Office 365
Microsoft Office 365 cloud productivity suite including Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory (now Microsoft Entra ID). Logs are captured via the Office 365 Management Activity API, which delivers JSON audit records whose Workload and Operation fields identify the service and the action taken; the Exchange records below carry cmdlet parameters in a Parameters array, while Azure AD records carry the change in ModifiedProperties.
Azure-Active-Directory
👑 Azure AD Role Assignment
Add Member to Role - Privilege Escalation
Captures Azure Active Directory role assignment operations (Operation 'Add member to role.' in the audit log) where a user is added to an administrative directory role. Global Administrator assignments are the highest risk as they grant complete control over the tenant; Privileged Role Administrator is close behind because it can assign any role, including Global Administrator. This event is critical for detecting privilege escalation and unauthorized administrative access: compare the actor against the target (self-assignment is a strong indicator), check the assignment against change records or Privileged Identity Management activations, and treat an assignment from an unfamiliar IP address as compromise until proven otherwise.
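As an added example (not part of this catalog), the following Python applies the detection above to records in the Management Activity API shape. The operation strings, triage tiers, tenant names and sample records are assumptions; the Global Administrator template ID is the well-known built-in value, matched alongside Role.DisplayName so a renamed or localized display name cannot slip past the check.

```python
from typing import Optional

# Operation names for role membership changes as they appear in Office 365
# Management Activity API records. Assumption: confirm the exact strings
# against your own tenant's audit log before relying on them.
ROLE_ADD_OPERATIONS = {
    "Add member to role.",
    "Add member to role completed (PIM activation)",
}

# Template ID of the built-in Global Administrator role; stable across tenants,
# unlike display names, so it is matched in addition to Role.DisplayName.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Example triage tiers (an assumption; align with your own role policy).
CRITICAL_ROLES = {"Global Administrator", "Privileged Role Administrator",
                  "Privileged Authentication Administrator"}
HIGH_ROLES = {"Exchange Administrator", "SharePoint Administrator", "Security Administrator",
              "Application Administrator", "Cloud Application Administrator",
              "User Administrator", "Authentication Administrator",
              "Helpdesk Administrator", "Conditional Access Administrator"}


def modified(rec: dict) -> dict:
    """ModifiedProperties is [{Name, NewValue, OldValue}, ...]. NewValue is a
    JSON-encoded string (e.g. '"Global Administrator"'), so strip the quotes."""
    return {m["Name"]: str(m.get("NewValue", "")).strip('"')
            for m in rec.get("ModifiedProperties", [])}


def role_assignment_alert(rec: dict) -> Optional[dict]:
    """Return an alert dict for a successful role assignment record, else None."""
    if rec.get("Workload") != "AzureActiveDirectory":
        return None
    if rec.get("Operation") not in ROLE_ADD_OPERATIONS or rec.get("ResultStatus") != "Success":
        return None
    props = modified(rec)
    role = props.get("Role.DisplayName", "")
    template = props.get("Role.TemplateId", "").lower()
    actor = rec.get("UserId", "?")       # who performed the assignment
    target = rec.get("ObjectId", "?")    # who received the role
    if role in CRITICAL_ROLES or template == GLOBAL_ADMIN_TEMPLATE_ID:
        severity = "critical"
    elif role in HIGH_ROLES:
        severity = "high"
    else:
        severity = "medium"
    flags = []
    if actor.lower() == target.lower():
        flags.append("self-assignment")
    if "PIM activation" in rec["Operation"]:
        flags.append("pim-activation")   # time-bound; expected where PIM is in use
    return {"rule": "Azure AD Role Assignment", "severity": severity, "actor": actor,
            "target": target, "role": role or template or "?",
            "ip": rec.get("ActorIpAddress", ""), "flags": flags}


def detect(records) -> list:
    return [a for a in map(role_assignment_alert, records) if a]


# Constructed sample records (not real tenant data).
SAMPLE = [
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to role.",
     "ResultStatus": "Success", "UserId": "mallory@contoso.com",
     "ObjectId": "mallory@contoso.com", "ActorIpAddress": "203.0.113.7",
     "ModifiedProperties": [
         {"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\"", "OldValue": ""},
         {"Name": "Role.TemplateId", "NewValue": "\"62e90394-69f5-4237-9190-012177145e10\"",
          "OldValue": ""}]},
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to role.",
     "ResultStatus": "Success", "UserId": "admin@contoso.com",
     "ObjectId": "helpdesk1@contoso.com", "ActorIpAddress": "198.51.100.4",
     "ModifiedProperties": [
         {"Name": "Role.DisplayName", "NewValue": "\"Helpdesk Administrator\"", "OldValue": ""}]},
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to role.",
     "ResultStatus": "Failure", "UserId": "mallory@contoso.com",   # failed: no change
     "ObjectId": "mallory@contoso.com",
     "ModifiedProperties": [
         {"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\"", "OldValue": ""}]},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Failed attempts are dropped because they change nothing, but a burst of failures from one actor is itself worth a separate, lower-severity rule.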
Exchange
📮 Inbox Rule Created with External Forwarding
New-InboxRule - User-level Email Forwarding
Captures New-InboxRule (and Set-InboxRule) operations where a user creates an inbox rule whose ForwardTo, ForwardAsAttachmentTo, or RedirectTo parameter points to an address outside the tenant's accepted domains. This is a common technique for data exfiltration and persistence after account compromise: the rule lives inside the mailbox rather than in its configuration, so it does not show up in Get-Mailbox forwarding attributes, and rules created from Outlook desktop can be recorded as UpdateInboxRules rather than New-InboxRule. Tenant-level controls (the outbound spam policy's automatic forwarding setting and the remote domain AutoForwardEnabled flag) stop the forwarded copies from leaving, but the rule creation itself still indicates compromise. Rules with a one-character name, or that also set DeleteMessage or MarkAsRead to hide the forwarded mail from the owner, are a recognized business email compromise pattern.
📤 Mailbox External Forwarding Configuration
Set-Mailbox with ForwardingSmtpAddress - Data Exfiltration Risk
Captures Set-Mailbox operations that set ForwardingSmtpAddress (value prefixed smtp:) or ForwardingAddress (a tenant recipient, often a mail contact that resolves to an external address), enabling automatic forwarding of all mail arriving at the mailbox. This is a critical security event as it is commonly used for data exfiltration and persistence; DeliverToMailboxAndForward set to True keeps a copy in the mailbox so the owner notices nothing. Because Set-Mailbox requires Exchange administrative rights, the event also points to a compromised or misused admin account. The tenant-wide control is Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off, which blocks automatic forwarding regardless of how it was configured.
🔑 Mailbox Permission Delegation
Add-MailboxPermission - Persistent Mailbox Access
Captures Add-MailboxPermission operations that grant one user (the User parameter) access rights on another user's mailbox (the Identity parameter). FullAccess permissions are particularly concerning as they provide complete read access to the mailbox, survive password resets of both accounts, and can enable long-term persistence for attackers; with AutoMapping (the default) the mailbox also opens automatically in the delegate's Outlook. FullAccess does not include Send As or Send on Behalf, which are separate audited operations (Add-RecipientPermission and Set-Mailbox -GrantSendOnBehalfTo). Delegations to accounts outside the mailbox owner's team, to recently created accounts, or to the actor's own account warrant review.
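The three Exchange detections above (external inbox-rule forwarding, Set-Mailbox forwarding, and mailbox permission delegation) all read the same Parameters array, so this added Python example (not the catalog's own code) implements them together over records in the Management Activity API shape. The tenant domains, the sample records and the severity labels are assumptions; the address extraction accepts both the '[SMTP:addr]' form seen in inbox-rule parameters and the 'smtp:addr' form used by ForwardingSmtpAddress.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the tenant's accepted domains; any other domain is "external".
ORG_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
# Inbox-rule parameters that move mail out of the mailbox.
RULE_FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

@dataclass
class Alert:
    """rule, severity, actor (UserId that ran the cmdlet), target mailbox, detail."""
    rule: str
    severity: str
    actor: str
    target: str
    detail: str

def params(rec: dict) -> dict:
    """Flatten the Exchange record's Parameters array ([{Name, Value}, ...])."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}

def external_addresses(value: str) -> list:
    """Extract SMTP addresses from values like '[SMTP:x@evil.example]' or
    'smtp:x@evil.example' and keep only those outside ORG_DOMAINS."""
    return sorted({a for a in ADDR_RE.findall(value)
                   if a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS})

def check_inbox_rule(rec: dict) -> Optional[Alert]:
    p = params(rec)
    ext = sorted({a for n in RULE_FORWARD_PARAMS.intersection(p)
                  for a in external_addresses(p[n])})
    if not ext:
        return None
    return Alert("Inbox Rule Created with External Forwarding", "high", rec["UserId"],
                 p.get("Mailbox", rec["UserId"]),
                 f"rule {p.get('Name', '?')!r} forwards to {', '.join(ext)}")

def check_mailbox_forwarding(rec: dict) -> Optional[Alert]:
    p = params(rec)
    target = p.get("Identity", rec.get("ObjectId", "?"))
    ext = external_addresses(p.get("ForwardingSmtpAddress", ""))
    if ext:
        return Alert("Mailbox External Forwarding Configuration", "critical", rec["UserId"],
                     target, f"ForwardingSmtpAddress={ext[0]} DeliverToMailboxAndForward="
                     f"{p.get('DeliverToMailboxAndForward', 'False')}")
    if p.get("ForwardingAddress"):
        # A tenant recipient (often a mail contact); resolve it in the directory.
        return Alert("Mailbox External Forwarding Configuration", "medium", rec["UserId"],
                     target, f"ForwardingAddress={p['ForwardingAddress']} (resolve recipient)")
    return None

def check_mailbox_permission(rec: dict) -> Optional[Alert]:
    p = params(rec)
    rights, delegate = p.get("AccessRights", ""), p.get("User", "?")
    if delegate.upper().startswith("NT AUTHORITY\\SELF"):
        return None   # the owner's implicit rights, not a delegation
    severity = "high" if "fullaccess" in rights.lower() else "low"
    return Alert("Mailbox Permission Delegation", severity, rec["UserId"],
                 p.get("Identity", rec.get("ObjectId", "?")),
                 f"{delegate} granted {rights} (AutoMapping={p.get('AutoMapping', 'True')})")

CHECKS = {"New-InboxRule": check_inbox_rule, "Set-InboxRule": check_inbox_rule,
          "Set-Mailbox": check_mailbox_forwarding,
          "Add-MailboxPermission": check_mailbox_permission}

def detect(records) -> list:
    alerts = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("ResultStatus") == "False":
            continue   # failed cmdlets change nothing
        check = CHECKS.get(rec.get("Operation"))
        if check and (alert := check(rec)):
            alerts.append(alert)
    return alerts

# Constructed sample records (not real tenant data).
SAMPLE = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@contoso.com",
     "ResultStatus": "True", "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@evil.example]"}]},
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@contoso.com",
     "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "bob@contoso.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@evil.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.com",
     "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.com"},
                    {"Name": "User", "Value": "mallory@contoso.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "carol@contoso.com",
     "ResultStatus": "True",   # internal forwarding: must not alert
     "Parameters": [{"Name": "Name", "Value": "to team"},
                    {"Name": "ForwardTo", "Value": "[SMTP:team@contoso.com]"}]},
]
```

Run detect(SAMPLE) to see one high, one critical and one high alert; the fourth record forwards inside the tenant and produces nothing. ForwardingAddress is reported at medium severity only because the record does not carry the recipient's external address; a directory lookup of the named recipient decides whether it is really exfiltration.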
Sharepoint
🔗 SharePoint Anonymous Link Created
Public File Sharing - Data Exposure Risk
Captures SharePoint Online and OneDrive events (Operation AnonymousLinkCreated) where users create anonymous sharing links ('Anyone with the link') for files or folders. These links allow unauthenticated access to content, creating potential data exposure risks, especially for sensitive documents in Finance, HR, or Legal sites; a link on a folder exposes everything beneath it. The SiteUrl, SourceFileName, and ObjectId fields identify what was shared and ClientIP where the sharer was. Anyone links can be turned off per site or tenant (any SharingCapability below ExternalUserAndGuestSharing) and given a default expiration, and the companion AnonymousLinkUsed event shows when such a link is actually exercised.
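As an added example (not part of this catalog), this Python scores AnonymousLinkCreated records the way the entry above suggests: higher severity for sensitive sites and for folders, plus a bulk-sharing flag when one user creates many Anyone links in the same batch. The sensitive-site list, the bulk threshold, the tenant URLs and the sample records are assumptions.

```python
from collections import Counter
from urllib.parse import urlparse

# Assumption: site names (the segment after /sites/ or /teams/) whose content
# is sensitive enough that an Anyone link warrants a high-severity alert.
SENSITIVE_SITES = {"finance", "hr", "legal"}
# Assumption: this many Anyone links by one user in a batch looks like bulk sharing.
BULK_THRESHOLD = 5
ANON_OPS = {"AnonymousLinkCreated"}


def site_name(site_url: str) -> str:
    """'https://contoso.sharepoint.com/sites/Finance/' -> 'finance';
    OneDrive personal sites and the root site return ''."""
    parts = [p for p in urlparse(site_url).path.split("/") if p]
    if len(parts) >= 2 and parts[0].lower() in ("sites", "teams"):
        return parts[1].lower()
    return ""


def anonymous_link_alerts(records) -> list:
    created = [r for r in records
               if r.get("Workload") in ("SharePoint", "OneDrive")
               and r.get("Operation") in ANON_OPS]
    per_user = Counter(r.get("UserId", "?") for r in created)
    alerts = []
    for r in created:
        site = site_name(r.get("SiteUrl", ""))
        folder = r.get("ItemType") == "Folder"
        flags = []
        if site in SENSITIVE_SITES:
            flags.append(f"sensitive-site:{site}")
        if folder:
            flags.append("folder-exposed")   # everything beneath the folder is reachable
        if per_user[r.get("UserId", "?")] >= BULK_THRESHOLD:
            flags.append("bulk-sharing")
        severity = "high" if site in SENSITIVE_SITES or folder else "medium"
        alerts.append({
            "rule": "SharePoint Anonymous Link Created", "severity": severity,
            "user": r.get("UserId", "?"), "ip": r.get("ClientIP", ""),
            "item": r.get("ObjectId") or r.get("SourceFileName", "?"),
            "site": r.get("SiteUrl", ""), "flags": flags})
    return alerts


# Constructed sample records (not real tenant data).
SAMPLE = [
    {"Workload": "SharePoint", "Operation": "AnonymousLinkCreated", "UserId": "alice@contoso.com",
     "ClientIP": "203.0.113.7", "ItemType": "File",
     "SiteUrl": "https://contoso.sharepoint.com/sites/Finance/",
     "SourceFileName": "FY25-Budget.xlsx",
     "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/FY25-Budget.xlsx"},
    {"Workload": "SharePoint", "Operation": "AnonymousLinkCreated", "UserId": "bob@contoso.com",
     "ClientIP": "198.51.100.4", "ItemType": "File",
     "SiteUrl": "https://contoso.sharepoint.com/sites/Marketing/",
     "SourceFileName": "Brochure.pdf",
     "ObjectId": "https://contoso.sharepoint.com/sites/Marketing/Shared Documents/Brochure.pdf"},
    {"Workload": "SharePoint", "Operation": "AnonymousLinkCreated", "UserId": "alice@contoso.com",
     "ClientIP": "203.0.113.7", "ItemType": "Folder",
     "SiteUrl": "https://contoso.sharepoint.com/sites/HR/",
     "SourceFileName": "Employee Files",
     "ObjectId": "https://contoso.sharepoint.com/sites/HR/Shared Documents/Employee Files"},
    {"Workload": "SharePoint", "Operation": "SharingSet", "UserId": "carol@contoso.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/Legal/"},   # not an Anyone link
]

if __name__ == "__main__":
    for a in anonymous_link_alerts(SAMPLE):
        print(a["severity"].upper(), a["user"], a["item"], a["flags"])
```

The SharingSet record is ignored on purpose: it covers sharing to named people or guests, which is a different (authenticated) exposure and belongs in its own rule.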