Account Manipulation: Additional Email Delegate Permissions

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.[1][2][3] In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.[4][5]

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.[6]

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add Additional Cloud Roles to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.[7]

ID: T1098.002
Sub-technique of:  T1098
Platforms: Office Suite, Windows
Contributors: Arad Inbar, Fidelis Security; Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Microsoft Detection and Response Team (DART); Mike Burns, Mandiant; Naveen Vijayaraghavan; Nilesh Dherange (Gurucul)
Version: 2.2
Created: 19 January 2020
Last Modified: 15 October 2024

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used a Powershell cmdlet to grant the ApplicationImpersonation role to a compromised account.[8]

G0016 APT29

APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxes; APT29 has also used compromised accounts holding ApplicationImpersonation rights in Exchange to collect emails.[9][10]

C0038 HomeLand Justice

During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[11]

G0059 Magic Hound

Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[2]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.[12][13][14]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.[4]

M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

M1026 Privileged Account Management

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None.

A larger than normal volume of emails sent from an account and similar phishing emails sent from real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.

DS0036 Group Group Modification

Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.

DS0002 User Account User Account Modification

Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.

References