DET0373 Detection Strategy for Addition of Email Delegate Permissions

| Item | Value |
| --- | --- |
| ID | DET0373 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1098.002 (Additional Email Delegate Permissions)

Analytics

Office Suite

AN1051

Detection of anomalous or unauthorized mailbox delegation activity (e.g., Add-MailboxPermission, Default/Anonymous mailbox permissions, Gmail delegation setup).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| User Account Modification (DC0010) | m365:unified | Add-MailboxPermission, UpdateFolderPermissions |

Mutable Elements

| Field | Description |
| --- | --- |
| DelegatePermissionLevel | Threshold for unexpected delegate roles such as FullAccess or SendAs. |
| FolderTargetScope | Mailbox folder targeted by delegation (Inbox, Root, Calendar, etc.). |
| DelegatorToDelegatePairing | Pairings of delegate and delegator users that are expected. |
| MailflowAnomalyThreshold | Spike in outbound mail after delegate addition, used to catch phishing or mass exfil. |
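The following is an added example, not part of the original detection strategy: a minimal sketch of the AN1051 logic that applies DelegatePermissionLevel and DelegatorToDelegatePairing to Add-MailboxPermission events. The record layout (Operation, UserId, a Parameters name/value list), the addresses, the helper names and the severity labels are assumptions, and the log lines are constructed.

```python
import json

# Tunable values for two of the page's mutable elements (sample settings, assumptions).
HIGH_RISK_LEVELS = {"fullaccess", "sendas"}                       # DelegatePermissionLevel
EXPECTED_PAIRS = {("exec@example.com", "assistant@example.com")}  # DelegatorToDelegatePairing
BROAD_PRINCIPALS = {"default", "anonymous"}  # grants to these affect every user

def make_record(op, actor, mailbox, user, rights):
    """Build one constructed log line; the field layout is assumed, modelled on
    Exchange admin entries in the unified audit log."""
    return json.dumps({"CreationTime": "2025-10-21T09:00:00", "Operation": op, "UserId": actor,
                       "Parameters": [{"Name": "Identity", "Value": mailbox},
                                      {"Name": "User", "Value": user},
                                      {"Name": "AccessRights", "Value": rights}]})

ADMIN = "admin@example.com"
SAMPLE_LOG = "\n".join([  # constructed sample input
    make_record("Add-MailboxPermission", ADMIN, "exec@example.com", "assistant@example.com", "FullAccess"),
    make_record("Add-MailboxPermission", "j.doe@example.com", "finance@example.com", "j.doe@example.com", "FullAccess"),
    make_record("Add-MailboxPermission", ADMIN, "hr@example.com", "temp@example.com", "ReadPermission"),
    make_record("Set-Mailbox", ADMIN, "hr@example.com", "temp@example.com", ""),
    "truncated {not json",
])

def detect(log_text):
    """Return one alert dict per Add-MailboxPermission event outside the expected pairings."""
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines rather than abort the whole run
        if not isinstance(rec, dict) or str(rec.get("Operation", "")).lower() != "add-mailboxpermission":
            continue
        p = {d.get("Name", "").lower(): str(d.get("Value", "")) for d in rec.get("Parameters", [])}
        delegator, delegate = p.get("identity", "").lower(), p.get("user", "").lower()
        rights = {r.strip().lower() for r in p.get("accessrights", "").split(",") if r.strip()}
        if (delegator, delegate) in EXPECTED_PAIRS:
            continue  # known delegation relationship, no alert
        risky = bool(rights & HIGH_RISK_LEVELS) or delegate in BROAD_PRINCIPALS
        alerts.append({"time": rec.get("CreationTime"), "actor": rec.get("UserId"),
                       "delegator": delegator, "delegate": delegate,
                       "rights": sorted(rights), "severity": "high" if risky else "low"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

FolderTargetScope and MailflowAnomalyThreshold are not covered here; they need folder-permission events and mail-flow telemetry, respectively.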

Windows

AN1052

Execution of PowerShell commands that modify mailbox permissions using Exchange cmdlets (e.g., Add-MailboxPermission), often tied to BEC or post-compromise persistence.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Application Log Content (DC0038) | m365:unified | PowerShell: Add-MailboxPermission |

Mutable Elements

| Field | Description |
| --- | --- |
| PowerShellCmdletFilter | Exchange cmdlets to include or exclude based on scope (e.g., Add-MailboxPermission, Set-MailboxFolderPermission). |
| ExecutionParent | Flag suspicious script or interactive shell launch by non-admins. |
| TimeWindow | Window in which Add-MailboxPermission is followed by anomalous usage (e.g., SendAs events). |