Detection rules › Splunk
O365 Mailbox Folder Read Permission Assigned
The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the o365_management_activity data source, specifically monitoring the ModifyFolderPermissions and AddFolderPermissions operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098.002 Account Manipulation: Additional Email Delegate Permissions |
| Privilege Escalation | T1098.002 Account Manipulation: Additional Email Delegate Permissions |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body splunk
name: O365 Mailbox Folder Read Permission Assigned
id: 1435475e-2128-4417-a34f-59770733b0d5
version: 11
creation_date: '2024-04-17'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.
data_source:
- O365 ModifyFolderPermissions
search: "`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights',\"(ReadAny)\"), \"true\", \"false\") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by signature user object dest Item.ParentFolder.MemberUpn Item.ParentFolder.MemberRights src vendor_account vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter`"
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Mailbox folder permissions may be configured for legitimate purposes, filter as needed.
references:
- https://attack.mitre.org/techniques/T1098/002/
- https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946
- https://learn.microsoft.com/en-us/purview/audit-mailboxes
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: A folder was granted read permission by $user$
entity:
field: user
type: user
score: 50
analytic_story:
- Office 365 Collection Techniques
asset_type: O365 Tenant
mitre_attack_id:
- T1098.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: audit
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log
source: o365
sourcetype: o365:management:activity
test_type: unit
Stages and Predicates
Stage 1: search
`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata
Stage 2: eval
| eval isReadRole=if(match('Item.ParentFolder.MemberRights',"(ReadAny)"), "true", "false")
isReadRole =if
match('Item.ParentFolder.MemberRights', "(ReadAny)")"true"else
"false"Stage 3: rename
| rename UserId as user
Stage 4: stats
| stats count earliest(_time) as firstTime latest(_time) as lastTime by signature user object dest Item.ParentFolder.MemberUpn Item.ParentFolder.MemberRights src vendor_account vendor_product
Stage 5: search
| `security_content_ctime(firstTime)`
Stage 6: search
| `security_content_ctime(lastTime)`
Stage 7: search
| `o365_mailbox_folder_read_permission_assigned_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Operation | eq |
|
Workload | eq |
|
object | ne |
|
sourcetype | eq |
|