M365 Suspicious Mailbox Manipulation

View all detections
M365 Suspicious Mailbox Manipulation


  • Access has been granted to more resources than a user has had historically and has occurred outside of learned administrator behaviors.

Possible Root Causes

  • An attacker has escalated the account’s Exchange access rights to enable business email compromise or the collection of additional information to aid in the next step of the attack.
  • Employee life-cycle activities such as permanent separation or temporary leaves of absence may legitimately require mailbox modifications which could trigger this detection.
  • Some service-specific mailboxes are intentionally granted these permissions.

Business Impact

  • Sensitive data and content may be contained within Exchange which may be useful or desirable to an adversary.
  • Data may leak from a user’s mailbox by being transmitted to unauthorized entities.

Steps to Verify

  • Validate that the permissions granted are appropriate to the entity in question.