M365 Suspicious Mailbox Manipulation
Detection overview
Triggers
- Access has been granted to more resources than a user has had historically and has occurred outside of learned administrator behaviors.
Possible Root Causes
- An attacker has escalated the account’s Exchange access rights to enable business email compromise or the collection of additional information to aid in the next step of the attack.
- Employee life-cycle activities such as permanent separation or temporary leaves of absence may legitimately require mailbox modifications which could trigger this detection.
- Some service-specific mailboxes are intentionally granted these permissions.
Business Impact
- Sensitive data and content may be contained within Exchange which may be useful or desirable to an adversary.
- Data may leak from a user’s mailbox by being transmitted to unauthorized entities.
Steps to Verify
- Validate that the permissions granted are appropriate to the entity in question.
M365 Suspicious Mailbox Manipulation
Possible root causes
Malicious Detection
Benign Detection
M365 Suspicious Mailbox Manipulation
Example scenarios
M365 Suspicious Mailbox Manipulation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspicious Mailbox Manipulation
Steps to investigate
M365 Suspicious Mailbox Manipulation
Related detections
No items found.