h)
| where RecordType in ("ExchangeAdmin", "ExchangeItemGroup", "ExchangeItem")
| where Operation has_any (SuspiciousMailboxOps)
| extend Parameters_s = tostring(Parameters)
| extend TargetUser = coalesce(
    tostring(parse_json(Parameters_s)[0].Value),
    UserId
  )
| extend AccessRights = extract(@'AccessRights[^\]]*\[([^\]]+)\]|AccessRights":\s*"([^"]+)"', 1, Parameters_s)
| extend GrantedTo = extract(@'User":\s*"([^"]+)"', 1, Parameters_s)
| extend IsSuspiciousRight = AccessRights has_any (SuspiciousAccessRights) or Parameters_s has_any (SuspiciousAccessRights)
| extend IsFolderPermChange = Operation in ("Add-MailboxFolderPermission", "Set-MailboxFolderPermission")
| extend IsDefaultAnonymous = Parameters_s has "Default" or Parameters_s has "Anonymous"
| project
    TimeGenerated,
    Operation,
    UserId,
    TargetUser,
    GrantedTo,
    AccessRights,
    IsSuspiciousRight,
    IsFolderPermChange,
    IsDefaultAnonymous,
    ClientIP,
    Parameters_s,
    RecordType,
    OfficeObjectId
| extend AlertSource = "OfficeActivity";
// Branch 2: AuditLogs — Azure AD role assignments (ApplicationImpersonation)
let AADAuditAlerts = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("Add app role assignment to service principal", "Add delegated permission grant", "Add member to role", "Update application")
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend ModifiedProps = tostring(TargetResources[0].modifiedProperties)
| extend IsImpersonation = ModifiedProps has "ApplicationImpersonation" or ModifiedProps has "Exchange.ManageAsApp"
| where IsImpersonation
| project
    TimeGenerated,
    OperationName,
    InitiatedByUser,
    InitiatedByApp,
    TargetResource,
    ModifiedProps,
    IsImpersonation,
    CorrelationId,
    Result
| extend AlertSource = "AuditLogs";
// Combine results
OfficeActivityAlerts
| union (AADAuditAlerts
  | project TimeGenerated,
    Operation = OperationName,
    UserId = InitiatedByUser,
    TargetUser = TargetResource,
    GrantedTo = "",
    AccessRights = "ApplicationImpersonation",
    IsSuspiciousRight = true,
    IsFolderPermChange = false,
    IsDefaultAnonymous = false,
    ClientIP = "",
    Parameters_s = ModifiedProps,
    RecordType = "AADAudit",
    OfficeObjectId = "",
    AlertSource
  )
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Office 365 Unified Audit Log Azure Active Directory Audit Logs Exchange Admin Audit Log

Required Tables

OfficeActivity AuditLogs

False Positives

Legitimate IT helpdesk or mail administrators adding shared mailbox permissions for business continuity (e.g., shared support mailboxes, executive assistants)
Automated provisioning systems (ServiceNow, Azure AD connectors) that programmatically grant SendAs or FullAccess to distribution groups
Office 365 migration tools (Exchange Hybrid, third-party tools) that assign ApplicationImpersonation during mailbox migrations
Legitimate delegation by end users granting calendar or inbox access to assistants via Outlook settings
Security monitoring tools or compliance archiving solutions that require FullAccess or ApplicationImpersonation to index mailbox content

Splunk

spl

index=o365 sourcetype="o365:management:activity"
  (Operation="Add-MailboxPermission"
   OR Operation="Add-MailboxFolderPermission"
   OR Operation="Set-MailboxFolderPermission"
   OR Operation="Add-RecipientPermission"
   OR Operation="New-ManagementRoleAssignment"
   OR Operation="Set-Mailbox")
| eval Parameters=coalesce('Parameters', "[]")
| eval AccessRights=if(
    match(Parameters, "(?i)(FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner)"),
    replace(replace(Parameters, ".*AccessRights.*?([A-Za-z]+).*", "\1"), "[\[\]]", ""),
    "Other"
  )
| eval IsSuspiciousRight=if(
    match(Parameters, "(?i)(FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner)"),
    1, 0
  )
| eval IsDefaultAnonymous=if(
    match(Parameters, "(?i)(\"Default\"|\"Anonymous\")"),
    1, 0
  )
| eval IsFolderPermChange=if(
    match(Operation, "(?i)(MailboxFolderPermission)"),
    1, 0
  )
| eval GrantedTo=coalesce(
    mvindex(spath(Parameters, "{}.Value"), 1),
    "unknown"
  )
| eval RiskScore=IsSuspiciousRight + IsDefaultAnonymous + IsFolderPermChange
| eval RiskLevel=case(
    RiskScore >= 2, "HIGH",
    RiskScore = 1, "MEDIUM",
    true(), "LOW"
  )
| table _time, UserId, Operation, GrantedTo, AccessRights, IsSuspiciousRight, IsDefaultAnonymous, IsFolderPermChange, RiskScore, RiskLevel, ClientIP, Parameters
| sort - _time

high severity high confidence

Data Sources

Office 365 Management Activity API Exchange Admin Audit Log

Required Sourcetypes

o365:management:activity

False Positives

Legitimate IT helpdesk or mail administrators adding shared mailbox permissions for business continuity
Automated provisioning systems that programmatically grant SendAs or FullAccess to distribution groups
Office 365 migration tools requiring ApplicationImpersonation during mailbox migrations
Legitimate end-user delegation via Outlook for calendar/inbox sharing with assistants
Security monitoring or compliance archiving solutions requiring FullAccess to index mailbox content

Elastic Security (EQL)

eql

any where
  (
    event.dataset == "o365.audit" and
    event.action in (
      "Add-MailboxPermission",
      "Add-MailboxFolderPermission",
      "Set-MailboxFolderPermission",
      "Add-RecipientPermission",
      "Set-Mailbox",
      "New-ManagementRoleAssignment"
    ) and (
      o365.audit.Parameters : "*FullAccess*" or
      o365.audit.Parameters : "*SendAs*" or
      o365.audit.Parameters : "*SendOnBehalf*" or
      o365.audit.Parameters : "*ApplicationImpersonation*" or
      o365.audit.Parameters : "*ChangePermission*" or
      o365.audit.Parameters : "*ChangeOwner*"
    )
  ) or
  (
    event.dataset == "azure.auditlogs" and
    event.action in (
      "Add app role assignment to service principal",
      "Add delegated permission grant",
      "Add member to role",
      "Update application"
    ) and (
      azure.auditlogs.properties.target_resources.0.modified_properties.new_value : "*ApplicationImpersonation*" or
      azure.auditlogs.properties.target_resources.0.modified_properties.new_value : "*Exchange.ManageAsApp*"
    )
  )

high severity high confidence

Data Sources

Microsoft Office 365 (Elastic Agent filebeat o365 module) Microsoft Azure Active Directory (Elastic Agent filebeat azure module)

Required Tables

o365.audit azure.auditlogs

False Positives

IT helpdesk legitimately granting FullAccess to shared team or department mailboxes during provisioning workflows
Email compliance and archiving platforms (Mimecast, Proofpoint, Barracuda) configured with ApplicationImpersonation service accounts for mail flow
Exchange Online hybrid migration tooling or Microsoft 365 admin scripts that temporarily assign full mailbox access during tenant consolidation or onboarding

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  username AS "Initiated By",
  "EventID" AS "Operation",
  sourceip AS "Client IP",
  CATEGORYNAME(category) AS "Category",
  QIDNAME(qid) AS "Event Name",
  LOGSOURCETYPENAME(devicetype) AS "Log Source Type",
  utf8(payload) AS "Raw Event"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
  'Microsoft Office 365',
  'Microsoft Azure Active Directory'
)
  AND LAST 1 DAYS
  AND (
    "EventID" ILIKE 'Add-MailboxPermission' OR
    "EventID" ILIKE 'Add-MailboxFolderPermission' OR
    "EventID" ILIKE 'Set-MailboxFolderPermission' OR
    "EventID" ILIKE 'Add-RecipientPermission' OR
    "EventID" ILIKE 'Set-Mailbox' OR
    "EventID" ILIKE 'New-ManagementRoleAssignment' OR
    "EventID" ILIKE 'Add app role assignment to service principal' OR
    "EventID" ILIKE 'Add delegated permission grant' OR
    "EventID" ILIKE 'Add member to role'
  )
  AND (
    utf8(payload) ILIKE '%FullAccess%' OR
    utf8(payload) ILIKE '%SendAs%' OR
    utf8(payload) ILIKE '%SendOnBehalf%' OR
    utf8(payload) ILIKE '%ApplicationImpersonation%' OR
    utf8(payload) ILIKE '%ChangePermission%' OR
    utf8(payload) ILIKE '%ChangeOwner%' OR
    utf8(payload) ILIKE '%Exchange.ManageAsApp%' OR
    "EventID" ILIKE 'New-ManagementRoleAssignment'
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Office 365 QRadar log source (DSM) Microsoft Azure Active Directory QRadar log source (DSM)

Required Tables

events

False Positives

Administrators legitimately delegating SendAs or SendOnBehalf permissions to executive assistants for standard business operations
Microsoft 365 service accounts used by third-party compliance tools (e.g., Mimecast Cloud Archive) that require ApplicationImpersonation to access all mailboxes
IT automation scripts during offboarding that transfer FullAccess of departing employee mailboxes to their managers

Sumo Logic CSE

sql

(_sourceCategory=*o365* OR _sourceCategory=*office365* OR _sourceCategory=*azure/audit*)
| json field=_raw "Operation" as operation nodrop
| json field=_raw "UserId" as user_id nodrop
| json field=_raw "ClientIP" as client_ip nodrop
| json field=_raw "Parameters" as parameters nodrop
| json field=_raw "RecordType" as record_type nodrop
| where operation in (
    "Add-MailboxPermission",
    "Add-MailboxFolderPermission",
    "Set-MailboxFolderPermission",
    "Add-RecipientPermission",
    "Set-Mailbox",
    "New-ManagementRoleAssignment"
  )
  OR (operation in (
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Add member to role"
  ) and (parameters matches "(?i)(ApplicationImpersonation|Exchange\.ManageAsApp)"))
| where parameters matches "(?i)(FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner)" or operation = "New-ManagementRoleAssignment"
| if(parameters matches "(?i)ApplicationImpersonation", 1, 0) as is_impersonation
| if(parameters matches "(?i)(FullAccess|SendAs|SendOnBehalf)", 1, 0) as is_high_risk_right
| if(parameters matches "(?i)(\"Default\"|\"Anonymous\")", 1, 0) as is_default_anon
| if(operation matches "(?i)MailboxFolderPermission", 1, 0) as is_folder_perm
| (is_impersonation + is_high_risk_right + is_default_anon) as risk_score
| if(risk_score >= 2, "HIGH", if(risk_score = 1, "MEDIUM", "LOW")) as risk_level
| fields _messageTime, user_id, operation, client_ip, parameters, is_impersonation, is_high_risk_right, is_default_anon, is_folder_perm, risk_score, risk_level
| sort by _messageTime desc

high severity high confidence

Data Sources

Office 365 Audit Log (Sumo Logic O365 HTTP source or Collector) Azure Active Directory Audit Logs (Sumo Logic Azure AD source)

Required Tables

Sumo Logic O365 source (_sourceCategory=*o365*) Sumo Logic Azure AD source (_sourceCategory=*azure/audit*)

False Positives

Automated Microsoft 365 provisioning tools that configure delegate access for executive/EA mailbox pairs during onboarding
Email archiving and compliance solutions (Mimecast, Barracuda, AvePoint) with pre-approved ApplicationImpersonation service accounts
Helpdesk bulk operations assigning FullAccess to shared mailboxes during department restructuring or employee offboarding

Google Chronicle / SecOps

yaral

rule t1098_002_additional_email_delegate_permissions {
  meta:
    author = "Detection Engineering"
    description = "Detects Exchange mailbox permission grants and Azure AD ApplicationImpersonation role assignments used for persistent email access - T1098.002 Additional Email Delegate Permissions"
    severity = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/002/"
    threat_actors = "APT28, APT29, Magic Hound"

  events:
    $e.metadata.product_name = /Microsoft Office 365|Microsoft Azure Active Directory/ nocase
    $e.metadata.product_event_type = /Add-MailboxPermission|Add-MailboxFolderPermission|Set-MailboxFolderPermission|Add-RecipientPermission|Set-Mailbox|New-ManagementRoleAssignment|Add app role assignment|Add delegated permission grant|Add member to role/ nocase
    (
      $e.security_result.description = /FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner|Exchange\.ManageAsApp/ nocase
      or $e.metadata.product_event_type = /New-ManagementRoleAssignment/ nocase
    )
    $e.principal.user.userid = $initiating_user

  condition:
    $e
}

high severity high confidence

Data Sources

Microsoft Office 365 (Chronicle O365 log ingestion, normalized to UDM) Microsoft Azure Active Directory (Chronicle Azure AD log ingestion, normalized to UDM)

Required Tables

UDM events from Office 365 and Azure Active Directory Chronicle log sources

False Positives

Third-party email security or archiving platforms (Mimecast, Proofpoint) with ApplicationImpersonation service accounts required for mail inspection and journaling
IT administrators adding executive assistants with FullAccess or SendOnBehalf to executive mailboxes as a documented business process
Microsoft 365 group and shared mailbox provisioning workflows that automatically assign delegate permissions via automation accounts

CrowdStrike LogScale (CQL)

cql

// T1098.002 — Additional Email Delegate Permissions
// Requires CrowdStrike Falcon with O365 Audit Log integration in LogScale
#repo = "o365" OR #source = "o365_audit"
| Operation in ("Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-MailboxFolderPermission", "Add-RecipientPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
| Parameters = /(?i)FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner/ OR Operation = "New-ManagementRoleAssignment"
| eval(is_impersonation := Parameters = /(?i)ApplicationImpersonation/)
| eval(is_high_risk := Parameters = /(?i)FullAccess|SendAs|SendOnBehalf/)
| eval(is_default_anon := Parameters = /(?i)\"Default\"|\"Anonymous\"/)
| eval(is_folder_perm := Operation = /(?i)MailboxFolderPermission/)
| eval(risk_score := case(
    Parameters = /(?i)ApplicationImpersonation/, 3,
    Parameters = /(?i)FullAccess|SendAs/, 2,
    true(), 1
  ))
| eval(risk_level := case(
    risk_score >= 3, "CRITICAL",
    risk_score = 2, "HIGH",
    true(), "MEDIUM"
  ))
| table([timestamp, UserId, Operation, ClientIP, Parameters, is_impersonation, is_high_risk, is_default_anon, is_folder_perm, risk_score, risk_level])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon O365 Audit Log Integration (LogScale o365 repository) Humio/LogScale O365 ingest pipeline (if self-managed)

Required Tables

o365 repository or o365_audit source in CrowdStrike LogScale

False Positives

Email compliance platforms (Mimecast Cloud Archive, Barracuda Cloud Archiving) with pre-approved ApplicationImpersonation service accounts registered in Exchange
IT teams bulk-assigning FullAccess to shared department mailboxes during organisational restructuring or employee transitions
Automated Microsoft 365 provisioning scripts that configure EA-to-executive mailbox delegate pairs as part of standard onboarding runbooks

Additional Email Delegate Permissions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections