title: Additional Email Delegate Permissions (T1098.002)
id: df00tech-t1098-002
status: experimental
description: "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. Using cmdlets like Add-MailboxPermission in Exchange/Office 365, or assigning folder-level permissions, attackers can ensure continued access to target mailboxes. This technique is commonly used in BEC incidents and persistent threat campaigns (APT28, APT29, Magic Hound) to maintain covert email access, enable internal spearphishing, and evade detection by reading communications without triggering login alerts."
references:
  - https://attack.mitre.org/techniques/T1098/002/
  - https://df00tech.com/detections/T1098.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
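  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches any event that carries an EventID field,
  # so it is not specific to mailbox permission changes.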
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT helpdesk or mail administrators adding shared mailbox permissions for business continuity (e.g., shared support mailboxes, executive assistants)"
  - "Automated provisioning systems (ServiceNow, Azure AD connectors) that programmatically grant SendAs or FullAccess to distribution groups"
  - "Office 365 migration tools (Exchange Hybrid, third-party tools) that assign ApplicationImpersonation during mailbox migrations"
  - "Legitimate delegation by end users granting calendar or inbox access to assistants via Outlook settings"
  - "Security monitoring tools or compliance archiving solutions that require FullAccess or ApplicationImpersonation to index mailbox content"
level: high
