
O365 Elevated Mailbox Permission Assigned

Splunk Security Content

Summary
This analytic identifies elevated mailbox permissions being assigned in an Office 365 environment through the Exchange Add-MailboxPermission operation. It uses Exchange workload events from the o365_management_activity data source and matches assignments whose AccessRights include FullAccess, ChangePermission, or ChangeOwner. Granting these rights is a common persistence and collection step: an attacker holding an administrative account, or a rogue administrator, can delegate themselves full access to a target mailbox and then read or export its contents without the mailbox owner ever signing in. If the assignment is confirmed malicious, the actor has access to sensitive email and can manipulate mailbox settings, which poses a serious risk of data exfiltration and privilege escalation. When triaging a hit, verify that the granting account, the grantee, and the target mailbox correspond to an approved change; shared mailboxes, delegate assistants, and migration or backup service accounts are common legitimate sources of this event.
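To show the matching logic concretely, the following is an added example written for this page rather than the project's own SPL search. It applies the same selection (Workload Exchange, Operation Add-MailboxPermission, AccessRights containing FullAccess, ChangePermission or ChangeOwner) to a handful of constructed JSON events. The event layout (Workload, Operation, UserId, ObjectId, CreationTime, and a Parameters list of Name/Value pairs) is an assumption modelled on the Office 365 Management Activity API Exchange audit record; the sample events, account names and the detect_elevated_mailbox_permissions function are hypothetical. It also handles the case where AccessRights arrives as a comma-separated string mixing elevated and non-elevated rights, and it ignores events for other operations.

```python
import json

# Rights the analytic treats as elevated (the three listed on the page).
ELEVATED_RIGHTS = {"FullAccess", "ChangePermission", "ChangeOwner"}

# Constructed sample events; the field layout is an assumption modelled on
# Office 365 Management Activity Exchange audit records, not real tenant logs.
SAMPLE_EVENTS = [
    # 1. FullAccess granted to a service account: should be flagged.
    json.dumps({
        "CreationTime": "2024-11-14T09:12:01", "Workload": "Exchange",
        "Operation": "Add-MailboxPermission", "UserId": "admin@example.com",
        "ObjectId": "ceo@example.com",
        "Parameters": [
            {"Name": "Identity", "Value": "ceo@example.com"},
            {"Name": "User", "Value": "svc-backup@example.com"},
            {"Name": "AccessRights", "Value": "FullAccess"},
        ],
    }),
    # 2. ReadPermission only: not elevated, not flagged.
    json.dumps({
        "CreationTime": "2024-11-14T09:15:44", "Workload": "Exchange",
        "Operation": "Add-MailboxPermission", "UserId": "admin@example.com",
        "ObjectId": "sales@example.com",
        "Parameters": [
            {"Name": "Identity", "Value": "sales@example.com"},
            {"Name": "User", "Value": "auditor@example.com"},
            {"Name": "AccessRights", "Value": "ReadPermission"},
        ],
    }),
    # 3. Comma-separated rights mixing elevated and non-elevated: flagged on ChangeOwner.
    json.dumps({
        "CreationTime": "2024-11-14T09:20:10", "Workload": "Exchange",
        "Operation": "Add-MailboxPermission", "UserId": "helpdesk@example.com",
        "ObjectId": "cfo@example.com",
        "Parameters": [
            {"Name": "Identity", "Value": "cfo@example.com"},
            {"Name": "User", "Value": "contractor@example.com"},
            {"Name": "AccessRights", "Value": "ChangeOwner, ReadPermission"},
        ],
    }),
    # 4. Removal of a permission: different operation, not flagged.
    json.dumps({
        "CreationTime": "2024-11-14T09:25:00", "Workload": "Exchange",
        "Operation": "Remove-MailboxPermission", "UserId": "admin@example.com",
        "ObjectId": "ceo@example.com",
        "Parameters": [{"Name": "AccessRights", "Value": "FullAccess"}],
    }),
    # 5. Unrelated workload: not flagged.
    json.dumps({
        "CreationTime": "2024-11-14T09:30:00", "Workload": "AzureActiveDirectory",
        "Operation": "UserLoggedIn", "UserId": "ceo@example.com",
    }),
    # 6. Truncated line, as ingestion sometimes produces: skipped, not an error.
    '{"Workload": "Exchange", "Operation": "Add-Mailbox',
]


def _param(event, name):
    """Return the Value of the named entry in the event's Parameters list, if any."""
    for entry in event.get("Parameters", []):
        if entry.get("Name") == name:
            return entry.get("Value")
    return None


def _rights(value):
    """Normalise AccessRights, which may be a string, a comma-separated string or a list."""
    if value is None:
        return set()
    parts = value if isinstance(value, list) else str(value).split(",")
    return {p.strip() for p in parts if p and p.strip()}


def detect_elevated_mailbox_permissions(lines):
    """Return one finding per Add-MailboxPermission event that grants an elevated right."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the search
        if event.get("Workload") != "Exchange":
            continue
        if event.get("Operation") != "Add-MailboxPermission":
            continue
        elevated = _rights(_param(event, "AccessRights")) & ELEVATED_RIGHTS
        if not elevated:
            continue
        findings.append({
            "time": event.get("CreationTime"),
            "actor": event.get("UserId"),                              # who granted it
            "mailbox": _param(event, "Identity") or event.get("ObjectId"),
            "grantee": _param(event, "User"),                          # who received it
            "rights": sorted(elevated),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_elevated_mailbox_permissions(SAMPLE_EVENTS):
        print(finding)
```

Only events 1 and 3 produce findings. The grantee and granting actor are kept in each finding because the triage question is whether that pairing was an approved change, not merely that the operation occurred.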
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098 (Account Manipulation)
  • T1098.002 (Account Manipulation: Additional Email Delegate Permissions)
  • T1114.002 (Email Collection: Remote Email Collection)
Created: 2024-11-14