Microsoft 365 mailbox audit logging bypass

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a user configures a mailbox audit logging bypass.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operation Set-MailboxAuditBypassAssociation. When this operation is configured, no activity is logged, such as a user or account accessing or taking other actions in a mailbox. Attackers may configure this setting to evade existing defenses.

Triage and response

  1. Inspect the @Parameters.Identity attribute to determine which user or account will bypass mailbox audit logging.
  2. Determine if there is a legitimate use case for the mailbox audit bypass by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the mailbox audit bypass:
    • Investigate other activities performed by the user {{@usr.email}} and @Parameters.Identity using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.