Query Details
// Rule : M365 - Exchange - Mailbox Full Access Permission Granted
// Severity: High
// Tactics : Persistence, Collection
// MITRE : T1098.002 (Additional Email Delegate Permissions), T1114
// Freq : PT1H Period: PT1H
// Description: Detects when FullAccess permissions are granted on Exchange Online
// mailboxes, especially for admin-level, executive, or sensitive mailboxes.
// Attackers with BEC access often add persistent delegate access.
//==========================================================================================
let LookbackPeriod = 1h;
let SensitiveMailboxPatterns = dynamic([
    "ceo", "cfo", "cto", "coo", "vp", "president", "director",
    "finance", "legal", "hr", "payroll", "board", "exec", "security"
]);
OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeAdmin"
| where Operation in (
    "Add-MailboxPermission",    // FullAccess / ReadPermission on a mailbox (-User)
    "Add-RecipientPermission",  // SendAs on a recipient (-Trustee)
    "AddMailboxPermission")
// Parameters is a JSON array of {"Name":...,"Value":...} objects. Read values by
// parameter name rather than by regex over the raw string or by array position,
// since the order of cmdlet parameters in the record is not fixed.
| extend ParamList = parse_json(Parameters)
| mv-apply Param = ParamList on (
    summarize
        TargetMailbox = take_anyif(tostring(Param.Value), tostring(Param.Name) == "Identity"),
        // Add-MailboxPermission names the grantee with -User, Add-RecipientPermission with -Trustee
        DelegateUser  = take_anyif(tostring(Param.Value), tostring(Param.Name) in ("User", "Trustee")),
        AccessRights  = take_anyif(tostring(Param.Value), tostring(Param.Name) == "AccessRights")
  )
| extend
    IsFullAccess   = AccessRights has "FullAccess",
    IsSendAs       = AccessRights has "SendAs",
    // has_any is term-based: matches "ceo@contoso.com" and "ceo.smith@contoso.com", not "financeteam@contoso.com"
    IsSensitiveBox = tolower(TargetMailbox) has_any (SensitiveMailboxPatterns),
    // B2B guest UPNs carry "#EXT#"; contains is case-insensitive and does not depend on term boundaries
    IsExternal     = DelegateUser contains "#EXT#"
| where IsFullAccess or IsSendAs
| project
    TimeGenerated,
    ActorUserId = UserId,
    TargetMailbox,
    DelegateUser,
    AccessRights,
    ClientIP,
    IsFullAccess,
    IsSendAs,
    IsSensitiveBox,
    IsExternal,
    // Every surviving row is a FullAccess or SendAs grant, so Medium is the floor; there is no Low branch
    AlertSeverity = case(
        IsExternal, "Critical",
        IsSensitiveBox, "High",
        "Medium")
This query detects when FullAccess (or SendAs) permissions are granted on Exchange Online mailboxes, with extra weight on admin-level, executive, or otherwise sensitive mailboxes. Here is a simple breakdown of what the query does:
Time Frame: It looks at activities from the past hour, matching the rule's one-hour frequency and period.
Sensitive Mailboxes: It defines a list of name fragments (ceo, cfo, finance, legal, hr, payroll, and so on) that mark a target mailbox as likely sensitive.
Activity Filtering: It keeps only ExchangeAdmin records for the cmdlets that add mailbox or recipient permissions.
Extracting Details: It pulls the target mailbox (Identity), the delegate who was granted access (User or Trustee), and the access rights out of the operation's Parameters field.
Conditions: It flags three things per grant: whether the right is FullAccess or SendAs, whether the target mailbox name contains one of the sensitive patterns, and whether the delegate is a guest account (a UPN containing #EXT#).
Severity Levels: It assigns an alert severity based on those conditions: Critical when the delegate is a guest account, High when the target is a sensitive mailbox, and Medium for any other FullAccess or SendAs grant.
Output: It projects the time of the event, the user who performed the action, the target mailbox, the delegate user, the access rights, the client IP, the condition flags, and the determined alert severity.
Overall, this query helps identify potentially unauthorized or risky permission changes in Exchange Online, which could indicate a security threat or policy violation. Two tuning notes: the sensitive-mailbox match is term-based, so a name such as financeteam@contoso.com is not caught by the "finance" pattern unless the list is extended to your naming conventions; and grants made by known helpdesk or provisioning accounts from expected IP ranges are a common benign source that is worth baselining or allow-listing.
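To check the rule's extraction and severity logic offline before deploying it, here is an added reference implementation in Python that applies the same classification to constructed OfficeActivity-shaped records. It is not part of the original query page. It assumes the Parameters column holds a JSON array of Name/Value objects, that Add-MailboxPermission names the grantee with User and Add-RecipientPermission with Trustee, and that KQL's term-based has/has_any can be approximated by splitting on non-alphanumeric characters; the records, addresses and IPs below are made up.

```python
"""Offline mirror of the M365 mailbox FullAccess/SendAs detection logic.

Constructed sample records only; not real audit data.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Same pattern list as the KQL rule.
SENSITIVE_MAILBOX_PATTERNS = {
    "ceo", "cfo", "cto", "coo", "vp", "president", "director",
    "finance", "legal", "hr", "payroll", "board", "exec", "security",
}
RISKY_OPERATIONS = {"Add-MailboxPermission", "Add-RecipientPermission", "AddMailboxPermission"}

_TERM_RE = re.compile(r"[a-z0-9]+")


def terms(text: str) -> set:
    """Case-folded alphanumeric terms, approximating KQL has / has_any matching."""
    return set(_TERM_RE.findall(text.lower()))


def parameters_by_name(parameters_json: str) -> Dict[str, str]:
    """OfficeActivity.Parameters: JSON array of {"Name": ..., "Value": ...} objects (assumed shape)."""
    return {str(p["Name"]): str(p["Value"]) for p in json.loads(parameters_json)}


@dataclass
class Finding:
    time_generated: str
    actor_user_id: str
    target_mailbox: str
    delegate_user: str
    access_rights: str
    client_ip: str
    is_full_access: bool
    is_send_as: bool
    is_sensitive_box: bool
    is_external: bool
    alert_severity: str


def classify(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a risky grant, or None if the record is not one."""
    if record.get("RecordType") != "ExchangeAdmin" or record.get("Operation") not in RISKY_OPERATIONS:
        return None
    params = parameters_by_name(record["Parameters"])
    target = params.get("Identity", "")
    # Add-MailboxPermission uses -User, Add-RecipientPermission uses -Trustee (assumed from the cmdlets).
    delegate = params.get("User") or params.get("Trustee") or ""
    rights = params.get("AccessRights", "")
    right_terms = terms(rights)
    is_full_access = "fullaccess" in right_terms
    is_send_as = "sendas" in right_terms
    if not (is_full_access or is_send_as):
        return None
    is_sensitive = bool(terms(target) & SENSITIVE_MAILBOX_PATTERNS)
    is_external = "#ext#" in delegate.lower()  # B2B guest UPN marker
    severity = "Critical" if is_external else "High" if is_sensitive else "Medium"
    return Finding(record.get("TimeGenerated", ""), record.get("UserId", ""), target, delegate,
                   rights, record.get("ClientIP", ""), is_full_access, is_send_as,
                   is_sensitive, is_external, severity)


def _params(*pairs) -> str:
    """Build a Parameters string in the assumed audit-log shape."""
    return json.dumps([{"Name": n, "Value": v} for n, v in pairs])


def _record(operation: str, params: str) -> Dict[str, str]:
    return {"TimeGenerated": "2026-03-18T09:12:00Z", "RecordType": "ExchangeAdmin",
            "Operation": operation, "UserId": "helpdesk@contoso.com",
            "ClientIP": "203.0.113.10", "Parameters": params}


# Constructed sample records covering each branch of the rule.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    _record("Add-MailboxPermission", _params(("Identity", "ceo@contoso.com"),
            ("User", "mallory_gmail.com#EXT#@contoso.onmicrosoft.com"),
            ("AccessRights", "FullAccess"), ("InheritanceType", "All"))),        # Critical: guest delegate
    _record("Add-RecipientPermission", _params(("Identity", "payroll@contoso.com"),
            ("Trustee", "bob@contoso.com"), ("AccessRights", "SendAs"))),        # High: sensitive box, via Trustee
    _record("Add-MailboxPermission", _params(("Identity", "alice@contoso.com"),
            ("User", "bob@contoso.com"), ("AccessRights", "ReadPermission"))),   # dropped: not FullAccess/SendAs
    _record("Add-MailboxPermission", _params(("Identity", "financeteam@contoso.com"),
            ("User", "carol@contoso.com"), ("AccessRights", "FullAccess"))),     # Medium: "financeteam" is one term
    _record("Set-Mailbox", _params(("Identity", "alice@contoso.com"))),          # dropped: not a permission grant
]


def run(records: List[Dict[str, str]]) -> List[Finding]:
    """Apply classify() to every record and keep the findings, in input order."""
    return [f for f in map(classify, records) if f is not None]


if __name__ == "__main__":
    for f in run(SAMPLE_RECORDS):
        print(f"{f.alert_severity:8} {f.target_mailbox:28} <- {f.delegate_user} [{f.access_rights}]")
```

The fourth record is the one to keep in mind when tuning: term-based matching means the "finance" pattern never sees "financeteam", so the grant lands at Medium rather than High, exactly as the KQL has_any would score it.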

David Alonso
Released: March 18, 2026