Detect Additional Email Delegate Permissions in Splunk
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. Using cmdlets like Add-MailboxPermission in Exchange/Office 365, or assigning folder-level permissions, attackers can ensure continued access to target mailboxes. This technique is commonly used in BEC incidents and persistent threat campaigns (APT28, APT29, Magic Hound) to maintain covert email access, enable internal spearphishing, and evade detection by reading communications without triggering login alerts.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.002 Additional Email Delegate Permissions
- Canonical reference
- https://attack.mitre.org/techniques/T1098/002/
SPL Detection Query
index=o365 sourcetype="o365:management:activity"
(Operation="Add-MailboxPermission"
OR Operation="Add-MailboxFolderPermission"
OR Operation="Set-MailboxFolderPermission"
OR Operation="Add-RecipientPermission"
OR Operation="New-ManagementRoleAssignment"
OR Operation="Set-Mailbox")
| eval Parameters=coalesce('Parameters', "[]")
| eval AccessRights=if(
match(Parameters, "(?i)(FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner)"),
replace(replace(Parameters, ".*AccessRights.*?([A-Za-z]+).*", "\1"), "[\[\]]", ""),
"Other"
)
| eval IsSuspiciousRight=if(
match(Parameters, "(?i)(FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner)"),
1, 0
)
| eval IsDefaultAnonymous=if(
match(Parameters, "(?i)(\"Default\"|\"Anonymous\")"),
1, 0
)
| eval IsFolderPermChange=if(
match(Operation, "(?i)(MailboxFolderPermission)"),
1, 0
)
| eval GrantedTo=coalesce(
mvindex(spath(Parameters, "{}.Value"), 1),
"unknown"
)
| eval RiskScore=IsSuspiciousRight + IsDefaultAnonymous + IsFolderPermChange
| eval RiskLevel=case(
RiskScore >= 2, "HIGH",
RiskScore = 1, "MEDIUM",
true(), "LOW"
)
| table _time, UserId, Operation, GrantedTo, AccessRights, IsSuspiciousRight, IsDefaultAnonymous, IsFolderPermChange, RiskScore, RiskLevel, ClientIP, Parameters
| sort - _timeDetects mailbox delegation and permission changes ingested from the Office 365 Management Activity API. Covers Add-MailboxPermission, Add-MailboxFolderPermission, Set-MailboxFolderPermission, Add-RecipientPermission, and New-ManagementRoleAssignment operations. Assigns a risk score based on suspicious access right types (FullAccess, SendAs, ApplicationImpersonation), Default/Anonymous user grants, and folder-level permission changes. Requires O365 Management Activity logs ingested via Splunk Add-on for Microsoft Office 365.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate IT helpdesk or mail administrators adding shared mailbox permissions for business continuity
- Automated provisioning systems that programmatically grant SendAs or FullAccess to distribution groups
- Office 365 migration tools requiring ApplicationImpersonation during mailbox migrations
- Legitimate end-user delegation via Outlook for calendar/inbox sharing with assistants
- Security monitoring or compliance archiving solutions requiring FullAccess to index mailbox content
Other platforms for T1098.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Grant FullAccess Mailbox Permission via PowerShell
Expected signal: Office 365 Unified Audit Log: Operation='Add-MailboxPermission', RecordType='ExchangeAdmin', UserId=<admin UPN>, [email protected], Parameters containing 'FullAccess' and '[email protected]'. PowerShell Event ID 4104 (ScriptBlock) if logging is enabled on the workstation running the cmdlet.
- Test 2Grant ApplicationImpersonation Role for Tenant-Wide Mailbox Access
Expected signal: Office 365 Unified Audit Log: Operation='New-ManagementRoleAssignment', RecordType='ExchangeAdmin', Parameters containing 'ApplicationImpersonation' and '[email protected]'. Azure AD Audit Logs may also show a role assignment event. PowerShell ScriptBlock Log (Event ID 4104) captures the New-ManagementRoleAssignment cmdlet with parameters.
- Test 3Set Default User Reviewer Permission on Mailbox Inbox Folder
Expected signal: Office 365 Unified Audit Log: Operation='Set-MailboxFolderPermission' and 'Add-MailboxFolderPermission', Parameters containing 'Default' and 'Reviewer'. Two separate audit events expected — one for Inbox and one for root folder. RecordType='ExchangeAdmin'.
- Test 4Grant SendAs Permission to Attacker Account for BEC
Expected signal: Office 365 Unified Audit Log: Operation='Add-RecipientPermission', RecordType='ExchangeAdmin', [email protected], Parameters containing 'SendAs' and '[email protected]'. ClientIP of the admin session performing the grant.
References (10)
- https://attack.mitre.org/techniques/T1098/002/
- https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission
- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
- https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
- https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf
- https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511
- https://support.google.com/a/answer/7223765?hl=en
- https://learn.microsoft.com/en-us/microsoft-365/compliance/mailbox-audit-logging
- https://learn.microsoft.com/en-us/exchange/permissions/role-assignments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md
Unlock Pro Content
Get the full detection package for T1098.002 including response playbook, investigation guide, and atomic red team tests.