---
title: Microsoft 365 Default or Anonymous user permissions added to mailbox folder
description: Datadog, the leading service for cloud-scale monitoring.
---

# Microsoft 365 Default or Anonymous user permissions added to mailbox folder

Classification: attack

Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)

Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect when a user adds Default or Anonymous user permissions for a mailbox folder.

## Strategy{% #strategy %}

Monitor Microsoft 365 audit logs for the operations [`Add-MailboxFolderPermission`](https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps) or [`Set-MailboxFolderPermission`](https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps). These operations grant or modify permissions on specific mailbox folders, such as the Inbox. An attacker may grant folder access to the Default or Anonymous user, allowing them to maintain persistent access to the target user's mail folders.

**Note:**

- Default - refers to any internal, authenticated user.
- Anonymous - refers to any external, unauthenticated user.
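
The strategy above, sketched as an added example for testing the logic offline; it is not Datadog's rule query. The sample records are constructed, and the record shape (`Operation`, `UserId`, and `Parameters` as either Name/Value pairs or a flat object) and the choice to ignore an `AccessRights` value of `None` are assumptions of this example.

```python
import json

WATCHED_OPS = {"add-mailboxfolderpermission", "set-mailboxfolderpermission"}
BROAD_USERS = {"default", "anonymous"}

# Constructed sample audit records, one JSON object per line (not real tenant data).
SAMPLE_LOG = r"""
{"Operation":"Add-MailboxFolderPermission","UserId":"alice@example.com","Parameters":[{"Name":"Identity","Value":"bob@example.com:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"Operation":"Set-MailboxFolderPermission","UserId":"alice@example.com","Parameters":{"Identity":"bob@example.com:\\Calendar","User":"Anonymous","AccessRights":"Editor"}}
{"Operation":"Add-MailboxFolderPermission","UserId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"carol@example.com:\\Inbox"},{"Name":"User","Value":"dave@example.com"},{"Name":"AccessRights","Value":"Editor"}]}
{"Operation":"Set-MailboxFolderPermission","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"bob@example.com:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"None"}]}
{"Operation":"MailItemsAccessed","UserId":"bob@example.com"}
not-json
"""

def params_of(record):
    """Return cmdlet parameters as a dict, accepting Name/Value pairs or a flat object."""
    raw = record.get("Parameters") or {}
    if isinstance(raw, list):
        return {p.get("Name"): p.get("Value") for p in raw if isinstance(p, dict)}
    return raw if isinstance(raw, dict) else {}

def find_broad_grants(log_text):
    """Return one finding per record that grants folder rights to Default or Anonymous."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(record, dict):
            continue
        if str(record.get("Operation", "")).lower() not in WATCHED_OPS:
            continue
        params = params_of(record)
        grantee = str(params.get("User", "")).strip().lower()
        rights = str(params.get("AccessRights", "")).strip()
        # Assumption of this example: AccessRights "None" removes access, so it is not reported.
        if grantee in BROAD_USERS and rights.lower() != "none":
            findings.append({"actor": record.get("UserId"), "folder": params.get("Identity"),
                             "grantee": params.get("User"), "rights": rights})
    return findings

if __name__ == "__main__":
    for finding in find_broad_grants(SAMPLE_LOG):
        print(finding)
```

Each finding carries the acting account and the target folder, which correspond to the `@usr.email` and `@Parameters.Identity` attributes used during triage.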

## Triage and response{% #triage-and-response %}

1. Determine if there is a legitimate use case for adding Default or Anonymous permissions by contacting the user `{{@usr.email}}`.
1. If `{{@usr.email}}` is not aware of the action:
   - Investigate other activities performed by the users identified in the `@usr.email` and `@Parameters.Identity` attributes using the Cloud SIEM - User Investigation dashboard.
   - Begin your organization's incident response process and investigate.

## Changelog{% #changelog %}

- 17 August 2023 - Updated query to replace attribute `@threat_intel.results.subcategory:tor` with `@threat_intel.results.category:tor`.
- 18 December 2025 - Removed corporate VPNs as a threat intel source.
