Microsoft 365 SendAs permissions added

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a user adds SendAs permissions.

Strategy

Monitor Microsoft 365 audit logs to look for the operation Add-RecipientPermission. SendAs permission allows a user or group members to send messages that appear to come from the specified mailbox, mail contact, mail user, or group. Attackers may configure this to allow them to impersonate a user and send messages on their behalf from their mailbox, allowing the attacker to persist in the organization or move laterally by phishing other users.

Triage and response

  1. Inspect the @Parameters.Trustee field to determine if the email address is external to your organization.
  2. Determine if there is a legitimate use case for adding SendAs permissions by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the action:
    • Investigate other activities performed by users at the following attributes @usr.email, @Parameters.Trustee and @Parameters.Identity using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.