O365 Elevated Mailbox Permission Assigned

name: O365 Elevated Mailbox Permission Assigned
id: 2246c142-a678-45f8-8546-aaed7e0efd30
version: 11
date: '2026-03-10'
author: Patrick Bareiss, Mauricio Velazco, Splunk
data_source:
    - O365 Add-MailboxPermission
type: TTP
status: production
description: The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.
search: |-
    `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner)
      | rename Identity AS dest_user
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY signature dest user
           src vendor_account vendor_product
           dest_user
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `o365_elevated_mailbox_permission_assigned_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed.
references:
    - https://attack.mitre.org/techniques/T1098/002/
    - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission
    - https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019
drilldown_searches:
    - name: View the detection results for - "$dest_user$"
      search: '%original_detection_search% | search  dest_user = "$dest_user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest_user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Elevated mailbox permissions were assigned on $dest_user$
    risk_objects:
        - field: dest_user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Collection Techniques
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1098.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: audit
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json
          source: o365:management:activity
          sourcetype: o365:management:activity