
Summary
This detection rule identifies a user granting mailbox access rights in Microsoft 365 Exchange Online. It matches successful events in which one account is granted FullAccess, SendAs, or SendOnBehalf on another user's mailbox. Adversaries use such delegation (ATT&CK T1098.002, Additional Email Delegate Permissions) to read, send, or impersonate mail from a victim mailbox without signing in to it, which is less conspicuous than repeated interactive logons. Delegation granted by an account that does not normally administer mailboxes is a strong indicator of account compromise. Automated system actions and known service accounts are filtered out to reduce false positives. Investigative guidance covers reviewing the audit event, confirming that both the granting and the receiving account are legitimate and expected, and assessing what the granted right allows: FullAccess lets the delegate open and manage the mailbox, SendAs lets them send mail that appears to come from the owner, and SendOnBehalf lets them send mail marked as sent on the owner's behalf. Remediation steps include revoking the permission, resetting the passwords of the accounts involved, and notifying the affected users and the security team. Note that in Exchange Online FullAccess is granted with Add-MailboxPermission, SendAs with Add-RecipientPermission, and SendOnBehalf with Set-Mailbox -GrantSendOnBehalfTo; when tuning the rule, verify that its query covers each cmdlet whose right it is meant to catch.
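The following is an added example, not the rule's own query, showing the detection logic described above run over constructed Microsoft 365 unified audit log records. It assumes the Office 365 Management Activity API record layout (Workload, Operation, ResultStatus, UserId, and a Parameters array of Name/Value pairs), treats "True" and "Success" as successful outcomes, and covers all three Exchange Online cmdlets that grant the rights in scope (Add-MailboxPermission, Add-RecipientPermission, Set-Mailbox -GrantSendOnBehalfTo). The exclusion list of automated actors and every sample record are constructed for illustration.

```python
"""Detection logic for suspicious mailbox right delegation in Exchange Online,
applied to constructed Microsoft 365 unified audit log records (NDJSON).

Added example, not the rule's own query. Field names follow the Office 365
Management Activity API record schema (assumption); sample data is constructed.
"""
import json

# Rights the rule treats as sensitive: they let the delegate read the mailbox
# or send mail as, or on behalf of, its owner.
SENSITIVE_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Exchange Online cmdlets that grant those rights: FullAccess via
# Add-MailboxPermission, SendAs via Add-RecipientPermission, SendOnBehalf via
# Set-Mailbox -GrantSendOnBehalfTo.
DELEGATION_OPERATIONS = {"Add-MailboxPermission", "Add-RecipientPermission", "Set-Mailbox"}

# Exchange admin audit records mark cmdlet success as "True"; some pipelines
# normalise it to "Success". Accept both (assumption).
SUCCESS_STATUSES = {"True", "Success", "Succeeded"}

# Automated actors excluded to reduce noise. The list is tenant-specific
# (assumption); extend it with known service accounts.
EXCLUDED_ACTORS = {"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"}


def _params(record):
    """Flatten the Parameters array into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def granted_rights(record):
    """Return the sensitive rights a single record grants (empty set if none)."""
    params = _params(record)
    if record.get("Operation") == "Set-Mailbox":
        # SendOnBehalf is not an AccessRights value; it appears as GrantSendOnBehalfTo.
        return {"SendOnBehalf"} if params.get("GrantSendOnBehalfTo") else set()
    # AccessRights may be a single value or a comma-separated list.
    raw = params.get("AccessRights", "")
    return {r.strip() for r in raw.split(",")} & SENSITIVE_RIGHTS


def delegate_of(record):
    """Identify who received the right; the parameter name differs per cmdlet."""
    params = _params(record)
    return params.get("User") or params.get("Trustee") or params.get("GrantSendOnBehalfTo")


def is_suspicious_delegation(record):
    """Apply the rule: Exchange workload, delegation cmdlet, successful outcome,
    a sensitive right granted, and an actor that is not an excluded principal."""
    if record.get("Workload") != "Exchange":
        return False
    if record.get("Operation") not in DELEGATION_OPERATIONS:
        return False
    if record.get("ResultStatus") not in SUCCESS_STATUSES:
        return False
    if record.get("UserId") in EXCLUDED_ACTORS:
        return False
    return bool(granted_rights(record))


def detect_delegations(ndjson_text):
    """Run the rule over NDJSON audit records; return one alert dict per hit."""
    alerts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if is_suspicious_delegation(record):
            alerts.append({
                "actor": record["UserId"],
                "operation": record["Operation"],
                "mailbox": _params(record).get("Identity"),
                "delegate": delegate_of(record),
                "rights": granted_rights(record),
            })
    return alerts


def _rec(op, status, actor, **params):
    """Build one constructed audit record."""
    return json.dumps({"Workload": "Exchange", "Operation": op, "ResultStatus": status,
                       "UserId": actor,
                       "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]})


# Constructed sample records (not real tenant data), one per line.
SAMPLE_RECORDS = "\n".join([
    # Admin grants FullAccess on the CFO mailbox to a contractor: alert.
    _rec("Add-MailboxPermission", "True", "jdoe@example.com",
         Identity="cfo@example.com", User="contractor@example.com", AccessRights="FullAccess"),
    # Same cmdlet, but only ReadPermission: not in scope.
    _rec("Add-MailboxPermission", "True", "jdoe@example.com",
         Identity="cfo@example.com", User="auditor@example.com", AccessRights="ReadPermission"),
    # System principal grants FullAccess during provisioning: excluded actor.
    _rec("Add-MailboxPermission", "True", "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
         Identity="shared@example.com", User="svc-room@example.com", AccessRights="FullAccess"),
    # SendAs grant that failed: ignored.
    _rec("Add-RecipientPermission", "False", "jdoe@example.com",
         Identity="cfo@example.com", Trustee="contractor@example.com", AccessRights="SendAs"),
    # SendOnBehalf via Set-Mailbox: alert.
    _rec("Set-Mailbox", "True", "jdoe@example.com",
         Identity="cfo@example.com", GrantSendOnBehalfTo="assistant@example.com"),
    # Set-Mailbox changing only the display name: not a delegation.
    _rec("Set-Mailbox", "True", "jdoe@example.com",
         Identity="cfo@example.com", DisplayName="Chief Financial Officer"),
])

if __name__ == "__main__":
    for alert in detect_delegations(SAMPLE_RECORDS):
        print(alert)
```

The two records that fire are the FullAccess grant to the contractor and the SendOnBehalf grant to the assistant; the ReadPermission grant, the failed SendAs attempt, the system-principal action and the display-name change are all dropped by the checks described in the summary. Tune EXCLUDED_ACTORS to the automated principals seen in your own tenant before deploying logic like this.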
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1098
- T1098.002
Created: 2021-05-17