T1098.002 Elastic Security · Elastic

Detect Additional Email Delegate Permissions in Elastic Security

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. Using cmdlets like Add-MailboxPermission in Exchange/Office 365, or assigning folder-level permissions, attackers can ensure continued access to target mailboxes. This technique is commonly used in BEC incidents and persistent threat campaigns (APT28, APT29, Magic Hound) to maintain covert email access, enable internal spearphishing, and evade detection by reading communications without triggering login alerts.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1098 Account Manipulation
Sub-technique
T1098.002 Additional Email Delegate Permissions
Canonical reference
https://attack.mitre.org/techniques/T1098/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.dataset == "o365.audit" and
    event.action in (
      "Add-MailboxPermission",
      "Add-MailboxFolderPermission",
      "Set-MailboxFolderPermission",
      "Add-RecipientPermission",
      "Set-Mailbox",
      "New-ManagementRoleAssignment"
    ) and (
      o365.audit.Parameters : "*FullAccess*" or
      o365.audit.Parameters : "*SendAs*" or
      o365.audit.Parameters : "*SendOnBehalf*" or
      o365.audit.Parameters : "*ApplicationImpersonation*" or
      o365.audit.Parameters : "*ChangePermission*" or
      o365.audit.Parameters : "*ChangeOwner*"
    )
  ) or
  (
    event.dataset == "azure.auditlogs" and
    event.action in (
      "Add app role assignment to service principal",
      "Add delegated permission grant",
      "Add member to role",
      "Update application"
    ) and (
      azure.auditlogs.properties.target_resources.0.modified_properties.new_value : "*ApplicationImpersonation*" or
      azure.auditlogs.properties.target_resources.0.modified_properties.new_value : "*Exchange.ManageAsApp*"
    )
  )
high severity high confidence

Detects Exchange mailbox permission grants (FullAccess, SendAs, SendOnBehalf, ApplicationImpersonation) via O365 Exchange Admin audit events and Azure AD ApplicationImpersonation role assignments via Azure Audit Logs. Covers both branches of the KQL detection: OfficeActivity cmdlet operations with suspicious access rights, and AAD-level role assignment events for Exchange impersonation.

Data Sources

Microsoft Office 365 (Elastic Agent filebeat o365 module)Microsoft Azure Active Directory (Elastic Agent filebeat azure module)

Required Tables

o365.auditazure.auditlogs

False Positives & Tuning

  • IT helpdesk legitimately granting FullAccess to shared team or department mailboxes during provisioning workflows
  • Email compliance and archiving platforms (Mimecast, Proofpoint, Barracuda) configured with ApplicationImpersonation service accounts for mail flow
  • Exchange Online hybrid migration tooling or Microsoft 365 admin scripts that temporarily assign full mailbox access during tenant consolidation or onboarding
Download portable Sigma rule (.yml)

Other platforms for T1098.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Grant FullAccess Mailbox Permission via PowerShell

    Expected signal: Office 365 Unified Audit Log: Operation='Add-MailboxPermission', RecordType='ExchangeAdmin', UserId=<admin UPN>, [email protected], Parameters containing 'FullAccess' and '[email protected]'. PowerShell Event ID 4104 (ScriptBlock) if logging is enabled on the workstation running the cmdlet.

  2. Test 2Grant ApplicationImpersonation Role for Tenant-Wide Mailbox Access

    Expected signal: Office 365 Unified Audit Log: Operation='New-ManagementRoleAssignment', RecordType='ExchangeAdmin', Parameters containing 'ApplicationImpersonation' and '[email protected]'. Azure AD Audit Logs may also show a role assignment event. PowerShell ScriptBlock Log (Event ID 4104) captures the New-ManagementRoleAssignment cmdlet with parameters.

  3. Test 3Set Default User Reviewer Permission on Mailbox Inbox Folder

    Expected signal: Office 365 Unified Audit Log: Operation='Set-MailboxFolderPermission' and 'Add-MailboxFolderPermission', Parameters containing 'Default' and 'Reviewer'. Two separate audit events expected — one for Inbox and one for root folder. RecordType='ExchangeAdmin'.

  4. Test 4Grant SendAs Permission to Attacker Account for BEC

    Expected signal: Office 365 Unified Audit Log: Operation='Add-RecipientPermission', RecordType='ExchangeAdmin', [email protected], Parameters containing 'SendAs' and '[email protected]'. ClientIP of the admin session performing the grant.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1098.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1098Account Manipulation

Related Sub-techniques

T1098.001Additional Cloud CredentialsT1098.003Additional Cloud RolesT1098.004SSH Authorized KeysT1098.005Device RegistrationT1098.006Additional Container Cluster RolesT1098.007Additional Local or Domain Groups

Related Techniques

T1098Account ManipulationT1098.003Additional Cloud RolesT1114.002Remote Email CollectionT1534Internal SpearphishingT1078.004Cloud AccountsT1136.003Cloud AccountT1550.001Application Access TokenT1059.001PowerShellT1087.003Email Account

Same Tactic: Persistence

Popular Detections