Detect Additional Email Delegate Permissions in Google Chronicle
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. Using cmdlets like Add-MailboxPermission in Exchange/Office 365, or assigning folder-level permissions, attackers can ensure continued access to target mailboxes. This technique is commonly used in BEC incidents and persistent threat campaigns (APT28, APT29, Magic Hound) to maintain covert email access, enable internal spearphishing, and evade detection by reading communications without triggering login alerts.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.002 Additional Email Delegate Permissions
- Canonical reference
- https://attack.mitre.org/techniques/T1098/002/
YARA-L Detection Query
rule t1098_002_additional_email_delegate_permissions {
meta:
author = "Detection Engineering"
description = "Detects Exchange mailbox permission grants and Azure AD ApplicationImpersonation role assignments used for persistent email access - T1098.002 Additional Email Delegate Permissions"
severity = "HIGH"
mitre_attack_tactic = "Persistence"
mitre_attack_technique = "T1098.002"
mitre_attack_url = "https://attack.mitre.org/techniques/T1098/002/"
threat_actors = "APT28, APT29, Magic Hound"
events:
$e.metadata.product_name = /Microsoft Office 365|Microsoft Azure Active Directory/ nocase
$e.metadata.product_event_type = /Add-MailboxPermission|Add-MailboxFolderPermission|Set-MailboxFolderPermission|Add-RecipientPermission|Set-Mailbox|New-ManagementRoleAssignment|Add app role assignment|Add delegated permission grant|Add member to role/ nocase
(
$e.security_result.description = /FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner|Exchange\.ManageAsApp/ nocase
or $e.metadata.product_event_type = /New-ManagementRoleAssignment/ nocase
)
$e.principal.user.userid = $initiating_user
condition:
$e
}Chronicle YARA-L 2.0 rule detecting Exchange mailbox permission grants and Azure AD ApplicationImpersonation assignments across both Office 365 and Azure Active Directory UDM events. Matches on product_event_type for the Exchange Admin cmdlet or AAD delegation operation, then requires a suspicious access right in the security_result description. The New-ManagementRoleAssignment operation is treated as inherently suspicious and fires without an additional access rights check. Associated threat actors: APT28, APT29, Magic Hound.
Data Sources
Required Tables
False Positives & Tuning
- Third-party email security or archiving platforms (Mimecast, Proofpoint) with ApplicationImpersonation service accounts required for mail inspection and journaling
- IT administrators adding executive assistants with FullAccess or SendOnBehalf to executive mailboxes as a documented business process
- Microsoft 365 group and shared mailbox provisioning workflows that automatically assign delegate permissions via automation accounts
Other platforms for T1098.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Grant FullAccess Mailbox Permission via PowerShell
Expected signal: Office 365 Unified Audit Log: Operation='Add-MailboxPermission', RecordType='ExchangeAdmin', UserId=<admin UPN>, [email protected], Parameters containing 'FullAccess' and '[email protected]'. PowerShell Event ID 4104 (ScriptBlock) if logging is enabled on the workstation running the cmdlet.
- Test 2Grant ApplicationImpersonation Role for Tenant-Wide Mailbox Access
Expected signal: Office 365 Unified Audit Log: Operation='New-ManagementRoleAssignment', RecordType='ExchangeAdmin', Parameters containing 'ApplicationImpersonation' and '[email protected]'. Azure AD Audit Logs may also show a role assignment event. PowerShell ScriptBlock Log (Event ID 4104) captures the New-ManagementRoleAssignment cmdlet with parameters.
- Test 3Set Default User Reviewer Permission on Mailbox Inbox Folder
Expected signal: Office 365 Unified Audit Log: Operation='Set-MailboxFolderPermission' and 'Add-MailboxFolderPermission', Parameters containing 'Default' and 'Reviewer'. Two separate audit events expected — one for Inbox and one for root folder. RecordType='ExchangeAdmin'.
- Test 4Grant SendAs Permission to Attacker Account for BEC
Expected signal: Office 365 Unified Audit Log: Operation='Add-RecipientPermission', RecordType='ExchangeAdmin', [email protected], Parameters containing 'SendAs' and '[email protected]'. ClientIP of the admin session performing the grant.
References (10)
- https://attack.mitre.org/techniques/T1098/002/
- https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission
- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
- https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
- https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf
- https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511
- https://support.google.com/a/answer/7223765?hl=en
- https://learn.microsoft.com/en-us/microsoft-365/compliance/mailbox-audit-logging
- https://learn.microsoft.com/en-us/exchange/permissions/role-assignments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md
Unlock Pro Content
Get the full detection package for T1098.002 including response playbook, investigation guide, and atomic red team tests.