M365 Risky Exchange Operation
Detection overview
Triggers
- High risk Exchange operations which range from allowing the exfiltration of data, the creation of backdoor rules, execution of VBS scripts, or forwarding and collecting sensitive information.
Possible Root Causes
- An attacker is manipulating Exchange to gain access to a specific set of data or to enable continued attack progression.
- In some cases, these operations may be authorized activities for a small set of highly privileged users who perform them so infrequently that they are outside what the detection model considers normal.
- Authorized configurations in cases of a permanent employee separation or temporary leave of absence may involve activities that would otherwise compromise mailbox integrity.
Business Impact
- Sensitive data and content may be contained within Exchange which may be useful or desirable to an adversary.
- Compromising Exchange may allow an attacker to continue their attack progression.
Steps to Verify
- Verify whether these changes to the configurations are intentional and have been made with appropriate compensating safeguards.
M365 Risky Exchange Operation
Possible root causes
Malicious Detection
Benign Detection
M365 Risky Exchange Operation
Example scenarios
M365 Risky Exchange Operation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Risky Exchange Operation
Steps to investigate
M365 Risky Exchange Operation
MITRE ATT&CK techniques covered
M365 Risky Exchange Operation
Related detections
No items found.