Microsoft 365 SendAs permissions added
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a user adds SendAs permissions.
Strategy
Monitor Microsoft 365 audit logs to look for the operation Add-RecipientPermission
. SendAs permission allows a user or group members to send messages that appear to come from the specified mailbox, mail contact, mail user, or group. Attackers may configure this to allow them to impersonate a user and send messages on their behalf from their mailbox, allowing the attacker to persist in the organization or move laterally by phishing other users.
Triage and response
- Inspect the
@Parameters.Trustee
field to determine if the email address is external to your organization. - Determine if there is a legitimate use case for adding SendAs permissions by contacting the user
{{@usr.email}}
. - If
{{@usr.email}}
is not aware of the action:- Investigate other activities performed by users at the following attributes
@usr.email
, @Parameters.Trustee
and @Parameters.Identity
using the Cloud SIEM - User Investigation dashboard. - Begin your organization’s incident response process and investigate.
Changelog
- 17 August 2023 - Updated query to replace attribute
@threat_intel.results.subcategory:tor
with @threat_intel.results.category:tor
.