Microsoft 365 mailbox audit logging bypass

Goal

Detect when a user configures a mailbox audit logging bypass.

Strategy

Monitor Microsoft 365 Exchange audit logs for the operation Set-MailboxAuditBypassAssociation. When a bypass is configured, activity such as a user or account accessing a mailbox or taking other actions in it is not logged. Attackers may configure this setting to evade existing defenses.

Triage and response

  1. Inspect the @Parameters.Identity attribute to determine which user or account will bypass mailbox audit logging.
  2. Determine if there is a legitimate use case for the mailbox audit bypass by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the mailbox audit bypass:
    • Investigate other activities performed by the user {{@usr.email}} and @Parameters.Identity using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.
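
The strategy and the first triage step above, as an added Python example that is not the detection rule's own code: it scans constructed audit records for the operation and extracts the acting user and the Identity parameter. The record layout (Parameters as a Name/Value list or as a flat object) and the AuditBypassEnabled check are assumptions that go beyond what this page states.

```python
import json

# Constructed sample records; field layout is an assumption modelled on
# Microsoft 365 Exchange admin audit events. One line is deliberately malformed.
SAMPLE_LOGS = [
    '{"CreationTime":"2023-08-17T10:02:11","Operation":"Set-MailboxAuditBypassAssociation",'
    '"UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"svc-backup@example.com"},'
    '{"Name":"AuditBypassEnabled","Value":"True"}]}',
    '{"CreationTime":"2023-08-17T10:05:40","Operation":"Set-Mailbox",'
    '"UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"jdoe@example.com"}]}',
    '{"CreationTime":"2023-08-17T10:07:02","Operation":"Set-MailboxAuditBypass',
    '{"CreationTime":"2023-08-17T11:30:00","Operation":"set-mailboxauditbypassassociation",'
    '"UserId":"helpdesk@example.com","Parameters":{"Identity":"jdoe@example.com","AuditBypassEnabled":false}}',
]

OPERATION = "set-mailboxauditbypassassociation"  # compared case-insensitively


def params_to_dict(parameters):
    """Normalise Parameters (Name/Value list or flat object) to lower-cased keys."""
    if isinstance(parameters, dict):
        return {str(k).lower(): v for k, v in parameters.items()}
    out = {}
    for p in parameters or []:
        if isinstance(p, dict) and "Name" in p:
            out[str(p["Name"]).lower()] = p.get("Value")
    return out


def find_bypass_changes(lines):
    """Return one finding per Set-MailboxAuditBypassAssociation event."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(event, dict):
            continue
        if str(event.get("Operation", "")).lower() != OPERATION:
            continue
        params = params_to_dict(event.get("Parameters"))
        enabled = str(params.get("auditbypassenabled", "")).lower() in ("true", "$true")
        findings.append({"time": event.get("CreationTime"), "actor": event.get("UserId"),
                         "identity": params.get("identity"), "bypass_enabled": enabled})
    return findings


if __name__ == "__main__":
    for finding in find_bypass_changes(SAMPLE_LOGS):
        print(finding)
```

Every match is reported, including events that turn the bypass off, so the triage steps above can be applied to the actor and the identity in each finding.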

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.