Detect Additional Email Delegate Permissions in Sumo Logic CSE
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. Using cmdlets like Add-MailboxPermission in Exchange/Office 365, or assigning folder-level permissions, attackers can ensure continued access to target mailboxes. This technique is commonly used in BEC incidents and persistent threat campaigns (APT28, APT29, Magic Hound) to maintain covert email access, enable internal spearphishing, and evade detection by reading communications without triggering login alerts.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.002 Additional Email Delegate Permissions
- Canonical reference
- https://attack.mitre.org/techniques/T1098/002/
Sumo Detection Query
(_sourceCategory=*o365* OR _sourceCategory=*office365* OR _sourceCategory=*azure/audit*)
| json field=_raw "Operation" as operation nodrop
| json field=_raw "UserId" as user_id nodrop
| json field=_raw "ClientIP" as client_ip nodrop
| json field=_raw "Parameters" as parameters nodrop
| json field=_raw "RecordType" as record_type nodrop
| where operation in (
"Add-MailboxPermission",
"Add-MailboxFolderPermission",
"Set-MailboxFolderPermission",
"Add-RecipientPermission",
"Set-Mailbox",
"New-ManagementRoleAssignment"
)
OR (operation in (
"Add app role assignment to service principal",
"Add delegated permission grant",
"Add member to role"
) and (parameters matches "(?i)(ApplicationImpersonation|Exchange\.ManageAsApp)"))
| where parameters matches "(?i)(FullAccess|SendAs|SendOnBehalf|ApplicationImpersonation|ChangePermission|ChangeOwner)" or operation = "New-ManagementRoleAssignment"
| if(parameters matches "(?i)ApplicationImpersonation", 1, 0) as is_impersonation
| if(parameters matches "(?i)(FullAccess|SendAs|SendOnBehalf)", 1, 0) as is_high_risk_right
| if(parameters matches "(?i)(\"Default\"|\"Anonymous\")", 1, 0) as is_default_anon
| if(operation matches "(?i)MailboxFolderPermission", 1, 0) as is_folder_perm
| (is_impersonation + is_high_risk_right + is_default_anon) as risk_score
| if(risk_score >= 2, "HIGH", if(risk_score = 1, "MEDIUM", "LOW")) as risk_level
| fields _messageTime, user_id, operation, client_ip, parameters, is_impersonation, is_high_risk_right, is_default_anon, is_folder_perm, risk_score, risk_level
| sort by _messageTime descSumo Logic search detecting Exchange mailbox permission changes and Azure AD ApplicationImpersonation grants from O365 and Azure audit log sources. Parses JSON fields from raw events, filters on known suspicious cmdlets and access rights, and computes a risk score mirroring the SPL logic: ApplicationImpersonation, high-risk rights (FullAccess/SendAs), and default/anonymous scope each contribute to risk level (HIGH/MEDIUM/LOW).
Data Sources
Required Tables
False Positives & Tuning
- Automated Microsoft 365 provisioning tools that configure delegate access for executive/EA mailbox pairs during onboarding
- Email archiving and compliance solutions (Mimecast, Barracuda, AvePoint) with pre-approved ApplicationImpersonation service accounts
- Helpdesk bulk operations assigning FullAccess to shared mailboxes during department restructuring or employee offboarding
Other platforms for T1098.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Grant FullAccess Mailbox Permission via PowerShell
Expected signal: Office 365 Unified Audit Log: Operation='Add-MailboxPermission', RecordType='ExchangeAdmin', UserId=<admin UPN>, [email protected], Parameters containing 'FullAccess' and '[email protected]'. PowerShell Event ID 4104 (ScriptBlock) if logging is enabled on the workstation running the cmdlet.
- Test 2Grant ApplicationImpersonation Role for Tenant-Wide Mailbox Access
Expected signal: Office 365 Unified Audit Log: Operation='New-ManagementRoleAssignment', RecordType='ExchangeAdmin', Parameters containing 'ApplicationImpersonation' and '[email protected]'. Azure AD Audit Logs may also show a role assignment event. PowerShell ScriptBlock Log (Event ID 4104) captures the New-ManagementRoleAssignment cmdlet with parameters.
- Test 3Set Default User Reviewer Permission on Mailbox Inbox Folder
Expected signal: Office 365 Unified Audit Log: Operation='Set-MailboxFolderPermission' and 'Add-MailboxFolderPermission', Parameters containing 'Default' and 'Reviewer'. Two separate audit events expected — one for Inbox and one for root folder. RecordType='ExchangeAdmin'.
- Test 4Grant SendAs Permission to Attacker Account for BEC
Expected signal: Office 365 Unified Audit Log: Operation='Add-RecipientPermission', RecordType='ExchangeAdmin', [email protected], Parameters containing 'SendAs' and '[email protected]'. ClientIP of the admin session performing the grant.
References (10)
- https://attack.mitre.org/techniques/T1098/002/
- https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission
- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
- https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
- https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf
- https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511
- https://support.google.com/a/answer/7223765?hl=en
- https://learn.microsoft.com/en-us/microsoft-365/compliance/mailbox-audit-logging
- https://learn.microsoft.com/en-us/exchange/permissions/role-assignments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md
Unlock Pro Content
Get the full detection package for T1098.002 including response playbook, investigation guide, and atomic red team tests.