Query Details
// Hunt    : M365 - Exchange Mailbox Permission Audit (30d)
// Purpose : Enumerate all mailbox permission grants (FullAccess, SendAs, ReadPermission)
//           over 30 days. Supports BEC, insider threat, and privilege escalation reviews.
//           Highlights external delegates, sensitive mailboxes, and admin-level assignments.
// Tables  : OfficeActivity
// Period  : P30D
//==========================================================================================
let LookbackDays = 30d;
let SensitiveKeywords = dynamic([
    "ceo", "cfo", "cto", "coo", "vp-", "president", "director",
    "finance", "legal", "hr", "payroll", "board", "exec", "security"
]);
OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType == "ExchangeAdmin"
| where Operation in (
    "Add-MailboxPermission", "Add-RecipientPermission",
    "Remove-MailboxPermission", "Remove-RecipientPermission",
    "AddMailboxPermission")
| extend Params = tostring(Parameters)
| extend
    AccessRights  = extract(@"AccessRights.*?:(.*?)(\s|,|$)", 1, Params),
    // Add-/Remove-RecipientPermission name the grantee "Trustee" rather than "User";
    // match either, or SendAs grants would be reported without a delegate.
    DelegateUser  = extract(@"(?:User|Trustee).*?:([^\s,]+)", 1, Params),
    TargetMailbox = extract(@"Identity.*?:([^\s,]+)", 1, Params),
    IsAdd         = Operation has "Add"
| extend
    IsFullAccess   = AccessRights has_any ("FullAccess", "SendAs"),
    // "has" matches whole alphanumeric terms, so "contains" is used for "@" and "#EXT#".
    // Internal accounts on a custom (non-onmicrosoft.com) domain are still reported as
    // external; extend the test with the tenant's own accepted domains if that is unwanted.
    IsExternal     = DelegateUser contains "#EXT#"
                     or (DelegateUser contains "@" and not(DelegateUser has "onmicrosoft.com")),
    IsSensitiveBox = tolower(TargetMailbox) has_any (SensitiveKeywords)
| sort by TimeGenerated desc
| project
    TimeGenerated,
    ActorUserId = UserId,
    TargetMailbox,
    DelegateUser,
    AccessRights,
    Operation,
    IsAdd,
    IsFullAccess,
    IsExternal,
    IsSensitiveBox,
    ClientIP
This query is designed to analyze and report on mailbox permission changes in Microsoft 365 Exchange over the past 30 days. It focuses on identifying potential security risks such as business email compromise (BEC), insider threats, and privilege escalation. Here's a breakdown of what the query does:
Time Frame: It looks at activities from the last 30 days.
Sensitive Keywords: It defines a list of keywords that are considered sensitive, such as "ceo", "cfo", "finance", etc., to identify important mailboxes.
Data Source: It queries the OfficeActivity table for records related to Exchange administration.
Operations Filtered: It specifically looks for operations that add or remove mailbox permissions, such as "Add-MailboxPermission" and "Remove-MailboxPermission".
Data Extraction: It extracts details from the operation parameters, including:
  AccessRights: The type of access granted or removed (e.g., FullAccess, SendAs).
  DelegateUser: The user who was granted or removed permissions.
  TargetMailbox: The mailbox that the permissions were applied to.
Flags:
  IsAdd: Indicates if the operation was an addition of permissions.
  IsFullAccess: Checks if the permissions include FullAccess or SendAs rights.
  IsExternal: Identifies if the delegate user is external to the organization.
  IsSensitiveBox: Flags if the target mailbox is considered sensitive based on the keywords.
Sorting and Projection: The results are sorted by the time the activity was generated, and only relevant fields are displayed, including the time, user ID of the actor, target mailbox, delegate user, access rights, operation type, and flags for full access, external user, and sensitive mailbox.
This query helps in auditing and reviewing mailbox permission changes to ensure security and compliance within the organization.
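As an added worked example (not part of the query page or its author's work), the Python below re-implements the hunt's classification over constructed OfficeActivity rows, parsing the Parameters JSON directly instead of with regexes, picking up the Trustee parameter that Add-RecipientPermission uses, and generalising the hard-coded onmicrosoft.com test into an internal_domains argument. The row shape, the sample rows and the helper names (has_term, parse_parameters, classify, _params) are assumptions made for this example.

```python
import json, re
# Keyword list and operation filter copied from the KQL hunt above.
SENSITIVE_KEYWORDS = ("ceo", "cfo", "cto", "coo", "vp-", "president", "director",
                      "finance", "legal", "hr", "payroll", "board", "exec", "security")
PERMISSION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission", "AddMailboxPermission",
                  "Remove-MailboxPermission", "Remove-RecipientPermission"}

def has_term(text, term):
    """Approximate KQL `has`: the term may not be glued to neighbouring alphanumerics."""
    head = r"(?<![a-z0-9])" if term[0].isalnum() else ""
    tail = r"(?![a-z0-9])" if term[-1].isalnum() else ""
    return re.search(head + re.escape(term) + tail, text, re.I) is not None

def parse_parameters(parameters):
    """OfficeActivity stores Parameters as a JSON array of {"Name","Value"} pairs; flatten it."""
    return {p["Name"]: str(p["Value"]) for p in json.loads(parameters)}

def classify(record, internal_domains=("onmicrosoft.com",)):
    """Compute the hunt's flags for one OfficeActivity row, or None if the row is out of scope."""
    op = record.get("Operation", "")
    if record.get("RecordType") != "ExchangeAdmin" or op not in PERMISSION_OPS:
        return None
    params = parse_parameters(record["Parameters"])
    # Add-RecipientPermission names the grantee "Trustee"; the mailbox cmdlets use "User".
    delegate = params.get("User") or params.get("Trustee") or ""
    target, access = params.get("Identity", ""), params.get("AccessRights", "")
    # internal_domains generalises the hunt's onmicrosoft.com test: add the tenant's own domains.
    domain = delegate.rsplit("@", 1)[-1].lower() if "@" in delegate else ""
    is_external = "#EXT#" in delegate or (
        domain != "" and not any(domain.endswith(d) for d in internal_domains))
    return {
        "ActorUserId": record.get("UserId", ""), "Operation": op, "TargetMailbox": target,
        "DelegateUser": delegate, "AccessRights": access, "IsAdd": op.startswith("Add"),
        "IsFullAccess": has_term(access, "FullAccess") or has_term(access, "SendAs"),
        "IsExternal": is_external,
        "IsSensitiveBox": any(has_term(target, k) for k in SENSITIVE_KEYWORDS),
    }

def _params(**kv):  # build a Parameters value in the audit log's shape (test data only)
    return json.dumps([{"Name": k, "Value": v} for k, v in kv.items()])

SAMPLE_ROWS = [  # constructed sample rows, not real audit data
    {"RecordType": "ExchangeAdmin", "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.com",
     "Parameters": _params(Identity="cfo@contoso.com", AccessRights="FullAccess", User="mallory_gmail.com#EXT#@contoso.onmicrosoft.com")},
    {"RecordType": "ExchangeAdmin", "Operation": "Add-RecipientPermission", "UserId": "admin@contoso.com",
     "Parameters": _params(Identity="payroll@contoso.com", Trustee="bob@contoso.com", AccessRights="SendAs")},
    {"RecordType": "ExchangeAdmin", "Operation": "Remove-MailboxPermission", "UserId": "admin@contoso.com",
     "Parameters": _params(Identity="chris@contoso.com", User="carol@contoso.com", AccessRights="ReadPermission")},
]
```

Run classify() over each sample row to see the flags; the third row shows why term matching matters, since a substring test would flag chris@ as an "hr" mailbox while the hunt's has_any does not.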

David Alonso
Released: March 18, 2026