Microsoft 365 mailbox audit logging bypass

microsoft-365

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a user configures a mailbox audit logging bypass.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operation Set-MailboxAuditBypassAssociation. When this operation is configured, no activity is logged, such as a user or account accessing or taking other actions in a mailbox. Attackers may configure this setting to evade existing defenses.

Triage and response

  1. Inspect the @Parameters.Identity attribute to determine which user or account will bypass mailbox audit logging.
  2. Determine if there is a legitimate use case for the mailbox audit bypass by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the mailbox audit bypass:
    • Investigate other activities performed by the user {{@usr.email}} and @Parameters.Identity using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.