T1098.002 Additional Email Delegate Permissions

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.[6][5][2] In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.[4][3]

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.[7]

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add Additional Cloud Roles to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.[1]

ID: T1098.002
Sub-techniques: T1098.001, T1098.002, T1098.003, T1098.004, T1098.005
Tactics: TA0003
Platforms: Google Workspace, Office 365, Windows
Version: 2.0
Created: 19 January 2020
Last Modified: 19 April 2022

Procedure Examples

ID | Name | Description
G0007 | APT28 | APT28 has used a PowerShell cmdlet to grant the ApplicationImpersonation role to a compromised account.[9]
G0016 | APT29 | APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxes.[8]
G0059 | Magic Hound | Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim’s OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[5]
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.[10][12][11]
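As an added detection-oriented example (not part of the ATT&CK page or any vendor's tooling), the following Python triage routine flags the three behaviours described above and in the Procedure Examples: mailbox-level grants via Add-MailboxPermission, folder grants to Default or Anonymous on the Top of Information Store or Inbox via Add-MailboxFolderPermission, and ActiveSync device allow-listing via Set-CASMailbox. The records are constructed to resemble Exchange admin audit entries; their field layout, the account names and the device ID are assumptions.

```python
# Constructed sample records shaped like Exchange admin audit entries (an Operation plus a
# Parameters list of Name/Value pairs); the layout, account names and device ID are assumptions.
SAMPLE_RECORDS = [
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.test",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"},
                    {"Name": "User", "Value": "contractor@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "Add-MailboxFolderPermission", "UserId": "cfo@example.test",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test:\\Inbox"},
                    {"Name": "User", "Value": "Default"},
                    {"Name": "AccessRights", "Value": "Reviewer"}]},
    {"Operation": "Set-CASMailbox", "UserId": "admin@example.test",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"},
                    {"Name": "ActiveSyncAllowedDeviceIDs", "Value": "ABCDEF0123"}]},
]

WATCHED = {"Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-CASMailbox"}
BROAD_GRANTEES = {"default", "anonymous"}  # effectively "any account in the tenant"

def params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def classify(record):
    op = record.get("Operation")
    if op not in WATCHED:
        return None
    p = params(record)
    finding = {"operation": op, "actor": record.get("UserId"),
               "target": p.get("Identity", ""), "severity": "medium"}
    if op == "Add-MailboxFolderPermission":
        identity = p.get("Identity", "")
        # Identity is "mailbox:\Folder"; a bare mailbox or "mailbox:\" is the root folder
        folder = identity.split(":", 1)[1] if ":" in identity else "\\"
        finding["folder"] = "Top of Information Store" if folder == "\\" else folder
        finding["grantee"] = p.get("User", "")
        if finding["grantee"].lower() in BROAD_GRANTEES:
            finding["severity"] = "high"
    elif op == "Add-MailboxPermission":
        finding["grantee"] = p.get("User", "")
        if p.get("AccessRights") == "FullAccess":
            finding["severity"] = "high"
    elif "ActiveSyncAllowedDeviceIDs" in p:  # a new device allowed to sync the mailbox
        finding["device_ids"] = p["ActiveSyncAllowedDeviceIDs"]
        finding["severity"] = "high"
    else:
        return None  # other Set-CASMailbox changes are not delegation-related
    return finding

def scan(records):
    return [f for f in map(classify, records) if f is not None]
```

In practice the records would come from the tenant's admin audit log rather than the inline list, and findings should be joined against the change-management record to separate approved delegation from persistence.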

Mitigations

ID | Mitigation | Description
M1042 | Disable or Remove Feature or Program | If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.[4]
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts.
M1026 | Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID | Data Source | Data Component
DS0015 | Application Log | Application Log Content
DS0036 | Group | Group Modification
DS0002 | User Account | User Account Modification

References

1. Bienstock, D. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.
2. Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.
3. Google. (2011, June 1). Ensuring your information is safe online. Retrieved April 1, 2022.
4. Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022.
5. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
6. Microsoft. (n.d.). Add-MailboxPermission. Retrieved September 13, 2019.
7. Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.
8. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
10. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
11. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
12. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.