T1098.002 CrowdStrike LogScale · LogScale

Detect Additional Email Delegate Permissions in CrowdStrike LogScale

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. Using cmdlets like Add-MailboxPermission in Exchange/Office 365, or assigning folder-level permissions, attackers can ensure continued access to target mailboxes. This technique is commonly used in BEC incidents and persistent threat campaigns (APT28, APT29, Magic Hound) to maintain covert email access, enable internal spearphishing, and evade detection by reading communications without triggering login alerts.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation
Technique: T1098 Account Manipulation
Sub-technique: T1098.002 Additional Email Delegate Permissions
Canonical reference: https://attack.mitre.org/techniques/T1098/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale), CQL:
// T1098.002 — Additional Email Delegate Permissions
// Requires CrowdStrike Falcon with O365 Audit Log integration in LogScale
#repo="o365" OR #source="o365_audit"
// Exchange admin cmdlets that grant delegate rights or impersonation roles
| in(field="Operation", values=["Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-MailboxFolderPermission", "Add-RecipientPermission", "Set-Mailbox", "New-ManagementRoleAssignment"])
// Keep grants of delegate rights, any role assignment, and Default/Anonymous folder-scope grants
| Parameters=/(?i)FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner|"Default"|"Anonymous"/ OR Operation="New-ManagementRoleAssignment"
// Boolean triage flags
| is_impersonation := if(Parameters=/(?i)ApplicationImpersonation/, then="true", else="false")
| is_high_risk := if(Parameters=/(?i)FullAccess|SendAs|SendOnBehalf/, then="true", else="false")
| is_default_anon := if(Parameters=/(?i)"Default"|"Anonymous"/, then="true", else="false")
| is_folder_perm := if(Operation=/(?i)MailboxFolderPermission/, then="true", else="false")
// Risk score: impersonation 3, FullAccess/SendAs 2, everything else 1
| case {
    Parameters=/(?i)ApplicationImpersonation/ | risk_score := 3;
    Parameters=/(?i)FullAccess|SendAs/ | risk_score := 2;
    * | risk_score := 1
  }
| case {
    risk_score >= 3 | risk_level := "CRITICAL";
    risk_score = 2 | risk_level := "HIGH";
    * | risk_level := "MEDIUM"
  }
| table([timestamp, UserId, Operation, ClientIP, Parameters, is_impersonation, is_high_risk, is_default_anon, is_folder_perm, risk_score, risk_level])
| sort(timestamp, order=desc)
Severity: high. Confidence: medium.

CrowdStrike LogScale (Humio CQL) query that detects Exchange mailbox permission grants via the Falcon O365 Audit Log integration. It assigns a risk score to each event: ApplicationImpersonation scores 3 (CRITICAL), FullAccess or SendAs scores 2 (HIGH), and every other suspicious right scores 1 (MEDIUM). It also computes boolean indicators for impersonation, high-risk rights, Default/Anonymous scope, and folder-level permission changes to aid triage. The scoring mirrors the reference SPL query.
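To check the scoring logic offline, here is an added Python example (not part of the original page or the vendor's content) that applies the query's operation filter, rights filter, triage flags and risk levels to a few constructed ExchangeAdmin audit records; the field names UserId, Operation, ClientIP and Parameters follow the Unified Audit Log schema, the sample values are made up, and the filter also admits Default/Anonymous folder-scope grants so that the is_default_anon flag can fire on a Test 3 style event.

```python
"""Apply the LogScale query's filters and risk scoring to O365 Unified Audit Log records."""
import json
import re

WATCHED_OPS = {"Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-MailboxFolderPermission",
               "Add-RecipientPermission", "Set-Mailbox", "New-ManagementRoleAssignment"}
# Same rights list as the CQL filter, plus Default/Anonymous folder-scope grants
FILTER_RE = re.compile(r'FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation'
                       r'|ChangePermission|ChangeOwner|"Default"|"Anonymous"', re.I)
LEVELS = {3: "CRITICAL", 2: "HIGH", 1: "MEDIUM"}

def score_event(record):
    """Return the enriched event, or None when the record does not pass the filters."""
    op = record.get("Operation", "")
    if op not in WATCHED_OPS:
        return None
    # ExchangeAdmin records carry cmdlet parameters as a list of {Name, Value};
    # serialise them so the same regexes as the query run over the whole list
    params = json.dumps(record.get("Parameters", []))
    if op != "New-ManagementRoleAssignment" and not FILTER_RE.search(params):
        return None
    is_impersonation = re.search(r"ApplicationImpersonation", params, re.I) is not None
    risk_score = (3 if is_impersonation
                  else 2 if re.search(r"FullAccess|SendAs", params, re.I) else 1)
    return {
        "UserId": record.get("UserId"), "Operation": op, "ClientIP": record.get("ClientIP"),
        "is_impersonation": is_impersonation,
        "is_high_risk": re.search(r"FullAccess|SendAs|SendOnBehalf", params, re.I) is not None,
        "is_default_anon": re.search(r'"Default"|"Anonymous"', params, re.I) is not None,
        "is_folder_perm": "MailboxFolderPermission" in op,
        "risk_score": risk_score, "risk_level": LEVELS[risk_score],
    }

def score_log(records):
    """Run each record through score_event and return the alerts, highest risk first."""
    hits = [e for e in (score_event(r) for r in records) if e]
    return sorted(hits, key=lambda e: e["risk_score"], reverse=True)

def rec(op, params, ip="203.0.113.7"):  # constructed sample record builder (hypothetical values)
    return {"Operation": op, "UserId": "admin@example.com", "ClientIP": ip,
            "Parameters": [{"Name": n, "Value": v} for n, v in params]}

SAMPLE_RECORDS = [  # constructed, shaped like RecordType=ExchangeAdmin entries
    rec("New-ManagementRoleAssignment", [("Role", "ApplicationImpersonation"), ("User", "svc@example.com")]),
    rec("Add-MailboxPermission", [("AccessRights", "FullAccess"), ("User", "bob@example.com")]),
    rec("Set-MailboxFolderPermission", [("User", "Default"), ("AccessRights", "Reviewer")], ip="198.51.100.2"),
    rec("Set-Mailbox", [("DisplayName", "Bob Jones")]),  # benign: no watched right, filtered out
]
```

Running score_log over the four sample records yields three alerts (CRITICAL, HIGH, MEDIUM) and drops the benign Set-Mailbox display-name change.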

Data Sources

  • CrowdStrike Falcon O365 Audit Log Integration (LogScale o365 repository)
  • Humio/LogScale O365 ingest pipeline (if self-managed)

Required Tables

o365 repository or o365_audit source in CrowdStrike LogScale

False Positives & Tuning

  • Email compliance platforms (Mimecast Cloud Archive, Barracuda Cloud Archiving) with pre-approved ApplicationImpersonation service accounts registered in Exchange
  • IT teams bulk-assigning FullAccess to shared department mailboxes during organisational restructuring or employee transitions
  • Automated Microsoft 365 provisioning scripts that configure EA-to-executive mailbox delegate pairs as part of standard onboarding runbooks
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Grant FullAccess Mailbox Permission via PowerShell

    Expected signal: Office 365 Unified Audit Log: Operation='Add-MailboxPermission', RecordType='ExchangeAdmin', UserId=<admin UPN>, [email protected], Parameters containing 'FullAccess' and '[email protected]'. PowerShell Event ID 4104 (ScriptBlock) if logging is enabled on the workstation running the cmdlet.

  2. Test 2: Grant ApplicationImpersonation Role for Tenant-Wide Mailbox Access

    Expected signal: Office 365 Unified Audit Log: Operation='New-ManagementRoleAssignment', RecordType='ExchangeAdmin', Parameters containing 'ApplicationImpersonation' and '[email protected]'. Azure AD Audit Logs may also show a role assignment event. PowerShell ScriptBlock Log (Event ID 4104) captures the New-ManagementRoleAssignment cmdlet with parameters.

  3. Test 3: Set Default User Reviewer Permission on Mailbox Inbox Folder

    Expected signal: Office 365 Unified Audit Log: Operation='Set-MailboxFolderPermission' and 'Add-MailboxFolderPermission', Parameters containing 'Default' and 'Reviewer'. Two separate audit events expected — one for Inbox and one for root folder. RecordType='ExchangeAdmin'.

  4. Test 4: Grant SendAs Permission to Attacker Account for BEC

    Expected signal: Office 365 Unified Audit Log: Operation='Add-RecipientPermission', RecordType='ExchangeAdmin', [email protected], Parameters containing 'SendAs' and '[email protected]'. ClientIP of the admin session performing the grant.
