Detection of anomalous or unauthorized mailbox delegation activity (e.g., Add-MailboxPermission, Default/Anonymous mailbox permissions, Gmail delegation setup).

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | m365:unified | Add-MailboxPermission, UpdateFolderPermissions |

| Field | Description |
|---|---|
| DelegatePermissionLevel | Threshold for unexpected delegate roles such as FullAccess or SendAs. |
| FolderTargetScope | Mailbox folder targeted by delegation (Inbox, Root, Calendar, etc.). |
| DelegatorToDelegatePairing | Pairings of delegate and delegator users that are expected. |
| MailflowAnomalyThreshold | Spike in outbound mail after delegate addition, used to catch phishing or mass exfil. |
Execution of PowerShell commands that modify mailbox permissions using Exchange cmdlets (e.g., Add-MailboxPermission), often tied to BEC or post-compromise persistence.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Application Log Content (DC0038) | m365:unified | PowerShell: Add-MailboxPermission |

| Field | Description |
|---|---|
| PowerShellCmdletFilter | Exchange cmdlets to include or exclude based on scope (e.g., Add-MailboxPermission, Set-MailboxFolderPermission). |
| ExecutionParent | Flag suspicious script or interactive shell launch by non-admins. |
| TimeWindow | Window in which Add-MailboxPermission is followed by anomalous usage (e.g., SendAs events). |
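The following is an added worked example, not part of the original detection strategy, showing how the tunables from both analytics above (DelegatePermissionLevel, DelegatorToDelegatePairing, TimeWindow, MailflowAnomalyThreshold) combine into one piece of detection logic over m365:unified records. It is written in Python rather than PowerShell so it runs offline against embedded sample data. The record layout (Operation, UserId, ObjectId, CreationTime, Parameters as a list of Name/Value pairs) approximates the unified audit log export; the field names, the threshold values and every sample record are constructed for this illustration and are not from the page.

```python
"""Detect high-risk mailbox delegations outside expected pairings and escalate
when the new delegate starts sending as the mailbox within the time window.

Added example; record schema and sample data are constructed, not from the page.
"""
from datetime import datetime, timedelta

# DelegatePermissionLevel: access rights considered high-risk when delegated.
HIGH_RISK_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# DelegatorToDelegatePairing: (mailbox, delegate) pairs the organisation expects.
EXPECTED_PAIRS = {("ceo@example.com", "exec-assistant@example.com")}

# TimeWindow and MailflowAnomalyThreshold (assumed values for this example).
WINDOW = timedelta(hours=24)
SENDAS_THRESHOLD = 3

# Constructed unified-audit-log style records (approximate schema).
SAMPLE_RECORDS = [
    # Expected pairing: executive assistant gets FullAccess to the CEO mailbox.
    {"CreationTime": "2024-05-01T08:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com", "ObjectId": "ceo@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "exec-assistant@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Unexpected pairing: mailbox owner grants FullAccess to an outside account.
    {"CreationTime": "2024-05-01T09:10:00", "Operation": "Add-MailboxPermission",
     "UserId": "finance-lead@example.com", "ObjectId": "finance-lead@example.com",
     "Parameters": [{"Name": "Identity", "Value": "finance-lead@example.com"},
                    {"Name": "User", "Value": "contractor@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Three SendAs events by the new delegate shortly after the grant.
    {"CreationTime": "2024-05-01T09:30:00", "Operation": "SendAs",
     "UserId": "contractor@example.com", "ObjectId": "finance-lead@example.com"},
    {"CreationTime": "2024-05-01T09:31:00", "Operation": "SendAs",
     "UserId": "contractor@example.com", "ObjectId": "finance-lead@example.com"},
    {"CreationTime": "2024-05-01T09:32:00", "Operation": "SendAs",
     "UserId": "contractor@example.com", "ObjectId": "finance-lead@example.com"},
    # Read-only grant: below the DelegatePermissionLevel threshold, no alert.
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "hr@example.com", "ObjectId": "hr@example.com",
     "Parameters": [{"Name": "Identity", "Value": "hr@example.com"},
                    {"Name": "User", "Value": "hr-temp@example.com"},
                    {"Name": "AccessRights", "Value": "ReadPermission"}]},
]


def _params(record):
    """Flatten the Parameters list into a Name -> Value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _ts(record):
    return datetime.fromisoformat(record["CreationTime"])


def sendas_count(records, mailbox, delegate, start, window=WINDOW):
    """Count SendAs events by `delegate` on `mailbox` in (start, start + window]."""
    return sum(
        1 for r in records
        if r.get("Operation") == "SendAs"
        and r.get("UserId") == delegate
        and r.get("ObjectId") == mailbox
        and start < _ts(r) <= start + window
    )


def detect_delegation_anomalies(records, expected_pairs=EXPECTED_PAIRS,
                                window=WINDOW, threshold=SENDAS_THRESHOLD):
    """Return one alert per high-risk delegation not in the expected pairings."""
    alerts = []
    for r in records:
        if r.get("Operation") != "Add-MailboxPermission":
            continue
        p = _params(r)
        mailbox, delegate = p.get("Identity"), p.get("User")
        # AccessRights may be exported as a comma-separated list.
        granted = {x.strip() for x in p.get("AccessRights", "").split(",")}
        granted &= HIGH_RISK_RIGHTS
        if not granted or (mailbox, delegate) in expected_pairs:
            continue
        n = sendas_count(records, mailbox, delegate, _ts(r), window)
        alerts.append({
            "time": r["CreationTime"],
            "actor": r.get("UserId"),
            "mailbox": mailbox,
            "delegate": delegate,
            "rights": sorted(granted),
            "sendas_in_window": n,
            # Delegation followed by a burst of SendAs is the BEC pattern: escalate.
            "severity": "high" if n >= threshold else "medium",
            # Self-service grants by the mailbox owner deserve a closer look.
            "granted_by_owner": r.get("UserId") == mailbox,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_delegation_anomalies(SAMPLE_RECORDS):
        print(a)
```

Only the contractor grant fires: the CEO pairing is allowlisted and the HR grant is read-only. Because three SendAs events follow it inside the window, the alert is escalated to high and flagged as granted by the mailbox owner, which is the place to pivot into the 4688 or PowerShell transcript data for the ExecutionParent check.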