persistence_exchange_suspicious_mailbox_right_delegation.toml

[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
evade spam/phishing detection mechanisms.
"""
false_positives = ["Assignment of rights to a service account."]
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Exchange Suspicious Mailbox Right Delegation"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.002"
name = "Additional Email Delegate Permissions"
reference = "https://attack.mitre.org/techniques/T1098/002/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"