Microsoft 365 Full Access delegate permissions added

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a user adds FullAccess permissions.

Strategy

Monitor Microsoft 365 audit logs to look for the operation Add-MailboxPermission. FullAccess permission allows the assigned user to read the mailbox and manage emails in the user’s mailbox that the permission is assigned to. Full Access permission does not grant Send as or Send on behalf permissions. Attackers may configure this to allow them to impersonate a user and read messages from their mailbox, allowing the attacker to persist in the organization.

Triage and response

  1. Inspect the @Parameters.User field to identify which user is getting access to the mailbox specified in @Parameters.Identity.
  2. Determine if there is a legitimate use case for adding FullAccess permissions by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the action:
    • Investigate other activities performed by users at the following attributes @usr.email, @Parameters.User, and @Parameters.Identity using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 18 December 2024 - remove duplicate rule query.