M365 Risky Exchange Operation

View all detections
M365 Risky Exchange Operation


  • High risk Exchange operations which range from allowing the exfiltration of data, the creation of backdoor rules, execution of VBS scripts, or forwarding and collecting sensitive information.

Possible Root Causes

  • An attacker is manipulating Exchange to gain access to a specific set of data or to enable continued attack progression.
  • In some cases, these operations may be authorized activities for a small set of highly privileged users who perform them so infrequently that they are outside what the detection model considers normal.
  • Authorized configurations in cases of a permanent employee separation or temporary leave of absence may involve activities that would otherwise compromise mailbox integrity.

Business Impact

  • Sensitive data and content may be contained within Exchange which may be useful or desirable to an adversary.
  • Compromising Exchange may allow an attacker to continue their attack progression.

Steps to Verify

  • Verify whether these changes to the configurations are intentional and have been made with appropriate compensating safeguards.