Mailbox Permission Delegation
Add-MailboxPermission - Persistent Mailbox Access
Records Add-MailboxPermission operations that grant mailbox access rights (most importantly FullAccess) to other users, providing persistent access that survives a password reset of the mailbox owner
Overview
Captures Add-MailboxPermission operations that grant mailbox access rights to other users. FullAccess is the right to watch for: it gives the delegate read and write access to every folder in the mailbox, it is not revoked by a password reset of the mailbox owner (only by removing the permission or disabling the delegate account), and it gives an attacker a foothold that outlives the initial account compromise. Note that in Exchange Online the cmdlet itself assigns FullAccess, ReadPermission and the other mailbox ACL rights; Send As is assigned with Add-RecipientPermission and Send on Behalf with Set-Mailbox -GrantSendOnBehalfTo, and real audit records for those appear under their own Operation names. This event type folds SendAs and SendOnBehalf into the same AccessRights parameter as a simplification.
When Generated:
- Administrator delegates mailbox access for legitimate business needs
- Executive assistant granted access to executive mailbox
- Attacker establishes persistence via mailbox delegation
- Service account configured with mailbox access permissions
- Shared mailbox permissions configured
Security Relevance: High
Compliance:
Frequency Notes:
Low frequency under normal operations. Suspicious patterns: FullAccess granted to contractor, guest or external accounts; permissions granted to recently created accounts; AutoMapping explicitly disabled (the default is $true, and -AutoMapping $false keeps the delegated mailbox from appearing in the delegate's Outlook profile, which attackers use to keep the grant inconspicuous); and off-hours activity (2.5x night multiplier). FullAccess to executive or finance mailboxes requires elevated scrutiny, and a Failed attempt against such a mailbox is still worth reviewing.
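The following Python is an added example, not code from this page or from the generator it documents. It parses AuditData records in the layout given under Field Definitions and scores each Add-MailboxPermission event against the suspicious patterns above (FullAccess, sensitive target, guest or external delegate, recently created delegate account, AutoMapping disabled, off-hours). The tenant domains, sensitive-mailbox list, account creation dates and off-hours window are assumptions for the example; in a real pipeline the creation dates come from a directory query, and the sample records are constructed, not captured from a tenant.

```python
"""Triage Add-MailboxPermission audit records for the suspicious patterns
listed under Frequency Notes. Added example, not code from this page or the
generator it documents; the sample records are constructed to match the page's
field layout."""
import json
from datetime import datetime, timedelta, timezone

# Assumptions (not from the page): tenant domains, mailboxes that warrant
# extra scrutiny, and account creation dates, which in practice come from a
# directory lookup (for example Get-User's WhenCreated).
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
SENSITIVE_MAILBOXES = {"ceo@contoso.com", "cfo@contoso.com", "ap@contoso.com"}
ACCOUNT_CREATED = {
    "svc-backup@contoso.com": datetime(2022, 3, 1, tzinfo=timezone.utc),
    "j.doe@contoso.com": datetime(2024, 12, 13, tzinfo=timezone.utc),
}
NEW_ACCOUNT_WINDOW = timedelta(days=14)
OFF_HOURS = range(0, 6)  # UTC; shift to the tenant's working hours in production

# Constructed AuditData records, reduced to the fields the rules below use.
SAMPLE_RECORDS = [
    json.dumps({"Id": "rec-benign", "CreationTime": "2024-12-15T11:42:18Z",
                "Operation": "Add-MailboxPermission", "ResultStatus": "Success",
                "UserId": "it.admin@contoso.com", "ObjectId": "sales-shared@contoso.com",
                "Parameters": [{"Name": "Identity", "Value": "sales-shared@contoso.com"},
                               {"Name": "User", "Value": "svc-backup@contoso.com"},
                               {"Name": "AccessRights", "Value": "FullAccess"},
                               {"Name": "InheritanceType", "Value": "All"},
                               {"Name": "AutoMapping", "Value": "True"}]}),
    json.dumps({"Id": "rec-persistence", "CreationTime": "2024-12-15T02:17:44Z",
                "Operation": "Add-MailboxPermission", "ResultStatus": "Success",
                "UserId": "it.admin@contoso.com", "ObjectId": "cfo@contoso.com",
                "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.com"},
                               {"Name": "User", "Value": "j.doe@contoso.com"},
                               {"Name": "AccessRights", "Value": "FullAccess"},
                               {"Name": "AutoMapping", "Value": "False"}]}),
    json.dumps({"Id": "rec-failed-guest", "CreationTime": "2024-12-15T14:05:09Z",
                "Operation": "Add-MailboxPermission", "ResultStatus": "Failed",
                "UserId": "it.admin@contoso.com", "ObjectId": "ceo@contoso.com",
                "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.com"},
                               {"Name": "User",
                                "Value": "contractor_outlook.com#EXT#@contoso.onmicrosoft.com"},
                               {"Name": "AccessRights", "Value": "FullAccess"}]}),
]


def parse_parameters(record):
    """Flatten the Parameters array into a case-insensitive {name: value} dict."""
    return {p["Name"].lower(): str(p["Value"]) for p in record.get("Parameters", [])}


def triage(record):
    """Score one Add-MailboxPermission record; returns (score, reasons)."""
    if record.get("Operation") != "Add-MailboxPermission":
        return 0, []
    params = parse_parameters(record)
    rights = {r.strip(" {}") for r in params.get("accessrights", "").split(",")}
    delegate = params.get("user", "").lower()
    target = (params.get("identity") or record.get("ObjectId", "")).lower()
    when = datetime.fromisoformat(record["CreationTime"].replace("Z", "+00:00"))
    findings = []

    if "FullAccess" in rights:
        findings.append((3, "FullAccess granted (survives password resets)"))
    if target in SENSITIVE_MAILBOXES:
        findings.append((2, f"sensitive target mailbox {target}"))
    if "#ext#" in delegate or delegate.rsplit("@", 1)[-1] not in TENANT_DOMAINS:
        findings.append((3, f"guest/external delegate {delegate}"))
    created = ACCOUNT_CREATED.get(delegate)
    if created is not None and when - created < NEW_ACCOUNT_WINDOW:
        findings.append((2, "delegate account created within the last 14 days"))
    if params.get("automapping", "true").lower() == "false":
        findings.append((1, "AutoMapping disabled: mailbox hidden from delegate's Outlook"))
    if when.hour in OFF_HOURS:
        findings.append((1, f"off-hours grant at {when:%H:%M} UTC"))
    if record.get("ResultStatus") != "Success":
        findings.append((0, "grant failed; attempt itself still warrants review"))

    return sum(points for points, _ in findings), [why for _, why in findings]


def triage_batch(raw_records, threshold=5):
    """Parse AuditData JSON strings; return (Id, score, reasons) at or above threshold."""
    results = []
    for raw in raw_records:
        record = json.loads(raw)
        score, reasons = triage(record)
        if score >= threshold:
            results.append((record["Id"], score, reasons))
    return sorted(results, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for rec_id, score, reasons in triage_batch(SAMPLE_RECORDS):
        print(f"{rec_id}: score {score}")
        for why in reasons:
            print(f"  - {why}")
```

With the default threshold the benign shared-mailbox grant (score 3) is dropped, while the night-time FullAccess grant on the CFO mailbox to a two-day-old account with AutoMapping off (score 9) and the failed attempt to delegate the CEO mailbox to a guest (score 8) are surfaced. The weights are illustrative; tune them against your own baseline of legitimate delegations.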
Resources
Tools
- Get-MailboxPermission PowerShell: query and audit mailbox permission delegations
- Microsoft 365 Defender: native detection for suspicious mailbox permission changes
- Hawk PowerShell Module: hunt for suspicious mailbox delegations and permissions
Generation Configuration
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Source | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|---|
| CreationTime | now() \| iso8601 | DateTime | Required | ISO 8601 | Timestamp when the mailbox permission was granted | 2024-12-15T11:42:18Z | — |
| Id | random_guid() | String | Required | GUID | Unique identifier for this audit record | d5e6f7a8-b9c0-1d2e-3f4a-5b6c7d8e9f0a | — |
| Operation | Static value 'Add-MailboxPermission' | String | Required | — | Exchange PowerShell cmdlet executed | Add-MailboxPermission | — |
| OrganizationId | Derived from organization domain | String | Required | GUID | Microsoft 365 tenant identifier | b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e | — |
| RecordType | Static value 1 | Integer | Required | — | Office 365 audit log record type (1 = ExchangeAdmin) | 1 | — |
| ResultStatus | random_choice(['Success', 'Success', 'Success', 'Failed']) | String | Required | — | Outcome of the permission grant operation | Success | Success: permission granted successfully; Failed: permission grant failed (insufficient permissions or validation error) |
| UserKey | registry.get_random_user().email | String | Required | — | Unique identifier for the administrator who granted the permission | it.admin@contoso.com | — |
| UserType | Static value 2 (Administrator) | Integer | Required | — | Type of user performing the action (should be admin) | 2 | 2: Administrator, required for Add-MailboxPermission |
| Workload | Static value 'Exchange' | String | Required | — | Office 365 service where the operation occurred | Exchange | — |
| UserId | registry.get_random_user().email | String | Required | Email/UPN | User principal name of the administrator account | it.admin@contoso.com | — |
| ClientIP | random_choice([random_private_ip(), random_public_ip()]) | String | Required | IPv4:Port | IP address and port from which the operation was performed | 192.0.2.147:57392 | — |
| ObjectId | registry.get_random_user().email | String | Required | Email/UPN | Target mailbox for which permissions were granted | executive@contoso.com | — |
| ExternalAccess | random_choice(['false', 'false', 'true']), weighted toward internal | Boolean | Required | — | true when the cmdlet was run by someone outside the tenant (Microsoft datacenter personnel or a delegated/partner administrator), false when run by a user in the organization; this is not a network-location flag, so do not read it as "from outside the corporate network" | false | — |
| OrganizationName | Derived from organization domain | String | Required | `*.onmicrosoft.com` | Microsoft 365 tenant name | contoso.onmicrosoft.com | — |
| OriginatingServer | Random Exchange Online server identifier | String | Required | — | Exchange server that processed the operation | BN8PR01MB5678 (15.20.7654.32) | — |
| Parameters | Array of parameter objects | Array | Required | — | PowerShell parameters used in the Add-MailboxPermission operation | — | — |
| Parameters[].Name | — | String | Required | — | Parameter name (Identity, User, AccessRights, InheritanceType, AutoMapping) | AccessRights | — |
| Parameters[].Value | Context-specific values | String | Required | — | Parameter value: AccessRights (FullAccess, SendAs, SendOnBehalf, ReadPermission), User (delegated account), AutoMapping (whether the mailbox is automatically added to the delegate's Outlook profile; the cmdlet default is True, and an explicit False is a stealth indicator) | FullAccess | FullAccess: complete mailbox access including all folders, highest risk; SendAs: send email as the mailbox owner; SendOnBehalf: send email on behalf of the mailbox owner; ReadPermission: read-only access to the mailbox |
| SessionId | random_guid() | String | Required | GUID | Session identifier for the administrative connection | b2c3d4e5-f6a7-8b9c-0d1e-2f3a4b5c6d7e | — |
| ClientInfoString | Random client type (PowerShell, WebServices, EAC) | String | Optional | — | Information about the client application used | Client=PowerShell;Version=15.20; | — |
| Item | Object with mailbox identity | Object | Required | — | Object containing details about the target mailbox | — | — |
| ModifiedProperties | Array showing AccessRights and User additions | Array | Required | — | Properties that were changed, showing permission grant details | — | — |
| ModifiedProperties[].Name | — | String | Required | — | Property name (AccessRights, User) | AccessRights | — |
| ModifiedProperties[].NewValue | Permission type granted | String | Required | — | New permission value granted | FullAccess | — |
| ModifiedProperties[].OldValue | Empty string for new permissions | String | Required | — | Previous value (typically empty for new permissions) | — | — |