Detect Additional Email Delegate Permissions in IBM QRadar
Adversaries may grant additional permission levels on a compromised mailbox to maintain persistent access to it. In Exchange and Office 365 this is done with cmdlets such as Add-MailboxPermission (FullAccess), Add-RecipientPermission (SendAs) or Set-Mailbox (GrantSendOnBehalfTo), with folder-level grants through Add-MailboxFolderPermission and Set-MailboxFolderPermission, or tenant-wide through an ApplicationImpersonation role assignment. The technique is common in BEC incidents and has been used by persistent threat groups (APT28, APT29, Magic Hound) to keep covert access to a victim's mail, stage internal spearphishing, and read communications without generating sign-in events for the victim account.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1098 Account Manipulation
- Sub-technique: T1098.002 Additional Email Delegate Permissions
- Canonical reference: https://attack.mitre.org/techniques/T1098/002/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
username AS "Initiated By",
"EventID" AS "Operation",
sourceip AS "Client IP",
CATEGORYNAME(category) AS "Category",
QIDNAME(qid) AS "Event Name",
LOGSOURCETYPENAME(devicetype) AS "Log Source Type",
utf8(payload) AS "Raw Event"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
'Microsoft Office 365',
'Microsoft Azure Active Directory'
)
AND (
"EventID" ILIKE 'Add-MailboxPermission' OR
"EventID" ILIKE 'Add-MailboxFolderPermission' OR
"EventID" ILIKE 'Set-MailboxFolderPermission' OR
"EventID" ILIKE 'Add-RecipientPermission' OR
"EventID" ILIKE 'Set-Mailbox' OR
"EventID" ILIKE 'New-ManagementRoleAssignment' OR
"EventID" ILIKE 'Add app role assignment to service principal' OR
"EventID" ILIKE 'Add delegated permission grant' OR
"EventID" ILIKE 'Add member to role'
)
AND (
utf8(payload) ILIKE '%FullAccess%' OR
utf8(payload) ILIKE '%SendAs%' OR
utf8(payload) ILIKE '%SendOnBehalf%' OR
utf8(payload) ILIKE '%ApplicationImpersonation%' OR
utf8(payload) ILIKE '%ChangePermission%' OR
utf8(payload) ILIKE '%ChangeOwner%' OR
utf8(payload) ILIKE '%Exchange.ManageAsApp%' OR
utf8(payload) ILIKE '%Reviewer%' OR
utf8(payload) ILIKE '%Editor%' OR
utf8(payload) ILIKE '%Owner%' OR
"EventID" ILIKE 'New-ManagementRoleAssignment'
)
ORDER BY starttime DESC
LAST 1 DAYS
AQL query for QRadar detecting Exchange mailbox permission grants and Azure AD app-role, delegated-permission and directory-role grants from the Microsoft Office 365 and Microsoft Azure Active Directory log sources. The first filter group matches the Exchange Admin cmdlets and Azure AD operations on the "EventID" custom event property (ILIKE without a % wildcard is a case-insensitive exact match); the second requires the raw payload to name a sensitive right (FullAccess, SendAs, SendOnBehalf, ApplicationImpersonation, ChangePermission, ChangeOwner, Exchange.ManageAsApp) or a folder role (Reviewer, Editor, Owner, so that a Default:Reviewer grant on the Inbox is caught), and lets New-ManagementRoleAssignment through regardless of payload. The time clause (LAST 1 DAYS) is placed after ORDER BY, where AQL expects it, not inside the WHERE clause. Two checks before deploying: confirm that "EventID" exists as a custom event property populated with the Operation name for both log sources (otherwise filter on QIDNAME(qid) instead), and note that the Azure AD branch only surfaces grants whose payload mentions Exchange.ManageAsApp, so an application granted Microsoft Graph mail permissions (for example Mail.ReadWrite) is not covered by this query.
Data Sources
Required Tables
- events (the QRadar Ariel events table queried above)
Required Log Sources
- Microsoft Office 365 (Unified Audit Log; the ExchangeAdmin record type carries the Exchange cmdlets)
- Microsoft Azure Active Directory (directory audit log; app role assignments, delegated permission grants and role membership changes)
False Positives & Tuning
- Administrators legitimately delegating SendAs or SendOnBehalf to executive assistants for routine business operations
- Service accounts of third-party compliance or archiving tools (e.g., Mimecast Cloud Archive) that are granted ApplicationImpersonation to read every mailbox
- IT automation scripts that transfer FullAccess on a departing employee's mailbox to their manager during offboarding
- Tune by suppressing known actor and operation pairs (for example the archiving service account with New-ManagementRoleAssignment) rather than removing a cmdlet or right from the rule, and keep grants to external or newly created accounts un-suppressed
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1098.002 listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Grant FullAccess Mailbox Permission via PowerShell
Expected signal: Office 365 Unified Audit Log: Operation='Add-MailboxPermission', RecordType='ExchangeAdmin', UserId=<admin UPN>, ObjectId=<target mailbox>, Parameters containing 'FullAccess' and the delegate account. PowerShell Event ID 4104 (ScriptBlock) if script block logging is enabled on the workstation running the cmdlet.
- Test 2: Grant ApplicationImpersonation Role for Tenant-Wide Mailbox Access
Expected signal: Office 365 Unified Audit Log: Operation='New-ManagementRoleAssignment', RecordType='ExchangeAdmin', Parameters containing 'ApplicationImpersonation' and the assignee account. Azure AD Audit Logs will not record this assignment, since ApplicationImpersonation is an Exchange RBAC role rather than an Azure AD directory role. PowerShell ScriptBlock Log (Event ID 4104) captures the New-ManagementRoleAssignment cmdlet with its parameters.
- Test 3: Set Default User Reviewer Permission on Mailbox Inbox Folder
Expected signal: Office 365 Unified Audit Log: Operation='Set-MailboxFolderPermission' and 'Add-MailboxFolderPermission', RecordType='ExchangeAdmin', Parameters containing 'Default' and 'Reviewer'. Two separate audit events are expected, one for the Inbox and one for the mailbox root folder. These events carry the folder role 'Reviewer' and none of the rights FullAccess, SendAs or SendOnBehalf, so the rule only fires on them if its payload filter includes the folder roles.
- Test 4: Grant SendAs Permission to Attacker Account for BEC
Expected signal: Office 365 Unified Audit Log: Operation='Add-RecipientPermission', RecordType='ExchangeAdmin', ObjectId=<target mailbox>, Parameters containing 'SendAs' and the trustee account, plus the ClientIP of the admin session performing the grant.
References (10)
- https://attack.mitre.org/techniques/T1098/002/
- https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission
- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
- https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
- https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf
- https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511
- https://support.google.com/a/answer/7223765?hl=en
- https://learn.microsoft.com/en-us/microsoft-365/compliance/mailbox-audit-logging
- https://learn.microsoft.com/en-us/exchange/permissions/role-assignments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md